Terraform runs don't execute in Terraform Enterprise

Avatar
Patrick Munne
  • Updated

Problem

Terraform Enterprise runs are not executing and fail with a Docker-related error. The tfe-build-worker container logs show a pull access denied error message.

To confirm the issue, inspect the tfe-build-worker container logs.

$ docker logs tfe-build-worker

The output contains an error similar to the following.

------
> [internal] load metadata for docker.io/library/94818adc3a27:latest:
------
94818adc3a27: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
#3 ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
------

Cause

This error occurs when the Docker Engine version installed on the Terraform Enterprise host is not a supported version. For example, Terraform Enterprise releases older than v202306-1 do not support Docker Engine 23.0 or Docker Engine 24.0.

Check your Docker server version to confirm.

$ docker info | grep "Server Version"

An unsupported version will return output similar to the following.

Server Version: 23.0.0

Solutions

There are two potential solutions. The recommended approach is to use a supported version of Docker Engine.

Solution 1: Use a Supported Docker Engine Version (Recommended)

Downgrade Docker Engine to a version compatible with your Terraform Enterprise release. Refer to the Docker Requirements for Terraform Enterprise documentation for a list of supported versions.

If you are performing a new online installation, the installer script may automatically install an unsupported Docker version. Use the docker-version flag to specify a supported version during installation.

$ ./install.sh docker-version=20.10.17

After downgrading or installing a supported version, verify the version.

$ docker info | grep "Server Version"

The output should show a supported version.

Server Version: 20.10.17

Solution 2: Modify Docker Daemon Configuration (Unsupported Workaround)

Note: This configuration is not officially supported and may cause unexpected behavior. Use this workaround at your own risk.

For Docker Engine 23.0 and newer, you can disable the buildkit feature to restore the previous behavior.

  1. Modify the Docker daemon configuration file at /etc/docker/daemon.json to include the following settings.

    {
  "features": {
    "buildkit": false
  }
}

  2. Restart the required services in the correct order to apply the changes.

    ## Stop the TFE application if it is running.
$ replicatedctl app stop

## Stop Replicated services.
$ sudo systemctl stop replicated replicated-operator replicated-ui

## Stop the Docker service.
$ sudo systemctl stop docker

## Reload the systemd daemon.
$ sudo systemctl daemon-reload

## Start the Docker service.
$ sudo systemctl start docker

## Verify Replicated has started successfully.
$ replicatedctl system status

    The expected output is:

    {
  "Replicated": "ready",
  "Retraced": "ready"
}

  3. Start the Terraform Enterprise application.

    $ replicatedctl app start

Additional Information

Articles in this section

See more

Related articles