Issue with Docker update module and AWS ECR credential helper

Hello,

I am trying to manage a docker image hosted on AWS Elastic Container Registry using the docker update module.

AWS ECR uses AWS ECR Credential Helper to manage authentication.

Everything works great until the ArtifactInstall phase when the docker daemon errors out unauthorized, as it would if the cred helper was not installed or the pull was attempted for some other private repo.

I’m able to pull the image listed in the mender artifact manifest without issue, and there’s only a root user configured on this install (aws cred store is configured for the user running mender daemon).

Is there maybe an environment issue I’m missing here? Thanks!

Is there maybe some environment variable setup or some such you need to access the credential helper?

The binary just needs to be available on the path, /usr/sbin in my case.

After that, credential helpers for docker are defined in ~/.docker/config.json:

{
        "credHelpers": {
                "reponumber.ecr.us-east-1.amazonaws.com": "ecr-login"
        }
}

Which should look for docker-credential-ecr-login on the path when dealing with reponumber.ecr.us-east-1.amazonaws.com. The ecr helper looks for some config in ~/.aws, specifically a region and set of creds.

@Alan @lramirez any ideas?

Turns out the HOME env variable when running the update module was set to /root, a nonexistent directory on my install. Correcting it to /home/root brought things in line.

Not sure if there’s some logic behind this but it feels like a bug? Maybe HOME should either be inherited or match the user running mender daemon.

That’s interesting. I definitely think it can be fixed. @Alan do you want to take a look?

Any update on this? It still seems to be an issue. I had to do:

ln -s /home/root /root

To get the docker update module to work.