Buildx doesn't respect insecure registries

[Re4zOon]

Contributing guidelines

• I've read the contributing guidelines and wholeheartedly agree

I've found a bug and checked that ...

• ... the documentation does not mention anything about my problem
• ... there are no open or closed issues that are related to my problem

Description

Using the buildx plugin the insecure registries are not working after the latest update.
By default it tries HTTPS (443).
Issue visible on multiple systems.

Expected behaviour

Use port 80

Actual behaviour

Uses port 443

Buildx version

github.com/docker/buildx v0.12.1 30feaa1

Docker info

Client: Docker Engine - Community
 Version:    25.0.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.2
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 25.0.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: a1496014c916f9e62104b33d1bb5bd03b0858e59
 runc version: v1.1.11-0-g4bccb38
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
 Kernel Version: 5.15.133.1-microsoft-standard-WSL2
 Operating System: Ubuntu 22.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 11.58GiB
 Name: Re4zOon-ThinkBook
 ID: WYZY:FVFE:G4KA:VOCH:RMQ7:LJSQ:FEDQ:BUQ2:BR63:KVHY:WAFU:C2XH
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  our-registry
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support

Builders list

NAME/NODE     DRIVER/ENDPOINT STATUS  BUILDKIT             PLATFORMS
default *     docker
  default     default         running v0.12.4+3b6880d2a00f linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/amd64/v4, linux/386
desktop-linux                 error

Cannot load builder desktop-linux: protocol not available

Configuration

FROM our-registry/base-images/debian:latest

RUN echo "hello"

Build logs

❯ docker build .
[+] Building 0.1s (2/2) FINISHED                                                                                                                                                                   docker:default
 => [internal] load build definition from Dockerfile                                                                                                                                                         0.0s
 => => transferring dockerfile: 112B                                                                                                                                                                         0.0s
 => ERROR [internal] load metadata for our-registry/base-images/debian:latest                                                                                                                   0.0s
------
 > [internal] load metadata for our-registry/base-images/debian:latest:
------
Dockerfile:1
--------------------
   1 | >>> FROM our-registry/base-images/debian:latest
   2 |
   3 |     RUN echo "hello"
--------------------
ERROR: failed to solve: our-registry/base-images/debian:latest: failed to do request: Head "https://our-registry/v2/base-images/debian/manifests/latest": dial tcp 192.168.1.1:443: connect: no route to host

Additional info

Insecure registry is set properly in /etc/docker/daemon.json:

❯ cat /etc/docker/daemon.json
{
  "insecure-registries":["http://our-registry", "our-registry"],
  "hosts": ["unix:///mnt/wsl/shared-docker/docker.sock"]
}

[jedevc]

The actual error message you're seeing doesn't seem to be an HTTPS error:

ailed to solve: our-registrybase-images/debian:latest: failed to do request: Head "https://our-registry/v2/base-images/debian/manifests/latest": dial tcp 192.168.1.1:443: connect: no route to host

It looks like somehow it doesn't connect to your registry at all? Can you ping our-registry from your host without issue?

[Re4zOon]

The problem is its trying to use HTTPS, even tho its in insecure registries.
There was a similar (if not the same) issue with buildx some months ago: #1642.
Also using the old builder it works fine:

❯ export DOCKER_BUILDKIT=0 && export COMPOSE_DOCKER_CLI_BUILD=0
❯ docker build .
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0
            environment-variable.

Sending build context to Docker daemon  2.048kB
Step 1/2 : FROM our-registry/base-images/debian:latest
latest: Pulling from base-images/debian
2f44b7a888fa: Pull complete
2af9ac79606f: Pull complete
a3ed95caeb02: Pull complete
50c9649d4a99: Pull complete
0fd1aca8d474: Pull complete
Digest: sha256:77b2ed0229b60e6f6599a178afd2e79a6488d2ca9db9db70cc312e7367f04b83
Status: Downloaded newer image for our-registry/base-images/debian:latest
 ---> 496d45f55202
Step 2/2 : RUN echo "hello"
 ---> Running in 8b159c428675
hello
 ---> Removed intermediate container 8b159c428675
 ---> 9afd9c6b8296
Successfully built 9afd9c6b8296

[jedevc]

The problem is its trying to use HTTPS, even tho its in insecure registries.

Sure, that's possible there could be a bug here, but that's not what the error you've shared shows. #1642 is about http: server gave HTTP response to HTTPS client.

I'm unsure as to why the resolution for images should be different here, any ideas @crazy-max @thaJeztah? Given this is buildkit-in-docker.

[Re4zOon]

Indeed, its not exactly the same.
In any case, just try to build an image using a base from an insecure registry and you shall receive the same issue.

[thaJeztah]

I think I saw a discussion somewhere where BuildKit initialises a client with either http or https, and because of that would not work with combinations (registry itself using http, but blobs downloaded through https and/or vice-versa). I wonder if that's related here.

