Docker Run a Container with dynamic registry feeds

Given a lifecycle containing

  • a of on-premise tentacle with access to a private docker registry
  • a hosted in Azure with an Azure registry

When promoting to the azure I get a Calamari error. The failure occurs when attempting to run a Docker CLI to log on to the Azure registry. The Library External Feed tests correctly. I think the “docker login” command is working, but standard out is issuing a WARNING and Calamari is failing. This is running in an Azure SKU “[smalldisk] Windows Server, version 1903 with Containers” with a listening tentacle.

Octopus Deploy v2019.3.3 LTS

      |       Running: Download package influxdb v1.7.6-nanoserver-1809 directly from Docker Registry v2 '******.azurecr.io' at https://***.azurecr.io under *****.azurecr.io

13:26:52 Verbose | Starting C:\windows\system32\WindowsPowershell\v1.0\PowerShell.exe in working directory ‘C:\Octopus\Work\20190628172652-71908-312’ using ‘OEM United States’ encoding running as ‘NT AUTHORITY\SYSTEM’ with the same environment variables as the launching process

13:26:52 Verbose | Octopus Deploy: Calamari version 4.15.2

13:26:53 Verbose | Environment Information:

13:26:53 Verbose | OperatingSystem: Microsoft Windows NT 10.0.17763.0

13:26:53 Verbose | OsBitVersion: x64

13:26:53 Verbose | Is64BitProcess: True

13:26:53 Verbose | CurrentUser: NT AUTHORITY\SYSTEM

13:26:53 Verbose | MachineName: ********

13:26:53 Verbose | ProcessorCount: 2

13:26:53 Verbose | CurrentDirectory: C:\Octopus\Work\20190628172652-71908-312

13:26:53 Verbose | TempDirectory: C:\windows\TEMP\

13:26:53 Verbose | HostProcessName: Calamari

13:26:53 Verbose | Feed type provided Docker using DockerImagePackageDownloader

13:26:53 Verbose | Name Value

13:26:53 Verbose | ---- -----

13:26:53 Verbose | PSVersion 5.1.17763.503

13:26:53 Verbose | PSEdition Desktop

13:26:53 Verbose | PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}

13:26:53 Verbose | BuildVersion 10.0.17763.503

13:26:53 Verbose | CLRVersion 4.0.30319.42000

13:26:53 Verbose | WSManStackVersion 3.0

13:26:53 Verbose | PSRemotingProtocolVersion 2.3

13:26:53 Verbose | SerializationVersion 1.1.0.1

13:26:53 Verbose | PowerShell Environment Information:

13:26:53 Verbose | OperatingSystem: Microsoft Windows NT 10.0.17763.0

13:26:53 Verbose | OsBitVersion: x64

13:26:53 Verbose | Is64BitProcess: True

13:26:53 Verbose | CurrentUser: NT AUTHORITY\SYSTEM

13:26:53 Verbose | MachineName: *********

13:26:53 Verbose | ProcessorCount: 2

13:26:53 Verbose | CurrentDirectory: C:\windows\system32\config\systemprofile\AppData\Local\Calamari\Temp\964172b8-9e6d-4b1b-b92c-63bcfe1f17ff

13:26:53 Verbose | CurrentLocation: C:\windows\system32\config\systemprofile\AppData\Local\Calamari\Temp\964172b8-9e6d-4b1b-b92c-63bcfe1f17ff

13:26:53 Verbose | TempDirectory: C:\windows\TEMP\

13:26:53 Verbose | HostProcessName: powershell

13:26:53 Verbose | TotalPhysicalMemory: 8388148 KB

13:26:53 Verbose | AvailablePhysicalMemory: 6494276 KB

13:26:53 Verbose | Docker version 18.09.6, build 1578dcadd2

13:26:54 Error | Calamari.exe : docker : WARNING! Your password will be stored unencrypted in octo-docker-configs\config.json.

13:26:54 Error | At C:\Octopus\Work\20190628172652-71908-312\Bootstrap.ps1:14 char:1

13:26:54 Error | + & “${env:TentacleHome}\Calamari\4.15.2\Calamari.exe” download-package …

13:26:54 Error | + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

13:26:54 Error | + CategoryInfo : NotSpecified: (docker : WARNIN…gs\config.json.:String) , RemoteException

13:26:54 Error | + FullyQualifiedErrorId : NativeCommandError

13:26:54 Verbose | Process C:\windows\system32\WindowsPowershell\v1.0\PowerShell.exe in C:\Octopus\Work\20190628172652-71908-312 exited with code 1

Dx

The warning message source is the docker login command line. When using the --password-stdin option on a Windows/amd64 OS in Docker Engine Enterprise, a security warning is raised. The warning is caught by Octopus Deploy Calamari and converted to an error.

I think there are bugs.

  • Calamari should not convert a warning to an error. It should just forward the docker engine warning as an Octopus warning.
  • The documentation for the setup of Library | External Feeds | Docker Container Registry should document the docker engine credential dependency on the docker credential helper to be configured when specifying credentials.

Tx

Configure the docker engine enterprise to store the docker registry credential in the Windows Credential Manager/CMDKEY. There is an open source (MIT license) project for docker credential helpers which integrates the docker engine to the Windows Credential Manager. Found the setup directions here.

Rx

Script to install the docker credential helper for Windows Credential Manager. Download, unzip and copy to program files and set the environment Path Variable so docker can find the helper. Run on the docker engine one time.

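# Pinned release of docker-credential-helpers to install
$dockerCredentialVersion = '0.6.2'
$DockerCredentialPath = [IO.Path]::Combine($env:ProgramFiles, 'DockerCredential')
# Older Windows PowerShell/.NET defaults may not offer TLS 1.2, which GitHub requires
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest $('https://github.com/docker/docker-credential-helpers/releases/download/v{0}/docker-credential-wincred-v{0}-amd64.zip' -f $dockerCredentialVersion) -OutFile "$env:USERPROFILE\Downloads\docker-credential-wincred.zip" -UseBasicParsing
Expand-Archive "$env:USERPROFILE\Downloads\docker-credential-wincred.zip" -DestinationPath $DockerCredentialPath
Remove-Item -Path "$env:USERPROFILE\Downloads\docker-credential-wincred.zip" -Force
# Append the helper directory to the machine-wide Path so docker can find the helper
[Environment]::SetEnvironmentVariable('Path', [Environment]::GetEnvironmentVariable('Path', [EnvironmentVariableTarget]::Machine) + ";$DockerCredentialPath", [EnvironmentVariableTarget]::Machine)
# Restart the docker service so it picks up the updated Path
Restart-Service docker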
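
A way to check whether the workaround above took effect, as an added example that is not part of the original post and is not Octopus or Docker code: the function reads the text of a Docker CLI config.json (such as the octo-docker-configs\config.json named in the warning) and reports, per registry, whether the credential is stored inline or delegated to a credential helper. The function name, the registry name and both sample configs are constructed for illustration.

```powershell
# Added example: classify how a Docker CLI config.json stores registry credentials.
# Test-DockerCredentialStorage and the sample configs below are constructed.
function Test-DockerCredentialStorage {
    param([Parameter(Mandatory)][string]$ConfigJson)

    $config = $ConfigJson | ConvertFrom-Json

    # Per-registry helpers (credHelpers) take precedence over the global credsStore.
    $helpers = @{}
    if ($config.credHelpers) {
        $config.credHelpers.PSObject.Properties | ForEach-Object { $helpers[$_.Name] = $_.Value }
    }
    if (-not $config.auths) { return }

    foreach ($entry in $config.auths.PSObject.Properties) {
        # An inline "auth" value is base64(user:password): encoded, not encrypted.
        $inline = [bool]$entry.Value.auth
        if ($helpers.ContainsKey($entry.Name)) { $helper = $helpers[$entry.Name] }
        else { $helper = $config.credsStore }

        if ($inline) { $finding = 'password stored unencrypted in config.json' }
        elseif ($helper) { $finding = "delegated to docker-credential-$helper" }
        else { $finding = 'no credential recorded' }

        [pscustomobject]@{
            Registry = $entry.Name
            Inline   = $inline
            Helper   = $helper
            Finding  = $finding
        }
    }
}

# Constructed sample: config written by docker login with no credential helper available.
$before = '{"auths":{"example.azurecr.io":{"auth":"dXNlcjpwYXNz"}}}'
# Constructed sample: config written once the wincred helper is in use.
$after  = '{"auths":{"example.azurecr.io":{}},"credsStore":"wincred"}'

Test-DockerCredentialStorage -ConfigJson $before
Test-DockerCredentialStorage -ConfigJson $after
```

For a real file, pass its contents with `Get-Content -Raw`.
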

Hi Rob,

Thanks for the extra information, and apologies that I haven’t responded sooner.

I will raise this issue with the engineers tomorrow morning Australian time and investigate to see if we do have a bug here. I will provide an update as soon as I have one.

Regards,
Alex

Hi @Alex.Rolley, this issue is still happening on v2019.12.0 LTS. Did you raise this as a bug? Do you have a proposed workaround without using third-party tools?