Orb executor parameters not working for Docker auth

I’m tasked with updating my company’s orb to prepare for the Nov 1 requirement to authenticate image pulls from Docker Hub. I’m new to authing Docker executors and new to orbs, but I used the section of the docs on authoring orbs and the page in the docs on authing Docker executors (https://circleci.com/docs/2.0/private-images/) as reference.

I created a minimal example of an orb and a workflow that uses the executor from it. My orb is:

version: 2.1

description: Testing out CircleCI orbs. Contains a command that prints to STDOUT.

executors:
  default:
    docker:
      - image: cimg/node:12.16
        auth:
          username: << parameters.docker-hub-id >>
          password: << parameters.docker-hub-password >>
    parameters:
      docker-hub-id:
        type: env_var_name
        default: DOCKER_HUB_ID
      docker-hub-password:
        type: env_var_name
        default: DOCKER_HUB_PASSWORD

commands:
  greet:
    parameters:
      subject:
        type: string
        default: World!
    steps:
      - run:
          name: Perform Greeting
          command: |
            echo "Hello, << parameters.subject >>"

My workflow that uses my orb is:

version: 2.1

orbs:
  circleci-orb-test: mattwelke/circleci-orb-test@0.0.4

jobs:
  test-orb:
    executor:
      name: circleci-orb-test/default

    steps:
      - run:
          name: Do something before using the orb
          command: |
            echo "Here we go... about to use the orb..."
      - circleci-orb-test/greet:
          subject: CircleCI
      - run:
          name: Do something after using the orb
          command: |
            echo "Hopefully that worked!"

workflows:
  test-orb:
    jobs:
      - test-orb

Then I added my Docker Hub ID as the value of the environment variable DOCKER_HUB_ID and my Docker Hub password as the value of the environment variable DOCKER_HUB_PASSWORD to my project. I also tried a token instead of my password.

When I run my workflow that uses my orb, it says it can’t authenticate to pull the cimg/node image:

Build-agent version 1.0.41417-4036f5a3 (2020-10-16T14:37:07+0000)
Docker Engine Version: 18.09.6
Kernel Version: Linux 9b8bed763545 4.15.0-1077-aws #81-Ubuntu SMP Wed Jun 24 16:48:15 UTC 2020 x86_64 Linux
Starting container cimg/node:12.16
  image cache not found on this host, downloading cimg/node:12.16

Error response from daemon: Get https://registry-1.docker.io/v2/cimg/node/manifests/12.16: unauthorized: incorrect username or password

When testing it more, I tried removing the parameters from my orb and hard-coding the username and using the environment variable DOCKER_HUB_PASSWORD. At that point, it worked, even when I deleted the DOCKER_HUB_PASSWORD environment variable from my project (so it would have access to my username, but not my password).

Additionally, when it succeeds, the output as the job starts doesn’t include that new “you’re pulling an image without authing, it may be subject to rate limits” warning like I see in my main workflows when I don’t auth, even though at no point did I provide my Docker Hub password or token.

I’m confused about what’s going on here, and what we’re expected to do to auth with Docker Hub for Docker executors in our orbs.

Hi @mattwelke,

Thank you for the very detailed info. We’re still working on making the orb + Docker auth steps more clear, and we expect to have more information to release soon. This kind of feedback is super helpful for us. We know the deadline is coming fast!

I’m going to pass this on to the team working on it, and if I find any solutions, I’ll let you know ASAP!

1 Like

Hi @thekatertot,

Thanks for responding. It’s good to hear we’ll have official instructions soon. In the meantime, here’s my take on what we should do right now:

  • Docker executors in orbs - Hold off, wait for official instructions.
  • Docker executors in workflows - Follow steps in https://circleci.com/docs/2.0/private-images/ to auth with Docker Hub.
  • Build steps in workflows using Docker provided by setup_remote_docker - Add docker login to steps before docker build commands are run in steps to ensure base image pulls during our builds are authed with Docker Hub

Can you confirm?

2 Likes

That’s exactly right. :partying_face:

1 Like
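
The second and third items in the list above (executor auth in a workflow, and `docker login` before `docker build` under `setup_remote_docker`), written out as one workflow config. This is an added example, not part of the original thread and not CircleCI's own code; the job name, the `example/app` tag and a Dockerfile in the repository root are assumptions, and the environment variable names are the ones used in the thread.

```yaml
version: 2.1

jobs:
  build-image:            # hypothetical job name
    docker:
      # Executor image pull: credentials come from project (or context)
      # environment variables, never from literals in the config.
      - image: cimg/node:12.16
        auth:
          username: $DOCKER_HUB_ID
          password: $DOCKER_HUB_PASSWORD   # a Docker Hub access token also works here
    steps:
      - checkout
      - setup_remote_docker
      - run:
          name: Log in to Docker Hub before any build
          command: |
            # --password-stdin keeps the secret out of the process argument
            # list, where "docker login -p ..." would expose it.
            echo "$DOCKER_HUB_PASSWORD" \
              | docker login --username "$DOCKER_HUB_ID" --password-stdin
      - run:
          name: Build image (base image pulls are now authenticated)
          # example/app is a placeholder tag; assumes ./Dockerfile exists
          command: docker build -t example/app:latest .

workflows:
  build:
    jobs:
      - build-image
```

The `auth` block covers only the pull of the executor image itself; pulls triggered by `docker build` on the remote Docker engine are authenticated by the separate `docker login` step.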