Login to a private registry using command line arguments

Open Monnoroch opened this issue 5 years ago • 19 comments

Right now the dockerfile.v0 frontend reads the docker config file. This means I either need to generate it using docker login, or manually, which is not great.

Perhaps I just didn't find the flag, but this is what README.md says as well.

Monnoroch avatar Aug 08 '18 20:08 Monnoroch

@AkihiroSuda Any suggestions?

Overall we should move away from the text files and use OS keychain logic. It would be easy to provide a script for this as well.

tonistiigi avatar Aug 08 '18 23:08 tonistiigi

docker login has cli arguments -u XX -p YY. Why not support the same thing?

Monnoroch avatar Aug 08 '18 23:08 Monnoroch

The same problem. What should I do now to log in to my private registry with buildctl without running "docker login"? OS: centos7.2

xsbreakaway avatar Jan 04 '19 15:01 xsbreakaway

img login can be used as well as docker login

It should be also easy to port over img login to buildctl https://github.com/genuinetools/img/blob/master/login.go

AkihiroSuda avatar Jan 04 '19 15:01 AkihiroSuda

Is this issue still relevant? I would like to try implementing this. For buildkit, -u and -p should not create or store credentials, right? They are only used for a single execution by storing them as variables in authprovider. Is this approach correct?

walbertus avatar Jun 29 '20 16:06 walbertus

buildkit can access multiple registries for a single build, so if we are talking about cli flags that would fill in authprovider, they need to be a combination of host+user+pw/token.

tonistiigi avatar Jun 29 '20 17:06 tonistiigi

It doesn't need to store the credentials into a file or the OS keychain, right? For handling multiple registries, how do you suggest the flags should look? We can use multiple --username, --host and --password flags or comma-separated values.

walbertus avatar Jun 29 '20 18:06 walbertus

Hi there, @walbertus are you still working on this issue? If not, would it be alright if I tried to take on this issue with a group of fellow students from UT Austin? We are taking a Virtualization class and would like to contribute to this issue, as it's a part of our course requirement.

chang-andrew avatar Sep 15 '20 02:09 chang-andrew

@chang-andrew Please go ahead

walbertus avatar Sep 15 '20 02:09 walbertus

@chang-andrew Any progress? @tonistiigi Is there any kind of workaround for this until it is implemented?

Thank you.

Xplouder avatar Nov 18 '20 15:11 Xplouder

> @chang-andrew Any progress? @tonistiigi Is there any kind of workaround for this until it is implemented?
>
> Thank you.

You can create a secret and mount it. buildkit will pick it up.

tuananh avatar Dec 19 '20 03:12 tuananh

@tuananh can you provide a snippet?

Xplouder avatar Dec 20 '20 01:12 Xplouder

You can do docker login from any machine. Then create a secret from that docker config json. Then mount it in the buildkit container.

tuananh avatar Dec 20 '20 04:12 tuananh

> You can do docker login from any machine. Then create secret from that docker config json. Then mount it in buildkit container

Does this create a requirement that the frontend image is only local? I would like to be able to specify a syntax image from a private registry:

```dockerfile
# syntax=privateregistry.example/ns/repo:1.2
FROM alpine
# ...
```

How can I mount this secret in the buildkit container so that it has access to privateregistry.example? Docker in docker?

maxwellb avatar Feb 17 '21 01:02 maxwellb

Stating this as a separate concern, but motivation for the above:

With docker registry pull limits, it becomes difficult to adopt new frontend syntaxes if the act of building the image (even targeting a private registry or local) is throttled.

maxwellb avatar Feb 17 '21 01:02 maxwellb

Since this is not implemented yet, sharing my script to generate config.json for Azure acr identity without docker installed:

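```bash
# Fetch an ACR access token (no Docker daemon needed) and write it to ~/.docker/config.json
azAcrLogin=$(az acr login --name zylab -t) && mkdir -p ~/.docker && echo "{\"auths\": {$(echo "$azAcrLogin" | jq '.loginServer'): {\"auth\": \"MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwOg==\",\"identitytoken\": $(echo "$azAcrLogin" | jq '.accessToken')}}}" > ~/.docker/config.json
# Delete the credentials file when the shell exits
trap "rm -f ~/.docker/config.json" EXIT
```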

You only need az and jq and of course running in a context of an azure identity

Alexander-Bartosh avatar May 27 '21 20:05 Alexander-Bartosh

Using this successfully in my buildkit GitLab CI template:

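```bash
# base64 wraps long output on GNU systems; strip newlines so the JSON value stays valid
BASE64_AUTH=$(printf '%s' "$CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD" | base64 | tr -d '\n')
mkdir -p ~/.docker
echo "{\"auths\": {\"$CI_REGISTRY\": {\"auth\": \"$BASE64_AUTH\"}}}" > ~/.docker/config.json
```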

tennox avatar Nov 10 '21 20:11 tennox

Same but for AWS, a bit of a beginner to BASH so improvements are most welcome

```bash
#!/usr/bin/env bash

set -euo pipefail

pwd=$(AWS_PROFILE=<aws-profile> aws --region=eu-west-1 ecr get-login-password)
# Strip newlines after encoding: base64 wraps long output, which would break the JSON value
pwd_base64=$(printf "AWS:%s" "$pwd" | base64 | tr -d '\n')

# Merge into an existing config (dropping credsStore) or start from an empty one
if [ -f ~/.docker/config.json ] && [ -s ~/.docker/config.json ]; then
  config_json=$(jq -r --arg pass "$pwd_base64" ' del(.credsStore) | .auths += {"<Account-id>.dkr.ecr.eu-west-1.amazonaws.com": {"auth": $pass}}' < ~/.docker/config.json)
else
  config_json=$(jq -r --arg pass "$pwd_base64" ' .auths += {"<Account-id>.dkr.ecr.eu-west-1.amazonaws.com": {"auth": $pass}}' <<< '{"auths":{}}')
fi

# Write to a temp file first so a failed jq run never truncates the real config
mkdir -p ~/.docker
jq -r '.' <<< "$config_json" > ~/.docker/config.json.temp && mv ~/.docker/config.json.temp ~/.docker/config.json
```

minedetector avatar Mar 23 '22 09:03 minedetector

Jesus, if I use the image moby/buildkit:v0.10.4, then I have to mount the login information of the docker in the host when running the container?

usernameisnull avatar Sep 13 '22 09:09 usernameisnull

For what it's worth, slightly tidier jq perhaps:

```bash
mkdir -p ~/.docker
registry="$(aws ecr describe-registry --query=registryId --output=text).dkr.ecr.eu-west-1.amazonaws.com"
auth="$(echo -n "AWS:$(aws ecr get-login-password)" | base64 --wrap=0)"
jq -n "{auths:{\"$registry\": {auth: \"$auth\"}}}" > ~/.docker/config.json
```

OJFord avatar Aug 18 '23 22:08 OJFord
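
The config.json workaround from the scripts above, generalised to several registries and written with owner-only permissions, as an added example that is not part of the thread or of buildkit. `make_docker_config`, the registry names and the variable names are hypothetical; it assumes `base64` and `mktemp` are installed and that buildctl reads `$DOCKER_CONFIG/config.json`.

```sh
#!/bin/sh
# Added example (not from the thread). make_docker_config is a hypothetical helper.
# Usage: make_docker_config DIR HOST USER PASSWORD_VAR [HOST USER PASSWORD_VAR ...]
# Each password is read from the named variable, so it never appears in the
# process argument list the way a -p flag would.
make_docker_config() (
  dir=$1; shift
  if [ $# -eq 0 ] || [ $(( $# % 3 )) -ne 0 ]; then
    echo "usage: make_docker_config DIR HOST USER PASSWORD_VAR ..." >&2; return 2
  fi
  entries=
  while [ $# -gt 0 ]; do
    host=$1; user=$2; var=$3; shift 3
    # The host is pasted into JSON, so allow only registry-name characters.
    case $host in ''|*[!A-Za-z0-9._:/-]*) echo "bad host" >&2; return 1 ;; esac
    # Basic auth splits user:password at the first colon.
    case $user in ''|*:*) echo "bad user for $host" >&2; return 1 ;; esac
    # Validate the variable name before eval expands it.
    case $var in ''|[0-9]*|*[!A-Za-z0-9_]*) echo "bad variable name" >&2; return 1 ;; esac
    eval "pass=\${$var-}"
    [ -n "$pass" ] || { echo "\$$var is empty or unset" >&2; return 1; }
    # base64 wraps long output on GNU systems; strip the newlines.
    auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
    entries="${entries:+$entries,}\"$host\":{\"auth\":\"$auth\"}"
  done
  umask 077   # new directory 0700, file 0600; scoped to this subshell
  mkdir -p "$dir" || return 1
  tmp=$(mktemp "$dir/config.json.XXXXXX") || return 1
  printf '{"auths":{%s}}\n' "$entries" > "$tmp" && mv "$tmp" "$dir/config.json"
)

# Typical use in a CI job (constructed values):
#   export DOCKER_CONFIG=$(mktemp -d)
#   trap 'rm -rf "$DOCKER_CONFIG"' EXIT
#   make_docker_config "$DOCKER_CONFIG" registry.example:5000 ci-user CI_REGISTRY_PASSWORD
#   buildctl build ...
```

Pointing `DOCKER_CONFIG` at a fresh temporary directory keeps the generated credentials out of `~/.docker` and makes cleanup a single `rm -rf`.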

Is it correct that we have to mount dockerconfigjson into the buildx builder, after its creation, in order to provide docker credentials different to the host's default config?

maxsargentdev avatar Sep 04 '23 19:09 maxsargentdev