terraform-provider-docker/website/docs/index.html.markdown

---
layout: "docker"
page_title: "Provider: Docker"
sidebar_current: "docs-docker-index"
description: |-
  The Docker provider is used to interact with Docker containers and images.
---

# Docker Provider

The Docker provider is used to interact with Docker containers and images.
It uses the Docker API to manage the lifecycle of Docker containers. Because
the Docker provider uses the Docker API, it is immediately compatible not
only with single server Docker but Swarm and any additional Docker-compatible
API hosts.

Use the navigation to the left to read about the available resources.

## Example Usage

```hcl
# Configure the Docker provider
provider "docker" {
  host = "tcp://127.0.0.1:2376/"
}

# Create a container
resource "docker_container" "foo" {
  image = "${docker_image.ubuntu.latest}"
  name  = "foo"
}

resource "docker_image" "ubuntu" {
  name = "ubuntu:latest"
}
```

-> **Note**
You can also use the `ssh` protocol to connect to the docker host on a remote machine.
The configuration would look as follows:

```hcl
provider "docker" {
  host = "ssh://user@remote-host:22"
}
```

## Registry Credentials

Registry credentials can be provided on a per-registry basis with the `registry_auth`
field, passing either a config file or the username/password directly.

-> **Note**
The location of the config file is on the machine terraform runs on, nevertheless if the specified docker host is on another machine.

``` hcl
provider "docker" {
  host = "tcp://localhost:2376"

  registry_auth {
    address = "registry.hub.docker.com"
    config_file = "${pathexpand("~/.docker/config.json")}"
  }

  registry_auth {
    address = "quay.io:8181"
    username = "someuser"
    password = "somepass"
  }
}

data "docker_registry_image" "quay" {
  name = "myorg/privateimage"
}

data "docker_registry_image" "quay" {
  name = "quay.io:8181/myorg/privateimage"
}
```

-> **Note**
When passing in a config file either the corresponding `auth` string of the repository is read or the os specific
credential helpers (see [here](https://github.com/docker/docker-credential-helpers#available-programs)) are
used to retrieve the authentication credentials.

You can still use the enviroment variables `DOCKER_REGISTRY_USER` and `DOCKER_REGISTRY_PASS`.

An example content of the file `~/.docker/config.json` on OSX may look like follows:

```json
{
	"auths": {
		"repo.mycompany:8181": {
			"auth": "dXNlcjpwYXNz="
		},
		"otherrepo.other-company:8181": {

		}
	},
  "credsStore" : "osxkeychain"
}
```

## Certificate information

Specify certificate information either with a directory or
directly with the content of the files for connecting to the Docker host via TLS.

```hcl
provider "docker" {
  host    = "tcp://your-host-ip:2376/"

  # -> specify either
  cert_path = "${pathexpand("~/.docker")}"

  # -> or the following
  ca_material = "${file(pathexpand("~/.docker/ca.pem"))}" # this can be omitted
  cert_material = "${file(pathexpand("~/.docker/cert.pem"))}"
  key_material = "${file(pathexpand("~/.docker/key.pem"))}"
}
```

## Argument Reference

The following arguments are supported:

* `host` - (Required) This is the address to the Docker host. If this is
  blank, the `DOCKER_HOST` environment variable will also be read.

* `cert_path` - (Optional) Path to a directory with certificate information
  for connecting to the Docker host via TLS. It is expected that the 3 files `{ca, cert, key}.pem` 
  are present in the path. If the path is blank, the `DOCKER_CERT_PATH` will also be checked.

* `ca_material`, `cert_material`, `key_material`, - (Optional) Content of `ca.pem`, `cert.pem`, and `key.pem` files
  for TLS authentication. Cannot be used together with `cert_path`. If `ca_material` is omitted
  the client does not check the servers certificate chain and host name.

* `registry_auth` - (Optional) A block specifying the credentials for a target
  v2 Docker registry.
   
  * `address` - (Required) The address of the registry.
 
  * `username` - (Optional) The username to use for authenticating to the registry.
  Cannot be used with the `config_file` option. If this is blank, the `DOCKER_REGISTRY_USER`
  will also be checked.
 
  * `password` - (Optional) The password to use for authenticating to the registry.
  Cannot be used with the `config_file` option. If this is blank, the `DOCKER_REGISTRY_PASS`
  will also be checked.
 
