docker-maven-plugin

buildx overwrites local docker config.json

Open steve-thousand opened this issue 2 years ago • 3 comments

I am trying to use the buildx config and am pointing it to my local ~/.docker directory. I want it to use this location because that is where my config.json has credential information allowing me to push/pull against private registries. Unfortunately it looks like the code that makes use of the configured docker state directory tries to overwrite the config file with a temp file that it later deletes.

I am referring to this bit from the BuildXService. When I configure the plugin to use my local ~/.docker directory as the dockerStateDir, my config.json is overwritten and I receive auth errors when I need to push/pull private registries.

    private <C> void useBuilder(ProjectPaths projectPaths, ImageConfiguration imageConfig, String configuredRegistry, AuthConfig authConfig, C context, Builder<C> builder) throws MojoExecutionException {
        BuildDirs buildDirs = new BuildDirs(projectPaths, imageConfig.getName());

        Path configPath = getDockerStateDir(imageConfig.getBuildConfiguration(),  buildDirs);
        List<String> buildX = Arrays.asList("docker", "--config", configPath.toString(), "buildx");

        String builderName = createBuilder(configPath, buildX, imageConfig, buildDirs);
        Path configJson = configPath.resolve("config.json");
        try {
            createConfigJson(configJson, authConfig);
            builder.useBuilder(buildX, builderName, buildDirs, imageConfig,  configuredRegistry, context);
        } finally {
            removeConfigJson(configJson);
        }
    }

Output:

    [INFO] DOCKER> ERROR: failed to solve: redacted.private.repo.com/redacted-image: pulling from host redacted.private.repo.com failed with status code [manifests redacted-image]: 401 Unauthorized
    [ERROR] DOCKER> Error status (1) when building

I created a local branch with the following changes. Running the build and push steps with this code has no auth issues and no longer overwrites/deletes my config.json file.

        //if we point to an existing, persistent config.json, then we should not create/delete one for this build step
        boolean createTempConfigJson = Files.notExists(configJson);
        try {
            if(createTempConfigJson) {
                createConfigJson(configJson, authConfig);
            }
            builder.useBuilder(buildX, builderName, buildDirs, imageConfig,  configuredRegistry, context);
        } finally {
            if(createTempConfigJson) {
                removeConfigJson(configJson);
            }
        }

I am testing with the latest 0.42.0 release, and my test branch that addressed the issue was branched off of commit c1f1080751c9736061dd0d5f3ed4d1c5ba99566d (0.43-SNAPSHOT). And the following are my docker/buildx versions:

    ➜ ~ docker version
    Client:
     Version:           20.10.21-rd
     API version:       1.41
     Go version:        go1.18.7
     Git commit:        ac29474
     Built:             Tue Nov 22 22:21:43 2022
     OS/Arch:           darwin/arm64
     Context:           default
     Experimental:      true

    Server:
     Engine:
      Version:          20.10.20
      API version:      1.41 (minimum version 1.12)
      Go version:       go1.18.7
      Git commit:       03df974ae9e6c219862907efdd76ec2e77ec930b
      Built:            Wed Oct 19 02:58:31 2022
      OS/Arch:          linux/arm64
      Experimental:     false
     containerd:
      Version:          v1.6.8
      GitCommit:        9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
     runc:
      Version:          1.1.4
      GitCommit:        5fd4c4d144137e991c4acebb2146ab1483a97925
     docker-init:
      Version:          0.19.0
      GitCommit:
    ➜ ~ docker buildx version
    github.com/docker/buildx v0.9.1 ed00243a0ce2a0aee75311b06e32d33b44729689

Aside from that, I also tried pushing my changes in a branch to open a PR but am unable to due to permissions. I wonder if maybe there is some instructional information I am missing in the CONTRIBUTING.MD that I should be following.

steve-thousand avatar Mar 04 '23 20:03 steve-thousand

The purpose of the clean up is to remove any auth credentials that are in clear text. The auth credentials are extracted from one of the many credential locations supported by docker-maven-plugin (https://dmp.fabric8.io/#authentication) and written to the per-project config directory. Specifying ~/.docker for <configDir> is probably not a good idea. Does buildx find your credentials if you do not provide a configDir?

chonton avatar Mar 05 '23 02:03 chonton
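The two concerns raised so far (never clobbering a persistent config.json, and never leaving cleartext credentials behind in the state directory) can be handled together. The following is an added example, not code from docker-maven-plugin or from either commenter; `ScopedDockerConfig`, `runWithConfig` and the sample JSON are hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

// Added example; ScopedDockerConfig and runWithConfig are hypothetical names, not plugin API.
public class ScopedDockerConfig {
    // Returns true if a temporary config.json was created (and removed again) for this build.
    static boolean runWithConfig(Path stateDir, String authJson, Runnable build) throws IOException {
        Path configJson = stateDir.resolve("config.json");
        boolean created = false;
        try {
            try {
                // createFile fails atomically if the file exists: no check-then-write race,
                // and a persistent config.json is never truncated.
                if (stateDir.getFileSystem().supportedFileAttributeViews().contains("posix")) {
                    Files.createFile(configJson, PosixFilePermissions.asFileAttribute(
                            PosixFilePermissions.fromString("rw-------"))); // owner-only from the start
                } else {
                    Files.createFile(configJson);
                }
                created = true;
                Files.write(configJson, authJson.getBytes(StandardCharsets.UTF_8));
            } catch (FileAlreadyExistsException e) {
                // Existing file is kept; the build then uses its credentials, not authJson.
            }
            build.run();
        } finally {
            if (created) Files.deleteIfExists(configJson); // remove only the cleartext file we wrote
        }
        return created;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a persistent config and a throwaway auth entry.
        Path persistent = Files.createTempDirectory("dot-docker");
        Path existing = persistent.resolve("config.json");
        Files.write(existing, "{\"credsStore\":\"osxkeychain\"}".getBytes(StandardCharsets.UTF_8));
        boolean c1 = runWithConfig(persistent, "{\"auths\":{}}", () -> { });
        String kept = new String(Files.readAllBytes(existing), StandardCharsets.UTF_8);
        System.out.println("persistent dir: created=" + c1 + ", kept=" + kept);
        Path perProject = Files.createTempDirectory("buildx-state");
        boolean c2 = runWithConfig(perProject, "{\"auths\":{}}", () -> { });
        boolean left = Files.exists(perProject.resolve("config.json"));
        System.out.println("per-project dir: created=" + c2 + ", left behind=" + left);
    }
}
```

When the file already exists, credentials resolved by the plugin are not written, so the build depends entirely on what the persistent config.json (or its credential helper) provides.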

I was not aware of the DOCKER_CONFIG setting allowing us to specify the location of the config.json. This may actually be a good solution if it allows us to use a temporary .docker directory for buildx info but also specify a stateful config.json.

steve-thousand avatar Mar 31 '23 02:03 steve-thousand

We're also running into this issue and it breaks other parts of the build since the buildx builder logic removes a perfectly valid (and workspace-based) docker config.json :(

peschee avatar Oct 30 '23 07:10 peschee