Pre-provisioned image from local docker

Hello,

I am trying to bundle the Torizon image with a pre-provisioned image.
I have it loaded in my local registry using docker load. However, when using the
torizoncore-builder bundle --dind-param="--insecure-registry=172.31.129.225" docker-compose.yml
command, the tool always tries to connect to tcp://172.17.0.3:22376 even though this is not set anywhere.
Creating Docker Container bundle...
Starting DIND container
Connecting to Docker Daemon at "tcp://172.17.0.3:22376"
Fetching container image localhost:5000/myimage
Stopping DIND container
Error: container images download failed: 500 Server Error for https://172.17.0.3:22376/v1.40/images/create?tag=latest&fromImage=localhost%3A5000%2Fmyimage: Internal Server Error ("Get http://localhost:5000/v2/: dial tcp 127.0.0.1:5000: connect: connection refused")

It seems the bundle command ignores the IP I told it to look into. Am I making a mistake?

How can I bundle the image with a local docker image? I have searched, but none of the approaches I found work with the torizoncore-builder bundle command. I have a .tar of the image I want to pre-provision. Can I not refer to that for the tcbuild.yml, as I am assuming during the build process it also just downloads the .tar from docker?

If not, do I have to create a full private registry on a server, or is it possible to use the local registry on my machine?

Thank you so much for your support


my docker-compose.yml:

services:
  myimage:
    image: localhost:5000/myimage
    ports:
      - 23113:23113/tcp
    restart: always
    devices:
      - /dev/apalis-uart3:/dev/apalis-uart3
      - /dev/apalis-uart4:/dev/apalis-uart4
      - /dev/gpiochip0:/dev/gpiochip0
    volumes:
      - source: /etc/sudoers.d
        target: /etc/sudoers.d
        type: bind
      - source: /sys/class/rtc/rtc1
        target: /sys/class/rtc/rtc1
        type: bind
      - source: /sys/power
        target: /sys/power
        type: bind
      - source: /usr/local/bin
        target: /usr/local/bin
        type: bind
      - source: /var/lib
        target: /var/lib
        type: bind
    build: .
version: '2.4'

Greetings @busssard,

I believe there are some misconceptions here. This message you saw, Connecting to Docker Daemon at "tcp://172.17.0.3:22376", has nothing to do with your registry. It’s just where the tool is trying to connect to the Docker Daemon, not where it’s trying to fetch your image.

As seen in your logs it’s trying to fetch your image from the correct location: Fetching container image localhost:5000/myimage but you provided the wrong IP in your bundle command so it fails: "Get http://localhost:5000/v2/: dial tcp 127.0.0.1:5000: connect: connection refused".

So you need to amend your command to something like this: torizoncore-builder bundle --dind-param="--insecure-registry=localhost:5000" docker-compose.yml

I just tried this on my side and it seems to work.

Best Regards,
Jeremias

Hello Jeremias,

Thank you for the comment. Sadly, that is not the solution.
Using the docker-compose.yml from above, I still get for the bundle command:
username@computer:~/tcbworkdir/docker_pre_prep$ torizoncore-builder bundle --dind-param="--insecure-registry=localhost:5000" docker-compose.yml
Creating Docker Container bundle...
Starting DIND container
Connecting to Docker Daemon at "tcp://172.17.0.4:22376"
Fetching container image localhost:5000/myimage:latest
Stopping DIND container
Error: container images download failed: 500 Server Error for https://172.17.0.4:22376/v1.40/images/create?tag=latest&fromImage=localhost%3A5000%2Fmyimage: Internal Server Error ("Get http://localhost:5000/v2/: dial tcp 127.0.0.1:5000: connect: connection refused")

But the image should be on the local registry as can be seen when pulling:
username@computer:~/tcbworkdir/docker_pre_prep$ docker pull localhost:5000/myimage
Using default tag: latest
latest: Pulling from myimage
Digest: sha256:865fc1abfb4e6860ff8aa16614db94ccb5c1b03816952a46e9676a7322b19e6a
Status: Image is up to date for localhost:5000/myimage:latest
localhost:5000/myimage:latest

Validating that the registry is really up and listening to port 5000:
username@computer:~/tcbworkdir/docker_pre_prep$ docker ps | grep registry
ca1499b50fc4 registry:2.7 "/entrypoint.sh /etc…" 20 hours ago Up 3 hours 0.0.0.0:5000->5000/tcp registry

The images are loaded (even though this is not important, I can remove them here. They are on the registry, and I can pull them again even if I do docker rmi localhost:5000/myimage):
username@computer:~/tcbworkdir/docker_pre_prep$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost:5000/myimage latest d7dac4c4a939 5 days ago 78.6MB
myimage latest d7dac4c4a939 5 days ago 78.6MB

Here we see what happens when we do not define the registry to pull from:
username@computer:~/tcbworkdir/docker_pre_prep$ docker pull myimage
Using default tag: latest
Error response from daemon: pull access denied for myimage, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

→ This is the same error output I get when trying to bundle with a docker-compose.yml where image: myimage:
username@computer:~/tcbworkdir/docker_pre_prep$ torizoncore-builder bundle --dind-param="--insecure-registry=localhost:5000" docker-compose.yml
Creating Docker Container bundle...
Starting DIND container
Connecting to Docker Daemon at "tcp://172.17.0.4:22376"
Fetching container image myimage:latest
Stopping DIND container
Error: container images download failed: 404 Client Error for https://172.17.0.4:22376/v1.40/images/create?tag=latest&fromImage=roverbrain: Not Found ("pull access denied for roverbrain, repository does not exist or may require 'docker login': denied: requested access to the resource is denied")


So I have the assumption that I am still missing a definition of the location for the bundle command somewhere?
Or I am not fully understanding what is going on in the bundle command.
What I don't understand is why I cannot hand a .tar directly to the tcbuild.yml to bundle the image with. I am assuming the bundle command also just stores the docker image locally for the builder to combine them, correct?

Dear @busssard,

Thanks for the feedback. If I understand correctly, you are using a secure private registry that requires authorization. Your error message says “repository does not exist or may require ‘docker login’: denied: requested access to the resource is denied”. Could you please run the bundle command using the login credentials as it is explained here: Pre-provisioning Docker Containers onto a TorizonCore image | Toradex Developer Center

Please let me know if that helps 🙂


According to SO, this message is misleading and usually means that the image is not found.
I do not have a certificate, as the registry is just my local docker registry. I am not running a dedicated server or registry.
I was following this answer here in the hope that then the docker-compose would find the image.

Sadly it gives me the output shown in my last post.
As I said, I have a local myimage.tar file and just want that to be included in the Torizon image so that the docker container does not have to be put on every board individually. I take any solution you can give me at this point.

Wait a minute, I just noticed something in your logs. You have this line: Connecting to Docker Daemon at "tcp://172.17.0.3:22376". Normally TorizonCore Builder is configured to use the host network; in this case the address in this line should be 127.0.0.1 for localhost network.

In the case TorizonCore Builder isn’t running on the host network it will use an address like the one seen in your logs. By default TorizonCore Builder should use this host network. Are you configuring TorizonCore Builder to not use the host network? Or are you running TorizonCore Builder on a Windows machine?

In either case you want to do the following:

  • Push your image to your local registry tagged as <registry IP address>:5000/myimage. So if your registry has the address “172.31.129.225” for example then you want to tag and push your image as 172.31.129.225:5000/myimage
  • Then in your compose file also change the “image:” property to 172.31.129.225:5000/myimage
  • Finally you can run the bundle command with --dind-param="--insecure-registry=172.31.129.225:5000" and it should work.

This is because your TorizonCore Builder appears to not be running on the host network so it needs the exact IP address of the registry container and not just “localhost”.

Best Regards,
Jeremias


Using the external IP worked.

The problem is that docker creates an internal network.

Hi @busssard,

Thanks for the feedback! I’m glad that it works for you.

So it does work to put the pre-provisioned docker on the SoM…
However, the container is now called <IP.Address-ofRegistry>:5000/Myimage
So actually it is not really a good solution.
I cannot have the main image be referred to by an IP that might change in case we have another production image some point down the line.
Is there no way to rename it after it's bundled? Because so far the only way to make it work is to tag it with the IP of the registry.

Or to take a step back: Is there no way to add a myimage.tar to the tcbuild.yaml directly? If I use bundle, I am sure the code also just uses a form of docker save to make its docker-storage.tar.xz, so is there no way to do it without pushing it to a registry first where bundle then takes it down?

I cannot have the main image be referred to by an IP that might change in case we have another production image some point down the line.

So wait is your main issue the “non-static” IP?

Why not just give your registry a static IP then? Or, configure your registry to have a proper domain name to be referred to instead of IP? Or use a pre-configured registry technology like DockerHub, or Gitlab, or the other container registries offered out there? Or even configure TorizonCore Builder to run on your host network so it can connect to your registry using “localhost” instead of the IP address.

Is there no way to add a myimage.tar to the tcbuild.yaml directly? If I use bundle, I am sure the code also just uses a form of docker save to make its docker-storage.tar.xz, so is there no way to do it without pushing it to a registry first where bundle then takes it down?

No, there is no way to do this; the tool takes the compose file and downloads from the locations specified by the compose file. And no, the method that is used for docker-storage.tar.xz is not quite docker save compatible, since it’s our Easy Installer tool that unpacks the tarball during installation and Easy Installer does not use docker load/save.

Best Regards,
Jeremias

The same problem occurs on an actual build while using WSL2 and trying to build an image with a local docker container for Verdin iMX8mm.

$ ip a
1: lo: … inet 127.0.0.1/8 scope host lo
2: eth0: … inet 172.20.202.49/20 brd 172.20.207.255 scope global eth0
3: docker0: … inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
59: veth0e5c99e@if58: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default

Pull image from external-IP fails:
$ docker pull 172.17.0.3:5000/test
Using default tag: latest
Error response from daemon: Get "https://172.17.0.3:5000/v2/": dial tcp 172.17.0.3:5000: connect: no route to host

$ docker pull 172.17.0.1:5000/test
Using default tag: latest
Error response from daemon: Get "https://172.17.0.1:5000/v2/": http: server gave HTTP response to HTTPS client

$ docker pull 172.20.202.49:5000/test
Using default tag: latest
Error response from daemon: Get "https://172.20.202.49:5000/v2/": http: server gave HTTP response to HTTPS client

So which settings have to be made to push/pull images to an external IP? Registry entries?

Hi @CGO,

Could you please open a new thread as this one is quite old and may not fully apply to you anymore.

That said, looking at your errors I think I know what’s wrong. These error messages:

server gave HTTP response to HTTPS client

These occur when you are trying to access an insecure docker registry. I assume this 172.20.202.49:5000 registry you’re trying to access here is insecure and can’t handle HTTPS requests. Hence the error you are getting.

You should configure docker on the device you are trying to run docker pull to recognize that your registry is insecure. You can do this by creating the file /etc/docker/daemon.json with the following contents:

{
   "insecure-registries" : ["<ip address:port>"]
}

Then restart the device/docker and try again.

Best Regards,
Jeremias

Adding insecure-registries
inside WSL2 → Ubuntu does not work as described before with /etc/docker/daemon.json.

The following line should be added inside /etc/default/docker:
DOCKER_OPTS="--insecure-registry=a.example.com --insecure-registry=172.20.202.49"

After the Docker daemon has restarted: $ sudo service docker restart
Showing details with $ docker info returns:
Insecure Registries:
b.example.com
172.20.202.49
127.0.0.0/8

But that does not fix the problem described before.

$ torizoncore-builder bundle --dind-param="--insecure-registry=172.20.202.49:5000" docker-compose.yml
Creating Docker Container bundle...

Starting DIND container
Connecting to Docker Daemon at "tcp://172.17.0.4:22376"
Fetching container image bruker
Stopping DIND container
Error: container images download failed: 404 Client Error for https://172.17.0.4:22376/v1.40/images/create?tag=latest&fromImage=bruker: Not Found ("pull access denied for bruker, repository does not exist or may require 'docker login': denied: requested access to the resource is denied")

@CGO Here’s what I did on Windows WSL and it works for me:

  • I created an insecure registry container: docker run -d -p 5000:5000 --restart always --name registry registry:2
  • I pushed a container image to this registry docker push <IP ADDRESS>:5000/myimage.
    • You want the IP address here to be the IP address of your Windows machine.
  • Create a docker-compose.yml like this:
version: "2.4"
services:
  myimage:
    image: <IP ADDRESS>:5000/myimage
  • Then I run the bundle command:
torizoncore-builder bundle --force --dind-param="--insecure-registry=<IP ADDRESS>:5000" docker-compose.yaml
Creating Docker Container bundle...

Starting DIND container
Connecting to Docker Daemon at "tcp://172.17.0.4:22376"
Fetching container image <IP ADDRESS>:5000/myimage
  Pulling from myimage
  c1ec31eb5944: Pull complete
  Digest: sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7
  Status: Downloaded newer image for <IP ADDRESS>:5000/myimage:latest
Saving Docker Compose file
Exporting storage
Storing container bundle into "bundle"
Stopping DIND container
Successfully created Docker Container bundle in "bundle"!

Based on your error it seems like you don’t have the right address set.

Alternatively, if you push your container image to a proper container registry like Dockerhub, then you don’t have to worry about trying to correctly configure and handle this stuff.

Best Regards,
Jeremias
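
As an added example (not part of any post above and not Toradex code), the two failures in this thread can be caught before running the bundle command by checking the `image:` values of the compose file, which is the point of both the earlier steps (tag the image with the registry IP) and the WSL walkthrough just above. The function names and the sample compose text are constructed for illustration, and the check assumes the DIND container is on a bridge network, as the `tcp://172.17.0.x:22376` lines in the logs indicate.

```python
import ipaddress
import re

# Constructed sample: image references of the three kinds seen in this thread.
SAMPLE_COMPOSE = """\
version: "2.4"
services:
  a:
    image: localhost:5000/myimage
  b:
    image: bruker
  c:
    image: 172.31.129.225:5000/myimage
"""

def registry_of(image_ref):
    """Registry host[:port] of an image reference, or None when Docker
    would fall back to Docker Hub (no registry component)."""
    first, slash, _ = image_ref.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return None

def is_loopback(registry):
    """True if the registry host is localhost or a loopback IP."""
    if registry.startswith("["):          # bracketed IPv6, e.g. [::1]:5000
        host = registry[1:registry.index("]")]
    else:
        host = registry.split(":")[0]
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                    # a DNS name, not an IP literal
        return False

def check_compose(text):
    """Map each `image:` value to (status, registry)."""
    findings = {}
    for ref in re.findall(r"^\s*image:\s*['\"]?([^\s'\"#]+)", text, re.M):
        reg = registry_of(ref)
        if reg is None:
            findings[ref] = ("docker-hub", None)   # "pull access denied"
        elif is_loopback(reg):
            findings[ref] = ("loopback", reg)      # "connection refused"
        else:
            findings[ref] = ("ok", reg)
    return findings

if __name__ == "__main__":
    for ref, (status, reg) in check_compose(SAMPLE_COMPOSE).items():
        print(f"{ref:32} {status:11} {reg or '-'}")
```

An "ok" result only means the registry name is not the container's own loopback; `--insecure-registry=<registry>` is still needed when that registry serves plain HTTP, as the `registry:2` container in this thread does.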