GHCR: Can't use Pass Credential Helper in Swarm

I’m trying to switch our on-premise Docker swarm images from Azure Container Registry to GitHub Container Registry. This swarm is using the docker pass credential helper, set up this way: https://geoffhudik.com/tech/2020/09/15/docker-pass-credential-helper-on-ubuntu/. That worked against Azure Container Registry images.

I logged out of the old ACR registry and logged in successfully on the manager to GHCR with the pass cred helper installed.

Initially I ran into this issue when deploying the stack against GHCR (could not be accessed on a registry to record its digest.): https://github.com/moby/moby/issues/34153#issuecomment-634923322 which mentions:

that’s a known issue with GitHub’s registry. The GitHub image registry currently isn’t compliant with the registry specification and doesn’t implement all options, see containerd/containerd#3291 (comment)

After that, I dropped the old stack and re-deployed the new stack, which resulted in No such image: ghcr.io/my-org/my-image:label when the workers try to pull from GHCR.

Each time the stack is deployed using --with-registry-auth. At times I’ve also tried to force things with docker service update my_service --with-registry-auth --replicas 2.

It’s the same issue trying to docker pull the image directly on the swarm manager with the pass cred helper set up.

I’m able to pull the image from a machine outside the swarm (not using a cred helper) after logging in using the same credentials.

I’m also able to remove the credential helper on the swarm manager, log in to the registry again, and Swarm nodes are able to pull from GHCR.

Is there something specific to GHCR where it won’t support use of the pass cred helper?

I’ll try to investigate this. We have seen a number of issues when the protocol isn’t given. So the command docker login ghcr.io isn’t the same as docker login https://ghcr.io because the credential manager sees those as different services. Can you try logging into both options?
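To check the point raised in the reply above, that the credential store may hold `ghcr.io` and `https://ghcr.io` as separate entries, this added example (not part of the original thread) compares the `credsStore`/`credHelpers` settings in `config.json` with the server URLs a credential helper reports from its `list` command. The sample config, the sample helper output and the function names are constructed for illustration.

```python
import json

# Constructed sample of ~/.docker/config.json on the swarm manager (not from the thread).
SAMPLE_CONFIG = json.loads("""
{
  "auths": {"ghcr.io": {}},
  "credsStore": "pass"
}
""")

# Constructed sample of `docker-credential-pass list` output: server URL -> username.
SAMPLE_HELPER_LIST = json.loads("""
{
  "https://ghcr.io": "my-user",
  "myregistry.azurecr.io": "svc-account"
}
""")


def helper_for(config, registry):
    """Name of the docker-credential-* binary configured for `registry`, or None."""
    per_registry = config.get("credHelpers", {})
    suffix = per_registry.get(registry) or config.get("credsStore")
    return f"docker-credential-{suffix}" if suffix else None


def host_of(server_url):
    """Reduce 'https://ghcr.io/v2/' or 'ghcr.io' to the bare lower-case host."""
    return server_url.split("://", 1)[-1].split("/", 1)[0].lower()


def diagnose(config, helper_list, registry):
    """Report how `registry` is keyed in config.json and in the helper's store."""
    stored = sorted(k for k in helper_list if host_of(k) == registry.lower())
    entry = config.get("auths", {}).get(registry, {})
    return {
        "helper": helper_for(config, registry),
        "stored_keys": stored,                      # every spelling the helper holds
        "exact_key_present": registry in helper_list,
        "inline_auth_in_config": "auth" in entry,   # base64 creds kept in config.json
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_CONFIG, SAMPLE_HELPER_LIST, "ghcr.io"), indent=2))
```

On a real node, pass in the parsed `~/.docker/config.json` and the JSON printed by `docker-credential-pass list` in place of the constructed samples.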

Thanks @clarkbw. I tried logging out, logging in over https, redeploying the stack with auth but the result was the same.

I don’t recall having to log in with HTTPS when doing this with ACR but I’m not positive.

Is it a private repo owned by accounts using legacy per-repository plans?

It seems you cannot use GitHub Container Registry in private repos:

GitHub Packages is not available for private repositories owned by accounts using legacy per-repository plans. Also, accounts using legacy per-repository plans cannot access GitHub Container Registry since these accounts are billed by repository. For more information, see “GitHub’s products.”

See https://docs.github.com/en/packages/managing-container-images-with-github-container-registry/configuring-access-control-and-visibility-for-container-images

GHCR is publishing into an organization. Being a private repo doesn’t affect the ability to publish as long as the organization isn’t on a legacy billing plan. GitHub internally and other users have many private repos that publish private container images without a problem.

1 Like