Support http basic auth credentials for FROM repo. #14
Comments
|
I think I'm running into this as well. Does this mean there is no way to build with a Dockerfile that relies on base images in a private repo? |
|
|
|
I'm having the same problem. The FROM image is hosted in a private repo. |
|
Having same issue.... But I'm wondering if the "Concourse Way" ™️ of doing this would be to fetch the base ( This seems to be at least the motivation for #1 Something like... resources:
- name: some-base-image
type: registry-image
icon: docker
source:
repository: requires-auth/some-base-image
tag: latest
username: ((registry-username))
password: ((registry-password))
- name: my-image-src
type: git
icon: github
source:
uri: https://github.com/...
jobs:
- name: build
plan:
- get: some-base-image
trigger: true
params: {format: oci}
- get: my-image-src
- task: build
privileged: true
config:
platform: linux
image_resource:
type: registry-image
source:
repository: vito/oci-build-task
inputs:
- name: some-base-image
- name: my-image-src
outputs:
- name: image
params:
load_bases: some-base-image/image.tar
run:
dir: my-image-src
path: buildThis would offload all credential management and fetching responsibility to the resource, which is more closely tied to that responsibility. It also would let you track/trigger/pull that base image just once (atomically). However, it too seems to be blocked (waiting on Wonder if @vito has ideas on what we could do in the interim.... |
|
Turns out I was just being a bit dim and had formatted my JSON wrong. I wrote this task to run before my oci-build-task: Then just added |
|
@jgriff Yep, you got it. That's my hope for the long term. Pretty bummed that it's still blocked, I would have thought other CI systems would want this sort of thing for controlling their build's inputs. 😕 I'll throw my hat into the ring on the upstream issue. @andy-paine Nice, good to know that works! Until things get unblocked upstream I'd be happy to review a PR for that. Sounds a little tricky to configure though; you'd need to provide a registry URL, a username, and a password - possibly multiple if there are multiple |
|
In case someone else stumbles upon: Adding |
|
For anyone who followed @andy-paine and @Geeman201 's code samples and run into this the alpine image's |
|
We've had similar issues with ECR so I've created a fork with ECR support - https://github.com/jprelph/oci-build-task - image is at jprelph/oci-build-task in docker hub. I just stuck support for passing username/password in as well via env var, seems to work OK - nothing too elegant about it, it just creates a /root/.docker/config.json file for buildkit to pick up. Usage details in the README, but it basically looks like: for username/password use, or: to pickup from IAM role. Happy to raise as a PR if felt worth doing, but I've thrown that together pretty quickly and at the moment only the ECR version supports multiple registries - I'm not sure how to handle that nicely with username/password. |
|
@vito we are trying to use private images (from google's container registry) as base images for builds. Could you please point us to where we can track the upstream issue? |
|
@ndcotta-bc here it is: moby/buildkit#706 I offered to help PR it but it doesn't look like the maintainers have had time to provide much guidance. 😕 |
|
We just ran into this with DockerHub rate limiting, e.g.: can result in: At this point I'd try adding credentials to use to pull FROM images, but this resource doesn't make it easy. I'll try @andy-paine's hack, thanks for that. Also Andy I think your indentation is a bit broken :) |
This is handy in working around an issue on the oci-build-task - concourse/oci-build-task#14 (comment)
|
Thanks for the hint @Krenair - I think I've fixed it now. (Shameless plug) I've added a task and some tests to EngineerBetter's repo of reusable tasks for anyone who wants to just grab this task nice and succinctly https://github.com/EngineerBetter/concourse-tasks/tree/main/generate-docker-config-file |
So we don't get caught in rate limiting issues when trying to pull a FROM image Based on this hack courtesy of Andy Paine: concourse/oci-build-task#14 (comment)
Thanks, looks better. I also put together a merged version that combines oci-build-task |
My solution: simply change the line to: No need for the full blown ubuntu for this. |
This adds 'image args', configurable with IMAGE_ARG_* - similar to
BUILD_ARG_*, only the value points to an image tarball.
The image tarball will be loaded and served by a local registry, and a
reference to the image in the local registry will be provided as the
build arg.
