I’ve tried with both tcb 3.5.0 and 3.5.1.
I have a docker-compose that contains private images (on docker hub).
The issue appears only when doing a push with --canonicalize.
Enabling all the logs on tcb reports an " 401 Unauthorized" when executing set_images_hash in tcbuilder/backend/platform.py.
I haven’t found any other command-line option to pass the credential for login to a platform push command. Have I missed it or is it still not implemented?
I’ve done a couple of tries to pass the $HOME/.docker/config.json into the tcb container as volume (credential are stored in clear) and if I install docker inside the tcb image I can see that the credentials are recognized (docker info) and doing a docker pull from the private registry works just fine like on the host.
“platform push” seems to ignore those and cannot access the private registry anyway.
Thank you
PS. I cannot add the tags “torizoncore-builder” and “torizon-ota”
As you noticed if you specify the --canonicalize with push this requires access to the actual container registry. This is due to the canonicalization process replacing the container image tags with hashes, which can only be done with registry access.
Anyways, I believe this is a known limitation at the moment. It should hopefully be addressed in a future release/fix of TorizonCore Builder. While canonicalization is best practice it isn’t strictly required so this shouldn’t be blocking you at the moment. Or is this issue affecting/blocking you in some other way?
PS. I cannot add the tags “torizoncore-builder” and “torizon-ota”
Strange we’ll look into this. The tagging system on this site can be a bit difficult to work with sometimes.
No it’s not blocking to us.
Our build script updates the docker-compose.yml file adding the tags of the image versions to use, but it happened already in the past that multiple people forget to change the build tag and the “tagged” image points to a new image. This can’t happen when using hashes.
I’ll keep an eye on the updates, when/if you implement this feature for private registries I’ll be very happy to test it.
A workaround that may help your use case is using the bundle command as an intermediary. When you run the bundle command it produces a new docker-compose file that is essentially canonicalized as well. Furthermore, the bundle command does already have the extra arguments and features to access private registries.
It’d be extra step, but basically you’d use bundle to create a canonicalized compose file and access your private registry. Then just use the compose file produced by bundle in the push command.
This workaround doesn’t seem to work with offline updates sadly. Platform push keeps telling me it can’t determine digest for an image that is located in a private repository, but I’m already using the canonicalized output of the bundle command.
I can push it fine if I don’t use the ‘–canonicalize’ argument, but it seems that Torizon OTA then marks this as non-canonical, because I cannot use the docker-compose package to create a lockbox.
Unfortunately, more advanced registry configurations, like private registries, are not supported with the Offline Updates feature at the moment. This is due to the initial limited feature release of Offline Updates. We do have a plan to allow the use of private registries with Offline Updates in the future, but I do not have an exact timeline of when this will be available.
I’ll just chime in here that we are also looking to use a private registry for our containers, and would like to see the --login option added to the platform push to support this. Also not blocking us due to the bundle workaround posted above but of course without the workaround the build process will be faster/cleaner.
EDIT:
Apparently there’s also an early access version of the torizoncore builder, that implements this functionality. It is not yet marked as a stable version but feel free to try it.
You can use the tag early-access. https://hub.docker.com/r/torizon/torizoncore-builder/tags
