moby: [1.12-rc4] Swarm can't pull from private repository

I’m using Google Container Registry to run some containers. I logged in on each worker node & manager using:

docker login -u oauth2accesstoken -e 123@1234.net https://asia.gcr.io
docker login -u oauth2accesstoken -e 123@1234.net https://gcr.io

But swarm still can’t pull the images. In the following case asia.gcr.io/ultimate-hydra-87508/web

Jul 20 13:47:18 ubuntu docker[21621]: time="2016-07-20T13:47:18.975571590Z" level=error msg="pulling image failed" error="Error: Status 403 trying to pull repository ultimate-hydra-87508/web: "Unable to access the repository: ultimate-hydra-87508/web; please verify that it exists and you have permission to access it (no valid credential was supplied)."" module=taskmanager task.id=7gatxj3x3doje61utoj5mae3w

I was able to run the containers after manually logging in and pulling the images on each machine. I would expect that swarm would be able to pull the images if it had logged in each machine. Is there something special that I need to do to make pulling work w/ swarm?

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 31 (18 by maintainers)

Most upvoted comments

docker login -u username -p password
docker pull containername:tag
docker service create --with-registry-auth containername:tag

@thaJeztah If the nodes do not store any credentials, how is this expected to work with tasks that are assigned afterwards, e.g. during a docker scale up (which has no --registry-auth flag) or during a rescheduling event caused by shutdown/crash of a node? In all of these cases it might be necessary to freshly pull an image on a node that wasn’t running an instance of the service before…

@IanLewis there’s no need to pass a value; that flag will pass the authentication information from the client to the nodes, so you need to log in first, and after that, you can create services (and the client will pass the authentication headers).

Note that when updating a service, you may need to pass that flag as well, because the authentication information is not stored on the nodes, and can be expired at the time you update a service.
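
A client-side preflight for the behaviour discussed in this thread, added here as an example and not code from the thread or from the Docker project: since --with-registry-auth forwards whatever the client is logged in with, it checks that the client's ~/.docker/config.json covers the image's registry host before building the `docker service create` call. The function names and the sample config contents are assumptions made for illustration.

```python
import json

DEFAULT_REGISTRY = "https://index.docker.io/v1/"  # key the Docker CLI uses for Docker Hub


def registry_host(image: str) -> str:
    """Return the registry part of an image reference, or Docker Hub's key."""
    first, sep, _ = image.partition("/")
    # The first path component is a registry only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY


def _bare(key: str) -> str:
    """Normalise config keys such as 'https://asia.gcr.io' to 'asia.gcr.io'."""
    return key.split("://", 1)[-1].rstrip("/")


def client_has_credentials(config: dict, image: str) -> bool:
    """True if the client config holds (or can fetch) credentials for the image's registry."""
    host = _bare(registry_host(image))
    if any(_bare(k) == host for k in config.get("credHelpers", {})):
        return True
    for key, entry in config.get("auths", {}).items():
        if _bare(key) == host:
            # With a credsStore the entry is empty and the secret lives in the store.
            return bool(entry.get("auth") or entry.get("identitytoken")
                        or config.get("credsStore"))
    return False


def service_create_argv(config: dict, image: str, name: str) -> list:
    """Build the `docker service create` call, refusing if the client is not logged in."""
    if not client_has_credentials(config, image):
        raise PermissionError(f"run `docker login {_bare(registry_host(image))}` first")
    return ["docker", "service", "create", "--with-registry-auth", "--name", name, image]


# Constructed sample of ~/.docker/config.json: logged in to asia.gcr.io only.
SAMPLE_CONFIG = json.loads(
    '{"auths": {"https://asia.gcr.io": {"auth": "Y29uc3RydWN0ZWQ6dG9rZW4="}}}'
)

if __name__ == "__main__":
    print(service_create_argv(SAMPLE_CONFIG, "asia.gcr.io/ultimate-hydra-87508/web", "web"))
```

The same check applies before `docker service update --with-registry-auth`, because a login for gcr.io does not cover asia.gcr.io and a forwarded token can have expired by then.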