Batch icon indicating copy to clipboard operation
Batch copied to clipboard
verified publisher icon Azure

Batch Pool does not support private org dockerhub repositories

Open arun-nemani opened this issue 4 years ago • 4 comments

Problem Description

Azure batch integration with dockerhub repositories during pool creation works as expected for public repositories (both user based and org based, but not for org private repositories. I have also confirmed that private repository connections work as expected when the target private repository is under the user dockerhub account, and the exact user login credentials are provided.

However, private dockerhub connections do not work as expected for organization based private repositories, where member dockerhub login credentials are provided.

Steps to Reproduce

Azure Batch --> Add Pool Image Type: Marketplace Publisher: microsoft-azure-batch Offer: ubuntu-server-container Sku: 20-04-lts Container Configuration:

  • Container image names: XXXXXXXXXX
  • Registry username: XXXXXX
  • Password: XXXXXX
  • Registry server: index.docker.io

Expected Results

Idle State for VM node upon Pool creation

Actual Results

Message - pull access denied for XXXXXXXX, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

Additional Comments

Further confirmations:

  • Confirmed dockerhub member access credentials are correct for the private repo housed under organization (confirmed via docker login and docker pull...
  • Confirmed dockerhub organization is correctly allowing read access to desired dockerhub team members.
  • Confirmed org repository when converted to public, works as expected on Azure Batch
  • Confirmed that simply converting org repository to private results in Pool errors on Azure Batch I have confirmed that if I make this repository named XXXXX when designates as public works as expected when creating a pool (even with registry username and password already specified). However, converting this repository to private, causes the error stated above.

arun-nemani avatar Apr 17 '21 15:04 arun-nemani

Tagging @bgklein and @staer.

alfpark avatar Apr 19 '21 17:04 alfpark

I got this to work by setting "registryServer": "docker.io" and, crucially, explicitly qualifying the registry in the container image name like docker.io/myorg/myrepo.

I suspect Batch might be naively looking for a domain component in the image name to match against the list of defined registries.

okofish avatar Oct 22 '21 22:10 okofish

thanks for the update, I'll take a look to see what is going on under the hood here

staer avatar Oct 26 '21 18:10 staer

I believe that I have identified the code at fault being the bit that maps the repository to authentication. As @okofish noted, a temporary workaround is to specify the full docker.io repository URL in the image name. I will work on a more permanent fix.

staer avatar May 03 '22 15:05 staer