
I've been trying to deploy containers with fleet on a CoreOS cluster. However, some of the docker images are privately stored on quay.io requiring a login.

Now I could add a docker login as a precondition to every relevant unit file, but that doesn't seem right. I'm sure there must be a way to store the respective registry credentials somewhere docker can find them when trying to download the image.

Any ideas?

max.ott
  • Be careful with quay images, many of them are known to still be vulnerable to the heartbleed vulnerability. – maskeda Dec 07 '16 at 00:12

1 Answer


The best way to do this is with a Quay "robot account", which is a set of credentials separate from your regular account. This is helpful for two reasons:

  1. they can be revoked if needed
  2. can be limited to a subset of your repositories

When you make a new robot account, if you click "view credentials", you will get the credentials pre-formatted for common use-cases, such as Docker and Kubernetes.

Quay.io Pre-formatted Docker config

In this case, you want "Docker Configuration", which is placed at ~/.docker/config.json on the server(s). Docker will automatically use this to authenticate with Quay.io.

Rob
  • Thanks Rob. I know about creating the credentials. My question related to where I should add that in a CoreOS instance where the docker images are loaded through systemd. There is an /etc/docker directory. Would that be the right place for it and would that also be `config.json`? – max.ott Nov 16 '16 at 12:29
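An added example, not part of the answer above and not Quay's or Docker's own tooling: shell functions that write a robot account credential into Docker's `config.json` with owner-only permissions and then verify the result. The function names, the robot name `exampleorg+deploy` and the token are constructed placeholders; the sketch assumes GNU `stat` and `base64`, and a user name and token that contain no characters needing JSON escaping.

```shell
#!/bin/sh
# Added example. Usage with constructed placeholder values:
#   write_docker_config "$HOME/.docker" quay.io 'exampleorg+deploy' 'ROBOT_TOKEN_PLACEHOLDER'

# write_docker_config DIR REGISTRY USER TOKEN
# Writes DIR/config.json with a single "auths" entry, owner-readable only.
write_docker_config() {
    dir=$1 registry=$2 user=$3 token=$4
    old_umask=$(umask)
    umask 077                        # new directory 0700, new file 0600
    mkdir -p "$dir" || { umask "$old_umask"; return 1; }
    # Docker stores base64("user:token") in the "auth" field.
    auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
    printf '{\n  "auths": {\n    "%s": {\n      "auth": "%s"\n    }\n  }\n}\n' \
        "$registry" "$auth" > "$dir/config.json"
    rc=$?
    chmod 600 "$dir/config.json"     # also tightens a file that already existed
    umask "$old_umask"
    return $rc
}

# check_docker_config DIR REGISTRY
# Returns 0 only if the file exists, grants nothing to group/other,
# and contains an entry for REGISTRY.
check_docker_config() {
    file=$1/config.json
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    mode=$(stat -c %a "$file")
    case $mode in
        ?00) ;;                      # e.g. 600 or 400
        *) echo "$file has mode $mode" >&2; return 2 ;;
    esac
    grep -qF "\"$2\"" "$file" || { echo "no entry for $2" >&2; return 3; }
}

# docker_config_user DIR
# Prints the user name encoded in the first "auth" value, so you can
# confirm a robot account (not a personal login) is what is stored.
docker_config_user() {
    sed -n 's/.*"auth": *"\([^"]*\)".*/\1/p' "$1/config.json" | head -n 1 |
        base64 -d | cut -d: -f1
}
```

The `auth` value is only base64-encoded, not encrypted, which is why the file mode matters. The Docker client also honours the `DOCKER_CONFIG` environment variable as the directory to read `config.json` from.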