Nomad cannot pull other images if credential helper is in place

Question

I am trying to pull images from my ecr repository as well as from dockerhub using Nomad. The problem is that if I don't pull those images myself, Nomad won't pull them and will complain with the error:

Failed to find docker auth for repo "envoyproxy/envoy": docker-credential-ecr-login with input "envoyproxy/envoy" failed with stderr: exit status 1

It will easily pull the ECR images, but those images required for sidecars or non-ecr images deployed by me, for example postgres, won't be pulled with same error. Did anybody else encounter same issue?

Answer 1

The workaround I have found was adding:

"auth_soft_fail": true 

Add this as part the config.

Nomad cannot pull other images if credential helper is in place

Answer 2

For mixed ecr and non-ecr workload in recent nomad version it seems totally fine to point the auth config to a docker configuration that only includes the credHelpers stanza:

/etc/nomad.d/nomad-docker.hcl

plugin "docker" {
  config {
    auth {
      config = "/root/.docker/config.json"
    }
  }
}

/root/.docker/config.json

{
    "credHelpers": {
        "**********.dkr.ecr.eu-central-1.amazonaws.com": "ecr-login"
    }
}

Answer 3

I had this same issue, I'm not sure if there's a way around it if you're just using this stanza:

plugin "docker" {
  config {
    auth {
      helper = "ecr-login"
    }
  }
}

Alternatively, I set this:

plugin "docker" {
  config {
    auth {
      config = "/opt/docker.json"
    }
  }
}

And then populated the file at /opt/docker.json with the following values:

{
  "credHelpers": {
    "000000000000.dkr.ecr.us-west-2.amazonaws.com": "ecr-login"
  },
  "auths": {
    "https://index.docker.io/v1/": {}
  }
}

Replace 000000000000 with your aws account id and us-west-2 with your region.