Watchtower: Support .dockercfg / authConfig for using watchtower with images from private registry

Created on 3 Sep 2015  路  16Comments  路  Source: containrrr/watchtower

To support pulling private images. I want to mount a .dockercfg file containing the authconfig or give an env with the (base64 encoded) version of .dockercfg to the watchtower container.

from: https://docs.docker.com/reference/api/docker_remote_api/

  • Since API version 1.2, the auth configuration is now handled client side, so the client has to send the authConfig as a POST in /images/(name)/push.
    authConfig, set as the X-Registry-Auth header, is currently a Base64 encoded (JSON) string with the following structure: {"username": "string", "password": "string", "email": "string", "serveraddress" : "string", "auth": ""}. Notice that auth is to be left empty, serveraddress is a domain/ip without protocol, and that double quotes (instead of single ones) are required.

Something like this: https://github.com/fsouza/go-dockerclient/blob/master/auth.go#L50

Most helpful comment

https://github.com/CenturyLinkLabs/watchtower/pull/13

allows

docker run -d --name watchtower \
  -e REPO_USER="" \
  -e REPO_PASS="" \
  -e REPO_EMAIL="" \
  -v /var/run/docker.sock:/var/run/docker.sock \
  drud/watchtower container_name --debug

All 16 comments

@pnicolai I was just talking about this yesterday with someone else in this PR https://github.com/CenturyLinkLabs/watchtower/pull/2.

This is most definitely a gap in the current implementation, and I think that leveraging the existing .dockercfg probably makes the most sense. I like the idea of supporting either a mounted file or an env var -- I did something similar with the TLS config options.

This will most likely be the next thing that I work on, but would welcome PRs if anyone else wants to take a crack at it.

@wilstrup this is relevant to our discussion in #2

Has any progress been made on this, @bdehamer?

Hi @atomaka, @bdehamer is no longer at CenturyLink, and no progress has been made on this request.

CenturyLink is the maintainer for these open source projects, but we welcome and encourage community contributions. I recommend that you, @wilstrup or @pnicolai implement and test support for private registries, and then submit a PR with your enhancement.

https://github.com/CenturyLinkLabs/watchtower/pull/13

allows

docker run -d --name watchtower \
  -e REPO_USER="" \
  -e REPO_PASS="" \
  -e REPO_EMAIL="" \
  -v /var/run/docker.sock:/var/run/docker.sock \
  drud/watchtower container_name --debug

What's the status on this? It would definitely come in handy for me right now.

Would be very useful for me, too.

@frodopwns, does #13 this allow specifying a private registry URL for the auth credentials to apply to?

@tomjrob I don't actually use any registries other than Docker Hub but I'm happy to look into it further. I will post back here.

@tomjrob It seems to work. I tested with a private quay.io repo and my fork of watchtower picked up on changes to it just fine. I'd imagine this will work with any of the other registries.

Is there any progress on that issue? Any option or something to pass a private registry other than docker-hub, ie gitlab?

I just ran across this issue as well, being able to vol mount an existing .docker/config.json file would be extremely useful, especially when talking about multiple auths to multiple different registries. In my case I have some images on Gitlab and other legacy items on Docker Hub.

After spending some time lurking in the code of watchtower and trying to make it work with Amaon ECR (private registry) I guess the right approach is to replace the docker-client library (or update the existing one), by one that will honour docker-credentials-helper.

Looks like docker-credentials-helper is the official way to transparently authenticate to private registries.

Should be fixed with #26 and next upcoming v0.1.0

New official builds are now available on docker hub. Issue should be fixed with v0.1.0

This still does not work for me at all.
Any awareness of further issues with private repo authentication via docker config.json file?

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Fredrik81 picture Fredrik81  路  5Comments

aogg picture aogg  路  3Comments

mlmnetcologne picture mlmnetcologne  路  3Comments

Ezwen picture Ezwen  路  6Comments

auanasgheps picture auanasgheps  路  6Comments