We have config.json file which has docker registry auth details of our private artifactory registry. However, when we create a new deployment, ECE is not able to find the auth details and tries to connect to the registry as “anonymous” (authentication is required for private registry). We are trying to avoid situation where we need to do a separate docker pull before ECE tries (ECE should be able to find the auth for docker registry – bolded red below).
Currently 7.5 docker images dont exist on the EC2. We are expecting ECE to download them automatically if they dont exist already on the EC2 host. Is this expectation correct?
Is there a way to confirm ECE is able to read the ~/.docker/config.json or does it look for the auth for registry in a different location? Also, is there a specific format that ECE expects the file to be in? Below is the format we have currently.
I'll look into this more on Monday: we do have the capability to specify auths, but the API is somewhat hidden in ECE (we used to use it internally but don't any more).
If possible, I'd remove the auths from the docker registry (none of the images are actually sensitive) - if that's not possible for policy/pragmatic/etc reasons, I'd complain to your support rep and we can give you a script to use the internal API to configure it.
Hi Alex, Thanks. Unfortunately, we cant turn off authentication on the registry due to internal security concerns).
From the logs, it looks like ECE tries to look for the auth details from "somewhere". Is that what you referred to as "internal API"? Shouldnt ECE look at the standard docker auth file for the credentials?
Just to add, received a workaround which works. It's not ideal though since it requires us to tinker with the containers. Is there any alternate better solution?
"On each allocator (inside frc-allocators-allocator docker container), create /home/elastic/.docker/config.json and copy contents from the main host's file /home/elastic/.docker/config.json. This will allow the Allocator to successfully authenticate to the Artifactory registry and download required images."
Commands:
I think working with support to use the private API (as a one off) is probably preferred - the above is a fine interim while waiting to sort that out (btw you can just do docker exec -it frc-allocators-allocator bash for step 1+2)
@avarshney - we are working towards opening a safe and easy-to-understand version of the API question, but currently it's an internal API that is a) very coupled to the internal implementation of our infrastructure, b) very easy to use to bring down your platform!
As a result our support engineers work with ECE users to build them custom scripts based on the API (and ensure that people with a deep understanding of that API are on hand to help) - so contacting support is the right way to go for that
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.