[jedevc]

cc @vvoland who did some work on this recently as well:

• util/resolver: Fix insecure mirrors moby/buildkit#4293
• util/resolver: Perform Insecure HTTPS + HTTP fallback in one docker.RegistryHost moby/buildkit#4299

[thaJeztah]

Related discussion for my previous comment;

• Docker 25 cannot use unsecured private s3 registry moby/moby#47240 (comment)

[furai]

Don't you need a toml file to configure builder instances to make insecure repos work with buildkit and buildx?

docker buildx create --name custom_builder --config conf.tomll

And conf.toml file like:

[registry."example.registry.com"]
  insecure = true                          

Or am I missing the point here? That's what I've been doing for contacting insecure registries for over a year now. The setting in daemon.json don't affect the buildkit builder instances. You have to explicitly set them up.

[Re4zOon]

Well, it worked until 25.x.y with buildx (which I guess is built on top of buildkit).
If you run docker build . on 24.x.y it works even without a toml config as long as the daemon is correctly set.

[furai]

Are you sure that in 24.x you had docker build aliased to docker buildx?

[Re4zOon]

Oh yeah. By default it is buildx. We did not modify docker in any way (apart from the insecure registries in daemon.json).
Its simple docker-ce from the repo.

[root@jenkins~]# docker build
ERROR: "docker buildx build" requires exactly 1 argument.
See 'docker buildx build --help'.

Usage:  docker buildx build [OPTIONS] PATH | URL | -

Start a build
[root@jenkins~]#

[Re4zOon]

Hi,

Any updates? Its blocking our second upgrade schedule for our jenkins'.

[martadinata666]

v0.13.1 fail use http registry. My flow shown as below

    - docker buildx create --use --config buildx-config.toml
    - docker buildx build --build-arg RELEASE=$RELEASE --build-arg DATE=$DATE --push --platform linux/amd64 . -t "$CI_REGISTRY_IMAGE:$RELEASE" -t "$CI_REGISTRY_IMAGE:$RELEASE-$DATE" -f Dockerfile

buildx-config.toml

[registry."192.168.0.2:5050"]
  insecure = true
  http = true

Buildx keep requesting https, in the end locking to old version with --driver-opt image=moby/buildkit:v0.12.2.

[haseoleonard]

Is there any update with this issue ? we are being blocked by this exact issue and currently only working with the workaround --driver-opt image=moby/buildkit:v0.12.2

[jiseongg]

@martadinata666, I have exactly same issues with exactly same commands in my ubuntu server, which blocks our CI/CD pipeline in Jenkins. :( However, it works in my mac with M2 chip.

Ubuntu Docker version:

# docker version
Client: Docker Engine - Community
 Version:           26.0.2
 API version:       1.45
 Go version:        go1.21.9
 Git commit:        3c863ff
 Built:             Thu Apr 18 16:27:07 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          26.0.2
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.9
  Git commit:       7cef0d9
  Built:            Thu Apr 18 16:27:07 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.31
  GitCommit:        e377cd56a71523140ca6ae87e30244719194a521
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

# docker buildx version
github.com/docker/buildx v0.14.0 171fcbe

Mac Docker version:

# docker version
Client:
 Cloud integration: v1.0.35+desktop.13
 Version:           26.0.0
 API version:       1.45
 Go version:        go1.21.8
 Git commit:        2ae903e
 Built:             Wed Mar 20 15:14:46 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.29.0 (145265)
 Engine:
  Version:          26.0.0
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.8
  Git commit:       8b79278
  Built:            Wed Mar 20 15:18:02 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

# docker buildx version
github.com/docker/buildx v0.13.1-desktop.1 2368b2ee41873b948cb607251cec573ed00f00f9

[martadinata666]

