Hi! I'm having a problem similar to https://pantsbuild.slack.com/archives/C046T6T9U/p1673569181883479. In GitHub Actions, I can successfully log in to Azure Container Registry, then do

docker pull

. But if

pants test

(version 2.15.0rc2) tries to do the same, it results in:

Exception: Failed to pull image `***<http://registry.azurecr.io/runner/ubuntu20_***|registry.azurecr.io/runner/ubuntu20_***>`: Failed to pull Docker image `***<http://registry.azurecr.io/runner/ubuntu20_***|registry.azurecr.io/runner/ubuntu20_***>`: DockerResponseServerError { status_code: 500, message: "Get \"[https://***<http://registry.azurecr.io/v2/runner/ubuntu20_***/tags/list\|registry.azurecr.io/v2/runner/ubuntu20_***/tags/list\>](https://***<http://registry.azurecr.io/v2/runner/ubuntu20_***/tags/list/|registry.azurecr.io/v2/runner/ubuntu20_***/tags/list/>)": unauthorized: authentication required, visit <https://aka.ms/acr/authorization> for more information." }

I can see that the ACR login steps yields this:

DOCKER_CONFIG=/home/runner/work/_temp/docker_login_1675410905572

I have tried with:

[docker]
build_args = ["GIT_SHA"]
env_vars = ["DOCKER_CONFIG"]

[test]
extra_env_vars = ["DOCKER_CONFIG"]

as well as without the

env_vars

and

extra_env_vars

above, but it fails either way.

Hi Tor, So what docker credentials plugin is being used. Is that available on the hermetic PATH provided by Pants?

Hi! I’ve used this GitHub Actions step:

- name: Login to ACR
        uses: azure/docker-login@v1
        with:
          login-server: *****<http://registry.azurecr.io|registry.azurecr.io>
          username: ${{ secrets.SP_ACR_PULL_ID }}
          password: ${{ secrets.SP_ACR_PULL_PASSWORD }}

This yields a

DOCKER_CONFIG

, which makes sure that a step like this is successful:

- name: Test pulling from ACR
        run: docker pull *****<http://registry.azurecr.io/runner/ubuntu20_*****|registry.azurecr.io/runner/ubuntu20_*****>

huh, yea that seems like it should be enough to just forward the

DOCKER_CONFIG

env var in that case, fwict from the action. 🤔

Yes, this is

pants test

asking for an image that is defined like this:

docker_environment(
    name="docker-env-ubuntu20-*****",
    platform="linux_x86_64",
    image="*****<http://registry.azurecr.io/runner/ubuntu20_*****|registry.azurecr.io/runner/ubuntu20_*****>",
    python_bootstrap_search_path=["<PATH>"],
)

ok, in that case, the

[docker]

config section doesn’t apply, I think.. sorry for the confusion.

So I added this:

docker_environment(
    name="docker-env-ubuntu20-*****",
    platform="linux_x86_64",
    image="*****<http://registry.azurecr.io/runner/ubuntu20_*****|registry.azurecr.io/runner/ubuntu20_*****>",
    python_bootstrap_search_path=["<PATH>"],
    docker_env_vars=["DOCKER_CONFIG"],
)

Unfortunately, it didn’t help.

yea, you shouldn’t read too much into that, as that was for publishing an image, i.e. using a

docker_image

target.. so it’s completely different implementations between these two targets, as

docker_environment

is implemented in the Pants’s rust engine talking directly with the Docker daemon API (using some rust crate for it), where as

docker_image

is a backend plugin written in Python shell-ing out to the

docker

CLI client.

I actually did originally have it on

docker_environment

as well, but took it out when testing taking it out from those two others.

can you file as issue describing the setup for this one? sorry for the trouble.

Ok: https://github.com/pantsbuild/pants/issues/18187

@curved-television-6568: if you wouldn’t mind commenting on that issue with an explanation of how auth like this works in the docker plugin, i can take a stab at porting it to the environments backend

@witty-crayon-22786 there’s nothing special in the docker plugin wrgt auth, only the generic env support.

ok: so folks explicitly configure the env var to pass through, got it.