  * `config_file` - (Optional) The path to a config file containing credentials for
  authenticating to the registry. Cannot be used with the `username`/`password` options.
  If this is blank, the `DOCKER_CONFIG` will also be checked.
 
 

~> **NOTE on Certificates and `docker-machine`:**  As per [Docker Remote API
documentation](https://docs.docker.com/engine/reference/api/docker_remote_api/),
in any docker-machine environment, the Docker daemon uses an encrypted TCP
socket (TLS) and requires `cert_path` for a successful connection. As an alternative,
if using `docker-machine`, run `eval $(docker-machine env <machine-name>)` prior
to running Terraform, and the host and certificate path will be extracted from
the environment.
website: docker docs 2015-03-28 22:05:17 -04:00			`---`
			`layout: "docker"`
			`page_title: "Provider: Docker"`
			`sidebar_current: "docs-docker-index"`
			`description: \|-`
			`The Docker provider is used to interact with Docker containers and images.`
			`---`

			`# Docker Provider`

			`The Docker provider is used to interact with Docker containers and images.`
			`It uses the Docker API to manage the lifecycle of Docker containers. Because`
Fix(docs) Correct spelling error in Docker documentation 2015-04-02 11:43:40 -04:00			`the Docker provider uses the Docker API, it is immediately compatible not`
website: docker docs 2015-03-28 22:05:17 -04:00			`only with single server Docker but Swarm and any additional Docker-compatible`
			`API hosts.`

			`Use the navigation to the left to read about the available resources.`

			`## Example Usage`

Massively add HCL source tag in docs Markdown files Signed-off-by: Max Riveiro <kavu13@gmail.com> 2017-04-17 06:17:54 -04:00			```hcl
website: docker docs 2015-03-28 22:05:17 -04:00			`# Configure the Docker provider`
			`provider "docker" {`
website/docs: Run `terraform fmt` on code examples (#12075) * docs/vsphere: Fix code block * docs: Convert `...` to `# ...` to allow `terraform fmt`ing * docs: Trim trailing whitespace * docs: First-pass run of `terraform fmt` on code examples 2017-02-18 17:48:50 -05:00			`host = "tcp://127.0.0.1:2376/"`
website: docker docs 2015-03-28 22:05:17 -04:00			`}`

			`# Create a container`
			`resource "docker_container" "foo" {`
website/docs: Run `terraform fmt` on code examples (#12075) * docs/vsphere: Fix code block * docs: Convert `...` to `# ...` to allow `terraform fmt`ing * docs: Trim trailing whitespace * docs: First-pass run of `terraform fmt` on code examples 2017-02-18 17:48:50 -05:00			`image = "${docker_image.ubuntu.latest}"`
			`name = "foo"`
website: docker docs 2015-03-28 22:05:17 -04:00			`}`

			`resource "docker_image" "ubuntu" {`
website/docs: Run `terraform fmt` on code examples (#12075) * docs/vsphere: Fix code block * docs: Convert `...` to `# ...` to allow `terraform fmt`ing * docs: Trim trailing whitespace * docs: First-pass run of `terraform fmt` on code examples 2017-02-18 17:48:50 -05:00			`name = "ubuntu:latest"`
website: docker docs 2015-03-28 22:05:17 -04:00			`}`
			```

Updates the docs (#165). Closes #158 * updates the docs due to the changes of #147 * adds documentation for the ssh usage option of #153 * updates docs for usage of the os credentials helpers * adds pathexpand for config_file in docs 2019-07-17 13:02:02 -04:00			`-> Note`
			You can also use the `ssh` protocol to connect to the docker host on a remote machine.
			`The configuration would look as follows:`

			```hcl
			`provider "docker" {`
			`host = "ssh://user@remote-host:22"`
			`}`
			```

docker/docs: Document new data source + limitations (#7814) 2016-07-26 12:07:35 -04:00			`## Registry Credentials`

Feat/private registry support (#21) * Add support for private registry auth. Adapted documentation and tests. * Clarified README. 2017-11-21 04:14:07 -05:00			Registry credentials can be provided on a per-registry basis with the `registry_auth`
			`field, passing either a config file or the username/password directly.`

Fixes layout and notes in docs. (#26) * Fixed layout in the documentation. * Remove notes that only the public registry is supported. * Added description for environment variables for docker registry authentication. 2017-12-06 16:05:36 -05:00			`-> Note`
			`The location of the config file is on the machine terraform runs on, nevertheless if the specified docker host is on another machine.`

Feat/private registry support (#21) * Add support for private registry auth. Adapted documentation and tests. * Clarified README. 2017-11-21 04:14:07 -05:00			``` hcl
			`provider "docker" {`
			`host = "tcp://localhost:2376"`

			`registry_auth {`
			`address = "registry.hub.docker.com"`
Updates the docs (#165). Closes #158 * updates the docs due to the changes of #147 * adds documentation for the ssh usage option of #153 * updates docs for usage of the os credentials helpers * adds pathexpand for config_file in docs 2019-07-17 13:02:02 -04:00			`config_file = "${pathexpand("~/.docker/config.json")}"`
Feat/private registry support (#21) * Add support for private registry auth. Adapted documentation and tests. * Clarified README. 2017-11-21 04:14:07 -05:00			`}`

			`registry_auth {`
			`address = "quay.io:8181"`
			`username = "someuser"`
			`password = "somepass"`
			`}`
			`}`

			`data "docker_registry_image" "quay" {`
			`name = "myorg/privateimage"`
			`}`

			`data "docker_registry_image" "quay" {`
			`name = "quay.io:8181/myorg/privateimage"`
			`}`
			```

