buildx: Custom registry, push error on self-signed cert
`buildx` errors, while `docker build` succeeds:

```shell
cat <<'EOD' > Dockerfile
FROM alpine
RUN touch /test
EOD
docker buildx build \
  -t img.service.consul/alpine:test \
  --platform=linux/amd64,linux/arm64,linux/arm \
  --push \
  .
```
```text
[+] Building 2.1s (12/12) FINISHED
 => [internal] load build definition from Dockerfile 0.0s
 => => transferring dockerfile: 65B 0.0s
 => [internal] load .dockerignore 0.1s
 => => transferring context: 2B 0.0s
 => [linux/arm/v7 internal] load metadata for docker.io/library/alpine:latest 1.5s
 => [linux/amd64 internal] load metadata for docker.io/library/alpine:latest 1.3s
 => [linux/arm64 internal] load metadata for docker.io/library/alpine:latest 1.3s
 => CACHED [linux/arm64 1/2] FROM docker.io/library/alpine@sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6 0.0s
 => => resolve docker.io/library/alpine@sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6 0.0s
 => [linux/arm64 2/2] RUN touch /test 0.1s
 => CACHED [linux/amd64 1/2] FROM docker.io/library/alpine@sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6 0.0s
 => => resolve docker.io/library/alpine@sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6 0.0s
 => [linux/amd64 2/2] RUN touch /test 0.1s
 => CACHED [linux/arm/v7 1/2] FROM docker.io/library/alpine@sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6 0.0s
 => => resolve docker.io/library/alpine@sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6 0.0s
 => [linux/arm/v7 2/2] RUN touch /test 0.2s
 => ERROR exporting to image 0.4s
 => => exporting layers 0.2s
 => => exporting manifest sha256:879ac4adf9493121ff9bb12f8566ed993fa7079c59ae02b516a9287d6de7daea 0.0s
 => => exporting config sha256:42c2e158eb64d21ea6832e4842a3c11c9fd70c89afbf2fd0fbe2f16dd2698453 0.0s
 => => exporting manifest sha256:64b17d691e5c5ab257ad37b622c9ed219e50ea637bf5f7aa25e2f65f0bd0c26d 0.0s
 => => exporting config sha256:14af510e076d60389743c6fc7c99e2777ba56bdad11cbbffacb438e7c68f6321 0.0s
 => => exporting manifest sha256:2e87dbf064ba1c829a9d18525fa38e77baa26b654c04659b0fa3e75d6ea34ea5 0.0s
 => => exporting config sha256:f1b89d61d625bff13e65a679d2bdb1c513289999789ec2e13fe7acefca39adfd 0.0s
 => => exporting manifest list sha256:53f07aa12e20079138de3650629277928313e7bfdc59c3f22c93834fe11ba9f3 0.0s
 => => pushing layers 0.0s
------
 > exporting to image:
------
failed to solve: rpc error: code = Unknown desc = failed to do request: Head https://img.service.consul/v2/alpine/blobs/sha256:8dc302c06141b7124ea05ccf2fdde10013ce594c28e5fe980047b0740891e398: x509: certificate signed by unknown authority
```

x509: certificate signed by unknown authority, but certificate chain is ok.

test:

```text
openssl s_client -connect img.service.consul:443 […]
Verify return code: 0 (ok)
```
docker build + push works also:

```shell
docker build \
  -t img.service.consul/x86_64/alpine:test \
  .
```

```text
Sending build context to Docker daemon 2.048kB
Step 1/2 : FROM alpine
 ---> 055936d39205
Step 2/2 : RUN touch /test
 ---> Using cache
 ---> 7bd5dcd02d4c
Successfully built 7bd5dcd02d4c
Successfully tagged img.service.consul/x86_64/alpine:test
```

```shell
docker push img.service.consul/x86_64/alpine:test
```

```text
The push refers to repository [img.service.consul/x86_64/alpine]
b13e8440598c: Pushed
f1b5933fe4b5: Pushed
test: digest: sha256:e9c2e8f188d0bedc6d3c26b39a6a75c36be5b4cbeedb9defc4f3b48953b4ef45 size: 734
```
buildx imagetools inspect again works:

```shell
docker buildx imagetools inspect img.service.consul/x86_64/alpine:test
```

```json
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 1645,
    "digest": "sha256:7bd5dcd02d4c340892fe431a40a39badf5695af58b669a33bd21b61159f4ffe5"
  },
  "layers": [
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 2757034,
      "digest": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 97,
      "digest": "sha256:6e0d312d9ebb1961db61366af2a5a323ad84155db2018457d2c5168c4f86e410"
    }
  ]
}
```
perhaps related to https://github.com/docker/buildx/issues/57#issuecomment-491244171

tested:
- docker beta-4 + 20190517171028-f4f33ba16d nightly,
- `buildx` release + current master.

```text
uname -mrov
4.19.44 #1-NixOS SMP Thu May 16 17:41:32 UTC 2019 x86_64 GNU/Linux
```
About this issue

- State: closed
- Created 5 years ago
- Reactions: 16
- Comments: 23 (2 by maintainers)
A marginally more robust work-around, but still not pretty (no error checking etc):

```shell
# first column of `docker ps` is the container ID
BUILDER=$(sudo docker ps | grep buildkitd | cut -f1 -d' ')
sudo docker cp YOUR-CA.crt $BUILDER:/usr/local/share/ca-certificates/
sudo docker exec $BUILDER update-ca-certificates
# buildkitd reads the trust store at start, so it has to be restarted
sudo docker restart $BUILDER
```
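A more careful version of the same work-around, added here as an example (it is not code from the issue, nor from buildx): it selects the builder container by its exact buildx name instead of grepping `docker ps` for `buildkitd`, refuses to copy anything that is not a PEM certificate, keeps TLS verification intact by extending the trust store rather than disabling checks, and restarts buildkitd because a Go process loads the system roots once and does not re-read them. Assumed: the builder uses the `docker-container` driver, whose container buildx names `buildx_buildkit_<builder-name>0` and which runs the Alpine-based `moby/buildkit` image (it ships `update-ca-certificates`, and that tool only picks up files ending in `.crt`); the builder name and CA path are given as arguments and are placeholders.

```shell
#!/bin/sh
# Added example: install a private CA into a running buildx docker-container
# builder with error checking, then restart buildkitd so it picks the CA up.
# Assumptions (not from the issue): the builder container is named
# buildx_buildkit_<builder-name>0 and runs the Alpine-based moby/buildkit
# image, whose update-ca-certificates reads /usr/local/share/ca-certificates/*.crt.
set -eu

# Pure helper: given lines "<id> <name>" on stdin (the shape produced by
# `docker ps --format '{{.ID}} {{.Names}}'`), print the container ID of the
# builder called $1. Matching the exact name avoids grabbing some unrelated
# container whose image or command merely contains "buildkitd".
select_builder_id() {
  awk -v want="buildx_buildkit_${1}0" '
    $2 == want { print $1; found = 1 }
    END { if (!found) exit 1 }'
}

# Pure helper: refuse anything that is not a PEM certificate. A private key
# or a DER-encoded file dropped into the trust store is ignored silently by
# update-ca-certificates, which would leave the push failing as before.
looks_like_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Side-effecting part: copy the CA in, rebuild the bundle, restart buildkitd.
install_ca_into_builder() {
  builder="$1"
  ca_file="$2"
  looks_like_pem_cert "$ca_file" \
    || { echo "$ca_file does not look like a PEM certificate" >&2; return 1; }
  cid=$(docker ps --format '{{.ID}} {{.Names}}' | select_builder_id "$builder") \
    || { echo "no running container for builder '$builder'" >&2; return 1; }
  # Force the .crt suffix so update-ca-certificates actually considers the file.
  target="/usr/local/share/ca-certificates/$(basename "$ca_file" .crt).crt"
  docker cp "$ca_file" "$cid:$target"
  docker exec "$cid" update-ca-certificates
  # Go caches the system cert pool for the lifetime of the process, so the
  # daemon must restart before the new CA is honoured.
  docker restart "$cid"
}

# Usage: sh install-ca.sh <builder-name> <ca.crt>
# Without arguments the script only defines the functions above.
case "${1:-}" in
  "") ;;
  *) install_ca_into_builder "$1" "${2:?usage: $0 <builder-name> <ca.crt>}" ;;
esac
```

Run it as `sh install-ca.sh <builder-name> /path/to/ca.crt`. The check that actually matters afterwards is re-running the failing `docker buildx build --push`; if it still reports `x509: certificate signed by unknown authority`, the file copied in was not the CA that issued the registry's certificate (compare with the issuer shown by `openssl s_client`).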
A possible solution/suggestion would be to allow for something like:

```shell
docker secret create a-ca-secret my-ca-file.crt
docker buildx create --name builder --driver-opt private-ca-cert=/run/secrets/a-ca-secret
```

…and then have, e.g., the docker-container builder pull in the cert and call update-ca-certificates when it starts.
I managed to work around this by adding my own CA's cert to the generated container, and restarting it.
It ain't pretty, but it works!
Considering this issue has been open for over two years, I was just curious if there is an update and/or plans to address?
As I just bumped into this issue, I'd like to add one more option instead of mangling an existing builder container.

`driver-opt` has an `image` option (for the `docker-container` driver). I went with the option to have a 2-line Dockerfile that adds my internal CAs to `moby/buildkit` and use that image when creating the builder.
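The custom-image approach from the comment above, written out as an added example (not code from the issue or from buildx): a small Dockerfile layered on `moby/buildkit` that copies the CA into the trust store and runs `update-ca-certificates`, then a builder created from that image with `--driver-opt image=`. Compared with patching a running container, the CA survives `docker buildx rm`/`create`, and the registry's certificate is still verified rather than skipped as an insecure registry would be. Assumed and constructed for the example: the CA file path, the local image tag `buildkit-with-ca:local`, the builder name `trusted`, and that `moby/buildkit` stays Alpine-based so `update-ca-certificates` is present.

```shell
#!/bin/sh
# Added example: bake a private CA into a custom moby/buildkit image and
# create a buildx builder from it via --driver-opt image=.
# Assumptions (constructed, not from the issue): CA path, image tag and
# builder name are arguments/defaults below; moby/buildkit is Alpine-based,
# so update-ca-certificates merges /usr/local/share/ca-certificates/*.crt.
set -eu

# Emit the Dockerfile as text so it can be inspected or tested without
# building anything. $1 is the base image, $2 the CA file name (must end in
# .crt, otherwise update-ca-certificates ignores it).
render_buildkit_dockerfile() {
  base="$1"
  ca_name="$2"
  printf 'FROM %s\n' "$base"
  printf 'COPY %s /usr/local/share/ca-certificates/%s\n' "$ca_name" "$ca_name"
  printf 'RUN update-ca-certificates\n'
}

# Build the image from a throw-away context and create a builder that uses it.
create_trusted_builder() {
  ca_file="$1"
  tag="$2"
  builder="$3"
  ca_name="$(basename "$ca_file" .crt).crt"
  ctx=$(mktemp -d)
  cp "$ca_file" "$ctx/$ca_name"
  render_buildkit_dockerfile moby/buildkit:latest "$ca_name" > "$ctx/Dockerfile"
  docker build -t "$tag" "$ctx"
  rm -rf "$ctx"
  # The docker-container driver starts buildkitd from the image named here.
  docker buildx create --name "$builder" --driver docker-container \
    --driver-opt "image=$tag" --use
  # --bootstrap starts the container now, so a broken image fails here
  # instead of at the first build.
  docker buildx inspect --bootstrap "$builder"
}

# Usage: sh trusted-builder.sh <ca.crt> [image-tag] [builder-name]
# Without arguments the script only defines the functions above.
case "${1:-}" in
  "") ;;
  *) create_trusted_builder "$1" "${2:-buildkit-with-ca:local}" "${3:-trusted}" ;;
esac
```

After this, `docker buildx build --push` to the private registry runs through the `trusted` builder; rebuilding the image with a newer `moby/buildkit` tag is the only maintenance the CA needs.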
Reboot fixed it for me, I’m not sure why…
Can we make buildx skip verifying the private registry cert like docker does (`/etc/docker/daemon.json` insecure-registries)? Then we have no need to provide a CA cert for the buildx instance.
Finally, we solved this issue. And there are two steps we need to confirm before we build:

`ca.crt` was created by Harbor (we found the correct path of it is `/home/harbor/ca/ca.crt`), (it is not the one that is related to Harbor's domain). All things are good to go.
Tried that, but it didn’t work.