https://pulumi.com logo
#general
Title
# general
m

most-pager-38056

12/03/2018, 10:45 PM
Hello! 👋 I’m still trying to automate our infrastructure using Github Actions. 😁 I’m trying to use Pulumi to create and push an image to ECR, but i can’t authenticate to ECR from a Github Action. Locally, i can inspect and push the image normally, so i’m not sure if there are any differences between how Pulumi handles the registry authentication locally vs using a CI provider.
Looking at the implementation, i wonder if the login result is being persisted to the machine. https://github.com/pulumi/pulumi-docker/blob/master/sdk/nodejs/docker.ts#L447-L450
w

white-balloon-205

12/03/2018, 11:30 PM
I am surprised that that could happen.
docker
itself stores logins in the filesystem, but I would not expect that to be a problem. @most-pager-38056 Do you see any messages about logging in in the output previous to what's in the screenshot? cc @lemon-spoon-91807 any thoughts? Is there additional logging @most-pager-38056 could turn on to get more of the diagnostic events?
l

lemon-spoon-91807

12/03/2018, 11:30 PM
what happens if you just run that command manually?
i'm curious what error is actually being produced.
m

most-pager-38056

12/03/2018, 11:36 PM
I don’t see any error messages in the action output. And i believe Pulumi would exit the process before building the image if the login couldn’t be completed, that happened to me sometimes when i was implementing the authentication. 😅 The error itself comes from
docker inspect
, i imagine this command runs after
docker login
.
l

lemon-spoon-91807

12/03/2018, 11:37 PM
Hi @most-pager-38056 can you clarify this
I don’t see any error messages in the action output.
is that if you run the command manually?
i wonder if the login result is being persisted to the machine.
m

most-pager-38056

12/03/2018, 11:38 PM
My bad. I don’t see any login error messages in the action output.
l

lemon-spoon-91807

12/03/2018, 11:38 PM
'docker login' shoudl be doing that automatically. it is persisted into: .docker/config.json
unless you have a credential manager
What happens if you try to run the
docker image inspect ...
command manually? Thanks!
m

most-pager-38056

12/03/2018, 11:39 PM
Yes, the problem is that i’m using Github Actions, so i can’t login into the machine and check these files. =/
l

lemon-spoon-91807

12/03/2018, 11:39 PM
ick.
m

most-pager-38056

12/03/2018, 11:42 PM
I thought it could be something related about how credentials are being persisted because Pulumi should immediately stop the update if credentials are not valid. I’m pretty sure that’s not the case, a lot of resources are updated before the docker image itself and all these resources use the same AWS credentials.
l

lemon-spoon-91807

12/03/2018, 11:42 PM
If we got some error from docker we should always be logging it as per:
w

white-balloon-205

12/03/2018, 11:42 PM
@most-pager-38056 Do you see
Executing 'docker login' ...
anywhere in your output?
l

lemon-spoon-91807

12/03/2018, 11:42 PM
Copy code
if (stderr.length > 0) {
                if (code && !reportErrorAsWarning) {
                    // Command returned non-zero code.  Treat these stderr messages as an error.
                    pulumi.log.error(stderr, logResource, streamID);
                }
                else {
                    // command succeeded.  These were just warning.
                    pulumi.log.warn(stderr, logResource, streamID);
                }
}
so you should at least see warnings or errors printed. so, it seems like the command is terminating in error, but without having printed any console output.
w

white-balloon-205

12/03/2018, 11:43 PM
@lemon-spoon-91807 The error he is getting appears to be
Error response from daemon: Forbidden
. It is not clear to me whether the library every tried to do
docker login
.
m

most-pager-38056

12/03/2018, 11:44 PM
@white-balloon-205 no, i don’t see these messages.
Before the docker build steps, i see all the resources preview.
w

white-balloon-205

12/03/2018, 11:44 PM
Could you share the whole log somewhere? DM with @lemon-spoon-91807 and I, or email at luke@pulumi.com work if it's something you can share.
l

lemon-spoon-91807

12/03/2018, 11:45 PM
Ah.
We have this bug that we fixed:
There was a loic bug where if you had multiple images with the same repo, we could attempt to starting working on the second image prior to the first completing its login step, causing us to fail with authentication errors
m

most-pager-38056

12/03/2018, 11:48 PM
@white-balloon-205 done! I just sent via DM to @lemon-spoon-91807.
I’m using the
dev
branch, so i imagine the fix is already there, right? (ah… i’m only building a single image right now)
l

lemon-spoon-91807

12/03/2018, 11:53 PM
can you take a look at the contents of the docker.ts or .js that you're pulling in?
i want to see if it has:
(or send to me in dm)
i need to see what loginToRegistry looks like in it
m

most-pager-38056

12/03/2018, 11:54 PM
Yes! I’m going to send you right now.
l

lemon-spoon-91807

12/03/2018, 11:57 PM
actually... @white-balloon-205 i don't see how this could be a login issue... the pull completed. and to pull you have to login first.
instead of the logs @most-pager-38056 can you send me the actual pulumi code you've written?
also, it would likely be good to have you run that code locally versus on ci/cd, so we can look at the difference in logs
m

most-pager-38056

12/03/2018, 11:57 PM
Yep! I just sent you via DM.
l

lemon-spoon-91807

12/03/2018, 11:57 PM
to see why it succeeds locally for you, but not in github
m

most-pager-38056

12/04/2018, 9:43 PM
Hi! Just sending an update. Github Actions simply doesn’t allow the
docker inspect
command. 😑 I’ve tried to authenticate manually using the Docker Login action before Pulumi and i’ve gotten the following error:
This Docker operation is forbidden by GitHub Actions, you can find documentation at https://developer.github.com/actions/
🤨
I ended up moving to CircleCI. Everything runs perfectly now, thanks! 😅
3 Views