Maybe i need to add more info to my deployment as well

$ docker info
Client:
 Version:    26.0.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.14.0
    Path:     /usr/lib/docker/cli-plugins/docker-buildx
Server:
 Containers: 144
  Running: 121
  Paused: 0
  Stopped: 23
 Images: 84
 Server Version: 26.0.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: fluentd
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local local-persist
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: active
  NodeID: r86fuksfkz1m8cpbnpp5pkbh0
  Is Manager: true
  ClusterID: tokof9pri5nwl[34](http://192.168.0.2:10000/dedyms/iperf3/-/jobs/4107#L34)mqw6y5w2b9
  Managers: 1
  Nodes: 2
  Default Address Pool: 10.0.0.0/8  
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 192.168.0.2
  Manager Addresses:
   192.168.0.2:2377
 Runtimes: youki crun io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda[36](http://192.168.0.2:10000/dedyms/iperf3/-/jobs/4107#L36)dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.0-26-generic
 Operating System: Ubuntu 22.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 6
 Total Memory: 31GiB
 Name: homelab
 ID: 2JTD:RTQI:7ACK:663S:F2DR:T5MR:BAHF:VMYN:WOAE:WWVC:HHVS:KCSN
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  192.168.0.2:5050
  127.0.0.0/8
 Live Restore Enabled: false
 Default Address Pools:
   Base: 172.17.0.0/16, Size: 16
   Base: 172.18.0.0/16, Size: 16
   Base: 172.19.0.0/16, Size: 16
   Base: 172.20.0.0/16, Size: 16
   Base: 172.21.0.0/16, Size: 16
   Base: 172.22.0.0/16, Size: 16
   Base: 172.23.0.0/16, Size: 16
   Base: 172.24.0.0/16, Size: 16
   Base: 172.25.0.0/16, Size: 16
   Base: 172.26.0.0/16, Size: 16
   Base: 172.27.0.0/16, Size: 16
   Base: 172.28.0.0/16, Size: 16
   Base: 172.29.0.0/16, Size: 16
   Base: 172.30.0.0/16, Size: 16
   Base: 192.168.0.0/16, Size: 20
[DEPRECATION NOTICE]: API is accessible on http://0.0.0.0:2[37](http://192.168.0.2:10000/dedyms/iperf3/-/jobs/4107#L37)5 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/go/attack-surface/
In future versions this will be a hard failure preventing the daemon from starting! Learn more at: https://docs.docker.com/go/api-security/
$ docker buildx version
github.com/docker/buildx v0.14.0 171fcbeb69d67c90ba7f44f41a9e418f6a6ec1da
$ docker buildx create --use --config ./buildkit-config.toml
laughing_mayer
$ docker buildx inspect --bootstrap
#1 [internal] booting buildkit
#1 pulling image moby/buildkit:buildx-stable-1
#1 pulling image moby/buildkit:buildx-stable-1 3.1s done
#1 creating container buildx_buildkit_laughing_mayer0
#1 creating container buildx_buildkit_laughing_mayer0 0.8s done
#1 DONE 3.9s
Name:          laughing_mayer
Driver:        docker-container
Last Activity: 2024-05-07 02:25:47 +0000 UTC
Nodes:
Name:                  laughing_mayer0
Endpoint:              unix:///var/run/docker.sock
Status:                running
BuildKit daemon flags: --allow-insecure-entitlement=network.host
BuildKit version:      v0.13.2
Platforms:             linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/arm64, linux/riscv64, linux/ppc64, linux/ppc64le, linux/s390x, linux/[38](http://192.168.0.2:10000/dedyms/iperf3/-/jobs/4107#L38)6, linux/mips64le, linux/mips64, linux/loong64, linux/arm/v7, linux/arm/v6
Labels:
 org.mobyproject.buildkit.worker.executor:         oci
 org.mobyproject.buildkit.worker.hostname:         32349[40](http://192.168.0.2:10000/dedyms/iperf3/-/jobs/4107#L40)b43ab
 org.mobyproject.buildkit.worker.network:          host
 org.mobyproject.buildkit.worker.oci.process-mode: sandbox
 org.mobyproject.buildkit.worker.selinux.enabled:  false
 org.mobyproject.buildkit.worker.snapshotter:      overlayfs
GC Policy rule#0:
 All:           false
 Filters:       type==source.local,type==exec.cachemount,type==source.git.checkout
 Keep Duration: 48h0m0s
 Keep Bytes:    488.3MiB
GC Policy rule#1:
 All:           false
 Keep Duration: 1440h0m0s
 Keep Bytes:    10.24GiB
GC Policy rule#2:
 All:        false
 Keep Bytes: 10.24GiB
GC Policy rule#3:
 All:        true
 Keep Bytes: 10.24GiB
$ docker buildx build --push --platform linux/arm64,linux/amd64 -t "$CI_REGISTRY_IMAGE" -t "$CI_REGISTRY_IMAGE:$RELEASE" . -f Dockerfile
2024/05/07 09:25:51 http2: server connection error from localhost: connection error: PROTOCOL_ERROR
2024/05/07 09:25:52 http2: server connection error from localhost: connection error: PROTOCOL_ERROR
#0 building with "laughing_mayer" instance using docker-container driver
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 253B done
#1 DONE 0.1s
#2 [auth] dedyms/debian:pull token for 192.168.0.2:5050
#2 DONE 0.0s
#3 [linux/arm64 internal] load metadata for 192.168.0.2:5050/dedyms/debian:latest
#3 ERROR: failed to copy: httpReadSeeker: failed open: unexpected status code https://192.168.0.2:5050/v2/dedyms/debian/blobs/sha256:c379dfc3f11170f66cc9fcfcb2fa67a46[42](http://192.168.0.2:10000/dedyms/iperf3/-/jobs/4107#L42)7d473f5b2499ecdde7bf101c74c63: 400 Bad Request
#4 [linux/amd64 internal] load metadata for 192.168.0.2:5050/dedyms/debian:latest
#4 CANCELED
------
 > [linux/arm64 internal] load metadata for 192.168.0.2:5050/dedyms/debian:latest:
------
Dockerfile:1
--------------------
   1 | >>> FROM 192.168.0.2:5050/dedyms/debian:latest
   2 |     RUN sudo apt update && \
   3 |         sudo apt install -y --no-install-recommends iperf3 && \
--------------------
ERROR: failed to solve: 192.168.0.2:5050/dedyms/debian:latest: failed to resolve source metadata for 192.168.0.2:5050/dedyms/debian:latest: failed to copy: httpReadSeeker: failed open: unexpected status code https://192.168.0.2:5050/v2/dedyms/debian/blobs/sha256:c379dfc3f11170f66cc9fcfcb2fa67a[46](http://192.168.0.2:10000/dedyms/iperf3/-/jobs/4107#L46)427d473f5b2499ecdde7bf101c74c63: 400 Bad Request