To use this, you must modify your Dockerfile like so:
ARG base_image=ubuntu
FROM ${base_image}
Then, when running oci-build-task, specify:
params:
IMAGE_ARG_base_image: ubuntu/image.tar
This will remain forward compatible if we ever switch to Kaniko (#46),
which would also require using build args as Kaniko image caching
requires a full digest to be specified in FROM.
fixes #1
closes #2
closes #3
closes #14
Signed-off-by: Alex Suraci <[email protected]>
|
I'm planning to close this with #52 which (finally!) adds support for loading pre-fetched image tarballs for use in The recommendation will be to fetch the image using the |
This commit updates the `build-images` pipeline to specify the `govuk-ruby-2.7.X` image as the base image for building app images. There are a [number of different ways to do this](concourse/oci-build-task#14) but this commit uses makes use of the [`IMAGE_ARG_*` param as part of the `vito/oci-build-task` resource](concourse/oci-build-task#52) which allows us to use image resources already defined in the pipeline within our Dockerfiles, where the base image is served from a registry local to the pipeline. It does this by bringing in these images as resources, namespaced under separate ECR repositories, then passing in the appropriate image to the build process via the `IMAGE_ARG_base_image` param (reflected in app `Dockerfile`s); the `FROM` command in said `Dockerfile`s then point to the correct ECR repository for the `govuk-ruby-2.7.X` base image (rather than to Docker Hub).
This commit updates the `build-images` pipeline to specify the `govuk-ruby-2.7.X` image as the base image for building app images. There are a [number of different ways to do this](concourse/oci-build-task#14) but this commit uses makes use of the [`IMAGE_ARG_*` param as part of the `vito/oci-build-task` resource](concourse/oci-build-task#52) which allows us to use image resources already defined in the pipeline within our Dockerfiles, where the base image is served from a registry local to the pipeline. It does this by bringing in these images as resources, namespaced under separate ECR repositories, then passing in the appropriate image to the build process via the `IMAGE_ARG_base_image` param (reflected in app `Dockerfile`s); the `FROM` command in said `Dockerfile`s then point to the correct ECR repository for the `govuk-ruby-2.7.X` base image (rather than to Docker Hub).
This commit updates the `build-images` pipeline to specify the `govuk-ruby-2.7.X` image as the base image for building app images. There are a [number of different ways to do this](concourse/oci-build-task#14) but this commit uses makes use of the [`IMAGE_ARG_*` param as part of the `vito/oci-build-task` resource](concourse/oci-build-task#52) which allows us to use image resources already defined in the pipeline within our Dockerfiles, where the base image is served from a registry local to the pipeline. It does this by bringing in these images as resources, namespaced under separate ECR repositories, then passing in the appropriate image to the build process via the `IMAGE_ARG_base_image` param (reflected in app `Dockerfile`s); the `FROM` command in said `Dockerfile`s then point to the correct ECR repository for the `govuk-ruby-2.7.X` base image (rather than to Docker Hub).
This commit updates the `build-images` pipeline to specify the `govuk-ruby-2.7.X` image as the base image for building app images. There are a [number of different ways to do this](concourse/oci-build-task#14) but this commit uses makes use of the [`IMAGE_ARG_*` param as part of the `vito/oci-build-task` resource](concourse/oci-build-task#52) which allows us to use image resources already defined in the pipeline within our Dockerfiles, where the base image is served from a registry local to the pipeline. It does this by bringing in these images as resources, namespaced under separate ECR repositories, then passing in the appropriate image to the build process via the `IMAGE_ARG_base_image` param (reflected in app `Dockerfile`s); the `FROM` command in said `Dockerfile`s then point to the correct ECR repository for the `govuk-ruby-2.7.X` base image (rather than to Docker Hub).
|
Hello everybody! I am facing the exact same issue described here. Regarding @vito comment with the recommended solution.
Is there anybody who can provide an example configuration? Because I'm having some problems setting that up as I do not fully understand how |
|
@CiucurDaniel I found a working solution in #52 (comment) |
I'd like to switch over to this new task (from the docker-image-resource task). However the FROM image in my dockerfile requires you to specify username/password to pull it. I don't see any way to currently do this with the oci-builder-task. This seems like pretty important functionality especially if the community is trying to push people in the oci-build-task direction.
From Alex:
"It might be easy enough to add support for it; I think buildkit will look under
$DOCKER_CONFIG/config.jsonfor credentials, the task just doesn't support creating/configuring it yet."Does anyone else know of a workaround?
The text was updated successfully, but these errors were encountered: