Docker Community Forums

Share and learn in the Docker community.

Use of Docker Private Repo doesn't work properly with Docker for AWS


(HKM Consulting LLC) #1

Expected behavior

Attempting to start a service with task=2 on a swarm comprised of 1 manager node and 1 worker node using a private repo in DockerHub as the source image. We should see one docker container on the manager and one on the worker.

Actual behavior

When executing this case, we see the manager node starts the container successfully, however the worker node does not. We used the command:

docker service tasks --all

and the worker node shows a state of Accepted but never switches to Running.

Additional Information

On the manager node we performed a docker login with the creds to access the private repo.

Here is the output from docker:

~ $ docker service tasks access

ID NAME SERVICE IMAGE LAST STATE DESIRED STATE NODE
960us0bkppw32zcdmrth7l4wa access.1 access hkmconsultingllc/privaterepo:xxxx Running about a minute ago Running ip-192-168-33-175.us-west-2.compute.internal
7usb4649x4nnakn5wrdc5rwuv access.2 access hkmconsultingllc/privaterepo:xxxx Accepted 2 seconds ago Accepted ip-192-168-33-18.us-west-2.compute.internal

Separately we also constrained the service to only run on the worker node and that failed to start. Finally we deployed the docker image as a public repo and it worked fine on both manager and worker nodes.

Steps to reproduce the behavior

  1. Create a private repo
  2. Create a task referring to the private repo
  3. Use docker service task --all to confirm it is not running

Are the worker nodes purposely configured to prevent SSH access when using Docker for AWS?
(Michael Friis) #2

Sorry about the slow response.

Currently we support passing --registry-auth to docker service create. This will cause swarm to store and use repo creds when starting more instances of the service in the future for any reason.

It looks like this is also showing up with docker deploy, although it’s not in the release client I’m using atm: https://github.com/docker/docker/blob/master/api/client/stack/deploy.go#L45

There are some gotchas with this approach, see here: https://github.com/docker/docker/issues/24940


DockerHub images in private repos not immediately accessible from AWS?
Access to AWS ECR
(HKM Consulting LLC) #3

We will give this a whirl Michael, thanks for the update!

Chris


(Johnparn) #4

Did you ever get this to work? I’ve tried using --with-registry-auth but without success so far, I can still only pull public images.