[uliss3s]

Same problem on a fresh install of Docker 26.1.2 in an VM with Oracle Linux 8.9.
Executing the command "docker build ." results in failure if the base image is in an insecure registry. Looks like the "insecure-registries" property in the file "/etc/docker/daemon.json" is still being ignored.

I can manually pull the same image without problem.

The workaround for now is using "export DOCKER_BUILDKIT=0".

docker builder version
github.com/docker/buildx v0.14.0 171fcbe

Example of a docker compose setup:

[user@host]# docker compose --verbose up -d --build --force-recreate
TRAC[0000] Docker Desktop integration not enabled       
DEBU[0000] using default config store "/home/user/.docker/buildx" 
[+] Building 0.0s (2/2) FINISHED                                                                                                                                                                    docker:default
 => [app internal] load build definition from Dockerfile                                                                                                                                                      0.0s
 => => transferring dockerfile: 439B                                                                                                                                                                          0.0s
 => ERROR [app internal] load metadata for my.private.registry:1234/docker/amazoncorretto:17                                                                                                              0.0s
------
 > [app internal] load metadata for my.private.registry:1234/docker/amazoncorretto:17:
------
DEBU[0000] using default config store "/home/user/.docker/buildx" 
DEBU[0000] serving grpc connection                      
DEBU[0000] stopping session                              span="load buildkit capabilities"
DEBU[0000] serving grpc connection                      
DEBU[0000] stopping session                             
DEBU[0000] serving grpc connection                      
DEBU[0000] stopping session                             
failed to solve: my.private.registry:1234/docker/amazoncorretto:17: failed to resolve source metadata for my.private.registry:1234/docker/amazoncorretto:17: failed to do request: Head "https://my.private.registry:1234/v2/docker/amazoncorretto/manifests/17": remote error: tls: unrecognized name

[jishi]

I have been pulling my hair for a day now trying to understand how this actually works, because it is fairly schizofrenic.

So adding an http mirror into daemon.json, will cause most of the "normal" docker commands to actually use that mirror as is (namely, use http).

However, this also makes buildkit use that mirror, but instead call it via https (WTF?). Not only that, it will then wait for a timeout on EVERY request (30-60 seconds, even more WTF) before moving onto calling the docker hub registry directly, making it seemingly "work" but completely defunct because pulling the image takes forever. Just getting metadata takes 90 seconds for me.

The only way I managed to get it to work, is to declare a NEW builder with a NEW config that configures the mirror as a repository with http = true, but this instead gives me another builder that isn't used by default when invoking docker build, only when calling docker buildx (woot), and most of CI builds (where I use this) is actually building behind the scenes via docker compose, I have no clue how that would work. I also seem to need to add --output flag to the build command to actually store the image, this is a lot of hoops to get this working.

This also seem to have been an ongoing issue for the past 6 years or so (when trying to follow the various issues filed for this), where to me, since it obviously uses the mirror configuration from daemon.json (and knows about it), why wouldn't it also respect the http scheme like the rest of the docker tooling?

What is this https enforcement actually trying to enforce?

[crazy-max]

Should be fixed by moby/buildkit#4975 and can be tested with https://github.com/moby/buildkit/releases/tag/v0.14.0-rc1

[martadinata666]

I'm pretty curious, as to why it still fails. Would you like me to upgrade something?

