I’m tasked with updating my company’s orb to prepare for the Nov 1 requirement to authenticate image pulls from Docker Hub. I’m new to authing Docker executors and new to orbs, but I used the section of the docs on authoring orbs and the page in the docs on authing Docker executors (https://circleci.com/docs/2.0/private-images/) as reference.
I created a minimal example of an orb and a workflow that uses the executor from it. My orb is:
version: 2.1 description: Testing out CircleCI orbs. Contains a command that prints to STDOUT. executors: default: docker: - image: cimg/node:12.16 auth: username: << parameters.docker-hub-id >> password: << parameters.docker-hub-password >> parameters: docker-hub-id: type: env_var_name default: DOCKER_HUB_ID docker-hub-password: type: env_var_name default: DOCKER_HUB_PASSWORD commands: greet: parameters: subject: type: string default: World! steps: - run: name: Perform Greeting command: | echo "Hello, << parameters.subject >>"
My workflow that uses my orb is:
version: 2.1 orbs: circleci-orb-test: firstname.lastname@example.org jobs: test-orb: executor: name: circleci-orb-test/default steps: - run: name: Do something before using the orb command: | echo "Here we go... about to use the orb..." - circleci-orb-test/greet: subject: CircleCI - run: name: Do something after using the orb command: | echo "Hopefully that worked!" workflows: test-orb: jobs: - test-orb
Then I added my Docker Hub ID as the value of the environment variable
DOCKER_HUB_ID and my Docker Hub password as the value of the envirionment variable
DOCKER_HUB_PASSWORD to my project. I also tried a token instead of my password.
When I run my workflow that uses my orb, it says it can’t authenticate to pull the
Build-agent version 1.0.41417-4036f5a3 (2020-10-16T14:37:07+0000) Docker Engine Version: 18.09.6 Kernel Version: Linux 9b8bed763545 4.15.0-1077-aws #81-Ubuntu SMP Wed Jun 24 16:48:15 UTC 2020 x86_64 Linux Starting container cimg/node:12.16 image cache not found on this host, downloading cimg/node:12.16 Error response from daemon: Get https://registry-1.docker.io/v2/cimg/node/manifests/12.16: unauthorized: incorrect username or password
When testing it more, I tried removing the parameters from my orb and hard-coding the username and using the environment variable
DOCKER_HUB_PASSWORD. At that point, it worked, even when I deleted the DOCKER_HUB_PASSWORD environment variable from my project (so it would have access to my username, but not my password).
Additionally, when it succeeds, the output as the job starts doesn’t include that new “you’re pulling an image without authing, it may be subject to rate limits” warning like I see in my main workflows when I don’t auth, even though at no point did I provide my Docker Hub password or token.
I’m confused about what’s going on here, and what we’re expected to do to auth with Docker Hub for Docker executors in our orbs.