nerdctl
[build] x509: certificate signed by unknown authority
Running:
lima nerdctl --insecure-registry=true compose --file=docker-compose.local.yml up --build
I got this error:
error: failed to solve: company.registry.com/golang:1.16-stretch: failed to do request: Head "https://company.registry.com/v2/golang/manifests/1.16-stretch": x509: certificate signed by unknown authority
Dockerfile.local
FROM company.registry.com/golang:1.16-stretch
ARG WORKSPACE
ENV VAULT_VERSION=1.8.2
RUN sed -i -e 's/^deb-src/#deb-src/' /etc/apt/sources.list \
&& export DEBIAN_FRONTEND=noninteractive \
&& apt-get update -y -q && apt-get upgrade -y -q \
&& apt-get install --no-install-recommends -y -q \
wait-for-it \
curl \
unzip \
&& curl -sSL -o /tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip \
&& unzip /tmp/vault.zip 'vault' -d /usr/local/bin \
&& rm /tmp/vault.zip
COPY ./certs/* /usr/local/share/ca-certificates/
RUN update-ca-certificates
WORKDIR ${WORKSPACE}
COPY go.mod go.sum ${WORKSPACE}/
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go mod download -x
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go install github.com/go-delve/delve/cmd/dlv@latest
COPY . ${WORKSPACE}
RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -race \
-gcflags "all=-N -l" \
-trimpath \
-o /usr/local/bin/our-api \
main.go
EXPOSE 40000
EXPOSE 3000
ENTRYPOINT ["./scripts/docker-local-entrypoint.sh"]
Weird thing is that the pull command works:
❯ lima nerdctl --insecure-registry=true pull company.registry.com/golang:1.16-stretch
WARN[0000] skipping verifying HTTPS certs for "company.registry.com"
company.registry.com/golang:1.16-stretch: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:78bc17c372a67b203f1e6f7005482ba0c46d7123f8d9586862e0e42e364fc087: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:eac5030e5669ba90a47a4dfc91655c14bbc4afbec0905ff8e264c82a76a5a520: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:797cbb623b616c82047c57ca6db3740b0d60f3d6d62d6765a3f381129a930c6e: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:06a1ec819ae274d76b79b00b06b87b4c80e093b94e376c857d5c6a91f47c5902: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4b5f175d1abbc6d4a7774bd2912a927aa78b90fb04fb43d591e3dda317c9bb96: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:7885553ee256f7f9d1dd3016c0fd0c72fcd46217439371e3e1f610af0d159004: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:1c05d83e138cea8cb6ddd17442ab2138423db80e58408d93059f2ea25065952e: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:884ea03617543fd3eb6727d5dab474bcb8b11b5c36ff2783d442f32550770ff2: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:394ee1959bac9492a9fc64334844549eccd4274280678d81d6b5b19af703e2a6: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:22e09491e250a0b39b29730b3824ae3d3d87b50beca5ac2c13a654a3de356f7b: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 95.1s total: 283.9 (3.0 MiB/s)
Currently, --insecure-registry does not apply to build operations, because they are handled by buildkitd, not by containerd.
The solution is to create ~/.config/buildkit/buildkitd.toml (/etc/buildkit/buildkitd.toml for root) like this:
# registry configures a new Docker register used for cache import or output.
[registry."docker.io"]
  mirrors = ["yourmirror.local:5000"]
  http = true
  insecure = true
  ca = ["/etc/config/myca.pem"]
  [[registry."docker.io".keypair]]
    key = "/etc/config/key.pem"
    cert = "/etc/config/cert.pem"
# optionally mirror configuration can be done by defining it as a registry.
[registry."yourmirror.local:5000"]
  http = true
https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md
I am using Rancher Desktop (0.7.1) on Windows 10 Enterprise (under a big company). My command (test example) is:
nerdctl build -t nginx:nerd .
with this Dockerfile:
# Dockerfile
FROM nginx:alpine
RUN echo 'Hello Nerdctl from containerd'
Even though I created the ~/.config/buildkit/buildkitd.toml file with the proposed content, I still get the same error:
[+] Building 0.7s (3/3) FINISHED
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 31B 0.0s
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> ERROR [internal] load metadata for docker.io/library/nginx:alpine 0.6s
------
> [internal] load metadata for docker.io/library/nginx:alpine:
------
error: failed to solve: failed to solve with frontend dockerfile.v0: failed to create LLB definition: failed to do request: Head https://registry-1.docker.io/v2/library/nginx/manifests/alpine: x509: certificate signed by unknown authority
FATA[0000] unrecognized image format
I also want to note that when I pull or run the image, it works fine.
I have the same issue.
Signing out from my company VPN fixed the issue. VPN was messing up the cert.
This issue is solved in version v1.0.0.
--insecure-registry applies to nerdctl pull but not to nerdctl build operations.
Try adding a buildkitd.toml for buildkitd as follows:
/etc/buildkit/buildkitd.toml
[registry."your-container-registry.com"]
http = true
insecure = true
And don't forget to run systemctl restart buildkit.
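As an added example (not code from this thread, nor from the nerdctl or buildkit projects), the POSIX shell helper below covers both the maintainer's buildkitd.toml answer above and the last comment's `insecure = true` stanza. It writes the per-registry stanza for buildkitd, but trusts the private CA through the `ca` key instead of turning certificate verification off, and it lints an existing buildkitd.toml for stanzas that set `insecure = true` or `http = true`. The registry name `company.registry.com`, the CA file and the output paths are constructed placeholders; the demonstration at the bottom runs in a temporary directory with a fake PEM file so it never touches the real buildkitd config.

```shell
#!/bin/sh
# Added example, not from the nerdctl issue thread: generate a buildkitd.toml
# stanza that trusts a private CA for one registry while keeping HTTPS and
# certificate verification enabled, plus a lint for stanzas that weaken TLS.

# write_buildkitd_toml REGISTRY CA_PEM OUT_FILE
# Emits a [registry."REGISTRY"] stanza whose only change is the extra CA.
# (`ca` is the buildkitd.toml key shown in the buildkit docs quoted above.)
write_buildkitd_toml() {
  registry="$1"; ca_pem="$2"; out="$3"
  mkdir -p "$(dirname "$out")"
  cat > "$out" <<EOF
# Trust a private CA for ${registry}; TLS verification stays on.
[registry."${registry}"]
  ca = ["${ca_pem}"]
EOF
}

# lint_buildkitd_toml FILE
# Returns 0 when no stanza disables verification (insecure = true) or
# downgrades to plaintext (http = true); otherwise prints the offending
# lines to stderr and returns 1.
lint_buildkitd_toml() {
  file="$1"
  bad=$(grep -nE '^[[:space:]]*(insecure|http)[[:space:]]*=[[:space:]]*true' "$file" || true)
  if [ -n "$bad" ]; then
    printf 'TLS verification weakened in %s:\n%s\n' "$file" "$bad" >&2
    return 1
  fi
  return 0
}

# ca_file_readable CA_PEM
# Returns 0 when the referenced CA file is readable and PEM-encoded; a
# missing or non-PEM file is the usual reason the `ca` entry has no effect.
ca_file_readable() {
  [ -r "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# --- Demonstration in a temp directory with a constructed placeholder CA ---
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n' \
  > "$demo_dir/company-ca.pem"
write_buildkitd_toml "company.registry.com" "$demo_dir/company-ca.pem" "$demo_dir/buildkitd.toml"
ca_file_readable "$demo_dir/company-ca.pem" && \
  lint_buildkitd_toml "$demo_dir/buildkitd.toml" && \
  echo "ok: $demo_dir/buildkitd.toml keeps TLS verification on"
```

To use it for real, point OUT_FILE at ~/.config/buildkit/buildkitd.toml (or /etc/buildkit/buildkitd.toml for root, as the maintainer's reply says) and restart buildkitd afterwards, as the last comment notes with `systemctl restart buildkit`. Running `lint_buildkitd_toml` over the resulting file is a cheap way to catch an `insecure = true` left behind from debugging, which would silently disable certificate checks for every build against that registry.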