$ docker info
Client:
 Version:    26.0.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.14.0
    Path:     /usr/lib/docker/cli-plugins/docker-buildx
Server:
 Containers: 115
  Running: 106
  Paused: 0
  Stopped: 9
 Images: 64
 Server Version: 26.1.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: fluentd
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local local-persist
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: active
  NodeID: r86fuksfkz1m8cpbnpp5pkbh0
  Is Manager: true
  ClusterID: tokof9pri5nwl34mqw6y5w2b9
  Managers: 1
  Nodes: 2
  Default Address Pool: 10.0.0.0/8  
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 192.168.0.2
  Manager Addresses:
   192.168.0.2:2[37](http://192.168.0.2:10000/dedyms/iperf3/-/jobs/4169#L37)7
 Runtimes: youki crun io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: e377cd56a71523140ca6ae87e30244719194a521
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.0-28-generic
 Operating System: Ubuntu 22.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 6
 Total Memory: 31GiB
 Name: homelab
 ID: 2JTD:RTQI:7ACK:663S:F2DR:T5MR:BAHF:VMYN:WOAE:WWVC:HHVS:KCSN
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  192.168.0.2:5050
  127.0.0.0/8
 Live Restore Enabled: false
 Default Address Pools:
   Base: 172.17.0.0/16, Size: 16
   Base: 172.18.0.0/16, Size: 16
   Base: 172.19.0.0/16, Size: 16
   Base: 172.20.0.0/16, Size: 16
   Base: 172.21.0.0/16, Size: 16
   Base: 172.22.0.0/16, Size: 16
   Base: 172.23.0.0/16, Size: 16
   Base: 172.24.0.0/16, Size: 16
   Base: 172.25.0.0/16, Size: 16
   Base: 172.26.0.0/16, Size: 16
   Base: 172.27.0.0/16, Size: 16
   Base: 172.28.0.0/16, Size: 16
   Base: 172.29.0.0/16, Size: 16
   Base: 172.30.0.0/16, Size: 16
   Base: 192.168.0.0/16, Size: 20
[DEPRECATION NOTICE]: API is accessible on http://0.0.0.0:2375 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/go/attack-surface/
In future versions this will be a hard failure preventing the daemon from starting! Learn more at: https://docs.docker.com/go/api-security/
$ docker buildx version
github.com/docker/buildx v0.14.0 171fcbeb69d67c90ba7f44f41a9e418f6a6ec1da
$ docker buildx inspect --bootstrap
#1 [internal] booting buildkit
#1 pulling image moby/buildkit:v0.14.0-rc1
#1 pulling image moby/buildkit:v0.14.0-rc1 2.9s done
#1 creating container buildx_buildkit_stoic_gagarin0
#1 creating container buildx_buildkit_stoic_gagarin0 0.4s done
#1 DONE 3.3s
Name:          stoic_gagarin
Driver:        docker-container
Last Activity: 2024-06-03 11:44:21 +0000 UTC
Nodes:
Name:                  stoic_gagarin0
Endpoint:              unix:///var/run/docker.sock
Driver Options:        image="moby/buildkit:v0.14.0-rc1"
Status:                running
BuildKit daemon flags: --allow-insecure-entitlement=network.host
BuildKit version:      v0.14.0-rc1
Platforms:             linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/arm64, linux/riscv64, linux/ppc64, linux/ppc64le, linux/s390x, linux/[38](http://192.168.0.2:10000/dedyms/iperf3/-/jobs/4169#L38)6, linux/mips64le, linux/mips64, linux/loong64, linux/arm/v7, linux/arm/v6
Labels:
 org.mobyproject.buildkit.worker.executor:         oci
 org.mobyproject.buildkit.worker.hostname:         c1d53dcd1114
 org.mobyproject.buildkit.worker.network:          host
 org.mobyproject.buildkit.worker.oci.process-mode: sandbox
 org.mobyproject.buildkit.worker.selinux.enabled:  false
 org.mobyproject.buildkit.worker.snapshotter:      overlayfs
GC Policy rule#0:
 All:           false
 Filters:       type==source.local,type==exec.cachemount,type==source.git.checkout
 Keep Duration: 48h0m0s
 Keep Bytes:    488.3MiB
GC Policy rule#1:
 All:           false
 Keep Duration: 14[40](http://192.168.0.2:10000/dedyms/iperf3/-/jobs/4169#L40)h0m0s
 Keep Bytes:    10.24GiB
GC Policy rule#2:
 All:        false
 Keep Bytes: 10.24GiB
GC Policy rule#3:
 All:        true
 Keep Bytes: 10.24GiB
$ docker buildx build --push --platform linux/arm64,linux/amd64 -t "$CI_REGISTRY_IMAGE" -t "$CI_REGISTRY_IMAGE:$RELEASE" . -f Dockerfile
#0 building with "stoic_gagarin" instance using docker-container driver
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 253B done
#1 DONE 0.0s
#2 [auth] dedyms/debian:pull token for 192.168.0.2:5050
#2 DONE 0.0s
#3 [linux/amd64 internal] load metadata for 192.168.0.2:5050/dedyms/debian:latest
#3 ...
#4 [linux/arm64 internal] load metadata for 192.168.0.2:5050/dedyms/debian:latest
#4 ERROR: failed to copy: httpReadSeeker: failed open: unexpected status code https://192.168.0.2:5050/v2/dedyms/debian/blobs/sha256:c379dfc3f11170f66cc9fcfcb2fa67a46[42](http://192.168.0.2:10000/dedyms/iperf3/-/jobs/4169#L42)7d473f5b2499ecdde7bf101c74c63: 400 Bad Request
#3 [linux/amd64 internal] load metadata for 192.168.0.2:5050/dedyms/debian:latest
#3 CANCELED
------
 > [linux/arm64 internal] load metadata for 192.168.0.2:5050/dedyms/debian:latest:
------
Dockerfile:1
--------------------
   1 | >>> FROM 192.168.0.2:5050/dedyms/debian:latest
   2 |     RUN sudo apt update && \
   3 |         sudo apt install -y --no-install-recommends iperf3 && \
--------------------
ERROR: failed to solve: 192.168.0.2:5050/dedyms/debian:latest: failed to resolve source metadata for 192.168.0.2:5050/dedyms/debian:latest: failed to copy: httpReadSeeker: failed open: unexpected status code https://192.168.0.2:5050/v2/dedyms/debian/blobs/sha256:c379dfc3f11170f66cc9fcfcb2fa67a[46](http://192.168.0.2:10000/dedyms/iperf3/-/jobs/4169#L46)427d473f5b2499ecdde7bf101c74c63: 400 Bad Request

