
Push to private registry #5429

Open
telapo opened this issue Oct 15, 2024 · 3 comments

@telapo

telapo commented Oct 15, 2024

I am using the rootless docker image (moby/buildkit:rootless v0.16.0), and I am trying to build and push an image to a private registry that uses http and has a self-signed certificate.

I have tried multiple solutions that I have found a bit everywhere including:

  • adding a buildkitd.toml to ~/.config/buildkit with:
debug = true
insecure-entitlements = [ "network.host", "security.insecure" ]

[registry."my-repo:80"]
  http = true
  insecure = true
  ca = ["/home/user/self-signed-cert.crt"]

I have tried with and without the port in the url, with and without the certificate, and with and without the insecure-entitlements.

  • adding the same content in the same location but inside a file called config.toml
  • passing the flag: --registry-auth-tlscontext host=http://my-repo,insecure=true,ca=/home/user/self-signed-cert.crt
  • trying the flag --config, but it does not exist anymore, apparently
  • passing the argument registry-insecure --output type=image,name=my-repo/name/image:0.0.1,push=true,registry.insecure=true

At the end, I think that the configuration is simply ignored as I always get (except for the config flag):

error: failed to solve: failed to push my-repo/name/image:0.0.1: failed to do request: Head "https://my-repo/v2/name/image/blobs/sha256:etc": tls: failed to verify certificate: x509: certificate signed by unknown authority

Notice that the error mentions https and not http, that's why I think my configuration is ignored.

The command I pass is (plus the various options I mentioned above):

buildctl build \
    --frontend=dockerfile.v0 \
    --local context=. \
    --local dockerfile=. \
    --opt build-arg:http_proxy=${http_proxy} \
    --opt build-arg:https_proxy=${https_proxy} \
    --opt build-arg:HTTP_PROXY=${HTTP_PROXY} \
    --opt build-arg:HTTPS_PROXY=${HTTPS_PROXY} \
    --opt build-arg:no_proxy=${no_proxy} \
    --opt build-arg:NO_PROXY=${NO_PROXY} \
    --output type=image,name=my-repo/name/image:0.0.1,push=true,registry.insecure=true

Do you have any suggestion?

@tonistiigi (Member)

> http and has a self-signed certificate.

That is not a realistic combination. If you are using HTTP then there is no certificate. If you have a self-signed certificate then you are using HTTPS.

@telapo (Author)

telapo commented Oct 16, 2024

Thank you for your reply @tonistiigi; sorry, my bad, I tried so many combinations that I was lost at a certain point.

I tried again with:

debug = true

[registry."my-repo:80"]
  http = true

and with:

debug = true
insecure-entitlements = [ "network.host", "security.insecure" ]

[registry."my-repo"]
  insecure = true
  ca = ["/home/user/self-signed-cert.crt"]

and I got in both:

error: failed to solve: failed to push my-repo/name/image:0.0.1: failed to do request: Head "https://my-repo/v2/name/image/blobs/sha256:etc": tls: failed to verify certificate: x509: certificate signed by unknown authority

I also tried with --output type=image,name=my-repo/name/image:0.0.1,push=true,registry.insecure=true, as it seemed to work in #4458, and I got a different error, which I think means that the HEAD call succeeded but the GET one failed:

error: failed to solve: failed to push my-repo/name/image:0.0.1: failed to authorize: failed to fetch anonymous token: Get "https://my-repo:443/artifactory/api/docker/name/v2/token?scope=repository%3Aname%2Fimage%3Apull%2Cpush&service=service-name%3A443": tls: failed to verify certificate: x509: certificate signed by unknown authority

I have also added a .docker/config.json file with the auths information to login.

Anything else I can try?

@gitfxx

gitfxx commented Oct 17, 2024

If you only push to an HTTP registry, there's no need to configure it in a file; you can simply add the parameter registry.insecure=true.
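For reference, the two cases discussed in this thread (a registry that really speaks plain HTTP, and a registry that speaks HTTPS with a self-signed certificate) need different buildkitd.toml settings, and they should not be mixed. The fragment below is an added example, not configuration from the issue author, the maintainers or the BuildKit project; the hostnames and the certificate path are placeholders, and it assumes the file is read from ~/.config/buildkit/buildkitd.toml as the issue author describes for the rootless image.

```toml
# Added example, not from the issue: ~/.config/buildkit/buildkitd.toml
# Placeholders: plain-registry.example, tls-registry.example,
# /home/user/self-signed-cert.crt

debug = true

# Case 1: the registry speaks plain HTTP (no TLS at all).
# The key must match the host used in --output name=..., including the
# port when one is given there. With http = true there is no certificate
# to trust, so ca/insecure do not belong here.
[registry."plain-registry.example:80"]
  http = true

# Case 2: the registry speaks HTTPS with a self-signed certificate.
# Trust that specific CA rather than disabling verification; leaving
# `insecure` unset means a substituted certificate still fails the push.
[registry."tls-registry.example"]
  ca = ["/home/user/self-signed-cert.crt"]
```

buildkitd, not buildctl, performs the push, so the path in `ca` must be readable inside the rootless buildkitd container. `insecure = true` (and the per-build `registry.insecure=true` on `--output`) relaxes certificate checking and is the setting to reach for only when the CA route is not possible; with it in place, the error in this thread disappears because verification is skipped, not because the certificate is trusted.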
