Comments (12)
@s093294 I think this is happening because registry credentials are saved in root's $HOME (/root/.docker) simply because the extension runs as root. Your user's (pksorensen) $HOME is different (/home/pksorensen/.docker).
If you pull the ascend/tiling image via Azure Docker Extension, it should work. If you want to run docker commands as your user, you should probably login again using docker login or switch to root (sudo -i).
from azure-docker-extension.
In other words, this is by design for now. If you think you could work around this easily, then we may keep it as it is. If you have a good use case for it, then we might perhaps find a way to pass the credentials to the non-root user as well.
from azure-docker-extension.
Yeah, it's okay for now. I am also in the design phase and could consider running everything under sudo -i.
One use case where it would be nice if the credentials were also populated to the active user is the swarm cluster setup (which is the one I am using at the moment), when each slave node is logged in using the docker extension.
When sshing into one of the masters - I wonder if doing sudo run on the master with DOCKER_HOST configured for the manager, if swarm will also be using sudo on the slave nodes for running (I would assume not).
In my ARM template, I do have the adminusername, so if it's a simple matter of copying the content of /root/.docker to /home/adminusername/.docker I could do this in a custom script extension.
from azure-docker-extension.
@s093294 I suggest establishing an SSH tunnel to the swarm manager from your development machine instead of actually SSHing and setting DOCKER_HOST etc. to manage the swarm cluster. The docker-swarm ARM template we have has output commands (such as "sshTunnelCmd") that allow you to easily establish a tunnel to the cluster.
If you create a swarm cluster with the extension (what docker-swarm ARM template does), the slave nodes should be picking up the credentials. This is the case because the docker engine is started as root and it'll pick up the credentials supplied and swarm manager will directly talk to docker engine. (It doesn't matter if you do sudo docker run targeting swarm manager; manager does not store any registry credentials).
Right now, setting environment variables etc. on the master managers seems like a bit out of scope for the Azure Docker Extension (as it is more general purpose than the docker-swarm ARM template and has no notion of Swarm) and it certainly increases the surprise factor for any user of the extension (not to mention it will probably break existing users' environments).
We can continue discussing whether we should populate the environment/credentials for the swarm template on email if you like. I believe it will be better to stick with the recommended method (SSH tunnels) to manage swarm clusters.
from azure-docker-extension.
I agree that the docker extension should not add environment variables.
I added a CustomScriptForLinux extension to all master nodes with the following command:
"commandToExecute": "/bin/bash -c 'echo \"DOCKER_HOST=:2375\" >> /etc/environment'"
Then it defaults for me to the swarm manager when sshing in or when I use SshClient from C#:
using (var client = new SshClient(host, 2200, "pksorensen", new PrivateKeyFile(File.OpenRead(@"C:\dev\pksorensen.oss"))))
{
    client.Connect();
Now docker info gives the cluster info.
    var infohost = client.RunCommand("docker info");
Now running a command that relies on an image in the private hub.
    var commandb = string.Format("docker run --rm -i -m 1536M {0} ascend/tiling /bin/bash -c \"cd /;mkdir /dataout;AscendTiling /data1/{1} /dataout {3} {4} {5};tar -zcvf {2} -C /dataout .;mv /{2} /data1/{2}\"",
        string.Join(" ", CreateVolume(tileAShareOut, "data1")), tileName, zipName, xstart / 256, ystart / 256, maxZoom - 6/*// 16384 is 6 zoom lvlz */);
    var infob = RunCommand(commandb, client);
It fails with
Error response from daemon: Error: image ascend/tiling:latest not found
which is the same experience if one sshed into the node and ran the command as the current user. So root has been signed in but not the "adminusername". I then conclude that when running docker run on the swarm manager, the run commands on the slave nodes are not run under the root account as you indicate.
If I ssh in and do docker login as "adminusername" on all 3 slaves, then the above commands work as expected.
Let me know if you don't get the same experience, otherwise I will just debug a bit more at the end of the week.
from azure-docker-extension.
@s093294 You are indeed correct. docker login credentials are not persisted into the docker-engine, they are just read from $HOME/.docker/config.json when the caller does a docker push.
For now, the private images used in "compose" section of the extension configuration JSON would work fine as docker-compose is invoked as root. This is the automation part of the story.
However it looks like your use case is more manual and it involves SSHing into the VM, doing docker pull for private repositories in there. Is that right? I am just trying to understand the use case, I see no problem in implementing the feature as long as it makes sense and does not pose security risks.
from azure-docker-extension.
My goal is to use a docker swarm cluster to execute our GIS-heavy algorithms, as it simplifies the process of moving what our engineers are working with into production, as we can distribute it as docker containers.
These docker containers are hosted in a private registry.
I then want to incorporate the management part of scheduling/running the algorithms into our services, such as our C#/.NET backend, which opens an SSH connection and executes the docker run commands, which are then distributed using docker swarm manager behind the scenes.
But as I see it right now, I do not require any changes to the docker extension. I can simply add a custom linux extension that copies over the root/.docker/ to adminusername/.docker/ etc. I could also just do a docker login when signed in the first time.
I do however see that it would make sense if there were two scopes in the docker extension, that allowed both being able to do docker login for root for private images in the compose step, but also to execute a docker login for the adminusername.
Something like
"protectedSettings": {
    "login": [
        { // For docker compose setup
            "username": "pksorensen",
            "password": "***",
            "email": "***"
        },
        { // For when signed in as user.
            "user": "[parameters('adminUsername')]",
            "username": "pksorensen",
            "password": "***",
            "email": "***"
        }
    ]
},
The motivation for having it be part of the template is that then it's my responsibility when setting up the infrastructure and I do not have to share credentials with developers that work on the services on top of the docker swarm.
Hope the information helps.
from azure-docker-extension.
I copied over the credentials to the current user and when on a swarm-node, I can do the docker pull and it fetches the images from the private registry.
But when doing a docker pull from the manager I still run into the issue:
pksorensen@swarm-master-1:~$ docker pull ascend/tiling
Using default tag: latest
swarm-node-2: Pulling ascend/tiling:latest... : Error: image ascend/tiling:lates
swarm-node-0: Pulling ascend/tiling:latest... : Error: image ascend/tiling:lates
Error: image ascend/tiling:latest not found
I am guessing this is not directly related to the azure docker extension and wonder if I should try to create issues on docker instead.
It's unclear to me if it's not supported to pull images from a private registry from swarm manager.
from azure-docker-extension.
Now that I know what to google for I found all the answers I needed.
docker-archive/classicswarm#374 has the backlog discussion and docker-archive/classicswarm#1384 seems to have the solution that is part of 1.0.1
from azure-docker-extension.
@s093294 great to hear it is getting resolved.
Another point to watch out for is if you just copy from /root/.docker/config.json, the file probably will have root:root and 0600/-rw------- permissions. When you run the docker client as azureuser, it may fail to read, so you may need to chown it.
from azure-docker-extension.
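The copy discussed in this thread, written so the credential file changes owner without ever becoming readable by other users. This is an added example, not code from the thread or from the linked gist; the function names copy_docker_config and perms are hypothetical, and the owner and group arguments may be names or numeric IDs.

```shell
#!/bin/sh
# Added example (not from the thread): give another user a copy of a Docker
# client credential file while keeping it private to that user.
# As root: copy_docker_config /root/.docker/config.json /home/azureuser azureuser azureuser

copy_docker_config() {
    src=$1        # e.g. /root/.docker/config.json
    dest_home=$2  # target user's home directory
    owner=$3      # target user (name or numeric uid)
    group=$4      # target group (name or numeric gid)

    [ -f "$src" ] || { echo "missing source: $src" >&2; return 1; }
    [ -d "$dest_home" ] || { echo "missing home: $dest_home" >&2; return 1; }

    dest_dir=$dest_home/.docker

    # The destination lives in a directory the target user controls and this
    # runs as root, so refuse to write through a symlink found there.
    if [ -L "$dest_dir" ] || [ -L "$dest_dir/config.json" ]; then
        echo "refusing to write through symlink in $dest_dir" >&2
        return 1
    fi

    # install applies mode and ownership as part of the copy, instead of a
    # cp followed by a later chown/chmod that leaves a window with the
    # wrong owner or mode.
    install -d -m 0700 -o "$owner" -g "$group" "$dest_dir" || return 1
    install -m 0600 -o "$owner" -g "$group" "$src" "$dest_dir/config.json"
}

# Permission string of a path as ls prints it, e.g. -rw-------
perms() {
    ls -ld "$1" | cut -c1-10
}
```

After running it, perms on the copied config.json should read -rw-------, the same mode the root-owned original has, with the target user as owner.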
Thanks @ahmetalpbalkan for the note, I did do that too.
For reference my scripts are here: https://gist.github.com/s093294/0f1b72d497dc2c84233a
from azure-docker-extension.
The Docker extension has been deprecated.
from azure-docker-extension.