[jacobchan]

#Step1 # craete buildx config file on your local machine
mkdir -p ~/.docker/buildx
cat > ~/.docker/buildx/buildkitd.toml << EOF
debug = true
[registry."114.67.223.128:5080"]
http = true
insecure = true

[registry."http://114.67.223.128:5080"]
http = true
insecure = true
EOF

#Step2 create builder with the config file specified
docker buildx create --name mybuilder
--driver-opt env.BUILDKIT_STEP_LOG_MAX_SIZE=10485760
--driver-opt env.BUILDKIT_STEP_LOG_MAX_SPEED=10485760
--driver-opt env.BUILDKIT_UNSAFE_HTTP=1
--config ~/.docker/buildx/buildkitd.toml
--use

You can try to fix the http request problem by specify --config param .It works for me .

[Re4zOon]

Hi,

This is still not solved, can you please reopen it?
@crazy-max

buildx: Docker Buildx (Docker Inc.)  
Version:  v0.17.1  
Path:     /usr/libexec/docker/cli-plugins/docker-buildx  

[shutcode]

it nearly works for me ,but another error occurred:

(base) [root@registry multi-platform]# sudo docker buildx build --platform linux/amd64 -t multi-platform:latest --load .
[+] Building 0.1s (4/4) FINISHED                                                                                                                                    
 => [internal] load .dockerignore                                                                                                                              0.0s
......
------
Dockerfile:1
--------------------
   1 | >>> FROM registry.example.com/gobuildx:0.3.0
   2 |     
   3 |     RUN uname -m > /arch
--------------------
ERROR: failed to solve: registry.example.com/gobuildx:0.3.0: failed to fetch schema1 manifest: httpReadSeeker: failed open: content at http://registry.example.com/v2/ci/gobuildx/manifests/sha256:bc7f061f847f88ffc11b2a50f30d30b1d382574db1a6fc287e49bd2a80ec2d70 not found: not found

#Step1 # craete buildx config file on your local machine mkdir -p ~/.docker/buildx cat > ~/.docker/buildx/buildkitd.toml << EOF debug = true [registry."114.67.223.128:5080"] http = true insecure = true

[registry."http://114.67.223.128:5080"] http = true insecure = true EOF

#Step2 create builder with the config file specified docker buildx create --name mybuilder --driver-opt env.BUILDKIT_STEP_LOG_MAX_SIZE=10485760 --driver-opt env.BUILDKIT_STEP_LOG_MAX_SPEED=10485760 --driver-opt env.BUILDKIT_UNSAFE_HTTP=1 --config ~/.docker/buildx/buildkitd.toml --use

You can try to fix the http request problem by specify --config param .It works for me .

[martadinata666]

I don't know how this issue can be resolved, yet still persist and no resolution given.

�[0KRunning with gitlab-runner 17.7.0 (3153ccc6)�[0;m
�[0K  on v17.7.0 t1_EnLT5K, system ID: r_qyzv5POSogPE�[0;m
�[0K  feature flags: FF_USE_FASTZIP:true�[0;m
section_start:1735149316:prepare_executor
�[0K�[0K�[36;1mPreparing the "docker" executor�[0;m�[0;m
�[0KUsing Docker executor with image 192.168.0.2:5050/dedyms/docker-with-buildx:latest ...�[0;m
�[0KAuthenticating with credentials from job payload (GitLab Registry)�[0;m
�[0KPulling docker image 192.168.0.2:5050/dedyms/docker-with-buildx:latest ...�[0;m
�[0KUsing docker image sha256:584811aade4d2c5a37a0fdf3f69600a7bb7e44c65643c0b5876570fb9c57bbaa for 192.168.0.2:5050/dedyms/docker-with-buildx:latest with digest 192.168.0.2:5050/dedyms/docker-with-buildx@sha256:056f1f7acefacdbea17b7fca9bfd3f60ab26f641810e7976bb9e58be208b9753 ...�[0;m
section_end:1735149316:prepare_executor
�[0Ksection_start:1735149316:prepare_script
�[0K�[0K�[36;1mPreparing environment�[0;m�[0;m
Running on runner-t1enlt5k-project-8-concurrent-0 via 46933db96a29...
section_end:1735149316:prepare_script
�[0Ksection_start:1735149316:get_sources
�[0K�[0K�[36;1mGetting source from Git repository�[0;m�[0;m
�[32;1mFetching changes with git depth set to 1...�[0;m
Reinitialized existing Git repository in /builds/t1_EnLT5K/0/dedyms/iperf3/.git/
�[32;1mChecking out 6f301371 as detached HEAD (ref is master)...�[0;m

