As of Marathon 1.5, you can upload your private Docker registry credentials to a secret store, then reference them in your app or pod definition. This functionality is only available if you are using the Mesos containerizer. If you are using the Docker containerizer, follow these instructions to use a private Docker registry. If you want to learn how to configure credentials to pull images from the Amazon Elastic Container Registry (AWS ECR) please refer to this blog post.
Log in to your private registry manually. This creates a `~/.docker` directory and a `~/.docker/config.json` file.

```
$ docker login some.docker.host.com
Username: foo
Password:
Email: foo@bar.com
```

Check that you have the `~/.docker/config.json` file.

```
$ ls ~/.docker
config.json
```

Your `config.json` file should look like this, where the value of `auth` is a base64-encoded `username:password` string. You can generate it using `echo -n 'username:password' | base64`.
```json
{
  "auths": {
    "https://index.docker.io/v1/": {
      "auth": "XXXXX",
      "email": "<your-email>"
    }
  }
}
```
Add the `config.json` file to a secret store. If you are using Enterprise DC/OS, follow these instructions to add the file to the DC/OS secret store.

Add the following two parameters to your app definition.

A location for the secret in the `secrets` parameter:

```json
"secrets": {
  "pullConfigSecret": {
    "source": "/mesos-docker/pullConfig"
  }
}
```

A reference to the secret in the `docker.pullConfig` parameter:

```json
"docker": {
  "image": "mesosphere/inky",
  "pullConfig": {
    "secret": "pullConfigSecret"
  }
}
```

Note: This functionality is only supported with the Mesos containerizer: `container.type` must be `MESOS`.

A complete example:
```json
{
  "id": "/mesos-docker",
  "container": {
    "docker": {
      "image": "your/private/image",
      "pullConfig": {
        "secret": "pullConfigSecret"
      }
    },
    "type": "MESOS"
  },
  "secrets": {
    "pullConfigSecret": {
      "source": "/mesos-docker/pullConfig"
    }
  },
  "args": ["hello"],
  "cpus": 0.2,
  "mem": 16.0,
  "instances": 1
}
```
The Docker image will now be pulled using the credentials you provided.
Add the following two parameters to your pod definition.

A location for the secret in the `secrets` parameter:

```json
"secrets": {
  "pullConfigSecret": {
    "source": "/pod/pullConfig"
  }
}
```

A reference to the secret in the `containers.image.pullConfig` parameter:

```json
"containers": [
  {
    "image": {
      "id": "nginx",
      "pullConfig": {
        "secret": "pullConfigSecret"
      },
      "kind": "DOCKER"
    }
  }
]
```

Note: This functionality is only supported if `image.kind` is set to `DOCKER`.

A complete example:
```json
{
  "id": "/pod",
  "scaling": { "kind": "fixed", "instances": 1 },
  "containers": [
    {
      "name": "sleep1",
      "exec": { "command": { "shell": "sleep 1000" } },
      "resources": { "cpus": 0.1, "mem": 32 },
      "image": {
        "id": "nginx",
        "pullConfig": {
          "secret": "pullConfigSecret"
        },
        "kind": "DOCKER"
      },
      "endpoints": [ { "name": "web", "containerPort": 80, "protocol": [ "http" ] } ],
      "healthCheck": { "http": { "endpoint": "web", "path": "/ping" } }
    }
  ],
  "networks": [ { "mode": "container", "name": "my-virtual-network-name" } ],
  "secrets": { "pullConfigSecret": { "source": "/pod/pullConfig" } }
}
```
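The two constraints above (an app's `pullConfig` needs `container.type` of `MESOS`, a pod's needs `image.kind` of `DOCKER`, and in both cases the referenced secret must be declared under `secrets` with a `source`) are easy to get wrong when editing definitions by hand. The following validator is an added example, not part of the Marathon documentation or code base; it uses this page's two complete examples as constructed sample input and reports the problems a practitioner would otherwise only see as a failed deployment.

```python
import json

# Constructed sample definitions, copied from this page's two complete examples.
SAMPLE_APP = {
    "id": "/mesos-docker",
    "container": {
        "docker": {
            "image": "your/private/image",
            "pullConfig": {"secret": "pullConfigSecret"},
        },
        "type": "MESOS",
    },
    "secrets": {"pullConfigSecret": {"source": "/mesos-docker/pullConfig"}},
    "args": ["hello"],
    "cpus": 0.2,
    "mem": 16.0,
    "instances": 1,
}

SAMPLE_POD = {
    "id": "/pod",
    "scaling": {"kind": "fixed", "instances": 1},
    "containers": [
        {
            "name": "sleep1",
            "exec": {"command": {"shell": "sleep 1000"}},
            "resources": {"cpus": 0.1, "mem": 32},
            "image": {
                "id": "nginx",
                "pullConfig": {"secret": "pullConfigSecret"},
                "kind": "DOCKER",
            },
        }
    ],
    "secrets": {"pullConfigSecret": {"source": "/pod/pullConfig"}},
}


def _check_secret_ref(defn, pull_config, where, problems):
    """Check one pullConfig block against the definition's top-level 'secrets' map."""
    ref = pull_config.get("secret")
    if not ref:
        problems.append(f"{where}.pullConfig: missing 'secret' name")
        return
    declared = defn.get("secrets", {})
    if ref not in declared:
        problems.append(f"{where}.pullConfig: secret '{ref}' is not declared under 'secrets'")
    elif not declared[ref].get("source"):
        problems.append(f"secrets.{ref}: missing 'source' (path of the secret in the store)")


def check_app(app):
    """Return a list of problems with an app definition's pullConfig; empty means OK."""
    problems = []
    container = app.get("container", {})
    pull_config = container.get("docker", {}).get("pullConfig")
    if pull_config is None:
        return problems  # no pullConfig: nothing to validate here
    if container.get("type") != "MESOS":
        problems.append(f"container.type is {container.get('type')!r}; pullConfig requires MESOS")
    _check_secret_ref(app, pull_config, "container.docker", problems)
    return problems


def check_pod(pod):
    """Return a list of problems with a pod definition's pullConfig entries; empty means OK."""
    problems = []
    for i, container in enumerate(pod.get("containers", [])):
        image = container.get("image", {})
        pull_config = image.get("pullConfig")
        if pull_config is None:
            continue
        where = f"containers[{i}].image"
        if image.get("kind") != "DOCKER":
            problems.append(f"{where}.kind is {image.get('kind')!r}; pullConfig requires DOCKER")
        _check_secret_ref(pod, pull_config, where, problems)
    return problems


def check_definition(text):
    """Validate a JSON app or pod definition; pods are recognised by their 'containers' list."""
    defn = json.loads(text)
    return check_pod(defn) if "containers" in defn else check_app(defn)


if __name__ == "__main__":
    for name, defn in (("app", SAMPLE_APP), ("pod", SAMPLE_POD)):
        print(name, check_definition(json.dumps(defn)) or "OK")
```

Run it against a definition file with `check_definition(open(path).read())` before posting it to Marathon; an empty list means the pull-config wiring is consistent, and each string in a non-empty list names the exact field to fix.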
With the Docker containerizer, to supply credentials to pull from a private registry, add a `.dockercfg` to the `uris` field of your app. The `$HOME` environment variable will then be set to the same value as `$MESOS_SANDBOX` so Docker can automatically pick up the config file.

To supply credentials to pull from a private registry, add a `docker.tar.gz` file to the `uris` field of your app. The `docker.tar.gz` file should include the `.docker` directory and the contained `.docker/config.json`.
Log in to the private registry manually. Login creates a `~/.docker` directory and a `~/.docker/config.json` file in your home directory. `docker login` appends credentials to the file and does not replace the old ones. Credentials are stored unencrypted.

```
$ docker login some.docker.host.com
Username: foo
Password:
Email: foo@bar.com
```

Also note that by default, the credentials may not be stored in the file, but rather in a key store managed by the OS (e.g. `osxkeychain` for OSX, `pass` for Linux). Make sure the credentials are stored in the file. The new authentication entry should look like this:
```json
"https://some.docker.host.com": {
  "auth": "XXXXX",
  "email": "<your-email>"
}
```

Here the value of `auth` is a base64-encoded `username:password` string. You can generate it using `echo -n 'username:password' | base64`.
Compress the `~/.docker` directory and its contents.

```
$ cd ~
$ tar -czf docker.tar.gz .docker
```

Verify that both files are in the archive.

```
$ tar -tvf ~/docker.tar.gz
drwx------ root/root 0 2015-07-28 02:54 .docker/
-rw------- root/root 114 2015-07-28 01:31 .docker/config.json
```

Put the archive file in a location that is accessible to your application definition.

```
$ cp docker.tar.gz /etc/
```

Note: The URI must be accessible by all nodes that will start your application. You can distribute the file to the local filesystem of all nodes, for example via RSYNC/SCP, or store it on a shared network drive like Google Cloud Storage or Amazon S3. Consider the security implications of your chosen approach carefully.
Add the path to the archive containing the login credentials to the `fetch` parameter of your app definition.

```json
"fetch": [
  {
    "uri": "file:///etc/docker.tar.gz"
  }
]
```
For example:

```json
{
  "id": "/some/name/or/id",
  "cpus": 1,
  "mem": 1024,
  "instances": 1,
  "container": {
    "type": "DOCKER",
    "docker": {
      "image": "some.docker.host.com/namespace/repo",
      "network": "HOST"
    }
  },
  "fetch": [
    {
      "uri": "file:///etc/docker.tar.gz"
    }
  ]
}
```
The Docker image will now be pulled using the credentials you provided.
Find out how to set up a private Docker registry with DC/OS.