Push to private registry
I am using the rootless docker image (moby/buildkit:rootless v0.16.0), and I am trying to build and push an image to a private registry that uses http and has a self-signed certificate.
I have tried multiple solutions that I have found a bit everywhere, including:
- adding a buildkitd.toml to ~/.config/buildkit with:

    debug = true
    insecure-entitlements = [ "network.host", "security.insecure" ]
    [registry."my-repo:80"]
    http = true
    insecure = true
    ca = ["/home/user/self-signed-cert.crt"]

  I have tried with and without the port in the URL, with and without the certificate, and with and without the insecure-entitlements.
- adding the same content in the same location but inside a file called config.toml
- passing the flag --registry-auth-tlscontext host=http://my-repo,insecure=true,ca=/home/user/self-signed-cert.crt
- trying the flag --config, but it does not exist anymore, apparently
- passing the argument registry.insecure:

    --output type=image,name=my-repo/name/image:0.0.1,push=true,registry.insecure=true
In the end, I think that the configuration is simply ignored, as I always get (except for the config flag):

    error: failed to solve: failed to push my-repo/name/image:0.0.1: failed to do request: Head "https://my-repo/v2/name/image/blobs/sha256:etc": tls: failed to verify certificate: x509: certificate signed by unknown authority

Notice that the error mentions https and not http; that's why I think my configuration is ignored.
The command I pass is (plus the various options I mentioned above):
    buildctl build \
      --frontend=dockerfile.v0 \
      --local context=. \
      --local dockerfile=. \
      --opt build-arg:http_proxy=${http_proxy} \
      --opt build-arg:https_proxy=${https_proxy} \
      --opt build-arg:HTTP_PROXY=${HTTP_PROXY} \
      --opt build-arg:HTTPS_PROXY=${HTTPS_PROXY} \
      --opt build-arg:no_proxy=${no_proxy} \
      --opt build-arg:NO_PROXY=${NO_PROXY} \
      --output type=image,name=my-repo/name/image:0.0.1,push=true,registry.insecure=true
Do you have any suggestion?
> http and has a self-signed certificate.
That is not a realistic combination. If you are using HTTP then there is no certificate. If you have a self-signed certificate then you are using HTTPS.
Thank you for your reply @tonistiigi , sorry my bad, I tried so many combinations that I was lost at a certain point.
I tried again with:

    debug = true
    [registry."my-repo:80"]
    http = true

and with:

    debug = true
    insecure-entitlements = [ "network.host", "security.insecure" ]
    [registry."my-repo"]
    insecure = true
    ca = ["/home/user/self-signed-cert.crt"]
and I got in both:

    error: failed to solve: failed to push my-repo/name/image:0.0.1: failed to do request: Head "https://my-repo/v2/name/image/blobs/sha256:etc": tls: failed to verify certificate: x509: certificate signed by unknown authority

and with --output type=image,name=my-repo/name/image:0.0.1,push=true,registry.insecure=true, as it seemed to work on https://github.com/moby/buildkit/issues/4458, I got a different error, which I think means that the HEAD call succeeded but the GET one failed:

    error: failed to solve: failed to push my-repo/name/image:0.0.1: failed to authorize: failed to fetch anonymous token: Get "https://my-repo:443/artifactory/api/docker/name/v2/token?scope=repository%3Aname%2Fimage%3Apull%2Cpush&service=service-name%3A443": tls: failed to verify certificate: x509: certificate signed by unknown authority

I have also added a .docker/config.json file with the auths information to log in.
Anything else I can try?
If you only push to an HTTP registry, there's no need to configure it in a file; you can simply add the parameter registry.insecure=true.
The question is obviously about a private registry using TLS with a self-signed certificate, like it is set up in numerous corporate environments. Is there a way or an alternative to achieve that?
see https://github.com/moby/buildkit/issues/6068#issuecomment-3097413956 for a workaround