How to pull private images with 1.0

I have not had time to document this yet, so I figured I would write a quick post. If you are coming from Drone 0.8 you may be wondering how to configure credentials required to pull private images defined in your yaml, for example:

kind: pipeline
name: default

steps:
- name: build
  image: registry.company.com/my/image
  commands:
  - go build
  - go test

In the above example, registry.company.com/my/image is a private registry and requires a username and password to pull the image. To provide Drone with the credentials you need to create a secret named dockerconfigjson, where the secret value is a valid docker configuration file with your authentication credentials.

NOTE when you add the registry credentials as a secret you probably need to enable the secret for pull requests. I am pretty sure this is required, but I might be wrong. So for the moment, assume this is required.

The docker configuration file should look something like this:

{
	"auths": {
		"https://index.docker.io/v1/": {
			"auth": "YW11cmRhY2E6c3VwZXJzZWNyZXRwYXNzd29yZA=="
		}
	}
}

You can then reference this secret in your yaml:

kind: pipeline
name: default

steps:
- name: build
  image: registry.company.com/my/image
  commands:
  - go build
  - go test

image_pull_secrets:
- dockerconfigjson

If you are unfamiliar with this file please consult the official Docker documentation. Do not try to construct this file by hand. There is also a nice article about the config file format here: https://www.projectatomic.io/blog/2016/03/docker-credentials-store/

Troubleshooting
If you are having difficulty with registry secrets please provide the following:

  1. version of Drone you are using
  2. a copy of your yaml configuration file.
  3. the output of drone secret info <repo> --name=<secret> for your secret
  4. the output of drone build info <repo> <build> for your build
  5. the output of your Drone runner logs with trace logging enabled
  6. the output of your Docker daemon logs
  7. if the build is a pull request, check to make sure the secret is enabled for pull requests.
  8. if your registry is insecure, make sure the docker daemon is configured properly. https://docs.docker.com/registry/insecure/

Option 2

The second option would be to pass this file to the agent. This will make the credentials available globally to all builds and all repositories. First you would mount the config file into your agent container:

docker run \
-v /root/.docker/config.json:/root/.docker/config.json

Then you need to pass the agent the path of the mounted file:

docker run \
-e DRONE_DOCKER_CONFIG=/root/.docker/config.json

@bradrydzewski Per option 2, this is just going forward with 1.0? This doesn’t work with 0.8 currently, yea?

correct, this thread is only applicable for 1.0

Are you sure about the name of the secret? .dockerconfigjson starts with a dot and that’s not allowed for docker secrets nor kubernetes secrets.

yes, I am sure this is the correct secret name in Drone.

I was able to get this to work on my drone projects. Thanks for this, since global registry creds with k8s are currently undocumented I was having to pull the private base images by hand.

I’d be curious to see a version of this that worked with something like AWS ECR that requires regularly refreshing the token.

AWS ECR does not work using the methods described in this thread, because as you mentioned, it requires special logic to periodically generate docker credentials. You therefore need to use a plugin for this. There is a thread that discusses this in depth:

And in one of the comments a community-member posts a plugin they created:
https://github.com/davidbyttow/drone-ecr-registry-plugin

Posting this here as a reminder for myself and in case anyone else hits this issue.

When using option 1 to authenticate make sure you paste the contents of your dockerconfigjson file into the Drone settings -> secrets for your application and not the kubernetes configuration secrets.

This seems obvious to me now but I wasted several hours trying to work this out. Hopefully it saves someone else some time.


@bradrydzewski Is there an official drone way to pull and use AWS ECR images for steps for 1.0? Or do you have a recommendation for that given the AWS login credential fun I can’t just use dockerconfigjson.

Any ideas?

you can use a registry plugin to provide the agent with ecr credentials:

I forgot to mention I am running on Kubernetes native, so I think that complicates things a bit right? Thanks for your quick response on this!

Actually, it looks like since our Kubernetes cluster already has permissions to our AWS ECR, I can just reference the image normally and it pulls it without any issue. Wish I would have just tried that first :joy:

Side note @bradrydzewski - Looks like on kubernetes native when pull: true is set it is still using an old version of the image, is this a known issue or am I missing something?

pull: true is not valid syntax for 1.0 (it was for 0.8). Instead you should use one of the following values:

pull: always
pull: if-not-exists
pull: never

Reference: https://docs.drone.io/pipeline/docker/syntax/steps/

Welp, it must be too early for me or something. Thanks again!

The first option doesn’t seem to work with kubernetes scheduler

For those with the default credential store enabled, in order to get the config file bradrydzewski mentioned:

  1. log out of docker
  2. remove credsStore
  3. log in to docker again

docker logout
# locate your docker config file. path should be ~/.docker/config.json
# and remove "credsStore": "xyz",
docker login --username <username> # will prompt for password
# open ~/.docker/config.json again
# make a secret on drone with the content of the file, using only the auth part mentioned above

And for those rebellious enough, you can skip the hassle above by base64 encoding your credentials

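# credfile content (a single line):
# username:password
#
# tr strips the newline at the end of credfile before encoding and the line
# wrapping some base64 implementations add; > overwrites instead of appending
# a second JSON document to an existing file.
cat <<EOF > dockerconfigjson
{
	"auths": {
		"https://index.docker.io/v1/": {
			"auth": "$(tr -d '\n' < credfile | base64 | tr -d '\n')"
		}
	}
}
EOF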
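The problems that come up in this thread (a config.json whose credentials live in a credsStore, a hand-encoded auth value, an auths key for a different registry than the image) can be checked before the value is pasted into the Drone secret. This is an added example, not code from the thread or from Drone; the function names and the rule of matching an auths key to the image by host name are assumptions made for illustration.

```python
import base64
import json
from urllib.parse import urlparse

DOCKER_HUB = "index.docker.io"  # host used when an image names no registry

def registry_host(image):
    """Registry host of an image reference; Docker Hub when none is given."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return DOCKER_HUB

def auth_key_host(key):
    """Reduce an auths key such as https://index.docker.io/v1/ to its host."""
    return urlparse(key if "://" in key else "//" + key).netloc

def check_dockerconfigjson(raw, image):
    """Return a list of problems with the secret value for the given image."""
    try:
        cfg = json.loads(raw)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top level is not a JSON object"]
    problems = []
    if "credsStore" in cfg:
        problems.append("credsStore set: credentials are in the OS store, not in this file")
    wanted = registry_host(image)
    auths = cfg.get("auths") or {}
    entry = next((v for k, v in auths.items() if auth_key_host(k) == wanted), None)
    if entry is None:
        return problems + [f"no auths entry for {wanted}"]
    try:
        decoded = base64.b64decode(entry.get("auth", ""), validate=True).decode()
    except ValueError:  # covers bad base64 and non-UTF-8 bytes
        return problems + ["auth is not valid base64 text"]
    user, sep, password = decoded.partition(":")
    if not (user and sep and password):
        problems.append("auth does not decode to username:password")
    elif decoded != decoded.strip():
        problems.append("decoded auth has surrounding whitespace (trailing newline?)")
    return problems

if __name__ == "__main__":
    # Constructed sample: credentials encoded together with a trailing newline.
    bad = base64.b64encode(b"user:pass\n").decode()
    sample = json.dumps({"auths": {"https://index.docker.io/v1/": {"auth": bad}}})
    print(check_dockerconfigjson(sample, "golang"))
    print(check_dockerconfigjson(sample, "registry.company.com/my/image"))
```

An empty list means the file has an entry for the image's registry that decodes cleanly; it does not prove the registry accepts the credentials.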

Excuse me! I added the dockerconfigjson value to Drone -> settings -> secrets, but when I push to git, my private image still gets a pull error. My Drone server image version is 1. If you can help me I will be very thankful!!

What is the best way to pull from aws ecr?
Is there no useful plugin like the drone-ecr?
I came up with a rather complicated cron-job version gathering the login data.

There is no DRONE_DOCKER_CONFIG: https://docs.drone.io/reference/server/