buildx: Unable to pull from insecure registry
I have an insecure registry setup on my local network and I am trying to pull from that registry as part of building my image with buildx.
I have the following setup.
In /etc/docker/daemon.json
{
"experimental": true,
"insecure-registries": [ "192.168.189.102:5000" ]
}
In my buildx instance
$ docker buildx inspect buildx_instance
Name: buildx_instance
Driver: docker-container
Nodes:
Name: buildx_instance0
Endpoint: unix:///var/run/docker.sock
Driver Options: network="host" env.BUILDKIT_STEP_LOG_MAX_SIZE="-1" env.BUILDKIT_STEP_LOG_MAX_SPEED="-1"
Status: running
Flags: --allow-insecure-entitlement security.insecure --debug
Buildkit: v0.10.5
Platforms: linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/amd64/v4, linux/386
And finally, my buildx command line
docker buildx build -t local_image:test --pull --output=type=docker --cache-from=type=registry,ref=192.168.189.102:5000/image:test,registry.insecure=true --allow security.insecure --progress plain docker
However, in the output of that command I see
#10 importing cache manifest from 192.168.189.102:5000/image:test
#10 ERROR: failed to do request: Head "https://192.168.189.102:5000/v2/image/manifests/test": http: server gave HTTP response to HTTPS client
and docker logs says
time="2022-10-24T03:35:02Z" level=debug msg=resolving host="192.168.189.102:5000"
time="2022-10-24T03:35:02Z" level=debug msg="do request" host="192.168.189.102:5000" request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=buildkit/v0.10 request.method=HEAD url="https://192.168.189.102:5000/v2/image/manifests/test"
time="2022-10-24T03:35:02Z" level=info msg="trying next host" error="failed to do request: Head \"https://192.168.189.102:5000/v2/image/manifests/test\": http: server gave HTTP response to HTTPS client" host="192.168.189.102:5000"
time="2022-10-24T03:35:02Z" level=debug msg="error while importing cache manifest from cmId=192.168.189.102:5000/image:test: failed to do request: Head \"https://192.168.189.102:5000/v2/image/manifests/test\": http: server gave HTTP response to HTTPS client"
What am I missing here? Why does docker/buildx insist on treating my insecure registry as a secure registry?
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 15 (3 by maintainers)
I think I am still missing something.
One the machine that hosts the registry I have this
buildkit.toml(192.168.189.102is that machines IP address – should be roughly equivalent to127.0.1.1)I think create a buildx instance as
and
docker buildx inpsect buildx_instanceshowsand then building the image with this command
shows
However, when I try to build the same image on a different machine on the same network (192.168.189.102 is accessible from this machine), I get
and the logs for the buildx container shows
So it appears that the buildkit config worked, but it can’t find the manifest for
test_cacheeven though the registry machine could find it? I also tried todocker push 192.168.189.102:5000/image:test_cache(in case it was built on the registry machine but not pushed to the registry) but it saysOn another note, does docker/buildx look at
/etc/hostson the host machine? I have entries in there so I can use a name rather than the IP address, but whenever I use the name in thedocker buildx buildcommand line I get errors saying that a lookup on1.1.1.1for the name failed.When using a
docker-containerbuilder you have to set the registry configuration for the BuildKit daemon: https://github.com/docker/buildx/blob/master/docs/guides/custom-registry-config.mdIn your case the configuration will look like this:
@tonistiigi @jedevc I wonder if could read
DockerAPI.Info(ctx).RegistryConfig.InsecureRegistryCIDRsand automatically set the registry config (if not already populated) in the container when creating adocker-containerbuilder?