0

I am trying to run "pack build" (using Paketo as buildpacks provider) in an environment where I do not have direct access to "registry-1.docker.io". Access to the external docker registry is provided via an internal proxy endpoint. When running the command

pack build paketo-demo-app --builder my-dockerhub-proxy.company.com/paketobuildpacks/builder:base

I see that it fails to load the run-image because registry location reverts back to the default. See logs below

base: Pulling from paketobuildpacks/builder
10a039f4d1c5: Pull complete
281985c8fc9f: Pull complete
72ad9888618d: Pull complete
4f4fb700ef54: Pull complete
....
Digest: sha256:07fe9a8fca80c2259062f1400ccc856caa896428d93d5d8c60b6b6fd2480c07e
Status: Downloaded newer image for my-dockerhub-proxy.company.com/paketobuildpacks/builder:base
ERROR: failed to build: invalid run-image 'index.docker.io/paketobuildpacks/run:base-cnb': Error response from daemon: Get https://registry-1.docker.io/v2/: EOF

Is there a Paketo configuration parameter that can override the docker registry location ?

Rocky
  • 365
  • 1
  • 5
  • 15
  • Try `pack config registry-mirrors add index.docker.io --mirror my-dockerhub-proxy.company.com`, then build again. Or you can replace `index.docker.io` with `*` and it'll use the mirror for everything (like `gcr.io/..` too). You shouldn't need to prefix your company's address on the `--builder` argument either, after you make this change. The change should persist in your local pack config. – Daniel Mikusa Apr 08 '22 at 12:38
  • Adding the pack config helped get the past the registry issue. However ran into https connectivity issue : `failed to fetch dependency: failed to make request: Get "https://deps.paketo.io/python/python_3.9.10_linux_x64_bionic_1bf91483.tgz": x509: certificate signed by unknown author`. I do have `https_proxy` and `http_proxy` set correctly. – Rocky Apr 09 '22 at 16:19
  • You may be behind a corp proxy that rewrites TLS certificates. If that's the case, you'd need to tell the buildpacks to trust the root/intermediate CA certificates that your company uses. If you look at the URL in question in your browser and inspect the TLS certificate chain, you should be able to see if your company is doing this & I think Chrome/Firefox let you download the certs too, so you can get a copy of them. Then https://paketo.io/docs/howto/configuration/#ca-certificates – Daniel Mikusa Apr 11 '22 at 20:45

0 Answers0