Fixes layout and notes in docs. (#26) * Fixed layout in the documentation. * Remove notes that only the public registry is supported. * Added description for environment variables for docker registry authentication. 2017-12-06 16:05:36 -05:00			`-> Note`
Updates the docs (#165). Closes #158 * updates the docs due to the changes of #147 * adds documentation for the ssh usage option of #153 * updates docs for usage of the os credentials helpers * adds pathexpand for config_file in docs 2019-07-17 13:02:02 -04:00			When passing in a config file either the corresponding `auth` string of the repository is read or the os specific
			`credential helpers (see [here](https://github.com/docker/docker-credential-helpers#available-programs)) are`
			`used to retrieve the authentication credentials.`
Fixes layout and notes in docs. (#26) * Fixed layout in the documentation. * Remove notes that only the public registry is supported. * Added description for environment variables for docker registry authentication. 2017-12-06 16:05:36 -05:00
Updates the docs (#165). Closes #158 * updates the docs due to the changes of #147 * adds documentation for the ssh usage option of #153 * updates docs for usage of the os credentials helpers * adds pathexpand for config_file in docs 2019-07-17 13:02:02 -04:00			You can still use the enviroment variables `DOCKER_REGISTRY_USER` and `DOCKER_REGISTRY_PASS`.
Fixes layout and notes in docs. (#26) * Fixed layout in the documentation. * Remove notes that only the public registry is supported. * Added description for environment variables for docker registry authentication. 2017-12-06 16:05:36 -05:00
Updates the docs (#165). Closes #158 * updates the docs due to the changes of #147 * adds documentation for the ssh usage option of #153 * updates docs for usage of the os credentials helpers * adds pathexpand for config_file in docs 2019-07-17 13:02:02 -04:00			An example content of the file `~/.docker/config.json` on OSX may look like follows:
Feat/private registry support (#21) * Add support for private registry auth. Adapted documentation and tests. * Clarified README. 2017-11-21 04:14:07 -05:00
			```json
			`{`
			`"auths": {`
			`"repo.mycompany:8181": {`
			`"auth": "dXNlcjpwYXNz="`
Updates the docs (#165). Closes #158 * updates the docs due to the changes of #147 * adds documentation for the ssh usage option of #153 * updates docs for usage of the os credentials helpers * adds pathexpand for config_file in docs 2019-07-17 13:02:02 -04:00			`},`
			`"otherrepo.other-company:8181": {`

Feat/private registry support (#21) * Add support for private registry auth. Adapted documentation and tests. * Clarified README. 2017-11-21 04:14:07 -05:00			`}`
Updates the docs (#165). Closes #158 * updates the docs due to the changes of #147 * adds documentation for the ssh usage option of #153 * updates docs for usage of the os credentials helpers * adds pathexpand for config_file in docs 2019-07-17 13:02:02 -04:00			`},`
			`"credsStore" : "osxkeychain"`
Feat/private registry support (#21) * Add support for private registry auth. Adapted documentation and tests. * Clarified README. 2017-11-21 04:14:07 -05:00			`}`
			```
docker/docs: Document new data source + limitations (#7814) 2016-07-26 12:07:35 -04:00
Fix/cert material (#91) * Fixes connection via TLS to docker host with file contents. Closes #86 * Fixes skip of TLS verification if ca_material is not present. Closes #14 2018-09-26 12:27:04 -04:00			`## Certificate information`

