Vagrant: Docker provisioner can't be used with private docker registries

Created on 25 Mar 2014 · 6 Comments · Source: hashicorp/vagrant

In my team our CI server builds docker images that are pushed to a private registry (Quay.io, sort of a github/bitbucket for docker repos). Then, any dev can download those images doing "docker pull quay.io/myorg/myrepo", provided they have logged in or have a .dockercfg file in their home folder.

I'm building a Vagrantfile that will pull a bunch of images from quay.io and run a number of containers upon boot, using the Docker provisioner:

VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = "hashicorp/precise64"
  # Set up env vars to be used by the containers

  # Copy quay.io credentials
  config.vm.provision "file" do |f|
    f.source = ".dockercfg"
    f.destination = ".dockercfg"
  end

  # Install docker, pull images, and run containers!
  config.vm.provision "docker" do |d|
    d.pull_images "quay.io/myteam/myrepo"
    d.pull_images "quay.io/myteam/mysecondrepo"
  end
end

The vagrant provision fails with a 403 error (can't log in to quay.io), but when I log in to the machine (vagrant ssh) and run "docker pull quay.io/myteam/myrepo", the image gets pulled without issues. I think it's related to the fact that the Docker provisioner runs all commands with sudo, and that docker is expecting to find a .dockercfg in $HOME.

enhancement

All 6 comments

I think it is safe to drop the sudo from docker commands by now; vagrant should be capable of configuring the vagrant user, dropping the need for it.

@fgrehm I suspect you're right, but don't want to do that in a patch release. Tagged for later.

Note that dropping the sudo from the docker commands might not be enough, since docker will need access to the unix socket (permissions might not be ready upon first boot of the VM), and because the $HOME var pointing to /home/vagrant might not be available when executing those docker commands (upon first boot).

https://github.com/dotcloud/docker/blob/1805ef1cccabd3c1beccf88cec98d6a06a1c9188/api/client/cli.go#L56

@makobernal Yeah, I'm actually thinking now this is more of a misconfiguration. You probably want to put the .dockercfg file in root's HOME as well. That should make it work.

For anyone else who stumbles across this ticket, looking to pull private images from Docker Hub, here's what it took for me:

First, you need to copy the login credentials (either ~/.dockercfg or ~/.docker/config.json) to the VM:

config.vm.provision "file", source: "path/to/config.json", destination: "~/.docker/config.json"

That much is obvious above. However, the Vagrant file provisioner is run as the vagrant user, whereas the docker provisioner is run as root.

To make the private repositories accessible to the docker provisioner, I also had to copy the credentials to the /root directory using a shell provisioner.

config.vm.provision "shell", inline: "sudo cp -R /home/vagrant/.docker /root/.docker"
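
Added example (not part of the original comment and not Vagrant's own code): a script for the root-copy step described above. It avoids the nested .docker/.docker directory that cp -R produces when /root/.docker already exists on a re-provision, and it keeps the copied credentials at mode 0600. The function name and the two-argument convention are assumptions of this example.

```shell
#!/bin/sh
# Added example: copy Docker registry credentials from one home directory to
# another (e.g. /home/vagrant -> /root) so the root-run docker provisioner
# can authenticate. Function name and arguments are hypothetical.

install_docker_creds() {
    src_home=$1
    dst_home=$2
    found=1   # exit status: non-zero means nothing was copied

    # Current layout: ~/.docker/config.json
    if [ -f "$src_home/.docker/config.json" ]; then
        # Create the target directory explicitly. `cp -R src/.docker dst/.docker`
        # nests a second .docker inside it when the target already exists.
        mkdir -p "$dst_home/.docker"
        chmod 700 "$dst_home/.docker"
        # install(1) sets the mode regardless of the source file's permissions.
        install -m 600 "$src_home/.docker/config.json" \
            "$dst_home/.docker/config.json"
        found=0
    fi

    # Legacy layout: ~/.dockercfg
    if [ -f "$src_home/.dockercfg" ]; then
        install -m 600 "$src_home/.dockercfg" "$dst_home/.dockercfg"
        found=0
    fi

    if [ "$found" -ne 0 ]; then
        echo "no Docker credentials found under $src_home" >&2
    fi
    return "$found"
}

# When run as a script with two arguments: <source home> <destination home>
if [ "$#" -eq 2 ]; then
    install_docker_creds "$1" "$2"
fi
```

Vagrant's shell provisioner runs privileged (as root) by default, so the script needs no sudo when given /home/vagrant and /root as its arguments.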

Vagrant docker provider has docker login related auth settings.
Can we have the docker provisioner, specifically the build_image also work like that?
We have Dockerfiles that FROM privateregistry.... that demands a docker login to that registry.
I am able to upload a .docker/config.json, but that is clunky and insecure.
