
Image building does not validate that image registry host matches publish registry URL

Open liyuan-rey opened this issue 3 years ago • 4 comments

Hello,

Environment:
System: Windows 10 Home x64 21H2
JDK: 11.0.13
Spring Boot: 2.6.2
Docker Desktop 4.3.2 (WSL 2 based)

We built a private Docker repository with Sonatype Nexus at http://172.2.3.5:9000/.

Trying to build an image for a simple Spring REST WebApp.

build.gradle

plugins {
    id 'java'
    id 'org.springframework.boot' version '2.6.2'
    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
}

...

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-web'
}

bootBuildImage {
    imageName = "mycompany/mygroup/myproject:1.0.1"
    publish = true
    docker {
        publishRegistry {
            url = "http://172.2.3.5:9000/"
            username = "user"
            password = "pass"
        }
    }
}

Running .\gradlew.bat bootBuildImage, I got output like:

...
> Task :bootBuildImage
- Building image 'docker.io/mycompany/mygroup/myproject:1.0.1'

 > Pulling builder image 'docker.io/paketobuildpacks/builder:base' ......
...
 > Pulling run image 'docker.io/paketobuildpacks/run:base-cnb' ......
...
 > Running creator
...

- Successfully built image 'docker.io/mycompany/mygroup/myproject:1.0.1'

- > Pushing image 'docker.io/mycompany/mygroup/myproject:1.0.1' .......

...

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':bootBuildImage'.
> Error response received when pushing image: unauthorized: incorrect username or password

...

Notice that the red lines always output 'docker.io/' even if 'docker.publishRegistry.url' is specified, so I guess the task might try to push the image to 'docker.io' instead of '172.2.3.5:9000', and it fails.

Please let me know if there is any misunderstanding, thank you.

liyuan-rey, Jan 06 '22 13:01

You haven't provided a domain when specifying the image name so it defaults to docker.io. If you set imageName to 172.2.3.5:9000/mycompany/mygroup/myproject:1.0.1 it should work.

I wonder if we can make this easier. It'd be nice to not have to duplicate the domain in the image name and in the publish registry URL.

wilkinsona, Jan 06 '22 14:01

@wilkinsona Yes, it works when I add host:port to imageName. Thank you for your help! 😄

I'm not sure if there are additional jobs to track, so I leave this issue as "open". It can be closed if necessary.

liyuan-rey, Jan 07 '22 01:01

> It'd be nice to not have to duplicate the domain in the image name and in the publish registry URL.

The docker.publishRegistry.url must contain the full URL to the registry, including the scheme part, whereas the image name just contains the registry host. I'm not sure how we'd keep from duplicating the registry host without assuming things about the rest of the URL.

Another option would be to do more validation to ensure that the registry part of the built image and the host part of the registry URL match before attempting to push an image. If additional tags are applied to the built image, and publishing is requested in the build configuration, it is also required that all image tags have the same registry part. We should probably validate that this is the case before publishing also.

scottfrederick, Jun 15 '22 19:06
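
The pre-push validation proposed in the comment above, sketched as an added Java example that is not Spring Boot's own code: it compares the registry part of the image name and of every additional tag with the host part of the publish registry URL. The class and method names are hypothetical, the registry-detection rule is a simplified form of Docker's image-reference convention, and the comparison is a strict host[:port] match that does not account for default ports.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

public class PublishRegistryCheck {

    // Registry part of an image reference, following Docker's convention: the first
    // path component is a registry only if it contains '.' or ':' or is "localhost";
    // otherwise the reference is resolved against docker.io.
    static String registryOf(String imageRef) {
        int slash = imageRef.indexOf('/');
        if (slash < 0) {
            return "docker.io"; // e.g. "myproject:1.0.1": the ':' here is the tag separator
        }
        String first = imageRef.substring(0, slash);
        boolean isRegistry = first.contains(".") || first.contains(":") || first.equals("localhost");
        return isRegistry ? first.toLowerCase() : "docker.io";
    }

    // host[:port] of the publish registry URL, which carries a scheme and may carry a path.
    static String hostOf(String registryUrl) {
        URI uri = URI.create(registryUrl);
        if (uri.getHost() == null) {
            throw new IllegalArgumentException("No host in registry URL: " + registryUrl);
        }
        String host = uri.getHost().toLowerCase();
        return uri.getPort() < 0 ? host : host + ":" + uri.getPort();
    }

    // One message per image name or tag whose registry differs from the publish registry.
    static List<String> mismatches(String registryUrl, List<String> imageRefs) {
        String expected = hostOf(registryUrl);
        List<String> problems = new ArrayList<>();
        for (String ref : imageRefs) {
            String actual = registryOf(ref);
            if (!actual.equals(expected)) {
                problems.add("'" + ref + "' would be pushed to " + actual + ", not " + expected);
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        String url = "http://172.2.3.5:9000/"; // publishRegistry.url from the issue
        // Image name from the issue, the corrected name, and a constructed extra tag.
        List<String> refs = List.of("mycompany/mygroup/myproject:1.0.1",
                "172.2.3.5:9000/mycompany/mygroup/myproject:1.0.1", "myproject:latest");
        mismatches(url, refs).forEach(System.out::println);
    }
}
```

Failing the build when `mismatches` returns anything stops the push before credentials configured for one registry are presented to another.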

The documentation should also clarify that the value of docker.publishRegistry.url has no effect on where a built image gets pushed. It is optional, which is currently mentioned in the documentation.

#31820 has been created to cover the documentation change.

scottfrederick, Jul 20 '22 16:07