Pre-provisioned image from local docker

Hello,

I am trying to bundle the Torizon image with a pre-provisioned image.
I have it loaded in my local registry using docker load. However, when using the
torizoncore-builder bundle --dind-param="--insecure-registry=172.31.129.225" docker-compose.yml
command, the tool always tries to connect to tcp://172.17.0.3:22376 even though this is not set anywhere.
Creating Docker Container bundle...
Starting DIND container
Connecting to Docker Daemon at "tcp://172.17.0.3:22376"
Fetching container image localhost:5000/myimage
Stopping DIND container
Error: container images download failed: 500 Server Error for https://172.17.0.3:22376/v1.40/images/create?tag=latest&fromImage=localhost%3A5000%2Fmyimage: Internal Server Error ("Get http://localhost:5000/v2/: dial tcp 127.0.0.1:5000: connect: connection refused")

It seems the bundle command ignores the IP I told it to look into. Am I making a mistake?

How can I bundle the image with a local docker image? I have searched, but none of the approaches I found work with the torizon-builder bundle command. I have a .tar of the image I want to pre-provision. Can I not refer to that for the tcbuild.yml, as I am assuming during the build process it also just downloads the .tar from docker.

If not, do I have to create a full private registry on a server or is it possible to use the local registry on my machine?

Thank you so much for your support


My docker-compose.yml:

services:
  myimage:
    image: localhost:5000/myimage
    ports:
      - 23113:23113/tcp
    restart: always
    devices:
      - /dev/apalis-uart3:/dev/apalis-uart3
      - /dev/apalis-uart4:/dev/apalis-uart4
      - /dev/gpiochip0:/dev/gpiochip0
    volumes:
      - source: /etc/sudoers.d
        target: /etc/sudoers.d
        type: bind
      - source: /sys/class/rtc/rtc1
        target: /sys/class/rtc/rtc1
        type: bind
      - source: /sys/power
        target: /sys/power
        type: bind
      - source: /usr/local/bin
        target: /usr/local/bin
        type: bind
      - source: /var/lib
        target: /var/lib
        type: bind
    build: .
version: '2.4'

Greetings @busssard,

I believe there are some misconceptions here. This message you saw Connecting to Docker Daemon at "tcp://172.17.0.3:22376", has nothing to do with your registry. It’s just where the tool is trying to connect to the Docker Daemon at, not where it’s trying to fetch your image.

As seen in your logs it’s trying to fetch your image from the correct location: Fetching container image localhost:5000/myimage but you provided the wrong IP in your bundle command so it fails: "Get http://localhost:5000/v2/: dial tcp 127.0.0.1:5000: connect: connection refused".

So you need to amend your command to something like this: torizoncore-builder bundle --dind-param="--insecure-registry=localhost:5000" docker-compose.yml

I just tried this on my side and it seems to work.

Best Regards,
Jeremias

Hello Jeremias,

Thank you for the comment. Sadly that is not the solution.
Using the docker-compose.yml from above I still get for the bundle command:
username@computer:~/tcbworkdir/docker_pre_prep$ torizoncore-builder bundle --dind-param="--insecure-registry=localhost:5000" docker-compose.yml
Creating Docker Container bundle...
Starting DIND container
Connecting to Docker Daemon at "tcp://172.17.0.4:22376"
Fetching container image localhost:5000/myimage:latest
Stopping DIND container
Error: container images download failed: 500 Server Error for https://172.17.0.4:22376/v1.40/images/create?tag=latest&fromImage=localhost%3A5000%2Fmyimage: Internal Server Error ("Get http://localhost:5000/v2/: dial tcp 127.0.0.1:5000: connect: connection refused")

But the image should be on the local registry as can be seen when pulling:
username@computer:~/tcbworkdir/docker_pre_prep$ docker pull localhost:5000/myimage
Using default tag: latest
latest: Pulling from myimage
Digest: sha256:865fc1abfb4e6860ff8aa16614db94ccb5c1b03816952a46e9676a7322b19e6a
Status: Image is up to date for localhost:5000/myimage:latest
localhost:5000/myimage:latest

Validating that the registry is really up and listening to port 5000:
username@computer:~/tcbworkdir/docker_pre_prep$ docker ps | grep registry
ca1499b50fc4 registry:2.7 "/entrypoint.sh /etc…" 20 hours ago Up 3 hours 0.0.0.0:5000->5000/tcp registry

The images are loaded (even though this is not important, I can remove them here. They are on the registry, and I can pull them again even if I do docker rmi localhost:5000/myimage):
username@computer:~/tcbworkdir/docker_pre_prep$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost:5000/myimage latest d7dac4c4a939 5 days ago 78.6MB
myimage latest d7dac4c4a939 5 days ago 78.6MB

Here we see what happens when we do not define the registry to pull from:
username@computer:~/tcbworkdir/docker_pre_prep$ docker pull myimage
Using default tag: latest
Error response from daemon: pull access denied for myimage, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

→ This is the same error output I get when trying to bundle with a docker-compose.yml where image: myimage:
username@computer:~/tcbworkdir/docker_pre_prep$ torizoncore-builder bundle --dind-param="--insecure-registry=localhost:5000" docker-compose.yml
Creating Docker Container bundle...
Starting DIND container
Connecting to Docker Daemon at "tcp://172.17.0.4:22376"
Fetching container image myimage:latest
Stopping DIND container
Error: container images download failed: 404 Client Error for https://172.17.0.4:22376/v1.40/images/create?tag=latest&fromImage=roverbrain: Not Found ("pull access denied for roverbrain, repository does not exist or may require 'docker login': denied: requested access to the resource is denied")


So I have the assumption that I am still missing a definition of the location for the bundle command somewhere?
Or I am not fully understanding what is going on in the bundle command.
What I don't understand is why I cannot hand a .tar directly to the tcbuild.yml to bundle the image with. I am assuming the bundle command also just stores the docker image locally for the builder to combine them, correct?

Dear @busssard,

Thanks for the feedback. If I understand correctly, you are using a secure private registry that requires authorization. Your error message says “repository does not exist or may require ‘docker login’: denied: requested access to the resource is denied”. Could you please run the bundle command using the login credentials as it is explained here: Pre-provisioning Docker Containers onto a TorizonCore image | Toradex Developer Center

Please let me know if that helps :slight_smile:

According to SO, this message is misleading and usually means that the image is not found.
I do not have a certificate as the registry is just my local docker registry. I am not running a dedicated server or registry.
I was following this answer here in the hope that then the docker-compose would find the image.

Sadly it gives me the output shown in my last post.
As I said, I have a local myimage.tar file and just want that to be included in the Torizon image so that the docker container does not have to be put on every board individually. I take any solution you can give me at this point.

Wait a minute, I just noticed something in your logs. You have this line: Connecting to Docker Daemon at "tcp://172.17.0.3:22376". Normally TorizonCore Builder is configured to use the host network; in this case the address in this line should be 127.0.0.1 for localhost network.

In the case TorizonCore Builder isn’t running on the host network it will use an address like the one seen in your logs. By default TorizonCore Builder should use this host network. Are you configuring TorizonCore Builder to not use the host network? Or are you running TorizonCore Builder on a Windows machine?

In either case you want to do the following:

  • Push your image to your local registry tagged as <registry IP address>:5000/myimage. So if your registry has the address “172.31.129.225” for example then you want to tag and push your image as 172.31.129.225:5000/myimage
  • Then in your compose file also change the “image:” property to 172.31.129.225:5000/myimage
  • Finally you can run the bundle command with --dind-param="--insecure-registry=172.31.129.225:5000" and it should work.

This is because your TorizonCore Builder appears to not be running on the host network so it needs the exact IP address of the registry container and not just “localhost”.

Best Regards,
Jeremias
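
The three steps above as a script, added here as an example and not taken from the thread or from Toradex tooling. It goes slightly beyond the post by taking the registry address as a parameter, so an IP or a DNS name works; the function names, the `DRY_RUN` switch and the `.bundle.yml` output name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). REGISTRY values and the *.bundle.yml
# output name are assumptions; torizoncore-builder must be callable here.

# Print each command instead of executing it unless DRY_RUN=0 is set.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Copy compose file $1 to $2, replacing registry prefix $3 with $4 on every
# "image:" line. Only image references are touched.
rewrite_compose_registry() {
  # Escape dots so the old registry matches literally in the sed pattern.
  rcr_old=$(printf '%s' "$3" | sed 's/\./\\./g')
  sed -E "s#^([[:space:]]*image:[[:space:]]*)${rcr_old}/#\\1$4/#" "$1" > "$2"
}

# $1 = image name, $2 = registry address reachable from the DIND container
# (IP:port or DNS name:port), $3 = compose file that uses localhost:5000.
bundle_via_registry() {
  bvr_out="${3%.yml}.bundle.yml"
  rewrite_compose_registry "$3" "$bvr_out" "localhost:5000" "$2"
  run docker tag "localhost:5000/$1" "$2/$1"
  run docker push "$2/$1"
  run torizoncore-builder bundle "--dind-param=--insecure-registry=$2" "$bvr_out"
}
```

With `DRY_RUN` left at its default, `bundle_via_registry myimage 172.31.129.225:5000 docker-compose.yml` writes the rewritten compose file and prints the three commands for review. `--insecure-registry` lets the DIND daemon talk to that registry without verified TLS, so keep it to a trusted build network.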

Using the external IP worked.

The problem is that Docker creates an internal network.

Hi @busssard,

Thanks for the feedback! I’m glad that it works for you.

So it does work to put the pre-provisioned docker on the SoM…
However, the container is now called <IP.Address-ofRegistry>:5000/Myimage
So actually it is not really a good solution.
I cannot have the main image be referred to by an IP that might change in case we have another production image at some point down the line.
Is there no way to rename it after it's bundled? Because so far the only way to make it work is to tag it with the IP of the registry.

Or to take a step back: Is there no way to add a myimage.tar to the tcbuild.yaml directly? If I use bundle, I am sure the code also just uses a form of docker save to make its docker-storage.tar.xz, so is there no way to do it without pushing it to a registry first where bundle then takes it down?

> I cannot have the main image be referred to by an ip that might change in case we have another production image some point down the line.

So wait, is your main issue the “non-static” IP?

Why not just give your registry a static IP then? Or, configure your registry to have a proper domain name to be referred to instead of IP? Or use a pre-configured registry technology like DockerHub, or Gitlab, or the other container registries offered out there? Or even configure TorizonCore Builder to run on your host network so it can connect to your registry using “localhost” instead of the IP address.

> Is there no way to add a myimage.tar to the tcbuild.yaml directly? If i use bundle i am sure the code also just uses a form of docker save to make its docker-storage.tar.xz so is there no way to do it without pushing it to a registry first where bundle then takes it down?

No, there is no way to do this; the tool takes the compose file and downloads from the locations specified by the compose file. And no, the method that is used for docker-storage.tar.xz is not quite docker save compatible, since it’s our Easy Installer tool that unpacks the tarball during installation and Easy Installer does not use docker load/save.

Best Regards,
Jeremias