community REQUEST: Create new Docker Hub repository: otel/opentelemetry-collector-ebpf-profiler

In https://github.com/open-telemetry/opentelemetry-collector-releases/pull/958, we start releasing a Collector distribution meant to use the eBPF Profiler.

We need to create the otel/opentelemetry-collector-ebpf-profiler Dockerhub repository to be able to have Docker releases of this new distribution. See https://github.com/open-telemetry/opentelemetry-collector-releases/pull/973

cc @bogdandrutu @mx-psi

Jun 10 '25 08:06 dmathieu

I support

Jun 10 '25 08:06 mx-psi

I've created the docker repo: https://hub.docker.com/repository/docker/otel/opentelemetry-collector-ebpf-profiler

And I've created an org secret named DOCKER_TOKEN_COLLECTOR_RELEASES and given access to that secret to https://github.com/open-telemetry/opentelemetry-collector-releases

We're going away from using a global docker token that all github repos use, so if you need access to any other docker repos from https://github.com/open-telemetry/opentelemetry-collector-releases just ask here and we can give the token stored in DOCKER_TOKEN_COLLECTOR_RELEASES access to other docker repos.

Jun 12 '25 21:06 trask

so if you need access to any other docker repos from https://github.com/open-telemetry/opentelemetry-collector-releases just ask here and we can give the token stored in DOCKER_TOKEN_COLLECTOR_RELEASES access to other docker repos.

Does this change affect existing repos? Will this affect our exsiting release process?

Jun 13 '25 07:06 mx-psi

Does this change affect existing repos? Will this affect our exsiting release process?

This is only for new requests currently. At some point we'll set up repo-scoped tokens for everyone who is using the global token today, and ensure the global token is no longer in use before we delete it.

Jun 13 '25 14:06 trask

How about giving access to all the containers collector-releases currently ships, so we can switch the secret globally rather than adding more configuration?

That would be:

opentelemetry-collector-contrib
opentelemetry-collector-k8s
opentelemetry-collector-otlp
opentelemetry-collector-ebpf-profiler
opentelemetry-collector

Jun 16 '25 09:06 dmathieu

@dmathieu sure! this is done now

Jun 16 '25 20:06 trask

The otel/opentelemetry-collector-opampsupervisor image is missing from the list above, @trask could you please also add that to the token permissions :)

Jun 17 '25 07:06 mowies

The otel/opentelemetry-collector-opampsupervisor image is missing from the list above, @trask could you please also add that to the token permissions :)

done

Jun 17 '25 16:06 trask

using the new docker token just failed during the collector release process :( see this workflow for example: https://github.com/open-telemetry/opentelemetry-collector-releases/actions/runs/15999727854/job/45131370392 @trask could you please double check if we definitely have access to the DOCKER_TOKEN_COLLECTOR_RELEASES secret in the collector-releases repo? and that the repo has correct permissions? did the docker username change that we should use?

Jul 01 '25 13:07 mowies

hm, it seems set up ok

I see this in the docker UI:

opentelemetry-collector-releases last accessed Jul 01, 2025 at 05:47:39

I'm assuming that means last successfully accessed(?)

can you correlate that time (assuming its either PDT or UTC) with any of your runs?

Jul 02 '25 15:07 trask

That seems to be the time of the failed run linked above (Jul 1 12:47 UTC). Is this accesses for the new token only? Because one job hadn't been updated properly and used the old token successfully at that time.

Jul 02 '25 15:07 jade-guiton-dd

Yes that time was for the new token specifically

Jul 02 '25 15:07 trask

@open-telemetry/ebpf-instrumentation-maintainers is your token working? I think you're the only other repo using the new token setup

Jul 02 '25 15:07 trask

@jade-guiton-dd it's certainly possible I made a copy paste snafu when adding your token. I'm on phone currently, but I can reset it later if you don't find anything

Jul 02 '25 15:07 trask

Hi @trask ! Yes, our DOCKER_TOKEN_EBPF_INSTRUMENTATION is working well for interactions with Docker Hub.

Jul 02 '25 15:07 mariomac

@jade-guiton-dd I sent https://github.com/open-telemetry/opentelemetry-collector-releases/pull/1004 to verify the new token. if that fails, I'll regenerate the token and copy it over again

Jul 07 '25 03:07 trask

@trask the test failed: https://github.com/open-telemetry/opentelemetry-collector-releases/actions/runs/16111433703/job/45455661355

Jul 07 '25 08:07 mowies

I think we got it sorted. For future reference, when migrating from the old token to the new token, we also need to change the username reference to the org-level ${{ vars.DOCKER_USERNAME }} (which is just otel).

At least in the collector-releases repo, it was pointing to a repo-level secret ${{ secrets.DOCKER_USERNAME }} which I believe was someone's personal docker account.

e.g.

      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ vars.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN_COLLECTOR_RELEASES }}

Jul 07 '25 15:07 trask

Closing, but don't hesitate to reach out if any further issues, thanks!

Jul 08 '25 19:07 trask

@trask the collector release failed again because of some missing permission. maybe we missed the builder dockerhub repo in the permissions. here's the failed release pipeline run: https://github.com/open-telemetry/opentelemetry-collector-releases/actions/runs/16615968814/job/47008596598#step:13:85

Jul 30 '25 07:07 mowies

@mowies it's failing on opentelemetry-collector-builder because that wasn't in the requests above, I've added it now to your token

Jul 30 '25 14:07 trask

yes, i must have overlooked it :( thanks! we'll try again with the new token

Jul 31 '25 06:07 mowies