jib icon indicating copy to clipboard operation
jib copied to clipboard
verified publisher icon GoogleContainerTools

Push to Docker registry hosted on Subpath

Open udayayadav opened this issue 5 years ago • 11 comments

Environment:

  • Jib version: 2.2.0
  • Build tool: Maven
  • OS: MacOs

Description of the issue: Docker registry is hosted on subpath at example.com/myRegistry. So, the image would be example.com/myRegistry/myDockerImage. Jib seems to take example.com as the image registry URL.

Expected behavior: example.com/myRegistry to be taken as image URL.

Steps to reproduce:

  1. set to.image to example.com/myRegistry/myDockerImage

Log output: [INFO] Containerizing application to plms.tgrc.tesco.org/registry/configserver... [WARNING] Base image 'azul/zulu-openjdk:8u232' does not use a specific image digest - build may not be reproducible [INFO] Using credentials from for plms.tgrc.tesco.org/registry/configserver [WARNING] Cannot verify server at https://plms.tgrc.tesco.org/v2/. Attempting again with no TLS verification. [INFO] The base image requires auth. Trying again for azul/zulu-openjdk:8u232... [INFO] Executing tasks: [INFO] [====== ] 18.5% complete [INFO] > pulling base image manifest [INFO] > building dependencies layer [INFO] [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ [INFO] Total time: 4.436 s [INFO] Finished at: 2020-05-14T20:27:13+05:30 [INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:2.2.0:build (default-cli) on project config-server: Tried to retrieve authentication method for plms.tgrc.tesco.org but failed because: registry returned error code 404; possible causes include invalid or wrong reference. Actual error output follows: [ERROR] default backend - 404 [ERROR] | If this is a bug, please file an issue at https://github.com/GoogleContainerTools/jib/issues/new: 404 Not Found [ERROR] default backend - 404 [ERROR] -> [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

udayayadav avatar May 14 '20 15:05 udayayadav

Hi @udayayadav,

I don't believe plms.tgrc.tesco.org/registry/ is a Docker Registry API endpoint. What does curl --insecure https://plms.tgrc.tesco.org/registry/v2/ and curl http://plms.tgrc.tesco.org/registry/v2/ return? (Mind the trailing slash (/).) What is your registry implementation? Sonatype Nexus?

chanseokoh avatar May 14 '20 16:05 chanseokoh

Closing due to inactivity. In any case, it can't be that example.com/myRegistry is a Docker Registry API endpoint. GET /v2/ must work on example.com, as in the API doc.

chanseokoh avatar May 18 '20 16:05 chanseokoh

Apologies for being late.

I have had a workaround for the issue. However, the original issue still exists.

@chanseokoh , To answer your question:

example.com/myRegistry: I have used a reverse proxy to host the registry on /myRegistry. Hence, is the docker registry. GET /v2/ gives {} empty response.

Regarding registry implementation, I have used the image registry:2.7.1 to run the registry.

My question is more around if I set to.image to example.com/myRegistry/myDockerImage, jib picks up only example.com as registry URL but in fact, the registry URL would be example.com/myRegistry. GET /v2/ would work on example.com/myRegistry but not onexample.com.

Is there a way to specify a registry URL instead of jib parsing it from to.image?

udayayadav avatar May 19 '20 16:05 udayayadav

GET /v2/ gives {} empty response.

You mean GET /myRegistry/v2/, not GET /v2/. (The registry server host is always example.com.)

I can now understand the technical reason (your reverse proxy setting) that your Docker Registry API endpoint is served at /myRegistry/v2/ instead of /v2/. Unfortunately, this is unconventional and does not conform to the Docker Registry API specification as I mentioned earlier. The API endpoint should be GET /v2/, not GET /myRegistry/v2/. The Docker image name has a well-established convention that example.com is the registry host and that everything follows after the first slash (/) refers to an image repository on the registry (which can have a nested hierarchy). For example, if the image name is example.com/account/namespace/repository, should a Docker client try every possible path such as /v2/, /account/v2/, and /account/namespace/v2/?

For example, this is the very reason that Sonatype Nexus assigns separate ports for its hosted Docker registries that are different from the main Nexus repository port.

The docker client does not allow a context as part of the path to a registry, as the namespace and image name are embedded in the URLs it uses. This is why requests to repositories on the repository manager are served on a specific and separate port from the rest of the application instead of how most other repositories serve content via a path i.e. <nexus-hostname>/<repositoryName>/<path to content> .

chanseokoh avatar May 19 '20 17:05 chanseokoh

@chanseokoh

Thank you :)

I understand it not following the Docker Registry API specification but, Do we have any plans for adding a separate optional property to specify the Registry Endpoint in Jib?

udayayadav avatar May 21 '20 11:05 udayayadav

I'm afraid that it'll not happen. Not because we just see it's unconventional, but also because it's obvious that it will just make your life (and potential others') difficult for no good reason. If we enabled it, then Jib would be the only tool in the Docker ecosystem that can pull from or push to your registry. No one in the ecosystem (Docker CLI, docker-compose, Kubernetes, MiniKube, KIND, k3s, etc) will ever be able to consume your uploaded image, so you will have to migrate your images to another registry anyway.

chanseokoh avatar May 21 '20 14:05 chanseokoh

@chanseokoh

Thanks! That makes sense.

udayayadav avatar May 24 '20 03:05 udayayadav

@udayayadav What you want to achieve is described in this part of documentation under "prefix".

rishta avatar Sep 28 '21 14:09 rishta

@rishta ah, interesting. I thought back then that every registry must always use the endpoint /v2/, but I confirmed that it's possible to run registry with a prefix.

chanseokoh avatar Sep 28 '21 15:09 chanseokoh

@chanseokoh Back then you would have been correct.

rishta avatar Nov 30 '21 12:11 rishta

Not sure why I didn't reopen this issue. Will have this open as a feature request.

chanseokoh avatar Nov 30 '21 15:11 chanseokoh