coollabsio
[Bug]: pulling private gcr.io (Google Cloud Artifacts Registry) Docker image fails
Error Message and Logs
I'm unable to deploy a docker image from a private Google Cloud Artifacts Registry.
Through the Coolify UI, I opened a Terminal session on localhost and installed all the gcloud stuff successfully. Here, I can simply pull my docker image, e.g. docker pull gcr.io/my-project/app:latest, no problem.
However, when I create a new Resource, select Docker Image and set the Docker Image to the same gcr.io/my-project/app:latest and click Deploy on the Configuration page, I get the following error in my Deployment Logs:
error getting credentials - err: exec: "docker-credential-gcloud": executable file not found in $PATH, out:''
In the localhost terminal, which docker-credential-gcloud returns a valid path that is in my $PATH.
It appears that my setup through the localhost terminal is not applied to wherever the docker pull is executed.
Steps to Reproduce
Prerequisites: Clean Coolify instance, a private Docker container in the Google Artifacts Registry, and a GCP service account with Artiacts Registry Admin permissions (as key.json).
- Install gcloud through Coolify Terminal
- Authenticate this Service Account on your Coolify machine through the Coolify Terminal: Save key.json locally and authenticate with
gcloud auth activate-service-account --key-file key.json - Configure Docker using
gcloud auth configure-docker gcr.io - Test this first: In the Terminal, pull image manually
docker pull gcr.io/my-project/app:latest– this should succeed - In Coolify, create a new Resource > select Docker Image > set Docker Image to your repo
gcr.io/my-project/app:latest– this fails
Example Repository URL
No response
Coolify Version
v4.0.0-beta.380
Are you using Coolify Cloud?
No (self-hosted)
Operating System and Version (self-hosted)
Ubuntu 24
Additional Information
No response
Running into this same issue, though using beta.390 and the hosted version of coolify on an Ubuntu 24 server. I'm able to pull directly in the server terminal but the automated deploy process isn't able to successfully pull with that same "file not found in $PATH" error.
For anyone coming across this trying to use pre-built docker images in Github container registry (GHCR), OR trying to build your image in Coolify and have Coolify push it to your container registry, and getting any of the following types of errors:
error getting credentials - err: exec: "docker-credential-pass": executable file not found in $PATH, out:'' error getting credentials - err: exec: "docker-credential-secretservice": executable file not found in $PATH, out:'' error getting credentials - err: exec: "docker-credential-gcloud": executable file not found in $PATH, out:''
This is due to the fact that your image is being pulled/pushed NOT by your server, but inside of a running docker container managed by Coolify:
ghcr.io/coollabsio/coolify-helper:1.0.7 (or whatever version)
The code for that helper is in this repo, here: https://github.com/coollabsio/coolify/blob/main/.github/workflows/coolify-helper.yml
In order for coolify to use docker containers on your host, you must do a docker login as documented in this issue: https://github.com/coollabsio/coolify/issues/4604 (also here https://coolify.io/docs/knowledge-base/docker/registry#docker-credentials, but not as clear)
When you use docker login on the host, your .docker/config.json file is then mapped onto a volume on the coollabsio/coolify-helper docker image via the following command:
sudo docker run -d --network coolify --name [something] --rm -v /home/youruser/.docker/config.json:/root/.docker/config.json:ro -v /var/run/docker.sock:/var/run/docker.sock ghcr.io/coollabsio/coolify-helper:1.0.7
The OS in this helper DOES NOT CONTAIN the docker-credential-* helper packages, so you cannot use them on the host machine when you use docker login. If you use them on the host, the ~/.docker/config.json file will contain the credsSource value pointing to your helper. The helper does not contain those binaries, so the docker commands fail.
The simple solution is: Do not use those credential helpers on your host. Yes, you have to use docker login and allow it to store your credentials in plain text in config.json. Just make sure you've locked down the file only to the services that need it!
For the coolify maintainers -- this is a detectable situation where you can detect that the host has specified a docker-credentials-* helper that the coolify-helper does not support, and throw a useful error. You could even subsequently install them on the helper container once it boots :)
I have the same issue, but on AWS ECR, however the issue with AWS is that when using docker login, the credentials will expire in 12 hours, so you'd have to do it again.
It's possible to run a cronjob to do this, but it may be worthwhile to support this as it makes it easier to restore from a backup or to clone projects or servers via Coolify
Wouldn't it be better to allow coolify users specify the registry credentials per project?
Wouldn't it be better to allow coolify users specify the registry credentials per project?
I am trying to migrate clients onto coolify. Our current pipeline involves building of our docker images onto GCR through github actions. Since this is a private registry. Coolify should be able to allow application to specify registry credentials per project. The solution I see now is to set one generic credentials on the server to be used by all projects.
@codinronan This is exactly the issue I encountered and the fix was the same. Thanks! :) Hope coolify guys will fix this quite soon!
