concourse/oci-build-task

Support the equivalent of 'docker login ...' to authenticate with docker repos for pulling dependencies

kdvolder opened this issue · 4 comments

When building images locally using

docker build .

we can do a few docker login <some-repo> beforehand, which allows us to be authenticated as a specific user with the repo.

This is not just useful but often necessary to do things such as:

  • authenticating to dockerhub to avoid nasty errors around pull limits (when trying to fetch images used in 'FROM' in dockerfile)
  • authenticating with any repo to be able to pull private images.

Without support for this, basically the oci-build-task can't be used by us at the moment to build anything. Even building images that purely depend on public images in dockerhub ends up failing 90% of the time because they are hitting dockerhub's pull limits on anonymous access. (A shared CI host tends to hit those limits really quickly.)

You can use the registry-image resource to download images from Docker Hub or a private registry, then pass them to the task using IMAGE_ARG_* params.

You can use the registry-image resource to download images from Docker Hub or a private repository, then pass them to the task using IMAGE_ARG_* params.

Thanks for the tip. That seems like a workaround that could actually work. But it sounds a bit painful so I wouldn't consider that as a 'proper' or at least not a 'convenient' or 'intuitive' way to deal with docker builds that require being authenticated as a specific user.

In fact... another workaround is to create your own 'docker runner' image in which you simply install and run the docker daemon, and then just build docker images with 'simple' bash scripts (i.e. workaround = do not use 'oci-build-task'). That seems like it would be far less hassle than dancing around the fact that oci-build-task doesn't support a way to 'login' to docker repos.

I will also say that in a corporate environment pulling images from private repos tends to be the norm rather than the exception.

If I have to pull images using a registry for every image I update in my Dockerfile it means that I cannot update my dockerfile to pull in new images unless I update my pipeline.
This seems counterintuitive for a CI system as I cannot make that type of change as a PR.

@Bengreen @kdvolder

What we ended up doing is to simply populate ~/.docker/config.json before running build. Buildkit reads that.

      params:
        DOCKER_CONFIG_JSON: ((gcr.docker_config))
      run:
        args:
        - -c
        - |-
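          # -p: do not fail when the directory already exists
          mkdir -p ~/.docker
          # Quote the variable so the JSON is written as-is (no word splitting or globbing)
          printf '%s' "$DOCKER_CONFIG_JSON" > ~/.docker/config.json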
          build
        path: /bin/sh
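
The workaround in the last comment relies on a config.json that already holds the credentials. As an added example (not code from the thread or from oci-build-task), this shell function writes such a file from a registry host, username and password, in the layout docker login produces when no credential helper is configured, with owner-only permissions. The function name, argument order and the sample registry and user are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function and argument names are
# hypothetical; registry.example.com / ci-user below are constructed values.

# write_docker_config <config-dir> <registry-host> <username> <password>
# Writes <config-dir>/config.json in the layout `docker login` produces when
# no credential helper is configured:
#   {"auths": {"<registry>": {"auth": base64("<user>:<password>")}}}
# The body runs in a subshell, so the umask and variables do not leak.
write_docker_config() (
    cfg_dir=$1
    registry=$2
    user=$3
    pass=$4

    # The registry is placed into JSON unescaped, so refuse characters that
    # would need escaping, plus empty values.
    case $registry in
        ''|*[\"\\]*) echo "invalid registry name" >&2; return 1 ;;
    esac
    [ -n "$user" ] && [ -n "$pass" ] || { echo "missing credentials" >&2; return 1; }

    # New files and directories are created owner-only.
    umask 077
    mkdir -p "$cfg_dir" || return 1

    # base64 may wrap long output; strip newlines so the value stays one token.
    auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n') || return 1

    printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth" \
        > "$cfg_dir/config.json" || return 1

    # umask does not tighten a file that already existed, so set it explicitly.
    chmod 600 "$cfg_dir/config.json"
)

# Usage in a task script (password taken from a pipeline-provided variable):
#   write_docker_config "$HOME/.docker" registry.example.com ci-user "$REGISTRY_PASSWORD"
```

The auth value is only base64-encoded, not encrypted, so the file is as sensitive as the password itself.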