
I am on a Windows machine using Terraform 0.13.4 and trying to spin up some containers on a remote host using Terraform and the Docker provider:

```hcl
provider "docker" {
  host = "tcp://myvm:2376/"

  registry_auth {
    address = "myregistry:443"
    username = "myusername"
    password = "mypassword"
  }

  ca_material = file(pathexpand(".docker/ca.pem"))
  cert_material = file(pathexpand(".docker/cert.pem"))
  key_material = file(pathexpand(".docker/key.pem"))
}

data "docker_registry_image" "mycontainer" {
  name = "myregistry:443/lvl1/lvl2/myimage:latest"
}
```

I am having a hard time with this as it cannot authenticate with my private registry. Always getting 401 Unauthorized.

If I don't do this to grab the sha256_digest and just use the docker_container resource, everything works but it forces replacements of the running containers.

  • Hello, do you have a problem with the authentication, or is the problem the forced replacement of the running containers? – Montassar Bouajina Nov 04 '20 at 08:52
  • The actual problem is the forced replacements. If I use the named image ID in my `docker_container` resource it always "forces replacement". If I switch to the `sha256 digest` of my image this doesn't happen. However, to get that I need to log on to the registry using the code shared, unless there is another way which I am not aware of. – Angelos Bousias Nov 04 '20 at 08:58
  • I think you missed the docker_image resource. I posted the answer; you can check it. – Montassar Bouajina Nov 04 '20 at 09:38
  • I saw it, but it doesn't stop it from authenticating with the registry. See my comment on your answer. – Angelos Bousias Nov 04 '20 at 11:45

2 Answers

Hello Angelos, if you don't want to force replacement of the running container, you should try this:

```hcl
provider "docker" {
  host = "tcp://myvm:2376/"

  registry_auth {
    address = "myregistry:443"
    username = "myusername"
    password = "mypassword"
  }

  ca_material = file(pathexpand(".docker/ca.pem"))
  cert_material = file(pathexpand(".docker/cert.pem"))
  key_material = file(pathexpand(".docker/key.pem"))
}

data "docker_registry_image" "mycontainer" {
  name = "myregistry:443/lvl1/lvl2/myimage:latest"
}

resource "docker_image" "example" {
  name = data.docker_registry_image.mycontainer.name
  pull_triggers = [data.docker_registry_image.mycontainer.sha256_digest]
  keep_locally = true
}
```

Then in the container use:

```hcl
resource "docker_container" "example" {
  image = docker_image.example.latest
  name = "container_name"
}
```

You should use

```hcl
docker_image.example.latest
```

Using the docker_image resource itself, if the image already exists it won't pull the image and doesn't restart the container, but if you pass the name as a string it will replace the container every time.

https://www.terraform.io/docs/providers/docker/r/container.html

Montassar Bouajina
  • Even if the image is locally pulled on that host, code like this still tries to authenticate with the registry, thus stopping at the same error. I tried skipping the `docker_registry_image` resource and getting the `sha256_digest` from the `docker_image` resource, but it is not available. – Angelos Bousias Nov 04 '20 at 11:43
  • You need the authentication, don't remove it, but using the docker_image resource and passing **.latest** to the docker_container will not recreate the container. – Montassar Bouajina Nov 04 '20 at 11:47
  • But the authentication failing is still blocking if the only way to get the `sha256_digest` is using the `docker_registry_image` resource. Currently it fails before trying to pull the image. – Angelos Bousias Nov 04 '20 at 15:11

Turns out that the code is correct and that the container service I am using (older version of ProGet) is not replying correctly for the auth calls. I tested the code using another registry and it all works as expected.
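
A way to check the registry's side of the auth handshake when the Terraform code is not at fault, as in the answer above. This is an added example, not code from either poster, and it assumes the registry follows the Docker Registry v2 convention of answering an unauthenticated `GET /v2/` with `401` plus a `WWW-Authenticate` challenge. The page does not say which part of ProGet's reply was wrong; the sample responses and the `/token` path below are constructed.

```python
import re

# Constructed (status, headers) pairs for an unauthenticated GET /v2/.
# "myregistry:443" is the placeholder host from the question; "/token" is assumed.
SAMPLES = {
    "token": (401, {"WWW-Authenticate":
                    'Bearer realm="https://myregistry:443/token",service="myregistry:443"'}),
    "basic": (401, {"WWW-Authenticate": 'Basic realm="Registry"'}),
    "no_challenge": (401, {}),
    "bearer_no_realm": (401, {"WWW-Authenticate": 'Bearer service="myregistry:443"'}),
}

# Registries quote challenge parameters, so only key="value" pairs are matched.
_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, params)."""
    scheme, _, rest = header.strip().partition(" ")
    return scheme.lower(), dict(_PARAM.findall(rest))


def diagnose(status, headers):
    """Classify how a registry answered an unauthenticated GET /v2/."""
    headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status == 200:
        return "open: no authentication required"
    if status != 401:
        return f"unexpected status {status}"
    challenge = headers.get("www-authenticate")
    if not challenge:
        # Without a challenge the client cannot tell how to present credentials.
        return "broken: 401 without WWW-Authenticate challenge"
    scheme, params = parse_challenge(challenge)
    if scheme == "basic":
        return "ok: basic auth"
    if scheme == "bearer":
        if "realm" not in params:
            # The realm is the token endpoint; without it no token can be requested.
            return "broken: Bearer challenge without realm"
        return f"ok: token auth via {params['realm']}"
    return f"unsupported scheme {scheme}"


if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(f"{name:16} {diagnose(status, headers)}")
```

To use it against a real registry, feed `diagnose` the status code and headers of an unauthenticated request to the registry's `/v2/` endpoint.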