Support private docker images

[mrocklin]

A user asked in a private channel:

Is there a way to pass a private image to Coiled? I noticed Coiled supports images from DockerHub, I guess my question is if we can pass a private image?

Today the answer is "unfortunately not". You can create a software environment from a docker image that our account can see (dockerhub or our ECR repository), or you could build a software environment from public packages and also private github accounts if you register a github auth token.

Supporting private docker images makes a lot of sense though. We would need to have access to that image repository. This probably leads to the larger discussion in #67 .

[matthiasdv]

The motivation behind this question was that most companies will have a private docker image available to run Dask clusters on. Typically containing private PyPi packages. While using the Software Environment functions to build this image inside Coiled is feasible, support for private images would speed up the process of getting Coiled up and running in an organisation.

[necaris]

The current reason that this isn't possible is because our worker nodes don't have access to the private Docker repositories. I can see a couple of immediate solutions, and would be interested in thoughts on either:

• storing long-lived credentials for private Docker repositories on the User / Account level -- potentially the most convenient for spinning up a cluster, but the most security concern for us
• passing in short-lived credentials in the coiled.Cluster() initializer -- security concerns can be mitigated by limiting access on our side and duration on the other, but this is much less convenient for the user
  • We could also allow storing the credentials in the coiled.yaml configuration, so that we have short-lived access but the user (or whoever's managing e.g. their JupyterHub instance) could conveniently store longer-lived tokens locally and we would not have access to them.

[mrocklin]

@necaris is this done?

[necaris]

@mrocklin we're working on it! We can currently already handle:

• private AWS ECR repositories through IAM permissions on AWS (using users' AWS accounts)
• private GCP registry through IAM permissions on GKE

We're working on option (1) from above, where we store private Docker repository credentials (testing with Docker Hub) encrypted and per-Account, and hope to release it in the next couple of weeks.

[matthiasdv]

@necaris That's super interesting, thanks for the reply. Is there a way for us to use the AWS ECR option at the moment?

[necaris]

@matthiasdv sorry for the delay here -- if you're using Coiled right now you're already using the AWS ECR option, just through our account; you can give us limited access to your AWS account and use that same option within your account as well. Please see https://docs.coiled.io/user_guide/backends.html#aws for more details :smile:

[FabioRosado]

We currently support private docker images if the user-provided docker hub credentials. I believe we can now close this issue

[bennnym]

Is there any documentation around this @FabioRosado ?

[FabioRosado]

@bennnym Hi Ben sure, we have documentation on creating software environments as well as one about uploading a file/directory to a cluster.

You can add your dockerhub credentials by going to Account > set backend options and follow the UI, on the step to configure registry options you can choose docker hub and add your username and token.

Hope this helps.