We set up a private Docker registry on our premises (not Docker Hub).
The configuration uses a certificate and key issued by the corporation. Verification:
- Push/pull is possible from the developer machine via WSL.
- openssl s_client shows the proper certificate for the registry.
torizoncore-builder fails during the “bundle” stage.
I have already tried extending the torizoncore-builder image as below:
- adding corporate CA to the torizon-builder image (Dockerfile)
ADD certs/XXX.crt /usr/local/share/ca-certificates/
- adding corporate CA to the Python cert storage (Dockerfile)
RUN cat /etc/ssl/certs/XXX.pem >> /usr/local/lib/python3.9/dist-packages/certifi/cacert.pem
- adding corporate CA to docker config in torizoncore-builder image (changes overlay)
When I run the torizoncore-builder image interactively, I can see the proper certificates of the registry (e.g. via curl).
When I use insecure-registry as “dind_param” it works; however, it is not a production solution.
Do you have any suggestions? I am running out of ideas.
Building image as per configuration file 'tcbuild.yaml'...
=>> Handling input section
Unpacking Toradex Easy Installer image.
Copying Toradex Easy Installer image.
Unpacking TorizonCore Toradex Easy Installer image.
Importing OSTree revision 0c834097c0c3e79ebb47cb9f7f09cc3241dfa8445bea61bdb37cce6869162dd1 from local repository...
1088 metadata, 12667 content objects imported; 407.0 MB content written
Unpacked OSTree from Toradex Easy Installer image:
Commit checksum: 0c834097c0c3e79ebb47cb9f7f09cc3241dfa8445bea61bdb37cce6869162dd1
TorizonCore Version: 5.6.0+build.13
=>> Handling customization section
=> Handling device-tree subsection
=> Selecting custom device-tree 'device-trees/dts-arm32/XXXX'
'XXXXX' compiles successfully.
warning: removing currently applied device tree overlays
Device tree XXXX successfully applied.
=>> Handling output section
Applying changes from STORAGE/dt.
Applying changes from WORKDIR/changes1.
XXX has been generated for changes and is ready to be deployed.
Deploying commit ref: tcbuilder-20220523215952
Pulling OSTree with ref tcbuilder-20220523215952 from local archive repository...
Commit checksum: XXX
TorizonCore Version: 5.6.0+build.13-tcbuilder.20220523215952
Default kernel arguments: quiet logo.nologo vt.global_cursor_default=0 plymouth.ignore-serial-consoles splash fbcon=map:3
1088 metadata, 12682 content objects imported; 407.1 MB content written
Pulling done.
Deploying OSTree with checksum .....
Deploying done.
Copy files not under OSTree control from original deployment.
Packing rootfs...
Packing rootfs done.
Updating TorizonCore image in place.
Bundling images to directory XXXX
Starting DIND container
Using Docker host "tcp://127.0.0.1:22376"
Connecting to Docker Daemon at "tcp://127.0.0.1:22376"
Fetching container image XXXX
Stopping DIND container
Removing output directory 'XXXX' due to build errors
Error: Error: container images download failed: 500 Server Error for https://127.0.0.1:22376/v1.40/images/create?tag=1.0.0&fromImage=XXXX: Internal Server Error ("Get https://XXXXXX: x509: certificate signed by unknown authority")