This repository has been archived by the owner on Jan 8, 2024. It is now read-only.

Registry insecure flag #3333

Open
marcotuna opened this issue May 13, 2022 · 6 comments · May be fixed by #4890

marcotuna commented May 13, 2022

Describe the bug
When attempting to upload a container image to a self-hosted container registry using the registry container, which runs on HTTP by default, Waypoint is not able to upload the container image to it, even when specifying the insecure = true flag.
https://www.waypointproject.io/plugins/docker#insecure

❌ Pushing Docker image...
 │ The push refers to repository [192.168.0.38:5000/app]
! unable to stream Docker logs to terminal: Get
  "https://192.168.0.38:5000/v2/": http: server gave HTTP response
  to HTTPS client

Steps to Reproduce

  • Run the private container registry
docker run -d -p 5000:5000 --restart always --name registry registry:2
  • Configure a waypoint template file pointing to that container registry
registry {
    use "docker" {
        image    = "192.168.0.38:5000/app"
        tag      = "latest"
        insecure = true
    }
}

Expected behavior
The container image should be uploaded when the insecure = true flag is enabled and an HTTP container registry is used.

Waypoint Platform Versions
Additional version and platform information to help triage the issue if
applicable:

  • Waypoint CLI Version: 0.8.1
  • Waypoint Server Platform and Version: nomad
  • Waypoint Plugin: n/a

Additional context
When using the below configuration it works successfully:

registry {
    use "docker" {
        image    = "localhost:5000/app"
        tag      = "latest"
        insecure = true
    }
}

Use case:

  • Allow uploading container images to on-prem self-hosted container registries
@marcotuna marcotuna added the new label May 13, 2022

marcotuna commented May 13, 2022

Currently I have a workaround; however, ideally this shouldn't be needed.
I created the following script:

forward.sh

#!/bin/sh

socat tcp-listen:5000,reuseaddr,fork tcp:192.168.0.38:5000 &

This makes the remote host's port available on localhost, so it doesn't complain about HTTPS.
I added the following entry to the Waypoint template file:

hook {
    when    = "before"
    command = ["sh", "forward.sh"]
}

@briancain briancain added bug Something isn't working plugin/docker and removed new labels May 18, 2022
@briancain briancain added this to the 0.8.y milestone May 18, 2022
@briancain (Member)

Hey @marcotuna ! Thanks for opening an issue on Waypoint!

Do you have anything in your daemon settings file? Mine is at /etc/docker/daemon.json. On my system, I had to set up Docker to allow for pushing to insecure registries:

{
  "insecure-registries" : ["myregistrydomain.com:5000"]
}

That's interesting that it works with localhost, likely a bug on our end if that works but the IP address does not. We'll leave this issue open to track it!

@briancain briancain added the good first issue Good for newcomers label May 18, 2022
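
Added example, not part of the thread or of Waypoint's code: the Docker daemon keeps its own `insecure-registries` allowlist in daemon.json and always exempts 127.0.0.0/8, separately from any client-side flag such as Waypoint's `insecure`. This Python check audits which image references a given daemon.json would allow over plain HTTP; the function names and sample config are constructed, hostnames match by exact list entry only (no DNS resolution), and IPv6 literals are not handled.

```python
import ipaddress
import json

# Docker's daemon exempts loopback registries from TLS by default.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample daemon.json (not taken from the thread).
SAMPLE_DAEMON_JSON = '{"insecure-registries": ["192.168.0.38:5000", "10.20.0.0/16"]}'


def registry_host(image_ref):
    """Return the registry host[:port] of an image reference, or None."""
    first, sep, _ = image_ref.partition("/")
    # The first component names a registry only if it contains '.' or ':'
    # or is exactly 'localhost'; otherwise it is a Docker Hub namespace.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return None


def plain_http_allowed(image_ref, daemon_json="{}"):
    """True if the daemon config permits a non-TLS push/pull for image_ref."""
    host = registry_host(image_ref)
    if host is None:
        return False
    name = host.rsplit(":", 1)[0] if ":" in host else host
    if name == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        addr = None  # hostname: only an exact list entry can match offline
    if addr is not None and addr in LOOPBACK:
        return True
    for entry in json.loads(daemon_json).get("insecure-registries", []):
        if entry == host:
            return True
        if addr is not None and "/" in entry:
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                continue  # not a CIDR; treated as a plain host entry
    return False


if __name__ == "__main__":
    for ref in ("localhost:5000/app", "192.168.0.38:5000/app",
                "registry.service.dc1.consul:5000/orcha-client"):
        print(ref, plain_http_allowed(ref), plain_http_allowed(ref, SAMPLE_DAEMON_JSON))
```
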
@wallacepf

Hello guys, hitting the same issue with v0.8.2, even after following your recommendation @briancain. In my case, I'm using the FQDN instead of localhost or IP, and this is the error I'm getting:

Image built: waypoint.local/orcha-client:latest (amd64)
 + Running push build v11
 + Tagging Docker image: waypoint.local/orcha-client:latest => registry.service.dc1.consul:5000/orcha-client:latest
 ! Pushing Docker image...
 │ The push refers to repository [registry.service.dc1.consul:5000/orcha-client]
! unable to stream Docker logs to terminal: Get
  "https://registry.service.dc1.consul:5000/v2/": http: server gave HTTP response
  to HTTPS client

Registry block configs:

registry {
  use "docker" {
    image    = "registry.service.dc1.consul:5000/orcha-client"
    tag      = "latest"
    local    = false
    insecure = true
  }
}

@krantzinator krantzinator removed this from the 0.9.y milestone Jul 13, 2022

arbourd commented Sep 15, 2022

This is still very reproducible on 0.10.0. I experienced this with ODR running on Kubernetes and Git remote runners.

registry {
  use "docker" {
    image = "docker-registry:5000/busybox"
    tag = "latest"
    insecure = true
  }
}

The result is similar to @wallacepf:

❌ Building Docker image with kaniko...
! unable to negotiate with upstream: Get "https://docker-registry:5000/v2/": http:
  server gave HTTP response to HTTPS client

As a guess: I think the ai.Insecure value is not being set when passing around instructions with gRPC.

@paladin-devops (Contributor)

@arbourd are you using the docker-pull builder plugin, or the docker builder plugin here?


arbourd commented Oct 3, 2022

Great question @paladin-devops. I moved on from this solution and never committed it but I have a feeling I tried both? I think I started with docker-pull (pulling busybox and shipping it to the local reg to satisfy the ODR stuff for empty builds).

izeau added a commit to izeau/waypoint that referenced this issue Aug 16, 2023
@izeau izeau linked a pull request Aug 16, 2023 that will close this issue