Drone

Howto drone exec private docker registry (drone 1.1)

I have builds with private registry pulls working perfectly well with secrets through the UI. I’m trying to get drone exec to work from command line. I feel like I’ve missed something obvious but meh. I’ve read the v1.0 faq and worked through that. I’m working with drone v1.1

  • like this:

    # --trusted would be superfluous in this case
    sudo drone exec --secret-file /home/<user>/.drone_secrets/project.env
    
  • my secrets file looks like this:

    priv_docker_registry=@/home/<user>/.drone_secrets/docker-registry-login.json
    
  • docker-registry-login.json (works perfectly through the UI):

    {
        "auths": {
            "docker.example.com": {
                "auth": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx"
            }
        },
        "HttpHeaders": {
            "User-Agent": "Docker-Client/18.09.1 (linux)"
        }
    }
    
  • my .drone.yml:

    kind: pipeline
    name: default
    
    steps:
    - name: preprocess
      image: docker.example.com/mydrone-plugins/drone-pypi:latest
      commands:
      - python3 ./hello.py
      # other possible commands
      # - pip3 install virtualenv
      # - virtualenv venv
    
    # note that this secret works fine in drone v1.1
    image_pull_secrets:
    - priv_docker_registry
    

what am I missing?
Also note, my files paths are verified and my file also matches my /home/<user>/.docker.config.json.

usually we recommend running docker pull manually to pull images you require, instead of having drone do this. we recommend adding pull: if-not-exists when running locally so that Drone does not try to pull images that already existing in your local cache.

steps:
- name: preprocess
  image: docker.example.com/mydrone-plugins/drone-pypi:latest
  pull: if-not-exists

with that being said, I think you can do something like this:

drone exec --registry=https://username:password@registry.company.com

but in general I recommend just pulling what you need manually.

1 Like

That’s good to know.
I’ve confirmed that works.
:smiley:

I have lots of images on a private registry, and settings if-not-exists manually when running locally feels like a bad way to do this.

It seems that using --secret-file should work with image_pull_secrets, only it doesn’t. Could there be a bug?

In the meantime I could of course create a script that temporarily replaces pull: always with pull: if-not-exists and pulls all my images.

I cannot confirm this. It has worked for me, however, if you are experiencing issues I recommend cloning the repository and sending a patch.

I might try to debug that way, thanks.

Could you perhaps give me some pointers? My current situation is as follows:

  • everything is working fine when using the drone server
  • My registry is running on a non-default port (5000)
  • When setting --secret-file there is an effect that I can see when using environment: from_secret . All secret variables are just ******* which I assume is on purpose.

I ended up writing a script to make exec work. just posting here since it might help someone.


cp .drone.yml .drone.yml.bak
# These env variables are missing in exec for some reason. Need to emulate here
echo -n "DRONE_COMMIT_SHA=" > /tmp/drone_exec.env
echo `git rev-parse HEAD` >> /tmp/drone_exec.env
echo -n "DRONE_SOURCE_BRANCH=" >> /tmp/drone_exec.env
echo `git rev-parse --abbrev-ref HEAD` >> /tmp/drone_exec.env
# Drone currently has some problems connecting to a private registry through "exec".
# So, we just brute force this (exec is rarely needed locally)

# Use local images if available
sed -i 's/pull\: always/pull\: if-not-exists/g' .drone.yml
docker pull my.private.registry/my_image

drone exec --trusted --env-file /tmp/drone_exec.env $@
mv .drone.yml.bak .drone.yml