ansible-collections / community.docker

Community Docker Collection for Ansible: modules and plugins for working with Docker
https://galaxy.ansible.com/ui/repo/published/community/docker//
GNU General Public License v3.0

Failure to pull with docker_compose_v2 despite authenticating previously #851

Open milongo opened 2 months ago

milongo commented 2 months ago
SUMMARY

Pulling from private registry doesn't work after doing docker login

ISSUE TYPE
COMPONENT NAME

community.docker.docker_login and community.docker.docker_compose_v2 / community.docker.docker_compose_v2_pull module

ANSIBLE VERSION
ansible [core 2.16.6]
  config file = /Users/milongo/LocalDocs/horoma/devops-iac-automation/ansible.cfg
  configured module search path = ['/Users/milongo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/milongo/miniconda3/envs/devops-iac/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/milongo/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/milongo/miniconda3/envs/devops-iac/bin/ansible
  python version = 3.10.14 (main, Mar 21 2024, 11:21:31) [Clang 14.0.6 ] (/Users/milongo/miniconda3/envs/devops-iac/bin/python3.10)
  jinja version = 3.1.3
  libyaml = True

COLLECTION VERSION
# /Users/milongo/miniconda3/envs/devops-iac/lib/python3.10/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 8.6.0 

CONFIGURATION
CONFIG_FILE() = /Users/milongo/LocalDocs/horoma/devops-iac-automation/ansible.cfg
EDITOR(env: EDITOR) = nano
PAGER(env: PAGER) = less

OS / ENVIRONMENT

STEPS TO REPRODUCE

- name: Run docker pipeline
  hosts: "{{ target }}"
  vars:
    registry_url: "{{ ecr_registry_url }}"
  tasks:
    - name: Get ansible user data
      ansible.builtin.user:
        name: "{{ ansible_user }}"
        state: present
      register: user_details

    - name: Docker login to AWS ECR
      community.docker.docker_login:
        state: present
        username: "AWS" # change this depending on private repository
        password: "{{ ecr_login_password }}"
        registry_url: "{{ registry_url }}"
      changed_when: true

    - name: Docker compose repo
      community.docker.docker_compose_v2:
        project_src: "{{ user_details.home }}/{{ path_to_repos }}/repo"
        state: "present"

EXPECTED RESULTS

After logging in, successfully being able to pull my images in the private repository.

ACTUAL RESULTS

Failure to authenticate

fatal: [18.208.187.13]: FAILED! => {"actions": [{"id": "my-image", "status": "Pulling", "what": "service"}], "changed": false, "cmd": "/snap/bin/docker compose --ansi never --progress plain --project-directory /home/ubuntu/docker/my-image up --detach --no-color --quiet-pull --", "containers": [], "images": [], "msg": "Error when processing my-image: Error response from daemon: Head \"[https://account-id.dkr.ecr.region.amazonaws.com/v2/my-image/manifests/latest\](https://account-id.dkr.ecr.region.amazonaws.com/v2/my-image/manifests/latest%5C)": no basic auth credentials", "rc": 18, "stderr": " my-image Pulling \n my-image Error \nError response from daemon: Head \"[https://account-id.dkr.ecr.region.amazonaws.com/v2/my-image/manifests/latest\](https://account-id.dkr.ecr.region.amazonaws.com/v2/my-image/manifests/latest%5C)": no basic auth credentials\n", "stderr_lines": [" my-image Pulling ", " my-image Error ", "Error response from daemon: Head \"[https://account-id.dkr.ecr.region.amazonaws.com/v2/my-image/manifests/latest\](https://account-id.dkr.ecr.region.amazonaws.com/v2/my-image/manifests/latest%5C)": no basic auth credentials"], "stdout": "", "stdout_lines": []}

felixfontein commented 2 months ago

The docker_compose_v2(_pull) module doesn't do anything other than run docker compose. If that isn't able to pull from the registry, then it's a problem with your docker setup or the way you log in to the registry.

You're using the docker_login module to authenticate. That module verifies that the credentials are correct by using the /auth endpoint of the Docker daemon, and stores the credentials in the credential store (which one that is depends on your Docker config file).

Now docker_compose_v2(_pull) can only use the credentials if it has access to the same credential store that docker_login stored them in. You are running Docker CLI from a Snap. My guess is that your Docker CLI setup does not use the same credentials store as docker_login (which uses code from Docker SDK for Python for accessing the credentials store).
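
Added example, not part of the original thread and not code from community.docker: a small diagnostic for the mismatch described in the comment above. It reports where a Docker client reading a given `config.json` would look up credentials for a registry (`credHelpers`, then `credsStore`, then inline `auths`) and whether two config files resolve to the same source. The function names, the file names and the sample configs are assumptions constructed for illustration.

```python
import json
import os
import tempfile
from pathlib import Path


def default_config():
    """Config file a Docker client uses in this environment."""
    base = os.environ.get("DOCKER_CONFIG") or Path.home() / ".docker"
    return Path(base) / "config.json"


def _host(key):
    """Reduce an 'auths' key such as https://host/v1/ to its host part."""
    return key.split("://", 1)[-1].split("/", 1)[0]


def credential_source(config_path, registry):
    """Where a client reading config_path looks for registry credentials."""
    path = Path(config_path)
    if not path.is_file():
        return ("missing-config", str(path))
    cfg = json.loads(path.read_text())
    helper = (cfg.get("credHelpers") or {}).get(registry)
    if helper:  # a per-registry helper takes precedence
        return ("credHelper", "docker-credential-" + helper)
    if cfg.get("credsStore"):  # then the global credential store
        return ("credsStore", "docker-credential-" + cfg["credsStore"])
    for key, entry in (cfg.get("auths") or {}).items():
        if _host(key) == registry and (entry.get("auth") or entry.get("identitytoken")):
            return ("inline-auth", str(path))
    return ("none", str(path))


def same_store(config_a, config_b, registry):
    """True only if both clients resolve to one usable credential source."""
    a = credential_source(config_a, registry)
    b = credential_source(config_b, registry)
    return a == b and a[0] not in ("none", "missing-config")


def demo():
    """Constructed sample: login wrote to one config, the CLI reads another."""
    reg = "account-id.dkr.ecr.region.amazonaws.com"  # placeholder from the issue
    tmp = Path(tempfile.mkdtemp())
    module_cfg, cli_cfg = tmp / "module.json", tmp / "cli.json"
    module_cfg.write_text(json.dumps({"auths": {reg: {"auth": "QVdTOmR1bW15"}}}))  # dummy value
    cli_cfg.write_text(json.dumps({"auths": {}}))
    return (credential_source(module_cfg, reg)[0],
            credential_source(cli_cfg, reg)[0],
            same_store(module_cfg, cli_cfg, reg))


if __name__ == "__main__":
    print(default_config(), demo())
```

Running `default_config()` once in the environment the Ansible module's Python process uses and once in the environment of the Docker CLI binary shows whether the two read the same file at all.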

milongo commented 2 months ago

Thank you for the answer! I'm not modifying the CLI setup as far as I know. How do I get the docker CLI setup to use the same credentials store as docker_login?

felixfontein commented 2 months ago

Usually they do use the same context, unless you changed something. Are you maybe using Docker contexts? (I.e. does docker context ls show something other than default?)

milongo commented 2 months ago

No...

docker context ls
NAME        DESCRIPTION                               DOCKER ENDPOINT               ERROR
default *   Current DOCKER_HOST based configuration   unix:///var/run/docker.sock

felixfontein commented 2 months ago

In that case, no idea. I cannot replicate this with a regular registry.

milongo commented 2 months ago

Thanks for the help. Any idea what I can try to progress? Are you able to authenticate to a private registry the same way I am doing it?

felixfontein commented 2 months ago

If you run docker login with ansible.builtin.command, does a subsequent community.docker.docker_compose_v2 then work?

> are you able to authenticate to a private registry the same way I am doing it?

Yes, it works for me.

BTW, I noticed that in the error message you posted:

fatal: [18.208.187.13]: FAILED! => {"actions": [{"id": "my-image", "status": "Pulling", "what": "service"}], "changed": false, "cmd": "/snap/bin/docker compose --ansi never --progress plain --project-directory /home/ubuntu/docker/my-image up --detach --no-color --quiet-pull --", "containers": [], "images": [], "msg": "Error when processing my-image: Error response from daemon: Head \"https://account-id.dkr.ecr.region.amazonaws.com/v2/my-image/manifests/latest\": no basic auth credentials", "rc": 18, "stderr": " my-image Pulling \n my-image Error \nError response from daemon: Head \"https://account-id.dkr.ecr.region.amazonaws.com/v2/my-image/manifests/latest\": no basic auth credentials\n", "stderr_lines": [" my-image Pulling ", " my-image Error ", "Error response from daemon: Head \"https://account-id.dkr.ecr.region.amazonaws.com/v2/my-image/manifests/latest\": no basic auth credentials"], "stdout": "", "stdout_lines": []}

there is a backslash \ (%5C in the quoted URL) at the end of the URL, which looks to be part of the tag. Could it be that you have a problem somewhere else, like a backslash showing up in the image's tag that shouldn't be there?