spotify / dockerfile-maven

MATURE: A set of Maven tools for dealing with Dockerfiles
Apache License 2.0

Cannot push to ECR #369

Open hauntingEcho opened 3 years ago

hauntingEcho commented 3 years ago

Is this a BUG REPORT or FEATURE REQUEST?: Bug report

Description

Cannot push images to ECR. I've tried using 1.3.3 and using docker-client version 8.10 per this old issue, but neither can connect to my docker client.

How to reproduce

  1. set dockerfile.repository per ECR's required structure
  2. provision the repo if needed: aws ecr create-repository --repository-name "$(mvn help:evaluate "-Dexpression=dockerfile.repository" -q -DforceStdout)"
  3. use your ${ecr_name} in the command aws ecr get-login-password | docker login --username AWS --password-stdin "${ecr_name}"
  4. mvn package
  5. mvn dockerfile:push - fails
  6. docker push "$(mvn help:evaluate "-Dexpression=dockerfile.repository" -q -DforceStdout):$(mvn help:evaluate "-Dexpression=dockerfile.tag" -q -DforceStdout)" - succeeds

What do you expect

mvn dockerfile:push succeeds whenever docker push would

What happened instead

push fails with error

org.apache.maven.plugin.MojoExecutionException: Could not push image
    at com.spotify.plugin.dockerfile.PushMojo.execute (PushMojo.java:90)
    at com.spotify.plugin.dockerfile.AbstractDockerMojo.tryExecute (AbstractDockerMojo.java:265)
    at com.spotify.plugin.dockerfile.AbstractDockerMojo.execute (AbstractDockerMojo.java:254)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: com.spotify.docker.client.exceptions.DockerException: no basic auth credentials
    at com.spotify.plugin.dockerfile.LoggingProgressHandler.handleError (LoggingProgressHandler.java:105)
    at com.spotify.plugin.dockerfile.LoggingProgressHandler.progress (LoggingProgressHandler.java:63)
    at com.spotify.docker.client.ProgressStream.tail (ProgressStream.java:77)
    at com.spotify.docker.client.DefaultDockerClient$ResponseTailReader.call (DefaultDockerClient.java:2754)
    at com.spotify.docker.client.DefaultDockerClient$ResponseTailReader.call (DefaultDockerClient.java:2738)
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
    at java.lang.Thread.run (Thread.java:748)

Software:

Server: Docker Engine - Community
 Engine:
  Version: 19.03.13
  API version: 1.40 (minimum version 1.12)
  Go version: go1.13.15
  Git commit: 4484c46d9d
  Built: Wed Sep 16 17:07:04 2020
  OS/Arch: linux/amd64
  Experimental: false
 containerd:
  Version: v1.3.7
  GitCommit: 8fba4e9a7d01810a393d5d25a3621dc101981175
 runc:
  Version: 1.0.0-rc10
  GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version: 0.18.0
  GitCommit: fec3683

- Spotify's dockerfile-maven version: 1.4.13

chrisxaustin commented 3 years ago

I know this is an old Issue, but I ran into this today with 1.4.13 and spent too much time troubleshooting it.

TL;DR - updating .docker/config.json to use credsStore=ecr-login is easiest. It also needs to have the registry in the auths section.

{
    "auths": {
        "12345.dkr.ecr.us-east-2.amazonaws.com": {}
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.09.0 (windows)"
    },
    "credsStore": "ecr-login"
}

I use the AWS Tools for PowerShell, but I suspect we have a similar problem. To authenticate I run: Invoke-Expression -Command (Get-ECRLoginCommand -Region us-east-2).Command

My .docker/config.json was auto-generated when I logged in, with these contents after I deleted the file and let docker re-create it.

{
    "auths": {
        "12345.dkr.ecr.us-east-2.amazonaws.com": {}
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.09.0 (windows)"
    },
    "credsStore": "wincred"
}

Pushing with this failed, so I ran maven with the -X flag for debug output and saw the call to docker-credential-wincred get.

Stepping through the plugin execution in an attached debug session I saw ConfigFileRegistryAuthSupplier.authFor try the https variant and fail because docker-credential-wincred doesn't have that registry, as confirmed with

echo https://12345.dkr.ecr.us-east-2.amazonaws.com | docker-credential-wincred get

Trying without the protocol works:

echo 12345.dkr.ecr.us-east-2.amazonaws.com | docker-credential-wincred get

The plugin then tried without the protocol (yay!), but because config.json has a stub entry for that name DockerConfigReader.authForRegistry returned the empty object with no auth info and never reached the credsStore piece.

These options don't work:

I believe these to be bugs:
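
Added example, not part of the thread and not the plugin's code: a simplified Python model of the lookup order chrisxaustin's comment describes (the https:// form first, then the bare registry name, with an `auths` entry taking precedence over `credsStore`), useful for checking a `config.json` before a push. The function names, the sample config and `fake_helper` are constructed for illustration, and that `ecr-login` answers the https:// form is an assumption drawn from the comment's TL;DR.

```python
import json
import subprocess

REGISTRY = "12345.dkr.ecr.us-east-2.amazonaws.com"  # placeholder used in the thread
SAMPLE_CONFIG = {"auths": {REGISTRY: {}}, "credsStore": "wincred"}  # constructed

def helper_get(store, server_url):
    """Run docker-credential-<store> get; return parsed JSON or None."""
    try:
        proc = subprocess.run([f"docker-credential-{store}", "get"], input=server_url,
                              capture_output=True, text=True, timeout=10)
        return json.loads(proc.stdout) if proc.returncode == 0 else None
    except (OSError, ValueError, subprocess.TimeoutExpired):
        return None

def fake_helper(store, server_url):
    """Constructed stand-in: wincred keyed by bare name only, as in the comment."""
    if store == "wincred" and server_url.startswith("https://"):
        return None
    return {"Username": "AWS", "Secret": "<redacted>"}

def trace_lookup(config, registry, get=helper_get):
    """Return (found, steps); secrets are never copied into the trace."""
    auths, store = config.get("auths", {}), config.get("credsStore")
    steps = []
    for name in ("https://" + registry, registry):
        if name in auths:
            entry = auths[name] or {}
            if entry.get("auth") or entry.get("identitytoken"):
                steps.append(f"{name}: inline credentials in auths")
                return True, steps
            steps.append(f"{name}: empty stub in auths, credsStore skipped")
        elif store and get(store, name):
            steps.append(f"{name}: found via docker-credential-{store}")
            return True, steps
        else:
            steps.append(f"{name}: no entry in auths or {store or 'any credsStore'}")
    return False, steps

if __name__ == "__main__":
    for store in ("wincred", "ecr-login"):
        cfg = dict(SAMPLE_CONFIG, credsStore=store)
        found, steps = trace_lookup(cfg, REGISTRY, fake_helper)
        print(store, "->", "credentials found" if found else "no basic auth credentials")
        for s in steps:
            print("   ", s)
```

Calling `trace_lookup` with the default `get` runs the real credential helper on the machine; the trace reports only whether an entry exists, not its contents.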

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.