---
layout: "docker"
page_title: "Provider: Docker"
sidebar_current: "docs-docker-index"
description: |-
  The Docker provider is used to interact with Docker containers and images.
---
# Docker Provider
The Docker provider is used to interact with Docker containers and images.
It uses the Docker API to manage the lifecycle of Docker containers. Because
the Docker provider uses the Docker API, it is immediately compatible not
only with single-server Docker but also with Swarm and any additional
Docker-compatible API hosts.
Use the navigation to the left to read about the available resources.
## Example Usage
```hcl
# Configure the Docker provider
provider "docker" {
  host = "tcp://127.0.0.1:2376/"
}

# Create a container
resource "docker_container" "foo" {
  image = "${docker_image.ubuntu.latest}"
  name  = "foo"
}

resource "docker_image" "ubuntu" {
  name = "ubuntu:latest"
}
```
## Registry Credentials
Registry credentials can be provided on a per-registry basis with the `registry_auth`
field, passing either a config file or the username/password directly.
-> **Note**
The config file is read from the machine Terraform runs on, even if the specified Docker host is on another machine.
```hcl
provider "docker" {
  host = "tcp://localhost:2376"

  # Credentials taken from a Docker config file
  registry_auth {
    address     = "registry.hub.docker.com"
    config_file = "~/.docker/config.json"
  }

  # Credentials passed directly
  registry_auth {
    address  = "quay.io:8181"
    username = "someuser"
    password = "somepass"
  }
}

# Image on Docker Hub (data source names must be unique within a module)
data "docker_registry_image" "dockerhub" {
  name = "myorg/privateimage"
}

# Image on the quay.io:8181 registry
data "docker_registry_image" "quay" {
  name = "quay.io:8181/myorg/privateimage"
}
```
-> **Note**
When passing in a config file, make sure every repo in the `auths` object has
a corresponding `auth` string.

If an entry lacks one, either use `username` and `password` directly, set the environment variables `DOCKER_REGISTRY_USER` and `DOCKER_REGISTRY_PASS`, or add the string manually via
```sh
echo -n "user:pass" | base64
# dXNlcjpwYXNz
```
and paste it into `~/.docker/config.json`:
```json
{
  "auths": {
    "repo.mycompany:8181": {
      "auth": "dXNlcjpwYXNz"
    }
  }
}
```
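
A pre-flight check for the note above, as an added example that is not part of the provider or its documentation: it reads a `config.json`-shaped document and reports every `auths` entry that lacks an `auth` string or whose `auth` does not decode to `user:pass`. The function name `check_auths` and the sample registries are assumptions made for illustration.

```python
import base64
import json

# Constructed sample in the shape of ~/.docker/config.json; every value is a placeholder.
SAMPLE_CONFIG = """
{
  "auths": {
    "repo.mycompany:8181":     {"auth": "dXNlcjpwYXNz"},
    "quay.io:8181":            {},
    "registry.example.test":   {"auth": "dXNlcjpwYXNz="},
    "registry2.example.test":  {"auth": "bm9jb2xvbg=="}
  }
}
"""


def check_auths(config_text):
    """Return {registry: problem} for each `auths` entry without a usable `auth`.

    An empty dict means every registry has an `auth` string that decodes to
    user:pass. Decoded credentials are never returned or printed.
    """
    problems = {}
    for registry, entry in json.loads(config_text).get("auths", {}).items():
        auth = entry.get("auth")
        if not auth:
            # Typical when a credential helper holds the secret outside the file.
            problems[registry] = "missing auth string"
            continue
        try:
            raw = base64.b64decode(auth, validate=True)
            # Re-encode to catch stray padding that lenient decoders accept.
            if base64.b64encode(raw).decode("ascii") != auth:
                raise ValueError("non-canonical base64")
            user, sep, password = raw.decode("utf-8").partition(":")
        except ValueError:
            problems[registry] = "auth is not canonical base64"
            continue
        if not (user and sep and password):
            problems[registry] = "auth does not decode to user:pass"
    return problems


if __name__ == "__main__":
    for registry, problem in sorted(check_auths(SAMPLE_CONFIG).items()):
        print(f"{registry}: {problem}")
```

Running it against the real file before `terraform plan` shows which registries need `username`/`password` or the environment variables instead.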
## Certificate information
Specify certificate information either with a directory or
directly with the content of the files for connecting to the Docker host via TLS.
```hcl
provider "docker" {
  host = "tcp://your-host-ip:2376/"

  # -> specify either
  cert_path = "${pathexpand("~/.docker")}"

  # -> or the following
  ca_material   = "${file(pathexpand("~/.docker/ca.pem"))}" # this can be omitted, but then the server certificate is not checked
  cert_material = "${file(pathexpand("~/.docker/cert.pem"))}"
  key_material  = "${file(pathexpand("~/.docker/key.pem"))}"
}
```
## Argument Reference
The following arguments are supported:
* `host` - (Required) This is the address to the Docker host. If this is
blank, the `DOCKER_HOST` environment variable will also be read.
* `cert_path` - (Optional) Path to a directory with certificate information
  for connecting to the Docker host via TLS. It is expected that the 3 files `{ca, cert, key}.pem`
  are present in the path. If the path is blank, the `DOCKER_CERT_PATH` environment variable will also be checked.
* `ca_material`, `cert_material`, `key_material` - (Optional) Content of the `ca.pem`, `cert.pem`, and `key.pem` files
  for TLS authentication. Cannot be used together with `cert_path`. If `ca_material` is omitted,
  the client does not check the server's certificate chain and host name.
* `registry_auth` - (Optional) A block specifying the credentials for a target
  v2 Docker registry.
  * `address` - (Required) The address of the registry.
  * `username` - (Optional) The username to use for authenticating to the registry.
    Cannot be used with the `config_file` option. If this is blank, the `DOCKER_REGISTRY_USER`
    environment variable will also be checked.
  * `password` - (Optional) The password to use for authenticating to the registry.
    Cannot be used with the `config_file` option. If this is blank, the `DOCKER_REGISTRY_PASS`
    environment variable will also be checked.
  * `config_file` - (Optional) The path to a config file containing credentials for
    authenticating to the registry. Cannot be used with the `username`/`password` options.
    If this is blank, the `DOCKER_CONFIG` environment variable will also be checked.

~> **NOTE on Certificates and `docker-machine`:** As per [Docker Remote API
documentation](https://docs.docker.com/engine/reference/api/docker_remote_api/),
in any docker-machine environment, the Docker daemon uses an encrypted TCP
socket (TLS) and requires `cert_path` for a successful connection. As an alternative,
if using `docker-machine`, run `eval $(docker-machine env <machine-name>)` prior
to running Terraform, and the host and certificate path will be extracted from
the environment.