�[32;1mSkipping Git submodules setup�[0;m
section_end:1735149317:get_sources
�[0Ksection_start:1735149317:step_script
�[0K�[0K�[36;1mExecuting "step_script" stage of the job script�[0;m�[0;m
�[0KUsing docker image sha256:584811aade4d2c5a37a0fdf3f69600a7bb7e44c65643c0b5876570fb9c57bbaa for 192.168.0.2:5050/dedyms/docker-with-buildx:latest with digest 192.168.0.2:5050/dedyms/docker-with-buildx@sha256:056f1f7acefacdbea17b7fca9bfd3f60ab26f641810e7976bb9e58be208b9753 ...�[0;m
�[32;1m$ export RELEASE="sid"�[0;m
�[32;1m$ docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY�[0;m
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded
WARNING! Your password will be stored unencrypted in /home/docker/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores

�[32;1m$ docker buildx create --use --config buildkit-config.toml --driver-opt env.BUILDKIT_UNSAFE_HTTP=1�[0;m
optimistic_hertz
�[32;1m$ docker info�[0;m
Client:
 Version:    27.4.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.19.2
    Path:     /usr/lib/docker/cli-plugins/docker-buildx

Server:
 Containers: 76
  Running: 73
  Paused: 0
  Stopped: 3
 Images: 65
 Server Version: 27.3.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: fluentd
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local local-persist
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: active
  NodeID: r86fuksfkz1m8cpbnpp5pkbh0
  Is Manager: true
  ClusterID: tokof9pri5nwl34mqw6y5w2b9
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8  
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 192.168.0.2
  Manager Addresses:
   192.168.0.2:2377
 Runtimes: io.containerd.runc.v2 runc youki crun
 Default Runtime: crun
 Init Binary: docker-init
 containerd version: 88bf19b2105c8b17560993bee28a01ddc2f97182
 runc version: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.0-28-generic
 Operating System: Ubuntu 22.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 6
 Total Memory: 31GiB
 Name: homelab
 ID: 2JTD:RTQI:7ACK:663S:F2DR:T5MR:BAHF:VMYN:WOAE:WWVC:HHVS:KCSN
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  192.168.0.2:5050
  192.168.0.2:6050
  127.0.0.0/8
 Live Restore Enabled: false
 Default Address Pools:
   Base: 172.17.0.0/16, Size: 16
   Base: 172.18.0.0/16, Size: 16
   Base: 172.19.0.0/16, Size: 16
   Base: 172.20.0.0/16, Size: 16
   Base: 172.21.0.0/16, Size: 16
   Base: 172.22.0.0/16, Size: 16
   Base: 172.23.0.0/16, Size: 16
   Base: 172.24.0.0/16, Size: 16
   Base: 172.25.0.0/16, Size: 16
   Base: 172.26.0.0/16, Size: 16
   Base: 172.27.0.0/16, Size: 16
   Base: 172.28.0.0/16, Size: 16
   Base: 172.29.0.0/16, Size: 16
   Base: 172.30.0.0/16, Size: 16
   Base: 192.168.0.0/16, Size: 20

[DEPRECATION NOTICE]: API is accessible on http://0.0.0.0:2375 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/go/attack-surface/
In future versions this will be a hard failure preventing the daemon from starting! Learn more at: https://docs.docker.com/go/api-security/
�[32;1m$ docker buildx version�[0;m
github.com/docker/buildx v0.19.2 1fc5647dc281ca3c2ad5b451aeff2dce84f1dc49
�[32;1m$ docker buildx inspect --bootstrap�[0;m
#1 [internal] booting buildkit
#1 pulling image moby/buildkit:buildx-stable-1
#1 pulling image moby/buildkit:buildx-stable-1 2.6s done
#1 creating container buildx_buildkit_optimistic_hertz0
#1 creating container buildx_buildkit_optimistic_hertz0 1.5s done
#1 DONE 4.2s
Name:          optimistic_hertz
Driver:        docker-container
Last Activity: 2024-12-25 17:55:18 +0000 UTC

