Torizoncore-builder --login-to not Working

Technical Support
, , ,
1

Hello

I try to setup Torizon Platform, together with GitHub repositories and actions that will push the builds to Platform. As an excercise I’d like to do this all private as that is common requirement in the industry.

Now let’s start with my setup. I’m using:

  • Verdin i.MX8MM 2GB WB IT V1.1A
  • TorizonCore 6.8.1 (with some customizations)
  • The application container is being built with docker buildx

First of all the application container is being built on GitHub and pushed to its own registry, which is private. I create a (classic) token and I verified this one to work using docker login ... and docker pull ...

Then I push the respective docker-compose.yml to Torizon Platform using the following command:

torizoncore-builder platform push \
            --credentials credentials.zip \
            --package-name ClimateProdTestApp \
            --package-version "7d6de5d5" \
            --login-to ghcr.io impuls-ing <my github packages token (classic)> \
            docker-compose.yml

I can see the push to be successful. When I select the image to be installed on my device I see in the aktualizr log, that that it tries to pull my application but that fails with error “unauthorized”. Please see the log attached.

aktualizr_authentication_failure.txt (7.5 KB)

What I tried to debug the issue: I uploaded the same docker-compose.yml to the device

torizon@verdin-imx8mm-06760541:~$ docker-compose -f docker-compose.yml up 
WARN[0000] /home/torizon/docker-compose.yml: `version` is obsolete 
[+] Running 1/1
 ✘ climateprodtestapp Error Head "https://ghcr.io/v2/impuls-ing/climateprodtestapp/manifests/7d6de5d5": unauthorized                                                                                            0.4s 
Error response from daemon: Head "https://ghcr.io/v2/impuls-ing/climateprodtestapp/manifests/7d6de5d5": unauthorized
torizon@verdin-imx8mm-06760541:~$ docker login ghcr.io                                                                                                                                                              
Username: impuls-ing
Password: 
WARNING! Your password will be stored unencrypted in /home/torizon/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
torizon@verdin-imx8mm-06760541:~$ docker-compose -f docker-compose.yml up                                                                                                                                           
WARN[0000] /home/torizon/docker-compose.yml: `version` is obsolete 
[+] Running 20/20
 ✔ climateprodtestapp Pulled                                                                                                                                                                                   24.5s 
   ✔ 92c3b3500be6 Pull complete                                                                                                                                                                                 8.5s 
   ✔ 6d10cd063909 Pull complete                                                                                                                                                                                 9.8s 
   ✔ 38de08bd494d Pull complete                                                                                                                                                                                10.0s 
   ✔ 2f88c5727c46 Pull complete                                                                                                                                                                                10.1s 
   ✔ f3bb3403e8b9 Pull complete                                                                                                                                                                                10.4s 
   ✔ a05f8870c1b6 Pull complete                                                                                                                                                                                10.6s 
   ✔ fa7f96a6a20e Pull complete                                                                                                                                                                                10.9s 
   ✔ af7ddf09a87e Pull complete                                                                                                                                                                                11.0s 
   ✔ 9ecb9131a73e Pull complete                                                                                                                                                                                11.2s 
   ✔ 68c3de42df08 Pull complete                                                                                                                                                                                11.4s 
   ✔ bdfa20e97fc3 Pull complete                                                                                                                                                                                11.6s 
   ✔ 061ecec88232 Pull complete                                                                                                                                                                                19.5s 
   ✔ 2216f8074f82 Pull complete                                                                                                                                                                                21.3s 
   ✔ a9ba6c163096 Pull complete                                                                                                                                                                                21.5s 
   ✔ 649af67811d0 Pull complete                                                                                                                                                                                22.8s 
   ✔ 92abc78819ea Pull complete                                                                                                                                                                                23.0s 
   ✔ 604cc86d191f Pull complete                                                                                                                                                                                23.3s 
   ✔ 15d6b12f14d3 Pull complete                                                                                                                                                                                23.5s 
   ✔ 4f4fb700ef54 Pull complete                                                                                                                                                                                23.7s 
[+] Running 2/1
 ✔ Container torizon-climateprodtestapp-1                                        Created                                                                                                                        4.8s 
 ! climateprodtestapp Published ports are discarded when using host network mode                                                                                                                                0.0s 
Attaching to climateprodtestapp-1

So you can see that my token clearly works on the device but somehow the option --login-to does not work.

Please let me know if I’m doing something wrong.

Thanks in advance and Best Regards,
Philippe

2

Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!

Did you like my answer?

:+1: :-1:

Hello Philippe,

Thank you for reaching out with your question. It seems you’re encountering an issue with pulling your application container from a private registry using Torizon Platform, despite being able to manually log in and pull the container on the device. This suggests a problem with how the credentials are being handled by the Torizon Platform.

Here are some steps to troubleshoot and resolve this issue:

  1. Verify Credentials: Double-check that the credentials used with the --login-to option are correct and have the necessary permissions to access the private registry. Ensure the token’s scope and permissions on GitHub are set appropriately.

  2. Credential Deployment: The Torizon Platform requires credentials to be accessible during automated updates. You can use the TorizonCore Builder tool to embed these credentials into the TorizonCore image. This involves using docker login on a device to create a config.json file in /etc/docker, then capturing this configuration with TorizonCore Builder to create a custom image.

  3. Custom TorizonCore Image: Once you have a custom TorizonCore image with the embedded credentials, deploy this image to your devices. This ensures that all devices have the necessary credentials pre-provisioned.

  4. Check Aktualizr Logs: Review the logs from Aktualizr for any additional error messages or clues that might indicate why the authentication is failing. This can provide insights into whether the issue is with the credentials or the network configuration.

  5. Network Configuration: Ensure there are no network restrictions or firewall settings that might be blocking access to the registry from the device.

By following these steps, you should be able to resolve the unauthorized error and successfully pull your application container from the private registry using Torizon Platform. If the issue persists, consider revisiting the credential setup and deployment process to ensure all steps are correctly followed.

I hope this helps! Please feel free to reach out if you have any more questions.

Best regards,
Toradex AI Assistant

Please, also check if these links can help you solve your problem:

Torizon cloud update fails, docker login fails.

3

Hi @philschenker

I think there is some confusion here.

The torizoncore-builder platform push ... docker-compose.yml command is used to push the application docker-compose on the platform, but it doesn’t push your token to the cloud nor to the device.

The token is used to fetch the digest hash of your image, which is used as an integrity check.

You still need to have the tokens on the device side for it to work.
Check these guides to see how you can pass the tokens to the device “at scale”.

4

Hi Allan,

Thanks for your help! I was reading these pages but somehow missed the step that I am responsible of deploying the registry credentials.

The help text of torizoncore-builder states

  --login-to REGISTRY USERNAME PASSWORD
                        Request that the tool logs in to registry REGISTRY using specified USERNAME and PASSWORD (can be employed multiple times).

So for me reading this “the tool” means Torizon (as a whole product) and I was assuming that this will magically work and credentials are kind of stored along with the docker-compose.yml

But in this case I will check out the “at scale” documentation. Thanks for your help!

Kind Regards,
Philippe