			`Specify certificate information either with a directory or`
			`directly with the content of the files for connecting to the Docker host via TLS.`

			```hcl
			`provider "docker" {`
			`host = "tcp://your-host-ip:2376/"`

			`# -> specify either`
			`cert_path = "${pathexpand("~/.docker")}"`

			`# -> or the following`
			`ca_material = "${file(pathexpand("~/.docker/ca.pem"))}" # this can be omitted`
			`cert_material = "${file(pathexpand("~/.docker/cert.pem"))}"`
			`key_material = "${file(pathexpand("~/.docker/key.pem"))}"`
			`}`
			```

website: docker docs 2015-03-28 22:05:17 -04:00			`## Argument Reference`

			`The following arguments are supported:`

			* `host` - (Required) This is the address to the Docker host. If this is
			blank, the `DOCKER_HOST` environment variable will also be read.

			* `cert_path` - (Optional) Path to a directory with certificate information
Fix/cert material (#91) * Fixes connection via TLS to docker host with file contents. Closes #86 * Fixes skip of TLS verification if ca_material is not present. Closes #14 2018-09-26 12:27:04 -04:00			for connecting to the Docker host via TLS. It is expected that the 3 files `{ca, cert, key}.pem`
			are present in the path. If the path is blank, the `DOCKER_CERT_PATH` will also be checked.
Update index.html.markdown Add note to reinforce the need for cert_path on any docker-machine based Docker environment. 2016-09-20 14:52:40 -04:00
provider/docker: authentication via values instead of files (#10151) * Docker authentication via values * Rename parameters to ca_material, cert_material, and key_material. Add environment variables. 2016-11-22 07:18:09 -05:00			* `ca_material`, `cert_material`, `key_material`, - (Optional) Content of `ca.pem`, `cert.pem`, and `key.pem` files
Fix/cert material (#91) * Fixes connection via TLS to docker host with file contents. Closes #86 * Fixes skip of TLS verification if ca_material is not present. Closes #14 2018-09-26 12:27:04 -04:00			for TLS authentication. Cannot be used together with `cert_path`. If `ca_material` is omitted
			`the client does not check the servers certificate chain and host name.`
provider/docker: authentication via values instead of files (#10151) * Docker authentication via values * Rename parameters to ca_material, cert_material, and key_material. Add environment variables. 2016-11-22 07:18:09 -05:00
Feat/private registry support (#21) * Add support for private registry auth. Adapted documentation and tests. * Clarified README. 2017-11-21 04:14:07 -05:00			* `registry_auth` - (Optional) A block specifying the credentials for a target
			`v2 Docker registry.`

			* `address` - (Required) The address of the registry.

			* `username` - (Optional) The username to use for authenticating to the registry.
			Cannot be used with the `config_file` option. If this is blank, the `DOCKER_REGISTRY_USER`
			`will also be checked.`

			* `password` - (Optional) The password to use for authenticating to the registry.
			Cannot be used with the `config_file` option. If this is blank, the `DOCKER_REGISTRY_PASS`
			`will also be checked.`

			* `config_file` - (Optional) The path to a config file containing credentials for
			authenticating to the registry. Cannot be used with the `username`/`password` options.
			If this is blank, the `DOCKER_CONFIG` will also be checked.



provider/docker: Add alternative to cert_path Add a note about using `eval $(docker-machine env)` when using Docker Machine to avoid having to hard code a certificate path. 2016-09-21 04:30:50 -04:00			~> NOTE on Certificates and `docker-machine`: As per [Docker Remote API
			`documentation](https://docs.docker.com/engine/reference/api/docker_remote_api/),`
			`in any docker-machine environment, the Docker daemon uses an encrypted TCP`
			socket (TLS) and requires `cert_path` for a successful connection. As an alternative,
			if using `docker-machine`, run `eval $(docker-machine env <machine-name>)` prior
			`to running Terraform, and the host and certificate path will be extracted from`
			`the environment.`