buildkit
Login to a private registry using command line arguments
Right now the dockerfile.v0 frontend reads the docker config file. This means I either need to generate it using docker login, or manually, which is not great.
Perhaps I just didn't find the flag, but this is what README.md says as well.
@AkihiroSuda Any suggestions?
Overall we should move away from the text files and use os keychain logic. It would be easy to provide a script for this as well.
docker login has cli arguments -u XX -p YY. Why not support the same thing?
The same problem. What should I do now? To login to my private registry by buildctl without running "docker login". OS: centos7.2
img login can be used as well as docker login
It should be also easy to port over img login to buildctl https://github.com/genuinetools/img/blob/master/login.go
Is this issue still relevant? Would like to try implementing this
For buildkit, -u and -p should not create or store credentials, right?
It is only used for a single execution by storing it as variables in authprovider, is this approach correct?
buildkit can access multiple registries for a single build so if we are talking about cli flags that would fill in authprovider they need to be a combination of host+user+pw/token.
It doesn't need to store the credentials into a file or os keychain, right? For handling multiple registries, what do you suggest the flags would look like? We can use multiple --username, --host and --password or use comma separated
Hi there, @walbertus are you still working on this issue? If not, would it be alright if I tried to take on this issue with a group of fellow students from UT Austin? We are taking a Virtualization class and would like to contribute to this issue, as it's a part of our course requirement.
@chang-andrew Please go ahead
@chang-andrew Any progress? @tonistiigi Is there any kind of workaround for this until it is implemented?
Thank you.
you can create secret and mount it. buildkit will pick it up
@tuananh can you provide a snippet?
You can do docker login from any machine. Then create secret from that docker config json. Then mount it in buildkit container
Does this create a requirement that the frontend image is only local? I would like to be able to specify a syntax image from a private registry:
# syntax=privateregistry.example/ns/repo:1.2
FROM alpine
# ...
How can I mount this secret in the buildkit container so that it has access to privateregistry.example? Docker in docker?
Stating this as a separate concern, but motivation for the above:
With docker registry pull limits, it becomes difficult to adopt new frontend syntaxes if the act of building the image (even targeting a private registry or local) is throttled.
Since this is not implemented yet, sharing my script to generate config.json for Azure acr identity without docker installed:
# Request an ACR access token (az acr login -t) and write it into config.json as an identitytoken
azAcrLogin=$(az acr login --name zylab -t) && mkdir -p ~/.docker && echo "{\"auths\": {$(echo "$azAcrLogin" | jq '.loginServer'): {\"auth\": \"MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwOg==\",\"identitytoken\": $(echo "$azAcrLogin" | jq '.accessToken')}}}" > ~/.docker/config.json
# Remove the generated credentials file when the shell exits
trap "rm -f ~/.docker/config.json" EXIT
You only need az and jq and of course running in a context of an azure identity
Using this successfully in my buildkit GitLab CI template:
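# Encode "user:password"; strip the line breaks base64 inserts for long input
BASE64_AUTH=$(printf '%s' "$CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD" | base64 | tr -d '\n')
mkdir -p ~/.docker
# Registry auth entry in the format the docker config file uses
echo "{\"auths\": {\"$CI_REGISTRY\": {\"auth\": \"$BASE64_AUTH\"}}}" > ~/.docker/config.json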
Same but for AWS, a bit of a beginner to BASH so improvements are most welcome
#!/usr/bin/env bash
set -euo pipefail
# Replace <aws-profile> and <Account-id> with your own values before running
pwd=$(AWS_PROFILE=<aws-profile> aws --region=eu-west-1 ecr get-login-password)
# Encode first, then strip the line wrapping that base64 adds to long input
pwd_base64=$(printf "AWS:%s" "$pwd" | base64 | tr -d '\n')
mkdir -p ~/.docker
if [ -f ~/.docker/config.json ] && [ -s ~/.docker/config.json ]; then
  # Merge into the existing config and drop credsStore
  config_json=$(jq -r --arg pass "$pwd_base64" ' del(.credsStore) | .auths += {"<Account-id>.dkr.ecr.eu-west-1.amazonaws.com": {"auth": $pass}}' < ~/.docker/config.json)
else
  config_json=$(jq -r --arg pass "$pwd_base64" ' .auths += {"<Account-id>.dkr.ecr.eu-west-1.amazonaws.com": {"auth": $pass}}' <<< '{"auths":{}}')
fi
# Write to a temp file first, then move it over the real config
jq -r '.' <<< "$config_json" > ~/.docker/config.json.temp && mv ~/.docker/config.json.temp ~/.docker/config.json
Jesus, if I use the image moby/buildkit:v0.10.4, then I have to mount the login information of the docker in the host when running the container?
For what it's worth, slightly tidier jq perhaps:
mkdir -p ~/.docker
registry="$(aws ecr describe-registry --query=registryId --output=text).dkr.ecr.eu-west-1.amazonaws.com"
auth="$(echo -n "AWS:$(aws ecr get-login-password)" | base64 --wrap=0)"
jq -n "{auths:{\"$registry\": {auth: \"$auth\"}}}" > ~/.docker/config.json
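The config.json scripts posted above, generalized to the host+user+pw combination discussed earlier in the thread. This is an added example, not code from any commenter or from the buildkit project; the function name `write_docker_config` and all sample hosts and credentials are constructed, and the usage comment assumes buildctl resolves its docker config through the `DOCKER_CONFIG` directory.

```bash
# Added example (not from the thread): write a private, single-use docker
# config from HOST USER PASSWORD triples.
# Assumed usage, with constructed names:
#   DOCKER_CONFIG=$(mktemp -d) && export DOCKER_CONFIG
#   trap 'rm -rf "$DOCKER_CONFIG"' EXIT
#   write_docker_config "$DOCKER_CONFIG" registry.example ci-user "$TOKEN"
write_docker_config() {
  local dir="$1" entries="" sep="" host user pass auth
  shift
  while [ "$#" -ge 3 ]; do
    host=$1 user=$2 pass=$3
    shift 3
    # The host is spliced into JSON, so allow only hostname/port/path characters.
    case $host in
      '' | *[!A-Za-z0-9.:/_-]*)
        echo "invalid registry host: $host" >&2
        return 1 ;;
    esac
    # Encode first, then strip the wrapping base64 adds for long tokens.
    # The base64 alphabet is JSON-safe, so any password characters are fine.
    auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
    entries="$entries$sep\"$host\":{\"auth\":\"$auth\"}"
    sep=","
  done
  if [ "$#" -ne 0 ]; then
    echo "expected HOST USER PASSWORD triples" >&2
    return 1
  fi
  # umask 077 makes a new directory 0700 and the file 0600; the rename keeps
  # a half-written file from ever being read as the config.
  (
    umask 077 &&
      mkdir -p "$dir" &&
      printf '{"auths":{%s}}\n' "$entries" > "$dir/config.json.tmp" &&
      mv "$dir/config.json.tmp" "$dir/config.json"
  )
}
```

Because the credentials live in a throwaway directory rather than `~/.docker`, an existing `credsStore` setting or other registry logins on the host are left untouched.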
Is it correct that we have to mount dockerconfigjson into the buildx builder, after its creation, in order to provide docker credentials different to the host's default config?