Re: [HTCondor-users] Docker Universe V24 Changes.

[Dudu Handelman <duduhandelman@xxxxxxxxxxx>]

Thanks Greg,

Maybe it will work out of the box. Now that I'm familiar with "docker_send_credentials = true".

My current script is getting few arguments 

Imagename, username,  password

For example,  "imagename = private-registry.local/ubuntu:focal" 

The script have a list of registries. 

Server1

Server2

Server3

,,,, 

,,,, 

It will choose a random registry login to that registry and pull the image. 

 It will tag the image  to the original imagename. 

The script provides retries on case of a failure. 

So first I will test the knob and update you with the results. 

Thanks 

David 

Get Outlook for Android

---

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Greg Thain via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Sent: Monday, September 8, 2025 8:51:40 PM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Cc: Greg Thain <gthain@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Docker Universe V24 Changes.

 

On 9/3/25 09:32, Dudu Handelman wrote:

Hi all,

I’m testing a migration from 23.x to 24 and noticed a change in the Docker universe.

Background

• We use a private, read-only Docker registry served by multiple mirrors.
• Image pulls go through our custom pre-script, which handles authentication and load balancing across those mirrors.

In v24, I see a condor pull -q {imageName} step (apparently to verify the image exists). In our setup, this fails because it doesn’t authenticate to the registry, and the job is then held. I haven’t found a knob to disable this pre-check; ideally it would respect docker_pull_policy.

Is there a setting or another way to disable this verification step—without adding a wrapper?

Hi David:

There's no knob to turn off this, but this was added in support of "docker_send_credentials = true", to have first class support for authenticated docker images.  Is there a way we can make this work for you without your custom pre-script?

-greg