Running docker login as another user in Chef


Yesterday I was writing a cookbook, where I needed to log in to GitLab's private registry:

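execute 'log in to the GitLab private registry' do
  # Interpolate the attribute so the key, not the literal text, reaches the shell
  command "docker login -u jamietanna -p #{node['registry_key']} registry.gitlab.com"
  # Keep the command (and the key in it) out of Chef's log output
  sensitive true
  user 'another-user'
  # Only attempt the login when a registry key has been set
  not_if { node['registry_key'].nil? }
end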

I had assumed that this code would work, much like any other execute block, but I was getting the error:

Warning: failed to get default registry endpoint from daemon (Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.35/info: dial unix /var/run/docker.sock: connect: permission denied). Using system default: https://index.docker.io/v1/
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.35/auth: dial unix /var/run/docker.sock: connect: permission denied

This was weird, as running the command interactively as that user worked fine:

$ whoami
staging-jvt-me
$ docker login -u jamietanna -p ${password} registry.gitlab.com
Login Succeeded

As did running it via su:

$ whoami
root
$ su another-user -c 'docker login -u jamietanna -p ${password} registry.gitlab.com'
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded

The short-term fix is to update the execute block to the following:

 execute 'log in to the GitLab private registry' do
-  command "docker login -u jamietanna -p node['registry_key'] registry.gitlab.com"
+  command "su #{spectat.user} -c 'docker login -u jamietanna -p node['registry_key'] registry.gitlab.com'"
   sensitive true
   user 'another-user'
   only_if { node['registry_key'].nil? }
 end
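
Review bot: on the `+` line, `node['registry_key']` sits inside a double-quoted Ruby string without `#{...}`, so the literal text rather than the key is passed to `-p`; it should read `#{node['registry_key']}`. Once it is interpolated, a key containing a single quote or a shell metacharacter would break the `su -c '...'` quoting, and `-p` is the option the `su` run earlier on the page warns about ("Use --password-stdin"), so passing the key on stdin would address both. `spectat.user` is not defined anywhere in the visible lines while `user 'another-user'` is left unchanged, so the account should be named in one place only. The context line `only_if { node['registry_key'].nil? }` runs the login only when no key is set, which looks inverted.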

I've not yet debugged the issue, but it seems that docker login expects some environmental configuration to be set, which isn't performed through an execute block's :user property, but is through running su ... -c.
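
The su output above recommends --password-stdin. The following is an added example, not code from the original post: a plain-Ruby helper of the kind that could live in a cookbook's libraries/ directory, which builds the same su command without the key on the command line and shows the key travelling over stdin unchanged. The names docker_login_command and run_with_secret are hypothetical, and the sample key is constructed.

```ruby
require 'open3'
require 'shellwords'

# Hypothetical helper (not from the post): build the `su USER -c '...'`
# command from the article, using --password-stdin instead of -p so the
# registry key never appears in the command string or the process list.
def docker_login_command(run_as:, username:, registry:)
  inner = ['docker', 'login', '-u', username, '--password-stdin', registry]
  # Shellwords.join escapes every argument, so the inner command survives
  # being passed as the single argument to `su -c`.
  Shellwords.join(['su', run_as, '-c', Shellwords.join(inner)])
end

# Run a command string through sh with the secret supplied on stdin only.
# Returns [combined_output, success?].
def run_with_secret(command, secret)
  output, status = Open3.capture2e('sh', '-c', command, stdin_data: secret)
  [output, status.success?]
end

# Constructed sample values; the key contains quotes and a `$` on purpose,
# the characters that would break `-p` inside `su -c '...'`.
SAMPLE_KEY = %q(s3cr3t 'quoted' $HOME).freeze
LOGIN = docker_login_command(run_as: 'another-user',
                             username: 'jamietanna',
                             registry: 'registry.gitlab.com')

if __FILE__ == $PROGRAM_NAME
  puts LOGIN
  # `cat` stands in for `su ... docker login` so this runs without Docker.
  echoed, ok = run_with_secret('cat', SAMPLE_KEY)
  puts "key reached the child unchanged: #{ok && echoed == SAMPLE_KEY}"
end
```

In a recipe, the returned string can be given to the execute resource's command property and the key to its input property, on Chef versions that provide input.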

Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.