How to pull private images with 1.0

I’m not sure why, but your script yielded an invalid auth token for me… Maybe I made a typo somewhere. But the other method worked.

Did it fail at the base64 encoding part, or does the dockerconfigjson file look different? The script uses ‘>>’, which appends data to it. Try a different file name, or use ‘>’ if you don’t mind losing your current dockerconfigjson file.

Something about the base64 is different. The auth file that works and the one generated by your script have a visually different base64.

I decoded the one that works, and the one yielded by your script. The one that works looks something like this username:my-password-here%, whereas the one yielded by your script is missing the % sign, which is not actually a part of my password. The % appears to represent a line ending.

If I use echo -n "username:password" | base64 it actually yields the correct base64.

So, not really sure why that doesn’t work, but here’s what works for me:

cat <<EOF >> dockerconfigjson
{
	"auths": {
		"https://index.docker.io/v1/": {
			"auth": "$(echo -n 'username:password' | base64 )"
		}
	}
}
EOF
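The `echo` versus `echo -n` difference found above can be checked mechanically. The following is an added example, not code from the thread or from Drone; the function names `make_auth`, `check_auth` and `write_config` are hypothetical, and it assumes a `base64` that accepts `-d` (GNU coreutils).

```sh
#!/bin/sh
# Added example: build and verify the "auth" value of a dockerconfigjson file.
nl='
'

# Encode user:password with no trailing newline. tr strips the line breaks
# GNU base64 inserts every 76 columns, which matters for long access tokens.
make_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Classify an auth value: ok | trailing-newline | no-colon | not-base64
check_auth() {
  # The sentinel "x" stops $(...) from silently stripping a trailing newline.
  ca_raw=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf x) ||
    { echo not-base64; return 1; }
  ca_raw=${ca_raw%x}
  case $ca_raw in
    *"$nl") echo trailing-newline; return 1 ;;
    *:*)    echo ok ;;
    *)      echo no-colon; return 1 ;;
  esac
}

# Write a fresh config: $1=registry $2=user $3=password $4=output file.
# Assumes the registry name contains no characters that need JSON escaping.
write_config() {
  wc_auth=$(make_auth "$2" "$3") || return 1
  ( umask 077   # the file holds credentials: owner read/write only
    # '>' truncates; '>>' would append a second JSON document to an old file
    cat > "$4" <<EOF
{
  "auths": {
    "$1": { "auth": "$wc_auth" }
  }
}
EOF
  )
}

# Constructed sample values: the same credential encoded both ways.
check_auth "$(echo 'username:password' | base64)" || true   # trailing-newline
check_auth "$(make_auth username password)"                 # ok
```

Running `check_auth` on the value stored in a secret before uploading it catches a credential that was pasted unencoded or encoded with a stray newline.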

I am trying to do option 2 but I’m still getting a permissions error. I have drone installed in Kubernetes. So I put the file (named docker-config.json) in /etc/configs/docker-config.json and set that as the value for DRONE_DOCKER_CONFIG.

The private repository I’m hoping to pull from is GCR.

There are some known issues with config.json files and gcr. See https://github.com/drone/drone-runtime/issues/55 and the workaround proposed in the issue description.

I don’t have that issue though. My config.json is without the https entries.

      {
        "auths": {
          "https://index.docker.io/v1/": {
            "auth": "cow:moo"
          }
        },
        "credHelpers": {
          "gcr.io": "gcloud",
          "us.gcr.io": "gcloud",
          "eu.gcr.io": "gcloud",
          "asia.gcr.io": "gcloud",
          "staging-k8s.gcr.io": "gcloud",
          "marketplace.gcr.io": "gcloud"
        }
      }

I feel like I’m missing something. Should I also mount the gcloud creds?

I figured it out. I had to print the token and add it to the auths since I haven’t figured out a way to use the cloud creds helper.

I got the same issue when using plugins/docker images. I solved it by setting custom_dns: 8.8.8.8.
Maybe you can try it.

Hello everyone!

I have an issue. I’m trying to pull an image but give it a specific tag, do you know if it is possible?

Like this:

services:
- name: used_in_my_test
  image: company/image:tagx
  commands:
  - npm start

I’m trying to pull an image but give it a specific tag, do you know if it is possible?

Yes, this is possible. There are no issues pulling private images with tags.

If you look at the first post in this thread, you will see a Troubleshooting section. The troubleshooting section specifies the information that you need to provide to get support. All requested items in the list are required.

It would also be helpful if you could tell us how you are providing your registry credentials to Drone. The first post lists two options; which option are you using? If you are using the first option, have you double-checked your yaml to make sure it is correct?

Thank you @bradrydzewski and sorry for not sending an answer with the correct format. I solved that, it works, my issue was a typo. Thanks for the support.

Is this applicable for local builds with drone exec? I tried the following, but it doesn’t work:

.drone.yml

steps:
  - name: run-tests
    image: mycompany.org/org/repo
    commands:
      - python manage.py test

image_pull_secrets:
  - dockerconfigjson

secrets.txt

dockerconfigjson={"auths": {"mycompany.org": {"auth": "<my_auth_token>"}}}

command: drone exec --secret-file=secrets.txt

The exact same secret and .drone.yml works on the server, so it doesn’t seem to be a name mismatch issue.

Is this possible with the OSS version as there is no secret support?

Encrypted secrets are supported: https://docs.drone.io/configure/secrets/encrypted/

Hi Brad, thank you for building drone it’s a wonderful project!

We are running drone in Google VMs and we wanted to use the docker credHelpers to allow access to GCR. However, I can only find the DRONE_DOCKER_CONFIG option for the drone/agent and not the drone/drone-runner-docker:1.3. Is this correct?

The DRONE_DOCKER_CONFIG parameter is available to drone/drone-runner-docker. See https://docs.drone.io/runner/docker/configuration/reference/drone-docker-config/

I’ve been having a bit of an issue with this recently as well. I have a private docker registry that is authenticating through Nginx rather than handling it itself; pushing new images from Drone works just fine, so I’d assume I should be able to pull them back to use them in other steps as well? Or is this wrong?

I have replicated the config.json file stored by docker, created auth for it and verified it by decoding it back in Base64, added it as a named secret, and pulled that in with image_pull_secrets, but I am still getting a response of (URL masked):

default: Error response from daemon: Get https://*****/manifests/latest: no basic auth credentials

Should I be fine with Nginx doing my authentication for me, or is that not going to work with drone for pulls?

@dillius it is difficult to answer such questions without knowing more information such as:

  • drone server version
  • drone runner version
  • complete sample of a yaml that reproduces the issue
  • runner logs with trace logging enabled
  • runner configuration that demonstrates how you pass credentials to drone, or if using secrets, details about how you configured the secret.
  • fully qualified image name (ideally with sample command and output that demonstrate you can pull the image from the terminal, using the docker command line tools)

I would also recommend creating a separate thread that is specific to your issue.

Should I be fine with Nginx doing my authentication for me, or is that not going to work with drone for pulls?

I think it is important to clarify that Drone does not pull an image. Drone makes an API call to the host machine Docker daemon and instructs it to pull an image. Whether or not the registry sits behind an nginx proxy would impact the Daemon pulling the image, not Drone, since the Daemon is interacting with the proxy.

I guess I just find it strange how easy it is to achieve writing but how hard it is to achieve reading.

Based on your comments I remoted into the machine running drone and ensured I could manually reach my docker registry once logged in. From there I utilized that machine’s copy of config.json rather than the previous copy from my actual development machine.

Even though the base64 values under auth didn’t change, apparently there was some magic in the formatting of the rest of the JSON that led to it now functioning correctly once I replaced the secret value with this other copy.
