Hi,
we made a setup of a private docker registry on our premises (not docker hub).
The configuration uses a certificate and key issued by the corporation. Verification:
- Push/pull is possible from the developer machine by WSL.
- openssl s_client shows proper certificate for the registry
Problem:
torizoncore-builder fails during “bundle” stage.
What I have already tried: extending the torizoncore-builder image as below.
- adding corporate CA to the torizon-builder image (dockerfile)
    ADD certs/XXX.crt /usr/local/share/ca-certificates/
    RUN update-ca-certificates
- adding corporate CA to the python cert storage (dockerfile)
    RUN cat /etc/ssl/certs/XXX.pem >> /usr/local/lib/python3.9/dist-packages/certifi/cacert.pem
- adding corporate CA to docker config in torizoncore-builder image (changes overlay)
    /etc/docker/certs.d/XXXX:443/ca.crt
When I run the torizoncore-builder image interactively, I can see the proper certificates of the registry (e.g. via curl).
When I use insecure-registry as “dind_param” it works, however it is not a production solution.
Have you got any proposition? I am running out of ideas.
Logs
Building image as per configuration file 'tcbuild.yaml'...
=>> Handling input section
Unpacking Toradex Easy Installer image.
Copying Toradex Easy Installer image.
Unpacking TorizonCore Toradex Easy Installer image.
Importing OSTree revision 0c834097c0c3e79ebb47cb9f7f09cc3241dfa8445bea61bdb37cce6869162dd1 from local repository...
1088 metadata, 12667 content objects imported; 407.0 MB content written
Unpacked OSTree from Toradex Easy Installer image:
Commit checksum: 0c834097c0c3e79ebb47cb9f7f09cc3241dfa8445bea61bdb37cce6869162dd1
TorizonCore Version: 5.6.0+build.13
=>> Handling customization section
=> Handling device-tree subsection
=> Selecting custom device-tree 'device-trees/dts-arm32/XXXX'
'XXXXX' compiles successfully.
warning: removing currently applied device tree overlays
Device tree XXXX successfully applied.
=>> Handling output section
Applying changes from STORAGE/dt.
Applying changes from WORKDIR/changes1.
XXX has been generated for changes and is ready to be deployed.
Deploying commit ref: tcbuilder-20220523215952
Pulling OSTree with ref tcbuilder-20220523215952 from local archive repository...
Commit checksum: XXX
TorizonCore Version: 5.6.0+build.13-tcbuilder.20220523215952
Default kernel arguments: quiet logo.nologo vt.global_cursor_default=0 plymouth.ignore-serial-consoles splash fbcon=map:3
1088 metadata, 12682 content objects imported; 407.1 MB content written
Pulling done.
Deploying OSTree with checksum .....
Deploying done.
Copy files not under OSTree control from original deployment.
Packing rootfs...
Packing rootfs done.
Updating TorizonCore image in place.
Bundling images to directory XXXX
Starting DIND container
Using Docker host "tcp://127.0.0.1:22376"
Connecting to Docker Daemon at "tcp://127.0.0.1:22376"
Fetching container image XXXX
Stopping DIND container
Removing output directory 'XXXX' due to build errors
Error: Error: container images download failed: 500 Server Error for https://127.0.0.1:22376/v1.40/images/create?tag=1.0.0&fromImage=XXXX: Internal Server Error ("Get https://XXXXXX: x509: certificate signed by unknown authority")