Skoofy
April 2, 2021, 11:32am
1
Hi,
I am trying to build a Docker image using kaniko. I have configured my job according to the documentation (Use kaniko to build Docker images | GitLab).
My .gitlab-ci.yml file:
```yaml
stages:
  - build

build:
  stage: build
  tags:
    - openshift
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - mkdir -p /kaniko/.docker
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_BUILD_REF_NAME
```
ERROR:
```
$ echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
/sh: eval: line 107: can't create /kaniko/.docker/config.json: Permission denied
```
It seems like the CI job user doesn't have permissions under the /kaniko path.
The GitLab Runner is running on OpenShift and is configured with the OpenShift GitLab Runner operator.
Any idea how to solve this?
Thank you and best regards,
Andrej
Skoofy
April 7, 2021, 1:55pm
2
Hi,
I have solved the permission denied issue by building a custom kaniko Docker image like this: dockerfiles/kaniko-openshift at master · ContainerSolutions/dockerfiles · GitHub
Now I have an issue with accessing the container registry of the project I am running the pipeline in.
```sh
mkdir -p /kaniko/.docker
echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
/kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_BUILD_REF_NAME --skip-tls-verify --skip-tls-verify-pull -v trace
```
/kaniko/.docker/config.json has correct values inside.
ERROR:
```
$ /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_BUILD_REF_NAME --skip-tls-verify --skip-tls-verify-pull -v trace
DEBU[0000] Copying file /builds/…/Dockerfile to /kaniko/Dockerfile
TRAC[0000] Adding /var/run to initialIgnoreList
E0407 13:40:00.301507 20 aws_credentials.go:77] while getting AWS credentials NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "gitlab.XXXX:5050/…": creating push check transport for gitlab.XXXX:5050 failed: GET https://gitlabXXXX/jwt/auth?scope=repository …%2Cpull&service=container_registry: DENIED: access forbidden
```
If anybody could point me in the right direction to solve this, I would appreciate it very much.
Thank you all and best regards,
Andrej
The custom kaniko image you built using your script sets the home dir to /.
Linked GitHub issue (opened 06:12PM, 23 Mar 19 UTC; labels: area/behavior, priority/p2):
**Actual behavior**
It seems that **kaniko** is trying to use the latest metadata "**FROM registry.fedoraproject.org/fedora-minimal**" in the Dockerfile:
```
error pushing image: failed to push to destination docker-registry-default.apps.minishift.inmyopenshift.cloud/quarkus-knative/quarkus-knative:latest: no token in bearer response:
{"details":"repository name \"fedora-minimal\" invalid: it must be of the format \u003cproject\u003e/\u003cname\u003e"}
```
**To Reproduce**
I'm testing quarkus project with Knative in OpenShift (Kubernetes) with following Dockerfile.
[https://github.com/quarkusio/quarkus-quickstarts/tree/master/getting-started-knative](https://github.com/quarkusio/quarkus-quickstarts/tree/master/getting-started-knative)
```
FROM gcr.io/cloud-builders/mvn as builder
COPY . /project
WORKDIR /project
RUN mvn -Duser.home=/builder/home -B install
FROM swd847/centos-graal-native-image-rc12 as nativebuilder
COPY --from=builder /project/target /project/
WORKDIR /project
RUN /opt/graalvm/bin/native-image -J-Djava.util.logging.manager=org.jboss.logmanager.LogManager \
-J-Dcom.sun.xml.internal.bind.v2.bytecode.ClassTailor.noOptimize=true \
-H:InitialCollectionPolicy='com.oracle.svm.core.genscavenge.CollectionPolicy$BySpaceAndTime' \
-jar quarkus-quickstart-knative-runner.jar -J-Djava.util.concurrent.ForkJoinPool.common.parallelism=1 \
-H:+PrintAnalysisCallTree -H:EnableURLProtocols=http \
-H:-SpawnIsolates -H:-JNI --no-server -H:-UseServiceLoaderFeature -H:+StackTrace \
&& cp -v quarkus-quickstart-knative-runner /tmp/quarkus-knative-runner
FROM registry.fedoraproject.org/fedora-minimal
RUN mkdir -p /work
COPY --from=nativebuilder /tmp/quarkus-knative-runner /work/application
RUN chmod -R 775 /work
EXPOSE 8080
WORKDIR /work/
ENTRYPOINT ["./application","-Dquarkus.http.host=0.0.0.0"]
```
Kaniko image used (current latest):
```
# docker inspect 025ab64f8cc8
[
{
"Id": "sha256:025ab64f8cc830417dc6d85b1f2cbdff9030d1ba1bd781a44f3191f53450214b",
"RepoTags": [
"gcr.io/kaniko-project/executor:latest"
],
"RepoDigests": [
"gcr.io/kaniko-project/executor@sha256:d9fe474f80b73808dc12b54f45f5fc90f7856d9fc699d4a5e79d968a1aef1a72"
],
"Parent": "",
"Comment": "",
"Created": "2019-02-08T22:46:03.455249332Z",
```
Pod info:
```
build-step-docker-push:
Container ID: docker://6ee98816c9fd2d5642893aa0dc0d8452c65175b09f99ca774aa45d473967dc58
Image: gcr.io/kaniko-project/executor
Image ID: docker-pullable://gcr.io/kaniko-project/executor@sha256:d9fe474f80b73808dc12b54f45f5fc90f7856d9fc699d4a5e79d968a1aef1a72
Port: <none>
Host Port: <none>
Args:
--context=/workspace/getting-started-knative
--dockerfile=/workspace/getting-started-knative/Dockerfile
--destination=docker-registry-default.apps.minishift.inmyopenshift.cloud/quarkus-knative/quarkus-knative
--skip-tls-verify
State: Terminated
Reason: Error
Exit Code: 1
Started: Sat, 23 Mar 2019 15:51:59 +0100
Finished: Sat, 23 Mar 2019 16:04:57 +0100
Ready: False
Restart Count: 0
Environment:
HOME: /builder/home
DOCKER_CONFIG: /builder/home/.docker
Mounts:
/builder/home from home (rw)
/builder/home/.m2 from m2-cache (rw)
/cache from kaniko-cache (rw)
/var/run/secrets/kubernetes.io/serviceaccount from build-bot-token-d4mk7 (ro)
/workspace from workspace (rw)
```
It seems like kaniko reads Docker authentication information from the ${HOME}/.docker folder.
However, even with this problem solved, I don't think it's possible to build a Docker image using kaniko as a non-root user.
Linked GitHub issue (opened 12:09AM, 17 Apr 18 UTC; labels: area/usability, kind/feature-request)
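The `echo` one-liner in the first post and the `${HOME}/.docker` point in the reply above, as an added shell example. This is not code from the thread, from GitLab's documentation or from kaniko: the helper names (`resolve_docker_config_dir`, `json_escape`, `write_docker_config`) are hypothetical, and the registry, user and password values used to exercise it are constructed. What it assumes about the real tools is only that Docker-style clients, kaniko's default keychain included, read `config.json` from `$DOCKER_CONFIG` and otherwise from `$HOME/.docker`, and that the `auth` field of `config.json` holds `base64(user:password)`. Using `auth` instead of the `username`/`password` pair means the password never has to be JSON-escaped, so a token containing `"` or `\` cannot silently produce an unparseable file, and the file is created with mode 0600 in a directory the job user actually owns.

```sh
#!/bin/sh
# Added example for this thread; not code from the original posts or from kaniko.
# Helper names are hypothetical. DOCKER_CONFIG/HOME and the config.json layout
# are what Docker-style clients, kaniko included, actually read.

# kaniko's keychain looks in $DOCKER_CONFIG first and falls back to $HOME/.docker.
# The stock executor image sets DOCKER_CONFIG=/kaniko/.docker; if that variable is
# not set and the image sets HOME=/, the lookup ends up in /.docker.
resolve_docker_config_dir() {
    if [ -n "${DOCKER_CONFIG:-}" ]; then
        printf '%s\n' "$DOCKER_CONFIG"
    else
        printf '%s\n' "${HOME%/}/.docker"
    fi
}

# Escape the two characters that are special inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_docker_config REGISTRY USER PASSWORD [DIR]
# Writes DIR/config.json (directory 0700, file 0600) using the "auth" form,
# base64(user:password). Prints the path of the file written.
write_docker_config() {
    registry=$1 user=$2 password=$3
    dir=${4:-$(resolve_docker_config_dir)}
    # printf '%s' does not interpret backslashes in its arguments, so the
    # password goes into base64 byte-for-byte.
    auth=$(printf '%s:%s' "$user" "$password" | base64 | tr -d '\n')
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    # Subshell so the restrictive umask does not leak into the rest of the job.
    ( umask 077
      printf '{"auths":{"%s":{"auth":"%s"}}}\n' \
          "$(json_escape "$registry")" "$auth" > "$dir/config.json" ) || return 1
    # umask only affects newly created files; tighten a pre-existing one too.
    chmod 600 "$dir/config.json" || return 1
    printf '%s\n' "$dir/config.json"
}

# In a GitLab job this would be called with the runner-provided variables, e.g.
#   write_docker_config "$CI_REGISTRY" "$CI_REGISTRY_USER" "$CI_REGISTRY_PASSWORD" "$CI_PROJECT_DIR/.docker"
# with DOCKER_CONFIG exported to the same directory before /kaniko/executor runs.
```

Pointing `DOCKER_CONFIG` at a directory under `$CI_PROJECT_DIR` (or any other path the job user can write) is what sidesteps the `Permission denied` on `/kaniko/.docker` from the first post when the executor runs as non-root, and it is independent of whatever `HOME` the base image sets. Two things worth keeping in mind from the second post: `--skip-tls-verify` and `--skip-tls-verify-pull` turn off certificate verification for the push and pull connections, so on an internal registry with a private CA the kaniko `--registry-certificate my.registry=/path/to/ca.crt` flag is the safer choice; and the `DENIED: access forbidden` response comes from the `/jwt/auth` token endpoint shown in the log, so the same request can be reproduced with `curl -u "$CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD"` against that URL to separate a credential or scope problem from a kaniko configuration one.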