I’m having issues deploying a Docker container hosted on a private ECR registry to Nomad.
The job always fails with the following message: (haven’t found any more logs on this)
Driver Failure:
Failed to find docker auth for repo “<aws_id>.dkr.ecr.<aws_region>.amazonaws.com/”: docker-credential-ecr-login with input “<aws_id>.dkr.ecr.<aws_region>.amazonaws.com/<image_name>” failed with stderr:
I’m configuring the Docker authentication via the plugin stanza in my client configs.
At first I tried to use AWS configuration files (in both root & nomad user home directories), but this does not seem to work in Nomad, although docker-credential-ecr-login returns valid authentication credentials.
$ export HOME=/home/nomad
$ echo "<aws_id>.dkr.ecr.<aws_region>.amazonaws.com/<image_name>"|docker-credential-ecr-login get
The docker-credential-ecr-login binary is placed in /user/bin so it is available to the nomad user.
Adding the AWS authentication credentials to the nomad systemd service via environment variables (suggested in this issue) also did not change anything:
[Service]
Environment=AWS_ACCESS_KEY_ID=***
Environment=AWS_SECRET_ACCESS_KEY=***
… but still works in CLI…
$ export AWS_ACCESS_KEY_ID=***
$ export AWS_SECRET_ACCESS_KEY=***
$ echo "<aws_id>.dkr.ecr.<aws_region>.amazonaws.com/<image_name>"|docker-credential-ecr-login get
Update: I’ve discovered that the nomad systemd service specifies an EnvironmentFile at /etc/nomad.d/nomad.env. Appending the AWS env vars to this file also did not change anything.
How can I debug the output of Nomad’s Docker authentication command, since I’m not gaining any more information than “failed with stderr:”?
Thanks!
AWS CLI Version: aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-104-generic botocore/1.16.19
Nomad version: Nomad v1.2.6
docker-credential-ecr-login version: 0.3.1
Docker version: 20.10.13
job.hcl
job "<name>" {
  datacenters = ["dc1"]
  group "web" {
    count = 2
    task "<app>" {
      driver = "docker"
      config {
        image = "<aws_id>.dkr.ecr.<aws_region>.amazonaws.com/<image_name>:<tag>"
      }
    }
  }
}
server.hcl
datacenter = "dc1"
data_dir = "/opt/nomad"
bind_addr = "0.0.0.0"
advertise {
  # ...
}
server {
  enabled = true
}
client {
  enabled = true
}
plugin "docker" {
  config {
    auth {
      config = "/etc/docker/config.json"
    }
  }
}
There’s also a (deprecated) way of configuring the Docker plugin via client.options.*** which also did not work for me.
/etc/docker/config.json
{
  "credHelpers": {
    "<aws_id>.dkr.ecr.<aws_region>.amazonaws.com": "ecr-login"
  }
}
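One way to make the helper's stderr and exit status visible is to run it without the login shell's variables, passing only what the service's environment file provides. This is an added example, not part of the original post; the function name `run_helper_clean`, the fallback PATH and the plain unquoted KEY=VALUE parsing of the environment file are assumptions.

```shell
#!/bin/sh
# Added example: run a Docker credential helper with an empty environment plus
# the variables from a systemd-style EnvironmentFile, keeping its stderr.
#
# Usage: run_helper_clean ENVFILE HELPER SERVER ERRFILE
#   ENVFILE  file with KEY=VALUE lines (assumption: no quoting, no "export")
#   HELPER   credential helper binary, e.g. docker-credential-ecr-login
#   SERVER   registry string passed to the helper on stdin
#   ERRFILE  where the helper's stderr is written
# Prints the helper's exit status. The helper's stdout is discarded because
# on success it contains the registry credentials.
run_helper_clean() {
    envfile=$1 helper=$2 server=$3 errfile=$4

    # Start from a minimal PATH only; HOME, AWS_* and everything else exported
    # in the interactive shell are deliberately not carried over.
    set -- "PATH=/usr/local/bin:/usr/bin:/bin"

    if [ -r "$envfile" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*) continue ;;          # skip blank lines and comments
                *=*) set -- "$@" "$line" ;;   # pass KEY=VALUE through to env
            esac
        done < "$envfile"
    fi

    status=0
    printf '%s\n' "$server" \
        | env -i "$@" "$helper" get >/dev/null 2>"$errfile" || status=$?
    echo "$status"
}

# Example call with the paths from the post (run as the user the agent runs as):
#   run_helper_clean /etc/nomad.d/nomad.env docker-credential-ecr-login \
#       "<aws_id>.dkr.ecr.<aws_region>.amazonaws.com/<image_name>" /tmp/ecr-helper.err
#   cat /tmp/ecr-helper.err
```

A non-zero status together with the contents of the error file shows what the helper reports when it only has the environment file's variables, which can differ from a run in a shell where `HOME` or `AWS_*` were exported by hand.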