Docker: unable to push on a some registry when FROM clause contains a private registry different that target one or a proxy url #808
Comments
We also experience this. Interestingly enough, we have a GitLab CI pipeline that builds 2 images ("app" and "echo"), both jobs are very similar as they extend the same base job ".build". However, the echo image can be built and pushed fine, while the app cannot.

```yaml
.build:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  variables:
    TARGET_STAGE: production
    IMAGE_TAG: ${CI_COMMIT_SHA}
    REGISTRY_USER: none
    REGISTRY_PASSWORD: ${KUBE_TOKEN}
  environment:
    name: integration
    url: https://${KUBERNETES_URL}/console/project/${PROJECT_PREFIX}-${PROJECT}-${CI_ENVIRONMENT_NAME}/overview
  before_script:
    - echo '{"auths":{
      "'${IMAGE_REGISTRY}'":{"username":"'${REGISTRY_USER}'","password":"'${REGISTRY_PASSWORD}'"},
      "'${CI_REGISTRY}'":{"username":"'${CI_REGISTRY_USER}'","password":"'${CI_REGISTRY_PASSWORD}'"}}}' >
      /kaniko/.docker/config.json
  script:
    - echo "destination=${IMAGE}:${IMAGE_TAG}, context=${DOCKER_CONTEXT}, dockerfile=${DOCKER_FILE}"
    - sleep 10000000
    - >-
      /kaniko/executor
      --context ${DOCKER_CONTEXT}
      --destination ${IMAGE}:${IMAGE_TAG}
      --target ${TARGET_STAGE}
      --dockerfile ${DOCKER_FILE}
      --build-arg GIT_COMMIT_REF_NAME=${CI_COMMIT_REF_NAME}
      --build-arg GIT_COMMIT_SHA=${CI_COMMIT_SHA}
      --build-arg GIT_COMMIT_SHORT_SHA=${CI_COMMIT_SHORT_SHA}
      --build-arg BASE_IMAGE_TAG=${BASE_IMAGE_TAG}
  only:
    - master
    # temporary
    - merge_requests

app:
  extends: .build
  variables:
    IMAGE: ${IMAGE_REGISTRY}/${PROJECT_PREFIX}-${PROJECT}-${CI_ENVIRONMENT_NAME}/${API_IMAGE_NAME}
    DOCKER_FILE: docker/php/Dockerfile
    DOCKER_CONTEXT: ${CI_PROJECT_DIR}

echo:
  extends: .build
  variables:
    IMAGE: ${IMAGE_REGISTRY}/${PROJECT_PREFIX}-${PROJECT}-${CI_ENVIRONMENT_NAME}/${ECHO_IMAGE_NAME}
    DOCKER_FILE: docker/echo/Dockerfile
    DOCKER_CONTEXT: ${CI_PROJECT_DIR}/docker/echo
```

(the sleep is debugging on the CI runner) The difference between dockerfiles might be noteworthy:
|
I actually figured out why it cannot push:
This does not (2 different private registries):
Maybe it simply selects the wrong credentials when there are multiple configured in Can you confirm this? |
@ccremer That's it! In my case, my
Removing the reference to the docker proxy made it . I am a little puzzled about the reason for this issue as I am not that expert in the underlying of docker. In my case both openshift and docker proxy are in my company network. I guess that |
Glad you could work around the issue. At the same time it's confirmed. |
@ccremer Yes I also enriched the description. Thank you for your help. Cheers. |
Going deeper in the issue with this issue |
Should be solved by upgrading the third party library |
@antechrestos kaniko is using |
@cvgw I was on holiday and waiting as a good thing as you migrated to module 😏 |
Actual behavior
I am currently trying to build and push an image to an openshift registry. The build is made from outside the openshift cluster and pushed in the end to the openshift registry.
I am able to do it correctly with docker and the docker push is fine.
However, when I do it with kaniko it ends with the following message

```
error pushing image: failed to push to destination default-route-openshift-image-registry.apps.us-west-1.starter.openshift-online.com/test-kaniko/test-kaniko:latest: unsupported status code 401
```

I thought it might be due to a credential problem on my side, yet I also ran the following command on my laptop
And then mounted the image using the option
`-v $HOME/.docker/config.json:/kaniko/.docker/config.json:ro`
Yet, I finally end with the `UNAUTHORIZED` status code.

`UNAUTHORIZED` status code with wireshark. This late one just sees all the previous `OK` status code. I am tempted to say that the underlying library does not handle the large auth header, as the openshift password used is a jwt token, but I am not that sure as previous calls are successful.

The issue is related to the fact that the `Dockerfile` contains a `FROM` command whose image is a url through a docker proxy.

To Reproduce
Steps to reproduce the behaviour, you can use openshift as I spotted it on it:

- `docker login` with a `builder` token
- `docker build & push` to validate your token
- `docker run --rm --entrypoint "" -it -v $PWD:/sources -v $HOME/.docker/config.json:/kaniko/.docker/config.json:ro gcr.io/kaniko-project/executor:debug sh`
- `/kaniko/executor --context "/sources" --dockerfile "/Dockerfile" --destination "default-route-openshift-image-registry.apps.us-west-1.starter.openshift-online.com/test-kaniko/test-kaniko:latest" --verbosity info --skip-tls-verify --skip-tls-verify-pull`

`--cache` flag
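The condition this thread converges on (a `FROM` image pulled from one registry, a push to a different one, both with entries in `config.json`) can be checked before a build. The following is an added example, not code from the issue or from kaniko: it lists every registry a build will contact and the `auths` key that matches it, and it does not reproduce kaniko's own credential selection. The host names, the `<token>` values and all function names are constructed for illustration.

```python
import json
import re

# Constructed sample inputs (not from the issue): two private registries plus Docker Hub.
SAMPLE_CONFIG = json.dumps({"auths": {
    "registry.example.internal": {"username": "none", "password": "<token>"},
    "https://proxy.example.internal/v1/": {"username": "ci", "password": "<token>"},
}})
SAMPLE_DOCKERFILE = """\
FROM proxy.example.internal/library/php:${BASE_IMAGE_TAG} AS build
FROM build AS production
FROM alpine:3.10
"""
DOCKER_HUB = "index.docker.io"

def registry_of(image_ref):
    """Return the registry host of an image reference (Docker Hub if none is given)."""
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DOCKER_HUB

def from_registries(dockerfile_text):
    """Registries referenced by FROM lines, skipping earlier stage names and scratch."""
    stages, found = set(), []
    for line in dockerfile_text.splitlines():
        m = re.match(r"\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", line, re.I)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if image.lower() != "scratch" and image not in stages:
            found.append(registry_of(image))
        if alias:
            stages.add(alias)
    return found

def auth_hosts(config_text):
    """Map bare host -> original "auths" key (keys may be written as URLs)."""
    auths = json.loads(config_text).get("auths", {})
    return {re.sub(r"^https?://", "", k).split("/")[0]: k for k in auths}

def preflight(config_text, dockerfile_text, destination):
    """Map every registry the build touches to its auths key, or None if absent."""
    hosts = auth_hosts(config_text)
    needed = from_registries(dockerfile_text) + [registry_of(destination)]
    return {reg: hosts.get(reg) for reg in dict.fromkeys(needed)}
```

A result with two or more registries mapped to a non-`None` key is the multi-registry setup reported here; a `None` value means the build will contact that registry anonymously.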