Support the equivalent of 'docker login ...' to authenticate with docker repos for pulling dependencies #92

Open
kdvolder opened this issue Jun 16, 2022 · 4 comments

@kdvolder

When building images locally using

docker build .

we can do a few docker login <some-repo> beforehand, which allows us to be authenticated as a specific user with the repo.

This is not just useful but often necessary to do things such as:

  • authenticating to dockerhub to avoid nasty errors around pull limits (when trying to fetch images used in 'FROM' in dockerfile)
  • authenticating with any repo to be able to pull private images.

Without support for this, basically the oci-build-task can't be used by us at the moment to build anything. Even building images that purely depend on public images in dockerhub ends up failing 90% of the time because they are hitting dockerhub's pull limits on anonymous access. (A shared CI host tends to hit those limits really quickly.)

@kberzinch

kberzinch commented Jun 17, 2022

You can use the registry-image resource to download images from Docker Hub or a private registry, then pass them to the task using IMAGE_ARG_* params.

@kdvolder
Author

kdvolder commented Jun 18, 2022

You can use the registry-image resource to download images from Docker Hub or a private repository, then pass them to the task using IMAGE_ARG_* params.

Thanks for the tip. That seems like a workaround that could actually work. But it sounds a bit painful so I wouldn't consider that as a 'proper' or at least not a 'convenient' or 'intuitive' way to deal with docker builds that require being authenticated as a specific user.

In fact... another workaround is to create your own 'docker runner' image in which you simply install and run the docker daemon, and then just build docker images with 'simple' bash scripts (i.e. workaround = do not use 'oci-build-task'). That seems like it would be far less hassle than dancing around the fact that oci-build-task doesn't support a way to 'login' to docker repos.

I will also say that in a corporate environment pulling images from private repos tends to be the norm rather than the exception.

@Bengreen

If I have to pull images using a registry for every image I update in my Dockerfile it means that I cannot update my dockerfile to pull in new images unless I update my pipeline.
This seems counterintuitive for a CI system, as I cannot make that type of change as a PR.

@simonjohansson

@Bengreen @kdvolder

What we ended up doing is to simply populate ~/.docker/config.json before running build. Buildkit reads that.

      params:
        DOCKER_CONFIG_JSON: ((gcr.docker_config))
      run:
        args:
        - -c
        - |-
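          # -p: do not fail when the directory already exists
          mkdir -p ~/.docker
          # Quote the variable so the shell does not split or glob the JSON
          printf '%s\n' "$DOCKER_CONFIG_JSON" > ~/.docker/config.json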
          build
        path: /bin/sh
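
The following is an added example, not part of the comment above and not code from the oci-build-task project: a shell helper that builds the `config.json` from a registry, username and password instead of a pre-made JSON blob, and keeps the file private to the build user. The function name, its arguments and the sample registry host are assumptions, and it assumes a `base64` command is available in the task image.

```shell
#!/bin/sh
# Added example: write the "auths" entry that the workaround above places in
# ~/.docker/config.json. Names and sample values are constructed for illustration.

# write_docker_config REGISTRY USERNAME PASSWORD [CONFIG_DIR]
write_docker_config() {
    registry=$1 user=$2 pass=$3 dir=${4:-$HOME/.docker}

    # Refuse empty values: an empty auth entry only surfaces later as a pull error.
    if [ -z "$registry" ] || [ -z "$user" ] || [ -z "$pass" ]; then
        echo "write_docker_config: registry, username and password are required" >&2
        return 1
    fi
    # The registry name is embedded in JSON unescaped, so reject characters
    # that would terminate or escape the JSON string.
    case "$registry" in
        *'"'*|*'\'*) echo "write_docker_config: bad registry name" >&2; return 1 ;;
    esac
    # A colon in the username would make the user:password pair ambiguous.
    case "$user" in
        *:*) echo "write_docker_config: username must not contain ':'" >&2; return 1 ;;
    esac

    # "auth" is base64("username:password"); strip any line wrapping base64 adds.
    auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')

    # Subshell so the restrictive umask does not leak into the rest of the build.
    (
        umask 077
        mkdir -p "$dir" &&
        printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth" \
            > "$dir/config.json" &&
        chmod 600 "$dir/config.json"
    )
}

# Usage inside the task script (REGISTRY_USERNAME / REGISTRY_PASSWORD are
# hypothetical task params, registry.example.test is a placeholder host):
#   write_docker_config "registry.example.test" \
#       "$REGISTRY_USERNAME" "$REGISTRY_PASSWORD" && build
```

The base64 value is only an encoding of the credentials, not encryption, so the file's permissions and the lifetime of the build container are what protect it.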
