fix: run docker login before service update to distribute registry au… #4489
Draft
guizaodev wants to merge 1 commit into
…th to Swarm worker nodes

Docker Swarm requires credentials to be cached in the daemon's ~/.docker/config.json (via ) to properly distribute them to worker nodes during service updates. The passed through Dockerode's API is sent as the X-Registry-Auth header, but this alone is insufficient for Swarm credential distribution -- the daemon must also have the credentials locally cached.

This mirrors the pattern already used in rollbacks.ts which includes a comment acknowledging this limitation: 'The authconfig in CreateServiceOptions alone is not sufficient -- Docker Swarm also relies on the daemon's cached credentials (~/.docker/config.json) to distribute auth to nodes.'

Without this, deployments to multi-node Swarm clusters fail because worker nodes cannot pull images from private registries, causing containers to accumulate in 'Starting' state as old tasks are never replaced (start-first strategy waits for new tasks to become healthy).
What is this PR about?
Fixes Docker Swarm deployments where containers accumulate in "Starting" state and old containers are never replaced. When deploying applications to multi-node Swarm clusters, worker nodes cannot pull images from private registries (e.g., GHCR) because docker login is never executed on the daemon — only authconfig is passed through the Dockerode API. While authconfig is sent as the X-Registry-Auth header, Docker Swarm also requires the daemon's cached credentials (~/.docker/config.json) to distribute auth to worker nodes, as documented in Docker's --with-registry-auth behavior.
This PR adds a dockerLoginForApplication() call before service.update() / createService() in mechanizeDockerContainer, mirroring the pattern already used in rollbackApplication (rollbacks.ts:208-214), which includes an explicit comment acknowledging this limitation.
Checklist
Before submitting this PR, please make sure that:
canary branch.
Issues related (if applicable)
closes #4232
related #4411
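A preflight check for the precondition this PR describes, written here as an added example and not taken from the PR or its repository: given the parsed contents of `~/.docker/config.json` and an image reference, it reports whether credentials for that image's registry are cached and where they are stored. The names `registryOf`, `normalizeKey`, `cachedCredentialSource` and `sampleConfig` are hypothetical; `auths`, `credsStore` and `credHelpers` are the standard Docker client config keys.

```typescript
// Added example: which credential source does the local Docker client
// config hold for the registry an image is pulled from?
type DockerConfig = {
  auths?: Record<string, { auth?: string }>;
  credsStore?: string;
  credHelpers?: Record<string, string>;
};
type CredSource = "inline" | "store" | "helper" | "none";

const DOCKER_HUB = "index.docker.io";

// Docker treats the first path component of an image reference as a
// registry only if it contains "." or ":" or is "localhost".
function registryOf(image: string): string {
  const slash = image.indexOf("/");
  if (slash === -1) return DOCKER_HUB;
  const first = image.slice(0, slash);
  const isHost = first.includes(".") || first.includes(":") || first === "localhost";
  if (!isHost || first === "docker.io") return DOCKER_HUB;
  return first;
}

// config.json keys are bare hosts or legacy URLs such as
// "https://index.docker.io/v1/"; reduce both to host[:port].
function normalizeKey(key: string): string {
  return key.replace(/^https?:\/\//, "").replace(/\/.*$/, "");
}

function cachedCredentialSource(cfg: DockerConfig, image: string): CredSource {
  const host = registryOf(image);
  const matches = (k: string) => normalizeKey(k) === host;
  if (Object.keys(cfg.credHelpers ?? {}).some(matches)) return "helper";
  const auths = cfg.auths ?? {};
  const key = Object.keys(auths).find(matches);
  if (key === undefined) return "none"; // no login was ever cached for this host
  if (auths[key]?.auth) return "inline"; // base64 user:password, readable from the file
  return cfg.credsStore ? "store" : "none"; // empty marker: secret lives in the store
}

// Constructed sample: config.json after a login to ghcr.io with no credential store.
const sampleConfig: DockerConfig = {
  auths: { "ghcr.io": { auth: "ZXhhbXBsZTpub3QtYS1yZWFsLXRva2Vu" } },
};
console.log(cachedCredentialSource(sampleConfig, "ghcr.io/acme/api:1.2.3")); // inline
```

A result of `inline` means the token sits base64-encoded in the file itself, so the file's ownership and permissions matter on every host where the login is run.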