moby: --with-registry-auth flag is lost during service update

Description I’ve created a docker swarm service using --with-registry-auth. Afterwards, when I update this service, the flag is not re-used, and has to be used explicit. Unfortunately I don’t see any way to detect if a service was started with the flag.

In previous version of docker-ce (eg 17.05) it was working just fine, and the digest was fetched, and if changed the service was updated. If I explicit add --with-registry-auth to the second command, it works fine, and the digest is fetched.

Steps to reproduce the issue:

docker service create --name test --with-registry-auth $(PRIVATE_REPO_WITH_AUTH_IMAGE)
docker service update --image $(PRIVATE_REPO_WITH_AUTH_IMAGE) test

Describe the results you received: The digest is removed from the image, but the service is not updated.

Describe the results you expected: I would expect the service to be updated if the digest for the image tag had changed.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:      17.06.0-ce
 API version:  1.30
 Go version:   go1.8.3
 Git commit:   02c1d87
 Built:        Fri Jun 23 21:23:31 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.06.0-ce
 API version:  1.30 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   02c1d87
 Built:        Fri Jun 23 21:19:04 2017
 OS/Arch:      linux/amd64
 Experimental: false

Output of docker info:

Containers: 5
 Running: 5
 Paused: 0
 Stopped: 0
Images: 17
Server Version: 17.06.0-ce
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 85
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: active
 NodeID: ******
 Is Manager: true
 ClusterID: ******
 Managers: 3
 Nodes: 3
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
  Force Rotate: 0
 Root Rotation In Progress: false
 Node Address: *****
 Manager Addresses:
  *****:****
  *****:****
  *****:****
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: cfb82a876ecc11b5ca0977d1733adbe58599088a
runc version: 2d41c047c83e09a6d61d464906feb2a2f3c52aa4
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-78-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.859GiB
Name: node-4
ID: BAGH:2ZZ3:XGP6:NHBX:UFLG:7CEN:FPDO:NYCB:DZSX:CIZN:2QG6:OQDK
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
 provider=digitalocean
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.): DigitalOcean hosted Docker swarm

About this issue

Original URL
State: open
Created 7 years ago
Comments: 15 (9 by maintainers)

Most upvoted comments

@thaJeztah @aaronlehmann is this something you are planning to fix?

We use a small docker service which automatically updates the images when they are updated on the registry. The problem is, that even though the service/container is mounted to /var/run/docker.sock the --with-registry-auth flag doesn’t work, and it gives me the following error:

image ${REGISTRY}/${IMAGE}:latest could not be accessed on a registry to record its digest. Each node will access ${REGISTRY}/${IMAGE}:latest independently, possibly leading to different nodes running different versions of the image.

All of these things worked fine in 17.05…

danieljuhl on Jul 25, 2017