Nomad: Nomad Docker driver silently discards auth when no key found

Created on 29 Aug 2016 · 10 Comments · Source: hashicorp/nomad

Nomad version

0.4.1-rc1

Operating system and Environment details

Ubuntu 16.04
Docker 1.12.0

Issue

When Nomad is configured to use docker authentication credentials through the use of the docker.auth.config driver option, but no auth key exists for the requested image, it silently falls back.

Expected Behavior

A debug message is logged.

I ran into this while trying to debug why my private repo credentials were not working under Nomad. They worked when interacting with Docker directly. It seems that Docker does not mandate the use of the https:// prefix in the auths config for SSL repos, but Nomad does. In addition to debug logging, an update to the docker documentation for docker.auth.config driver option to specify the requirement would have saved a lot of time.

theme/config type/bug

All 10 comments

Perhaps another option might be to mirror native docker behavior in auth key selection, since the lack of parity there was one of the other unexpected results

Can you expand on how they are treated differently?

When using the docker binary and passing the auths config file, it uses the quay.io auth configuration key even though it is https under the hood. Nomad consumes this file directly, and requires the use of https:// prefix on the auth key. In this way, an auth config with key quay.io works with the docker binary but not nomad.

Here is an example of a configuration file which worked with docker binary but not nomad:

{
 "quay.io": {
  "auth": "REDACTED",
  "email": ""
 }
}

Would an else DEBUG log at https://github.com/hashicorp/nomad/blob/master/client/driver/docker.go#L910 be an acceptable change? Thanks

I think we can do a bit better job parsing the key in the docker driver

@dadgar So would it need to be prefixed with https:// if protocol wasn't specified (to match Docker's behaviour)?

@gliptak Yep that would be the first thought. I want to see how docker does it itself too

@evan2645 This PR makes Nomad behave the same as docker: https://github.com/hashicorp/nomad/pull/2190

WooHoo!! Thank you @dadgar
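
The two requests in this thread, scheme-insensitive auth key matching and a log message when no key matches, can be sketched as follows. This is an added example, not code from Nomad, Docker, or the linked PR; the names registryHost and findAuth are hypothetical, the sample config is constructed, and image references are assumed to start with an explicit registry host.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Added example: hypothetical names, not Nomad's or Docker's own code.
// AuthEntry mirrors one value in the auths file posted in the thread.
type AuthEntry struct {
	Auth  string `json:"auth"`
	Email string `json:"email"`
}

// registryHost drops any scheme and path, leaving a bare lower-case host.
func registryHost(s string) string {
	s = strings.ToLower(strings.TrimSpace(s))
	if i := strings.Index(s, "://"); i >= 0 {
		s = s[i+3:]
	}
	if i := strings.Index(s, "/"); i >= 0 {
		s = s[:i]
	}
	return s
}

// findAuth matches the image's registry (assumed to be written explicitly)
// against every key, and always returns a message for the debug log.
func findAuth(authsJSON []byte, image string) (*AuthEntry, string, error) {
	var auths map[string]AuthEntry
	if err := json.Unmarshal(authsJSON, &auths); err != nil {
		return nil, "", fmt.Errorf("parsing auth config: %v", err)
	}
	want := registryHost(image)
	for key, entry := range auths {
		if registryHost(key) == want {
			return &entry, fmt.Sprintf("using auth key %q for image %q", key, image), nil
		}
	}
	return nil, fmt.Sprintf("no auth key for registry %q (image %q); pulling without credentials", want, image), nil
}

func main() {
	// Constructed sample in the shape of the file from the thread.
	cfg := []byte(`{"quay.io": {"auth": "PLACEHOLDER", "email": ""}}`)
	_, msg, _ := findAuth(cfg, "quay.io/example/app:1.0")
	fmt.Println(msg)
}
```

With this matching, a key written as quay.io and one written as https://quay.io both resolve for the same image, and a miss produces a message instead of a silent unauthenticated pull.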