Nodes:
Name:                  optimistic_hertz0
Endpoint:              unix:///var/run/docker.sock
Driver Options:        env.BUILDKIT_UNSAFE_HTTP="1"
Status:                running
BuildKit daemon flags: --allow-insecure-entitlement=network.host
BuildKit version:      v0.18.2
Platforms:             linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/arm64, linux/riscv64, linux/ppc64, linux/ppc64le, linux/s390x, linux/386, linux/loong64, linux/arm/v7, linux/arm/v6
Labels:
 org.mobyproject.buildkit.worker.executor:         oci
 org.mobyproject.buildkit.worker.hostname:         e2473fcc217a
 org.mobyproject.buildkit.worker.network:          host
 org.mobyproject.buildkit.worker.oci.process-mode: sandbox
 org.mobyproject.buildkit.worker.selinux.enabled:  false
 org.mobyproject.buildkit.worker.snapshotter:      overlayfs
GC Policy rule#0:
 All:            false
 Filters:        type==source.local,type==exec.cachemount,type==source.git.checkout
 Keep Duration:  48h0m0s
 Max Used Space: 488.3MiB
GC Policy rule#1:
 All:            false
 Keep Duration:  1440h0m0s
 Reserved Space: 9.313GiB
 Max Used Space: 81.96GiB
 Min Free Space: 20.49GiB
GC Policy rule#2:
 All:            false
 Reserved Space: 9.313GiB
 Max Used Space: 81.96GiB
 Min Free Space: 20.49GiB
GC Policy rule#3:
 All:            true
 Reserved Space: 9.313GiB
 Max Used Space: 81.96GiB
 Min Free Space: 20.49GiB
File#buildkitd.toml:
 > 
 > [registry]
 > 
 >   [registry."192.168.0.2:5050"]
 >     http = true
 >     insecure = true
 > 
�[32;1m$ docker buildx build --push --platform "$BUILD_PLATFORM" -t "$CI_REGISTRY_IMAGE" -t "$CI_REGISTRY_IMAGE:$RELEASE" . -f Dockerfile�[0;m
#0 building with "optimistic_hertz" instance using docker-container driver

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 253B done
#1 DONE 0.1s

#2 [auth] dedyms/debian:pull token for 192.168.0.2:5050
#2 DONE 0.0s

#3 [internal] load metadata for 192.168.0.2:5050/dedyms/debian:latest
#3 ERROR: failed to copy: httpReadSeeker: failed open: unexpected status code https://192.168.0.2:5050/v2/dedyms/debian/blobs/sha256:abb1aee25b1cdcd650726b29752d989ad816bd03783ed948e55dacc1fcc71bc9: 400 Bad Request
------
 > [internal] load metadata for 192.168.0.2:5050/dedyms/debian:latest:
------
Dockerfile:1
--------------------
   1 | >>> FROM 192.168.0.2:5050/dedyms/debian:latest
   2 |     RUN sudo apt update && \
   3 |         sudo apt install -y --no-install-recommends iperf3 && \
--------------------
ERROR: failed to solve: 192.168.0.2:5050/dedyms/debian:latest: failed to resolve source metadata for 192.168.0.2:5050/dedyms/debian:latest: failed to copy: httpReadSeeker: failed open: unexpected status code https://192.168.0.2:5050/v2/dedyms/debian/blobs/sha256:abb1aee25b1cdcd650726b29752d989ad816bd03783ed948e55dacc1fcc71bc9: 400 Bad Request
section_end:1735149323:step_script
�[0Ksection_start:1735149323:after_script
�[0K�[0K�[36;1mRunning after_script�[0;m�[0;m
�[32;1mRunning after script...�[0;m
�[32;1m$ docker buildx stop�[0;m
�[32;1m$ docker buildx rm -f�[0;m
 removed
section_end:1735149324:after_script
�[0Ksection_start:1735149324:cleanup_file_variables
�[0K�[0K�[36;1mCleaning up project directory and file based variables�[0;m�[0;m
section_end:1735149325:cleanup_file_variables
�[0K�[31;1mERROR: Job failed: exit code 1
�[0;m

[iccfish]

Is threre any updates with this? I still on this issue with buildx 0.18.2.

[Kraust]

#Step1 # craete buildx config file on your local machine mkdir -p ~/.docker/buildx cat > ~/.docker/buildx/buildkitd.toml << EOF debug = true [registry."114.67.223.128:5080"] http = true insecure = true

[registry."http://114.67.223.128:5080"] http = true insecure = true EOF

#Step2 create builder with the config file specified docker buildx create --name mybuilder --driver-opt env.BUILDKIT_STEP_LOG_MAX_SIZE=10485760 --driver-opt env.BUILDKIT_STEP_LOG_MAX_SPEED=10485760 --driver-opt env.BUILDKIT_UNSAFE_HTTP=1 --config ~/.docker/buildx/buildkitd.toml --use

You can try to fix the http request problem by specify --config param .It works for me .

Out of all of the issues that come up with Insecure Registries, this is the only solution that has helped me. Do people seriously not use insecure registries? How is this issue not resolved for years on linux, but "just works" on Docker for Windows?

[Re4zOon]

Opened #2968 to have an active issue.