dockerfile-maven icon indicating copy to clipboard operation
dockerfile-maven copied to clipboard
verified publisher icon spotify

Cannot push to ECR

Open hauntingEcho opened this issue 5 years ago • 2 comments

Is this a BUG REPORT or FEATURE REQUEST?: Bug report

Description

Cannot push images to ECR. I've tried using 1.3.3 and using docker-client version 8.10 per this old issue, but neither can connect to my docker client.

How to reproduce

  1. set dockerfile.repository per ECR's required structure
  2. provision the repo if needed: aws ecr create-repository --repository-name "$(mvn help:evaluate "-Dexpression=dockerfile.repository" -q -DforceStdout)"
  3. use your ${ecr_name} in the command aws ecr get-login-password | docker login --username AWS --password-stdin "${ecr_name}"
  4. mvn package
  5. mvn dockerfile:push - fails
  6. docker push "$(mvn help:evaluate "-Dexpression=dockerfile.repository" -q -DforceStdout):$(mvn help:evaluate "-Dexpression=dockerfile.tag" -q -DforceStdout)" - succeeds

What do you expect

mvn dockerfile:push succeeds whenever docker push would

What happened instead

push fails with error

org.apache.maven.plugin.MojoExecutionException: Could not push image
    at com.spotify.plugin.dockerfile.PushMojo.execute (PushMojo.java:90)
    at com.spotify.plugin.dockerfile.AbstractDockerMojo.tryExecute (AbstractDockerMojo.java:265)
    at com.spotify.plugin.dockerfile.AbstractDockerMojo.execute (AbstractDockerMojo.java:254)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: com.spotify.docker.client.exceptions.DockerException: no basic auth credentials
    at com.spotify.plugin.dockerfile.LoggingProgressHandler.handleError (LoggingProgressHandler.java:105)
    at com.spotify.plugin.dockerfile.LoggingProgressHandler.progress (LoggingProgressHandler.java:63)
    at com.spotify.docker.client.ProgressStream.tail (ProgressStream.java:77)
    at com.spotify.docker.client.DefaultDockerClient$ResponseTailReader.call (DefaultDockerClient.java:2754)
    at com.spotify.docker.client.DefaultDockerClient$ResponseTailReader.call (DefaultDockerClient.java:2738)
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
    at java.lang.Thread.run (Thread.java:748)

Software:

  • docker version:
Client: Docker Engine - Community
 Cloud integration: 1.0.2
 Version:           19.03.13
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        4484c46d9d
 Built:             Wed Sep 16 17:00:27 2020
 OS/Arch:           windows/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.13
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       4484c46d9d
  Built:            Wed Sep 16 17:07:04 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.3.7
  GitCommit:        8fba4e9a7d01810a393d5d25a3621dc101981175
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
  • Spotify's dockerfile-maven version: 1.4.13

hauntingEcho avatar Dec 07 '20 17:12 hauntingEcho

I know this is an old Issue, but I ran into this today with 1.4.13 and spent too much time troubleshooting it.

TL;DR - updating .docker/config.json to use credsStore=ecr-login is easiest. It also needs to have the registry in the auths section.

{
	"auths": {
                 "12345.dkr.ecr.us-east-2.amazonaws.com": {}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.09.0 (windows)"
	},
	"credsStore": "ecr-login"
}

I use the AWS Tools for PowerShell, but I suspect we have a similar problem. To authenticate I run: Invoke-Expression -Command (Get-ECRLoginCommand -Region us-east-2).Command

My .docker/config.json was auto-generated when I logged in, with these contents after I deleted the file and let docker re-create it.

{
	"auths": {
		"12345.dkr.ecr.us-east-2.amazonaws.com": {}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.09.0 (windows)"
	},
	"credsStore": "wincred"
}

Pushing with this failed, so I ran maven with the -X flag for debug output and saw the call to docker-credential-wincred get.

Stepping through the plugin execution in an attached debug session I saw ConfigFileRegistryAuthSupplier.authFor try the https variant and fail because docker-credential-wincred doesn't have that registry, as confirmed with

echo https://12345.dkr.ecr.us-east-2.amazonaws.com | docker-credential-wincred get

Trying without the protocol works:

echo 12345.dkr.ecr.us-east-2.amazonaws.com | docker-credential-wincred get

The plugin then tried without the protocol (yay!), but because config.json has a stub entry for that name DockerConfigReader.authForRegistry returned the empty object with no auth info and never reached the credsStore piece.

These options don't work:

  • add the https:// repository url to the auths section
  • remove the auths section - the build process fails when DockerConfigReader.authForAllRegistries doesn't add the credsStore since hasAuths is now false
  • add a stub entry to auths for a different name - the build fails since DockerConfigReader.authForAllRegistries only adds the credsStore for the registries named in the auths section

I believe these to be bugs:

  • The build path works properly and uses the authForAllRegistries, but the push path doesn't do the same.
  • DockerConfigReader.authForRegistry should check for empty auth and then fallback to credsStore

chrisxaustin avatar Sep 15 '21 19:09 chrisxaustin

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jan 09 '22 04:01 stale[bot]