Torizoncore-builder bundle with Insecure Registry: Error x509 Certificate signed by unknown authority

anthonyabboud · February 6, 2023, 10:47pm

Hi all,

I am currently working on a Windows 10 machine and WSL2 using Ubuntu 20.04.

I’ve been following the website steps to create my own custom TorizonCore image for an iMX6 using the TorizonCore Extension for Visual Studio Code. I managed to build my Release Container from my Qt5 application. Once built, it is now shown on my Docker Desktop list of images.

Now, to link this to the TorizonCore-Builder tool, I’m understanding that I need to push this image to a Registry. Since I want to keep it private. I’ve been executing the following steps to create a Private Insecure Registry (for now).

On Win10 Powershell

Pull the registry image:

docker pull registry

Run local registry container:

docker run -d -p 5000:5000 -v C:/localhub/registry:/var/lib/registry --restart=always --name hub.local registry

I can see that my registry container is running using docker ps
Push my image on Docker to my registry:

docker push <laptop's IP address>:5000/my-custom-image

Confirm my image is in the repository by navigating to 127.0.0.1:5000/v2/_catalog

Now that the registry is setup and contains my desired image, I go set it on Docker Desktop as an Insecure Registry like so:

Now I want to go build my image. I will use WSL2 using Ubuntu-20.04 on that same machine. Before calling my Build command with TorizonCore-Builder, I want to call my Bundle command to fetch my image from my Insecure Registry. I’m understanding from the documentation to use a command line similar to the following:

torizoncore-builder bundle --dind-param="--insecure-registry=10.67.3.52:5000" files/docker-compose.yml

The IP matches the machine’s IP as per Windows 10 (ipconfig command) and my docker-compose.yml has been exported from the Dev Container on VSCode as explained in the step-by-step guide:

# docker-compose.yml
services:
  my-custom-image:
    depends_on:
    - weston
    device_cgroup_rules:
    - c 226:* rmw
    devices:
    - /dev/ttymxc1
    - /dev/ttymxc3
    - /dev/fb0
    - /dev/mmcblk0p1
    - /mnt
    - /media
    image: my-custom-image
    ports: []
    volumes:
    - /tmp:/tmp:rw
    - /dev/dri:/dev/dri:rw
  weston:
    cap_add:
    - CAP_SYS_TTY_CONFIG
    device_cgroup_rules:
    - c 4:0 rmw
    - c 4:7 rmw
    - c 13:* rmw
    - c 226:* rmw
    image: torizon/weston:2
    network_mode: host
    volumes:
    - source: /tmp
      target: /tmp
      type: bind
    - source: /dev
      target: /dev
      type: bind
    - source: /run/udev
      target: /run/udev
      type: bind
version: '2.4'

Executing the bundle command with these gives me the following output:

I’m not sure what tcp://172.17.0.4:22376 is. I can’t seem to understand why I am getting a certificate error if I am trying to access an Insecure Registry that’s on the same machine. Does anyone have any idea what I’m missing here?

NOTE: I am able to execute docker login/pull commands from WSL2.

Thanks!

jeremias.tx · February 6, 2023, 11:25pm

Greetings @anthonyabboud,

I believe the issue here is more or less what is described in this comment here: Pre-provisioned image from local docker - #6 by jeremias.tx

Basically for the --dind-param you need to pass the IP address of the container that is running the local registry. Not the IP address of your laptop itself. Though you’ll also need to push your container image to the registry with the name pattern <registry container IP address>:5000/my-custom-image.

Best Regards,
Jeremias

anthonyabboud · February 7, 2023, 1:11am

Hey @jeremias.tx ,

Thanks for the quick response.

So from my understanding, I now went into my registry container, and identified its own IP address as being: 172.17.0.2. So I updated my docker insecure-registries value accordingly and also added 172.17.0.2:5000 to my names in the docker-compose.yml.

So now I want to push to this registry using (like you mentioned) before trying to bundle it:

docker push 172.17.0.2:5000/my-custom-image

and then same for the dependent image (torizon/weston:2)

docker push 172.17.0.2:5000/torizon/weston:2

which gives me the following output for both commands:

anthonyabboud · February 7, 2023, 4:38pm

I managed to solve my issue by doing the following:

Following the steps under this link: Deploy a registry server | Docker Documentation

Create a registry BUT if your port 5000 is already being used (might have been the case for me), set it to e.g. 5001.

docker run -d -p 5001:5000 --restart=always --name registry registry:2

Tag the images

docker tag my-custom-image localhost:5001/my-custom-image
docker tag torizon/weston:2 localhost:5001/torizon/weston:2

Push both my images to the local registry. You can confirm the push was successful by viewing the registry’s images by navigating on a browser to http://localhost:5001/v2/_catalog

docker push localhost:5001/my-custom-image
docker push localhost:5001/torizon/weston:2

Remove the locally-cached images

docker image remove my-custom-image
docker image remove localhost:5001/my-custom-image
docker image remove torizon/weston:2
docker image remove localhost:5001/torizon/weston:2

Set this local registry as an Insecure Registry. I used my Windows 10 machine’s IP address and not the Registry’s internal IP address. Add the following to the docker daemon.json

{
  "insecure-registries" : ["<Win10 IP Address:5001"]
}

In WSL2, prepare torizoncore-builder tool (source command).
In the docker-compose.yml file, for the “image:” properties, insert the address of the registry with the image name:

image: <Win10 IP Address>:5001/my-custom-image
image: <Win10 IP Address>:5001/torizon/weston:2

Execute the following command in WSL2:

torizoncore-builder bundle --dind-param="--insecure-registry=<Win10 IP Address>:5001" docker-compose.yml

TorizonCore-Builder was then able to fetch my images from the local registry on the same machine.

Takeaways, based on what just worked for me:

Use the Windows 10 IP Address (ipconfig command on Powershell) as the Registry’s IP address identifier
If access to the registry does not work, reroute to a port other than 5000.

jeremias.tx · February 7, 2023, 7:59pm

Glad you were able to find a solution. Yeah sometimes the networking on Windows and with WSL can get a bit strange to deal with.

Best Regards,
Jeremias