Terraform: Cannot pull images from private registry with docker provider

Created on 1 Feb 2016  ·  14 Comments  ·  Source: hashicorp/terraform

Hi!

I've been trying to pull an image from a private registry using resource "docker_image" without success.

  • Running docker pull private/image:latest from the instance works
  • Running DOCKER_HOST=host docker pull private/image:latest from the client works

But it fails with a 403 when using the docker provider of Terraform.

Is there a way to specify the registry user/password?

thanks!

All 14 comments

Used library should be using $HOME/.dockercfg or $HOME/.docker/config.json. Can you provide some more info on the used resources (dummy out the sensitive stuff) and some debug logging?

I've been looking at the Terraform code. I see you are using go-dockerclient, but just using an empty instance of "AuthConfiguration".

https://github.com/hashicorp/terraform/blob/master/builtin/providers/docker/resource_docker_image_funcs.go#L110

There's this go-dockerclient function called "NewAuthConfigurationsFromDockerCfg()" (https://godoc.org/github.com/fsouza/go-dockerclient#NewAuthConfigurationsFromDockerCfg), so I've modified the previous file and replaced line 110 with this:

```go
// Look up credentials for the image's registry (the first path component,
// e.g. "quay.io") in the local Docker config file.
splitImage := strings.Split(image, "/")
auths, err := dc.NewAuthConfigurationsFromDockerCfg()
if err != nil {
    return fmt.Errorf("Error loading Docker registry credentials: %s", err)
}
// A registry with no entry yields a zero-value AuthConfiguration.
auth := auths.Configs[splitImage[0]]
if err := client.PullImage(pullOpts, auth); err != nil {
    return fmt.Errorf("Error pulling image %s: %s\n", image, err)
}
```

And it works fine.

There's this issue, hashicorp/nomad/issues/660, that seems to be related.

My example tf file:

```hcl
provider "docker" {
  host = "tcp://${aws_instance.dockertesting.public_dns}:2375/"
}

resource "docker_container" "dockerImage" {
  image = "${docker_image.dockerImage.latest}"
  name  = "echoapi"
}

resource "docker_image" "dockerImage" {
  name = "quay.io/Company/dockerImage"
}
```

The provider just returns a 403 when trying to pull the image.

2016/02/02 15:02:25 [ERROR] root: eval: *terraform.EvalRefresh, err: docker_image.DockerImage: Unable to read Docker image into resource: Unable to pull image quay.io/Company/DockerImage: Error pulling image quay.io/Company/DockerImage: Error: Status 403 trying to pull repository Company/DockerImage: "{\"error\": \"Permission Denied\"}"
2016/02/02 15:02:25 [ERROR] root: eval: *terraform.EvalSequence, err: docker_image.DockerImage: Unable to read Docker image into resource: Unable to pull image quay.io/Company/DockerImage: Error pulling image quay.io/Company/DockerImage: Error: Status 403 trying to pull repository Company/DockerImage: "{\"error\": \"Permission Denied\"}"
2016/02/02 15:02:25 [ERROR] root: eval: *terraform.EvalOpFilter, err: docker_image.DockerImage: Unable to read Docker image into resource: Unable to pull image quay.io/Company/DockerImage: Error pulling image quay.io/Company/DockerImage: Error: Status 403 trying to pull repository Company/DockerImage: "{\"error\": \"Permission Denied\"}"
2016/02/02 15:02:25 [ERROR] root: eval: *terraform.EvalSequence, err: docker_image.DockerImage: Unable to read Docker image into resource: Unable to pull image quay.io/Company/DockerImage: Error pulling image quay.io/Company/DockerImage: Error: Status 403 trying to pull repository Company/DockerImage: "{\"error\": \"Permission Denied\"}"
2016/02/02 15:02:25 [TRACE] Exiting eval tree: docker_image.DockerImage
2016/02/02 15:02:25 [DEBUG] vertex docker_container.DockerImage, got dep: docker_image.DockerImage
2016/02/02 15:02:25 [DEBUG] vertex provider.docker (close), got dep: docker_container.DockerImage
2016/02/02 15:02:25 [DEBUG] vertex root, got dep: provider.docker (close)
Error refreshing state: 1 error(s) occurred:

2016/02/02 15:02:25 [DEBUG] vertex root, got dep: provisioner.local-exec
2016/02/02 15:02:25 [DEBUG] vertex root, got dep: provisioner.file
2016/02/02 15:02:25 [DEBUG] vertex root, got dep: provisioner.chef
2016/02/02 15:02:25 [DEBUG] vertex root, got dep: var.aws_key_path
2016/02/02 15:02:25 [DEBUG] vertex root, got dep: var.rds-link_eip1
2016/02/02 15:02:25 [DEBUG] wa* docker_image.DockerImage: Unable to read Docker image into resource: Unable to pull image quay.io/Company/DockerImage: Error pulling image quay.io/Company/DockerImage: Error: Status 403 trying to pull repository Company/DockerImage: "{\"error\": \"Permission Denied\"}"

Thanks!
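The registry credential lookup discussed in the comment above, as an added example that is not part of the original thread and is not Terraform or go-dockerclient code. It uses only the Go standard library; the sample config, its credentials and the names `registryHost` and `lookupAuth` are constructed for illustration. It also covers references with no registry component, such as `ubuntu:precise`, which a plain split on "/" would mistake for a registry name.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample of $HOME/.docker/config.json; each "auth" value is
// base64("user:password"), which is encoding, not encryption.
const sampleConfig = `{"auths": {
  "quay.io": {"auth": "ZGVwbG95OnMzY3JldA=="},
  "https://index.docker.io/v1/": {"auth": "aHViOnB3"}}}`

// registryHost: the first path component names a registry only if it contains
// "." or ":" or is "localhost"; otherwise ("ubuntu:precise") it is Docker Hub.
func registryHost(image string) string {
	parts := strings.SplitN(image, "/", 2)
	if len(parts) == 2 && (strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost") {
		return parts[0]
	}
	return "index.docker.io"
}

// lookupAuth returns credentials for the image's own registry only. Config keys
// may be bare hosts or URLs. found is false when no entry matches, so one
// registry's secret is never offered to another.
func lookupAuth(configJSON, image string) (user, pass string, found bool, err error) {
	var cfg struct{ Auths map[string]struct{ Auth string `json:"auth"` } `json:"auths"` }
	if err = json.Unmarshal([]byte(configJSON), &cfg); err != nil {
		return "", "", false, err
	}
	for key, entry := range cfg.Auths {
		host := strings.TrimPrefix(strings.TrimPrefix(key, "https://"), "http://")
		if strings.SplitN(host, "/", 2)[0] != registryHost(image) {
			continue
		}
		raw, derr := base64.StdEncoding.DecodeString(entry.Auth)
		up := strings.SplitN(string(raw), ":", 2)
		if derr != nil || len(up) != 2 {
			return "", "", false, fmt.Errorf("malformed auth entry for %s", key)
		}
		return up[0], up[1], true, nil
	}
	return "", "", false, nil
}

func main() {
	fmt.Println(lookupAuth(sampleConfig, "quay.io/Company/dockerImage"))
}
```
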

I have the same problem.

+1

I can also confirm this bug. This is a WAG but I'm wondering if the image is getting parsed correctly.

@jonbrouse That was my thought at first as well, but it's actually parsing stuff OK near as I can tell. The issue seems to be the authentication. I saw the option for including the docker env file for the go-dockerclient library as @jmprusi notes, but I've been investigating a different route and playing with some code that lets you put user/pass in the image resource definition. This seems like it would be better, in that it would keep the configuration for credentials within the terraform configuration instead of adding another env/external dependency. But maybe it should do both? Take terra resource config first, then env?

Is there a workaround? Terraform is completely non-functional for Docker without the capability of using your credentials to access a registry. Seems like a big miss. I used up a lot of time setting up some stuff only to find out Terraform is a no-go for Docker. Any workaround is acceptable if we know that you are fixing the issue. By the way, my error message is slightly different. It gets a 500 on the pull with the error: 'no basic auth credentials'. I think it is the same thing though.

Facing the same issue, any workaround?

In my case it pulls the image, but still results in this error:


docker_image.ubuntu: Creating...
  latest: "" => "<computed>"
  name:   "" => "ubuntu:precise"
Error applying plan:

1 error(s) occurred:

* docker_image.ubuntu: **Unable to read Docker image into resource** Unable to find or pull image ubuntu:precise

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

There was a pull request. I rebuilt my terraform with the change from the pull request and things worked. However, there are plenty of other things in the Docker world that terraform hasn’t kept up with. I stopped using it. I’m watching to see if they support the other providers the way they support Amazon.

Any update on this issue?

+1

What is the state of this?

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
