Docker-swarm automatically pulling missing image from private docker-registry

Question

We have a docker-swarm cluster. The manager node holds the credentials to our private docker registry. When we start new containers on other nodes the image might need be pulled from the private docker registry.

Is there a way to tell the crate container command to pull the image (if not already existent on the node) and to provide it with the credentials?

For example: We want to call the following command from the swarm manager (that has the credentials for the private docker registry):

docker create -e contraint:server==app docker.exampleRegistry.com/path/image:1.0.0

This should pull the image and start a container on another node (labeled app ). The docker registry docker.exampleRegistry.com is private. But we get:

Error response from daemon: unauthorized: authentication required

Answer 1

Got it! The docker cli may not be capable of doing that (neither is our java driver) but the docker remote API can do it using the X-Registry-Auth header to provide the credentials:

curl -v -X POST -H "Content-Type: application/json"\
-H "X-Registry-Auth: <base64ecoded({"username": "string", "password": "string", "email": "string", "serveraddress" : "string", "auth": ""})>"\
-d '{"Image": "docker.exampleRegistry.com/path/image:1.0.0", "Env": ["contraint:server==app"]}'\
https://localhost:2376/containers/create?name=container \
--key path_to_key \
--cacert path_to_ca

https://github.com/docker/docker/blob/master/docs/reference/api/docker_remote_api.md#authentication