(nx-tools/container) Only push to specified image repositories #954

Open
juventus18 opened this issue Jan 30, 2024 · 5 comments

@juventus18

I'm trying to push my built images to a private container repository. The action keeps failing because it attempts to push to a docker.io registry in addition to my AWS ECR. I don't have a docker.io repo and do not wish to create one. I only want to push to my AWS ECR. Here's the relevant part from my Nx project.json:

"container": {
  "executor": "@nx-tools/nx-container:build",
  "dependsOn": [
    "@my-project/source:ecr-login"  // this is a root target that logs in to AWS ECR, it works fine.
  ],
  "options": {
    "engine": "docker",
    "push": true,
    "metadata": {
      "images": [
        "my-project/my-app", // I tried just using "my-app", but it still attempts to push to docker.io
        "$AWS_CONTAINER_IMAGE_REGISTRY/my-project/my-app"
      ],
      "load": true,
      "tags": [
        "latest",
        "type=schedule",
        "type=ref,event=branch",
        "type=ref,event=tag",
        "type=ref,event=pr",
        "type=semver,pattern={{version}}",
        "type=semver,pattern={{major}}.{{minor}}",
        "type=semver,pattern={{major}}",
        "type=sha,prefix=sha-"
      ]
    }
  }
}

The task fails when attempting to push to docker.io (but I don't want it to push there). Here's some of the console output:

#19 exporting to image
#19 exporting layers done
#19 writing image sha256:3a77a93b...be25fcfd959f
#19 writing image sha256:3a77a93b...be25fcfd959f 0.1s done
#19 naming to docker.io/my-project/my-app:master
#19 naming to docker.io/my-project/my-app:master 0.1s done
#19 naming to docker.io/my-project/my-app:latest 0.1s done
#19 naming to docker.io/my-project/my-app:sha-e2ed498
#19 naming to docker.io/my-project/my-app:sha-e2ed498 0.1s done
#19 naming to 39...23.dkr.ecr.us-west-2.amazonaws.com/my-project/my-app:master
#19 naming to 39...23.dkr.ecr.us-west-2.amazonaws.com/my-project/my-app:master 0.1s done
#19 naming to 39...23.dkr.ecr.us-west-2.amazonaws.com/my-project/my-app:latest
#19 naming to 39...23.dkr.ecr.us-west-2.amazonaws.com/my-project/my-app:latest 0.1s done
#19 naming to 39...23.dkr.ecr.us-west-2.amazonaws.com/my-project/my-app:sha-e2ed498
#19 naming to 39...23.dkr.ecr.us-west-2.amazonaws.com/my-project/my-app:sha-e2ed498 0.2s done
#19 DONE 0.9s

#20 pushing my-project/my-app:master with docker
#20 pushing layer 93...d7
#20 pushing layer d1...cc
#20 pushing layer 64...60
#20 pushing layer 4c...71
#20 pushing layer 8a...7e
#20 pushing layer 7c...9d 0.0s
#20 pushing layer d4...3a 0.0s
#20 pushing layer 93...d7 1.7s done
#20 pushing layer d1...cc 1.7s done
#20 pushing layer 64...60 1.7s done
#20 pushing layer 4c...71 1.7s done
#20 pushing layer 8a...7e 1.7s done
#20 pushing layer 7c...9d 1.7s done
#20 pushing layer d4...3a 1.7s done
#20 ERROR: denied: requested access to the resource is denied
------
 > pushing my-project/my-app:master with docker:
------
ERROR: denied: requested access to the resource is denied

If I omit the base image name, the task properly pushes to my AWS ECR, but I no longer have the simple name available in my Docker Desktop (i.e. the image name is prefixed with the AWS ECR URL):

"container": {
  "executor": "@nx-tools/nx-container:build",
  "dependsOn": [
    "@my-project/source:ecr-login"  // this is a root target that logs in to AWS ECR, it works fine.
  ],
  "options": {
    "engine": "docker",
    "push": true,
    "metadata": {
      "images": [
        "$AWS_CONTAINER_IMAGE_REGISTRY/my-project/my-app"
      ],
      "load": true,
      "tags": [
        "latest",
        "type=schedule",
        "type=ref,event=branch",
        "type=ref,event=tag",
        "type=ref,event=pr",
        "type=semver,pattern={{version}}",
        "type=semver,pattern={{major}}.{{minor}}",
        "type=semver,pattern={{major}}",
        "type=sha,prefix=sha-"
      ]
    }
  }
}

Is there any way to skip attempting to push to docker.io?

@juventus18
Author

I've been digging into this for hours and, of course, I figured out a workaround just minutes after posting... I can use two targets to get the desired behavior:

"build-container": {
	"executor": "@nx-tools/nx-container:build",
	"options": {
		"engine": "docker",
		"push": false,
		"metadata": {
			"images": [
				"my-project/my-app"
			],
			"load": true,
			"tags": [
				"latest",
				"type=schedule",
				"type=ref,event=branch",
				"type=ref,event=tag",
				"type=ref,event=pr",
				"type=semver,pattern={{version}}",
				"type=semver,pattern={{major}}.{{minor}}",
				"type=semver,pattern={{major}}",
				"type=sha,prefix=sha-"
			]
		}
	}
},
"publish-container": {
	"executor": "@nx-tools/nx-container:build",
	"dependsOn": [
		"@my-project/source:ecr-login",
		"build-container"
	],
	"options": {
		"engine": "docker",
		"push": true,
		"metadata": {
			"images": [
				"$AWS_CONTAINER_IMAGE_REGISTRY/my-project/my-app"
			],
			"load": false,
			"tags": [
				"latest",
				"type=schedule",
				"type=ref,event=branch",
				"type=ref,event=tag",
				"type=ref,event=pr",
				"type=semver,pattern={{version}}",
				"type=semver,pattern={{major}}.{{minor}}",
				"type=semver,pattern={{major}}",
				"type=sha,prefix=sha-"
			]
		}
	}
}

Only downside is the container has to be built twice. Even with caching it takes a little time, but it's not a big deal. Still seems unwanted behavior to push to a repo I didn't specify in the image name, but maybe that's a feature instead of a bug...

@tomaszkrzyzanowski

tomaszkrzyzanowski commented Jan 31, 2024

@juventus18 why not just use build-container and set:

  1. the image name to "$AWS_CONTAINER_IMAGE_REGISTRY/my-project/my-app"
  2. "dependsOn": [ "@my-project/source:ecr-login",],
  3. "push": true,

And your build should be fine IMO

@sibest19

Hey @juventus18!

To achieve what you did, we did something like this in our GH Actions deploy workflow file:

      - name: Login to Amazon ECR
        id: ecr-login
        uses: aws-actions/amazon-ecr-login@v2

      - '...'

      - name: Build and push images
        run: yarn nx affected --target=build:container
        env:
          INPUT_BUILD_ARGS: |
            A_BUILD_ARG=build_arg_value
          INPUT_YOUR_FIRST_APP_NAME_TAGS: '${{ steps.ecr-login.outputs.registry }}/first-app-name:latest'
          INPUT_YOUR_OTHER_APP_NAME_TAGS: '${{ steps.ecr-login.outputs.registry }}/other-app-name:latest'
          INPUT_GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
          INPUT_PLATFORMS: 'linux/amd64'
          INPUT_PUSH: true

Basically, you can use env variables to override target options from your projects' project.json files. Hope it helps. 🙂

@juventus18
Author

> @juventus18 why not just use build-container and set:
>
>   1. the image name to "$AWS_CONTAINER_IMAGE_REGISTRY/my-project/my-app"
>   2. "dependsOn": [ "@my-project/source:ecr-login",],
>   3. "push": true,
>
> And your build should be fine IMO

Yeah, that's what I did. My complaint is that if I want to push the image to AWS ECR and have the image available locally, I can't do it in one step. When attempting to do so, the plugin also attempts to push to a Docker Hub repo (even though I didn't specify that), thus causing the task to fail.

@juventus18
Author

> Basically, you can use env variables to override target options from your projects' project.json files. Hope it helps. 🙂

Thanks for the tip, but I did get it working OK otherwise. My main complaint is that the plugin attempts to push to Docker Hub even when it has not been specified in the configuration (using my first configuration, I have specified AWS ECR, but not Docker Hub). I think this is unexpected behavior.
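
The console output in the first post shows the unqualified name `my-project/my-app` being named as `docker.io/my-project/my-app`: an image name with no registry host resolves to docker.io, so listing it in a target with `"push": true` sends it there. As an added example (not part of this thread and not nx-tools code), this Node.js check flags push-enabled targets whose images resolve outside an allowlist; the function names, the placeholder ECR host, the simplified host rule and shell-style `$VAR` expansion are assumptions.

```javascript
// Added example: audit Nx container targets for pushes to unexpected registries.
const DEFAULT_REGISTRY = 'docker.io';

// Simplified form of Docker's name resolution: the first path component is a
// registry host only if it contains '.' or ':' or is 'localhost'.
function registryOf(image) {
  const i = image.indexOf('/');
  if (i === -1) return DEFAULT_REGISTRY;
  const head = image.slice(0, i);
  const isHost = /[.:]/.test(head) || head === 'localhost';
  if (!isHost || head === 'index.docker.io') return DEFAULT_REGISTRY;
  return head;
}

// Expand $VAR / ${VAR} from env; returns null if any variable is unset or empty.
function expand(value, env) {
  let missing = false;
  const out = value.replace(/\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?/g, (_, name) => {
    if (!env[name]) missing = true;
    return env[name] || '';
  });
  return missing ? null : out;
}

function auditPushTargets(targets, env, allowedRegistries) {
  const findings = [];
  for (const [name, target] of Object.entries(targets)) {
    const opts = target.options || {};
    if (opts.push !== true) continue; // only push-enabled targets can leak an image
    for (const raw of (opts.metadata && opts.metadata.images) || []) {
      const image = expand(raw, env);
      const registry = image === null ? '(unresolved variable)' : registryOf(image);
      if (!allowedRegistries.includes(registry)) findings.push({ target: name, image: raw, registry });
    }
  }
  return findings;
}

// Constructed sample: the single-target config from the issue and the two-target workaround.
const ECR = '123456789012.dkr.ecr.us-west-2.amazonaws.com'; // placeholder account id
const env = { AWS_CONTAINER_IMAGE_REGISTRY: ECR };
const images = (...names) => ({ metadata: { images: names } });
const original = { container: { options: { push: true, ...images('my-project/my-app', '$AWS_CONTAINER_IMAGE_REGISTRY/my-project/my-app') } } };
const workaround = {
  'build-container': { options: { push: false, ...images('my-project/my-app') } },
  'publish-container': { options: { push: true, ...images('$AWS_CONTAINER_IMAGE_REGISTRY/my-project/my-app') } },
};
console.log(auditPushTargets(original, env, [ECR]));   // one finding: docker.io
console.log(auditPushTargets(workaround, env, [ECR])); // no findings
```

Run as a CI step before the container target, a non-empty result can fail the job, which matters most on runners that hold Docker Hub credentials, where the unintended push would succeed instead of being denied.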
