Just so that I can bring this thread to a proper conclusion, I worked out the issue.
*TL;DR:* The Jenkins slave container derived from the jnlp-slave image (with the docker client installed) was using the *root* user instead of the *jenkins* user. This causes the ECR credentials to be stored in the wrong place. So, when the *docker-build-publish* plugin pushes to the registry, docker push xxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/<repo>:latest, there is no docker config file with the proper credentials. This causes the no basic auth credentials error.

*Recap:*

I am using a Jenkins master to trigger builds in an ECS cloud. The ECS slave task template uses an image derived from the jnlp-slave image with the docker client added. Additionally, /var/run/docker.sock is mounted from the source to the container to give the slave container access to the docker host's docker server. The goal of this configuration is to provide a simple way for jnlp-worker containers to build & push docker images to a registry. The physical configuration is as follows:

<https://lh3.googleusercontent.com/-XE4Tff61PJc/VxevuII6s2I/AAAAAAAAABY/kuInPPeytIw_6Yjzt0L3YEV5-X7SncQzgCLcB/s1600/build_ecs.png>

*So, what was the source of the problem?*

Well, initially I was having problems with the *jenkins* user accessing /var/run/docker.sock. The socket belongs to the *docker* group on the host and is assigned a random? GID. The *docker* group, however, was 1) not a group in the container and 2) the *jenkins* user was not a member of the group. So, I copped out and had the container run as *root*–laziness invites issues. The jenkins worker will hum along properly until it's time to docker push to the registry and it cannot authenticate. The *Docker Build and Publish* plugin does correctly utilize the ECR plugin to retrieve a token to access the ECR registry. But, because this is all happening as the *root* user, the *Docker Commons* plugin stores the resultant login info at /root/.dockercfg. When docker push is invoked by the plugin, it can't find credentials…booo.

*A resolution*

The resolution is simple: ensure that the jnlp worker is running as the *jenkins* user and ensure that the *docker* group from the host is replicated in the worker. A bit of searching led me to this post on the docker forums <https://forums.docker.com/t/docker-inside-jenkins-container/3583/2> and this script <https://github.com/SvenDowideit/docs-automation/blob/master/jenkins/setup-docker-and-start-jenkins.sh> by Sven Dowideit. With a few modifications to use this script as the ENTRYPOINT of the jnlp worker image, everything now works.

-- a

On Tuesday, April 12, 2016 at 11:15:38 AM UTC-4, A. Best wrote:
>
> Nicolas,
>
> Thanks for the response.
>
> Yes, I did select amazon credentials, as those are the only credentials I have set up on this instance. In this particular case I was doing a variation of the Jenkins-Amazon build pipeline <https://blogs.aws.amazon.com/application-management/post/Tx32RHFZHXY6ME1/Set-up-a-build-pipeline-with-Jenkins-and-Amazon-ECS>.
>
> I was using a simple prebuilt source repo to test the process.
>
> Here's a screenshot of the *Docker Build and Publish* build step.
>
> <https://lh3.googleusercontent.com/-jX8H6lD8nrg/Vw0Oxnq7C2I/AAAAAAAAAAs/A1h-QE0_sn4aqPCe7HiWDvM3095bDwzfQCLcB/s1600/jenkins_build.png>
>
> Thanks,
>
> On Monday, April 11, 2016 at 6:42:38 PM UTC-4, nicolas de loof wrote:
>>
>> Did you properly select the amazon credentials in the build and publish build step configuration?
>>
>> 2016-04-11 22:53 GMT+02:00 A. Best <ab...@utilitas.io>:
>>
>>> *Versions used in testing:*
>>> Jenkins: 1.642.3
>>> Amazon ECR Plugin: 1.0 <https://wiki.jenkins-ci.org/display/JENKINS/Amazon+ECR>
>>> Cloudbees Docker Build & Publish: 1.2.1 <https://wiki.jenkins-ci.org/display/JENKINS/CloudBees+Docker+Build+and+Publish+plugin>
>>>
>>> *ECS Container Instance*
>>> Docker Version: 1.9.1
>>> API Version: 1.21
>>>
>>> I have a couple of quick questions about the amazon-ecr-plugin <https://wiki.jenkins-ci.org/display/JENKINS/Amazon+ECR>.
>>>
>>> In the About <https://wiki.jenkins-ci.org/display/JENKINS/Amazon+ECR#AmazonECR-About> section of the plugin, the Cloudbees Docker Build and Publish <https://wiki.jenkins-ci.org/display/JENKINS/CloudBees+Docker+Build+and+Publish+plugin> is referenced as an example of how the ECR plugin can be used.
>>>
>>> For my specific use case, I have the Jenkins master connecting to a Jenkins JNLP slave running in an ECS cluster. I'm using a container based on the jenkinsci/jnlp-slave <https://hub.docker.com/r/jenkinsci/jnlp-slave/> to perform the build. With the right permissions and mounted volumes, I am able to use the docker host (which is the ECS container instance) to build docker images.
>>>
>>> <https://lh3.googleusercontent.com/-KDL4GXfm5w0/VwwHwOiZQfI/AAAAAAAAAAY/jkj3Uzrhcm0NYeVpLyaRrmDF69oFxtL8Q/s1600/Screen%2BShot%2B2016-04-11%2Bat%2B4.20.38%2BPM.png>
>>>
>>> The *Docker Build and Publish* plugin does use the dockerfile at the root of the project and build it as expected. However, I'm running into an issue when the plugin attempts to push the image to ECR.
>>>
>>> The push refers to a repository [<my-user-id>.dkr.ecr.us-east-1.amazonaws.com/test-repository] (len: 1)
>>> 7a8e1872c5e2: Preparing
>>> Post https://<my-user-id>.dkr.ecr.us-east-1.amazonaws.com/v2/test-repository/blobs/uploads/: no basic auth credentials
>>> Build step 'Docker Build and Publish' marked build as failure
>>> Finished: FAILURE
>>>
>>> It seems that the build is attempting to push to the registry with no credentials. I was assuming that the ECR plugin would provide docker with the correct AWS credentials to log in to the registry so that the newly built image could be pushed.
>>>
>>> Do I need any additional packages installed on the Jenkins slave to get this to work?
>>>
>>> Am I missing something?
>>>
>>> Are my expectations for the plugin wrong?
>>>
>>> Thanks,
>>>
>>> Adam
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
>>> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/eaf6f71a-9758-4838-bb05-fd4fa43ee021%40googlegroups.com <https://groups.google.com/d/msgid/jenkinsci-users/eaf6f71a-9758-4838-bb05-fd4fa43ee021%40googlegroups.com?utm_medium=email&utm_source=footer>.
>>> For more options, visit https://groups.google.com/d/optout.
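
The resolution described at the top of this thread (replicate the host's *docker* group in the worker, then run as *jenkins*), sketched as an entrypoint; this is an added example, not part of the original post and not the script linked there. It assumes the container starts as root and has GNU stat, groupadd, usermod and setpriv; the RUN_AS_ENTRYPOINT switch and the "dockerhost" fallback name are hypothetical.

```shell
#!/bin/sh
# Added example (not the script linked in the thread). Assumes the container
# starts as root and has GNU stat, groupadd, usermod and setpriv.
DOCKER_SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"

# Numeric GID that owns a path (the host's docker group, seen through the mount).
socket_gid() { stat -c '%g' "$1"; }

# Name of the group holding a GID in a group(5)-format file; empty if none.
group_name_for_gid() {
    awk -F: -v gid="$1" '$3 == gid { print $1; exit }' "${2:-/etc/group}"
}

# Succeeds if a group with this name exists in the file.
group_exists() {
    awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "${2:-/etc/group}"
}

# Decide the action for a socket GID: reuse the group that already has it, or
# create one ("dockerhost" is a hypothetical fallback when "docker" is taken).
plan_group() {
    file="${2:-/etc/group}"
    name="$(group_name_for_gid "$1" "$file")"
    if [ -n "$name" ]; then echo "reuse:$name"
    elif group_exists docker "$file"; then echo "create:dockerhost"
    else echo "create:docker"
    fi
}

main() {
    gid="$(socket_gid "$DOCKER_SOCK")" || exit 1
    plan="$(plan_group "$gid")"
    group="${plan#*:}"
    case "$plan" in create:*) groupadd -g "$gid" "$group" ;; esac
    usermod -aG "$group" jenkins
    # Drop root before the worker starts, so registry credentials are written
    # under the jenkins home and not /root.
    HOME="$(getent passwd jenkins | cut -d: -f6)"; export HOME
    exec setpriv --reuid "$(id -u jenkins)" --regid "$(id -g jenkins)" \
        --init-groups "$@"
}

# RUN_AS_ENTRYPOINT is a hypothetical switch set in the image (ENV) so the
# functions above can be sourced and tested without side effects.
if [ "${RUN_AS_ENTRYPOINT:-0}" = "1" ]; then main "$@"; fi
```

Membership in the group that owns /var/run/docker.sock is root-equivalent on the docker host, so this fixes where credentials are stored but does not isolate the build from the host.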