TCB cannot do "platform push" if private docker registry

Hello community,
I’ve encountered a similar issue to Torizoncore-builder bundle with private docker registry - #8 by jeremias.tx and How to update docker-compose.yml with container images from private registry through TorizonOTA WebUI? - #6 by John but when using the “platform push” command.

I’ve tried with both tcb 3.5.0 and 3.5.1.
I have a docker-compose that contains private images (on docker hub).
The issue appears only when doing a push with --canonicalize.
Enabling all the logs on tcb reports a "401 Unauthorized" when executing set_images_hash in tcbuilder/backend/platform.py.
I haven’t found any other command-line option to pass the credential for login to a platform push command. Have I missed it or is it still not implemented?

I’ve done a couple of tries to pass the $HOME/.docker/config.json into the tcb container as a volume (credentials are stored in the clear), and if I install docker inside the tcb image I can see that the credentials are recognized (docker info) and doing a docker pull from the private registry works just fine, like on the host.
“platform push” seems to ignore those and cannot access the private registry anyway.

Thank you

PS. I cannot add the tags “torizoncore-builder” and “torizon-ota”

Greetings @mag,

As you noticed, if you specify --canonicalize with push, this requires access to the actual container registry. This is due to the canonicalization process replacing the container image tags with hashes, which can only be done with registry access.

Anyways, I believe this is a known limitation at the moment. It should hopefully be addressed in a future release/fix of TorizonCore Builder. While canonicalization is best practice it isn’t strictly required so this shouldn’t be blocking you at the moment. Or is this issue affecting/blocking you in some other way?

PS. I cannot add the tags “torizoncore-builder” and “torizon-ota”

Strange we’ll look into this. The tagging system on this site can be a bit difficult to work with sometimes.

Best Regards,
Jeremias

Thanks for the fast response @jeremias.tx .

No, it’s not blocking us.
Our build script updates the docker-compose.yml file, adding the tags of the image versions to use, but it has already happened in the past that multiple people forgot to change the build tag and the “tagged” image pointed to a new image. This can’t happen when using hashes.

I’ll keep an eye on the updates, when/if you implement this feature for private registries I’ll be very happy to test it.

Thank you again
Have a nice day

A workaround that may help your use case is using the bundle command as an intermediary. When you run the bundle command it produces a new docker-compose file that is essentially canonicalized as well. Furthermore, the bundle command does already have the extra arguments and features to access private registries.

It’d be an extra step, but basically you’d use bundle to create a canonicalized compose file and access your private registry. Then just use the compose file produced by bundle in the push command.

Best Regards,
Jeremias
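The tag-to-digest canonicalization discussed in this thread, as an added example that is not code from the thread or from TorizonCore Builder: a small Python check that flags compose images not pinned by a sha256 digest and rewrites them through a caller-supplied resolver. Regex-based parsing of the `image:` lines, the sample compose file and the tag-to-digest table are all constructed assumptions standing in for a registry login.

```python
import re

# "image:" lines of a compose file (regex-based parsing is an assumption of
# this example; it avoids a YAML dependency and covers the common layout).
IMAGE_LINE = re.compile(r"^([ \t]*image:[ \t]*)(\S+)[ \t]*$", re.MULTILINE)


def split_reference(ref):
    """Split an image reference into (name, tag, digest); tag/digest may be None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ref.rfind(":") > ref.rfind("/"):  # ':' after the last '/' is a tag, not a port
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def non_canonical_images(compose_text):
    """Images that Torizon OTA would treat as non-canonical: no sha256 digest."""
    return [m.group(2) for m in IMAGE_LINE.finditer(compose_text)
            if split_reference(m.group(2))[2] is None]


def canonicalize(compose_text, resolve_digest):
    """Rewrite tag-only images to name@digest via resolve_digest(name, tag).

    resolve_digest stands in for the registry lookup that needs credentials
    on a private registry; an exception there is the offline analogue of 401.
    """
    def repl(m):
        name, tag, digest = split_reference(m.group(2))
        if digest is None:
            digest = resolve_digest(name, tag or "latest")
        return f"{m.group(1)}{name}@{digest}"
    return IMAGE_LINE.sub(repl, compose_text)


# Constructed sample compose file and constructed tag -> digest table.
SAMPLE_COMPOSE = """services:
  app:
    image: myorg/private-app:1.4.2
  db:
    image: registry.example.com:5000/db:7
  cache:
    image: redis@sha256:""" + "aa" * 32 + "\n"
FAKE_REGISTRY = {
    ("myorg/private-app", "1.4.2"): "sha256:" + "11" * 32,
    ("registry.example.com:5000/db", "7"): "sha256:" + "22" * 32,
}
```

Running `non_canonical_images` on the output of `canonicalize` returns an empty list, which is the property a digest-pinned compose file must have before a push with --canonicalize.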

Hi @jeremias.tx,
that’s a very good idea.
I’ll definitely try that, we are already creating the bundle anyway.

Thank you
Regards

Glad to hear my suggestion works out for you!

Hi,

This workaround doesn’t seem to work with offline updates, sadly. Platform push keeps telling me it can’t determine the digest for an image that is located in a private repository, but I’m already using the canonicalized output of the bundle command.

I can push it fine if I don’t use the “--canonicalize” argument, but it seems that Torizon OTA then marks this as non-canonical, because I cannot use the docker-compose package to create a lockbox.

Kind regards,

Ernest

Greetings @Ernest,

Unfortunately, more advanced registry configurations, like private registries, are not supported with the Offline Updates feature at the moment. This is due to the initial limited feature release of Offline Updates. We do have a plan to allow the use of private registries with Offline Updates in the future, but I do not have an exact timeline of when this will be available.

Best Regards,
Jeremias

Hi @jeremias.tx,

That’s unfortunate indeed. Thanks for the fast reply!

Kind regards,
Ernest