cog icon indicating copy to clipboard operation
cog copied to clipboard
verified publisher icon replicate

cog can't access docker through a proxy registry

Open danbgoldman opened this issue 1 year ago • 3 comments

For security reasons, my development environment requires a proxy registry to access docker base images. I couldn't find any info in the docs about configuring cog to access a proxy instead of docker.io. Here is the stdout/stderr from running cog in this air-gapped environment:

> cog run python
Building Docker image from environment in cog.yaml...
[+] Building 0.4s (2/2) FINISHED                                 docker:default
 => [internal] load build definition from Dockerfile                       0.1s
 => => transferring dockerfile: 162B                                       0.0s
 => ERROR resolve image config for docker-image://docker.io/docker/docker  0.2s
------
 > resolve image config for docker-image://docker.io/docker/dockerfile:1.4:
------
Dockerfile:1
--------------------
   1 | >>> #syntax=docker/dockerfile:1.4
   2 |     FROM r8.im/cog-base:python3.11
   3 |     WORKDIR /src
--------------------
ERROR: failed to solve: failed to resolve source metadata for docker.io/docker/dockerfile:1.4: failed to do request: Head "https://registry-1.docker.io/v2/docker/dockerfile/manifests/1.4": read tcp XX.XX.XX.XX:37026->3.219.239.5:443: read: connection reset by peer
ⅹ Failed to build Docker image: exit status 1

danbgoldman avatar Sep 18 '24 21:09 danbgoldman

Hi @danbgoldman. Cog wraps docker CLI invocations when building and pushing images, so it should be straight forward to use behind a proxy.

In this case specifically, it looks like the issue is that your proxy needs the BuildKit Dockerfile syntax repository to build. You should be able to load it by running these commands:

# Pull the syntax image from Docker Hub
docker pull docker/dockerfile:1.4

# Tag it for your internal registry
docker tag docker/dockerfile:1.4 your-internal-registry.example.com/docker/dockerfile:1.4

# Push it to your internal registry
docker push your-internal-registry.example.com/docker/dockerfile:1.4

The same goes for the Cog base image on the next line.

You can see the Dockerfile that Cog will use to build the image by running cog debug.

mattt avatar Sep 19 '24 11:09 mattt

Even after pushing it to my internal registry, I get exactly the same error. And, if I run cog debug the syntax line still refers to the original docker/dockerfile:1.4, not the fully-qualified name in my internal registry. So even though I have a local copy of the image, cog isn't referring to it. Is there a flag or config to force cog to prepend the full host name of the internal registry?

> cog debug
#syntax=docker/dockerfile:1.4
FROM r8.im/cog-base:python3.11
WORKDIR /src
EXPOSE 5000
CMD ["python", "-m", "cog.server.http"]
COPY . /src

danbgoldman avatar Sep 19 '24 23:09 danbgoldman

@danbgoldman Cog doesn't currently have a way to prepend host names. But you should be able to configure your internal registry as a mirror to get docker/dockerfile:1.4 resolving correctly.

If all else fails, you can eject from Cog by doing cog debug > Dockerfile, making any changes you need, running docker build, and then running cog push.

mattt avatar Sep 23 '24 13:09 mattt