[BAM-19731] Add Capability for 'Docker Runner' to connect to private image registry

      Problem Definition

      Currently, Docker Runner only connects to public Docker Image Registries to pull images from, such as hub.docker.com.

      Please add the capability to connect to private registries to pull images.

      Suggested Solution

      Allow auth to private registries through input credentials, or the Shared Credentials

      Workaround

      Remote Agents 

      Add the docker login command to the .profile of the Remote Agent user, for each Agent which will be using the Docker Runner build capability.

      docker login -u <username> -p <password> <registryhost:port>
      

      To keep from having passwords stored in plain text in a script, you can use the credential helper as outlined in the documentation for docker login.

      Elastic Agents

      1. From the top navigation bar select    > Elastic Bamboo > Image configurations.
      2. Select your preferred elastic image configuration and select edit 
      3. Scroll down to Instance startup script section.
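      4. Add the script below and save. Make sure to replace the placeholder values with the contents of your $HOME/.docker/config.json and your Artifactory URL.
        #!/bin/bash
        # Write the registry credentials into the bamboo user's Docker config.
        export HOME=/home/bamboo
        cd "$HOME" || exit 1
        # -p: do not fail (and skip the chmod) if .docker already exists
        mkdir -p .docker && chmod 700 .docker
        # Quoted 'EOF' stops the shell from expanding anything inside the JSON
        cat > .docker/config.json << 'EOF'
        {
            "auths": {
                "private_registry_URL": {
                    "auth": "AUTH_TOKEN"
                }
            }
        }
        EOF
        # The file holds a credential: readable by its owner only
        chmod 600 .docker/config.json
        chown -R bamboo:bamboo .docker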
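
The `auth` value in `config.json` is the Base64 encoding of `username:password`, so anyone who can read that file, or the startup script that writes it, can recover the credential; entries backed by `credsStore` or `credHelpers` keep it out of the file. The audit below is an added example (not Atlassian's code) that reports how each registry's credential is stored; the registry names, the account and the `ecr-login` helper entry are constructed sample values.

```python
import base64
import json

# Constructed sample: the shape the startup script writes, plus a helper-backed entry.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        # base64("ci-user:s3cret-pass"), a made-up credential
        "registry.example.internal:5000": {
            "auth": base64.b64encode(b"ci-user:s3cret-pass").decode()},
        "other.example.internal": {},
    },
    # "ecr-login" stands in for whichever helper is installed (assumption)
    "credHelpers": {"other.example.internal": "ecr-login"},
})


def audit_docker_config(text):
    """Return one finding per registry describing where its credential lives."""
    cfg = json.loads(text)
    helpers = cfg.get("credHelpers", {})
    default_store = cfg.get("credsStore")
    findings = []
    for registry, entry in sorted(cfg.get("auths", {}).items()):
        token, user, storage = entry.get("auth", ""), None, "none"
        if token:
            storage = "inline-unparsed"
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                decoded = ""
            name, sep, _password = decoded.partition(":")
            if sep:  # username:password recovered without any key
                storage, user = "inline-recoverable", name
        elif registry in helpers or default_store:
            storage = "helper:" + helpers.get(registry, default_store)
        findings.append({"registry": registry, "storage": storage, "user": user})
    return findings


if __name__ == "__main__":
    for finding in audit_docker_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against each agent's `/home/bamboo/.docker/config.json`; registries reported as `inline-recoverable` are the ones to move behind a credential helper.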

            Aron Rosenberg added a comment -

            Here is a relatively simple workaround for the lack of Authentication options on the Docker Runner.

            1. Create a two stage build. Call the 1st stage "Fetch the Container", and the 2nd stage "Build"
            2. Configure the 1st Stage to use an Agent Environment and have one job called "Fetch".
              1. Add a Docker task to the "Fetch" job.
                1. Set the Command to "Pull from a repository".
                2. Select custom registry and put your container URL in here including the version tag (You can use Bamboo variables if you want plan branches to pull different tags)
                3. Set the Authentication Type to your needed requirements (Shared credentials works well)
            3. Configure the 2nd Stage to use Docker as the runner
              1. Put the exact same container URL used in the 1st stage Docker Pull task as the "Docker Image" value.
            4. Add a new unique Requirement to the 1st and 2nd stage and make sure your agent has the same Requirement set on it. Using a Custom Requirement works great for this. This will force the same agent to be reused on each stage.

            This works because Docker pull just fetches the image into the machine local cache. When the 2nd stage goes to grab the container image, it is already in the local cache and thus doesn't need additional authentication.

            Nicolas Esteves added a comment - Any news?

            Krystian Brazulewicz added a comment -

            Atlassian Update

            Hi everyone,

            Thanks for your interest in this issue.
            This request is considered a potential addition to our longer-term roadmap.

            We'll typically review this request in about 6 months time, at which point we’ll consider whether we need to alter its status.

            For the nearest future we've decided to prioritise other areas of the Bamboo roadmap, including:

            1. Performance and stability improvements
            2. Providing building blocks for High Availability and Disaster Recovery solutions
            3. Improving permission system
            4. Allowing per-project allocation of resources
            5. Improving Bitbucket Server and Jira integrations

            You can learn more about our approach to highly voted server suggestions here.

            To learn more on how your suggestions are reviewed, see our updated workflow for server feature suggestions.

            Kind regards,
            Bamboo Team

            Sean Finn added a comment -

            Security matters. Agents shouldn't have access; only when a build plan runs should there be access. The security container is the build plan, not the build agent.

            Mike Eldridge added a comment - This would be really nice to have. Private container services are growing in popularity (Amazon Elastic Container Registry, Azure Container Registry, etc.).

            Warren added a comment -

            The workaround will not work unless the agent only ever connects to one private image registry.  The ability to use different registries or authentications would be very useful in companies.

              Unassigned Unassigned
              rwatson@atlassian.com Robert W (Inactive)
              Votes: 62
              Watchers: 48