How can I modify registries in buildah container? #1357

Closed
TeslaCN opened this issue Mar 18, 2020 · 3 comments
@TeslaCN
Member

TeslaCN commented Mar 18, 2020

Using camel-k:1.0.0-RC2.

After the Java code compiled, the pod camel-k-kit-bpp3c3g3g14ct1jabkqg-builder is running, and its logs are:

STEP 1: FROM adoptopenjdk/openjdk8:slim
Getting image source signatures
Copying blob sha256:b6b53be908de2c0c78070fff0a9f04835211b3156c4e73785747af365e71a0d7
Copying blob sha256:de83a2304fa1f7c4a13708a0d15b9704f5945c2be5cbb2b3ed9b2ccb718d0b3d
Copying blob sha256:f9a83bce3af0648efaa60b9bb28225b09136d2d35d0bed25ac764297076dec1b
Copying blob sha256:4d679ae892a6eb412427ad0c21b73f14de1311f5ad671b9cf7c66ee24b4b67e8
Copying blob sha256:423ae2b273f4c17ceee9e8482fa8d071d90c7d052ae208e1fe4963fceb3d6954
Copying blob sha256:881b78aa6eae20710f3491bde3110259ae7a3ced4676a061357b37fd4860cc67
Copying blob sha256:741d43bb9b48d55ea245e4b34190a28e301b4e6c26647ed34fdd728f804697c5


error creating build container: The following failures happened while trying to pull image specified by "adoptopenjdk/openjdk8:slim" based on search registries in /etc/containers/registries.conf:
* "localhost/adoptopenjdk/openjdk8:slim": Error initializing source docker://localhost/adoptopenjdk/openjdk8:slim: error pinging docker registry localhost: Get http://localhost/v2/: dial tcp 127.0.0.1:80: connect: connection refused
* "docker.io/adoptopenjdk/openjdk8:slim": Error writing blob: error storing blob to file "/var/tmp/storage273321107/5": read tcp 10.240.0.67:44828->104.18.124.25:443: read: connection reset by peer
* "registry.fedoraproject.org/adoptopenjdk/openjdk8:slim": Error initializing source docker://registry.fedoraproject.org/adoptopenjdk/openjdk8:slim: Error reading manifest slim in registry.fedoraproject.org/adoptopenjdk/openjdk8: manifest unknown: manifest unknown
* "registry.access.redhat.com/adoptopenjdk/openjdk8:slim": Error initializing source docker://registry.access.redhat.com/adoptopenjdk/openjdk8:slim: Error reading manifest slim in registry.access.redhat.com/adoptopenjdk/openjdk8: name unknown: Repo not found
* "registry.centos.org/adoptopenjdk/openjdk8:slim": Error initializing source docker://registry.centos.org/adoptopenjdk/openjdk8:slim: Error reading manifest slim in registry.centos.org/adoptopenjdk/openjdk8: manifest unknown: manifest unknown
* "quay.io/adoptopenjdk/openjdk8:slim": Error initializing source docker://quay.io/adoptopenjdk/openjdk8:slim: Error reading manifest slim in quay.io/adoptopenjdk/openjdk8: unauthorized: access to the requested resource is not authorized
level=error msg="exit status 1"

kamel install args:

kamel install --registry hyper-sia.lo:5000 --registry-insecure --build-timeout 1h --maven-settings=configmap:maven-settings/settings.xml --save -n camel-k

I found a file named /etc/containers/registries.conf in the builder pod:

# For more information on this configuration file, see containers-registries.conf(5).
#
# There are multiple versions of the configuration syntax available, where the
# second iteration is backwards compatible to the first one. Mixing up both
# formats will result in an runtime error.
#
# The initial configuration format looks like this:
#
# Registries to search for images that are not fully-qualified.
# i.e. foobar.com/my_image:latest vs my_image:latest
[registries.search]
registries = ['docker.io', 'registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'quay.io']

# Registries that do not use TLS when pulling images or uses self-signed
# certificates.
[registries.insecure]
registries = []

# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry.  If you specify
# "*", then the docker daemon will only be allowed to pull from registries listed above in the search
# registries.  Blocked Registries is deprecated because other container runtimes and tools will not use it.
# It is recommended that you use the trust policy file /etc/containers/policy.json to control which
# registries you want to allow users to pull and push from.  policy.json gives greater flexibility, and
# supports all container runtimes and tools including the docker daemon, cri-o, buildah ...
# The atomic CLI `atomic trust` can be used to easily configure the policy.json file.
[registries.block]
registries = []

# The second version of the configuration format allows to specify registry
# mirrors:
#
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
# unqualified-search-registries = ["example.com"]
#
# [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
# # (only) the TOML table with the longest match for the input image name
# # (taking into account namespace/repo/tag/digest separators) is used.
# #
# # If the prefix field is missing, it defaults to be the same as the "location" field.
# prefix = "example.com/foo"
#
# # If true, unencrypted HTTP as well as TLS connections with untrusted
# # certificates are allowed.
# insecure = false
#
# # If true, pulling images with matching names is forbidden.
# blocked = false
#
# # The physical location of the "prefix"-rooted namespace.
# #
# # By default, this equal to "prefix" (in which case "prefix" can be omitted
# # and the [[registry]] TOML table can only specify "location").
# #
# # Example: Given
# #   prefix = "example.com/foo"
# #   location = "internal-registry-for-example.net/bar"
# # requests for the image example.com/foo/myimage:latest will actually work with the
# # internal-registry-for-example.net/bar/myimage:latest image.
# location = internal-registry-for-example.com/bar"
#
# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
# #
# # The mirrors are attempted in the specified order; the first one that can be
# # contacted and contains the image will be used (and if none of the mirrors contains the image,
# # the primary location specified by the "registry.location" field, or using the unmodified
# # user-specified reference, is tried last).
# #
# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
# # as if specified in the [[registry]] TOML table directly:
# # - location
# # - insecure
# [[registry.mirror]]
# location = "example-mirror-0.local/mirror-for-foo"
# [[registry.mirror]]
# location = "example-mirror-1.local/mirrors/foo"
# insecure = true
# # Given the above, a pull of example.com/foo/image:latest will try:
# # 1. example-mirror-0.local/mirror-for-foo/image:latest
# # 2. example-mirror-1.local/mirrors/foo/image:latest
# # 3. internal-registry-for-example.net/bar/myimage:latest
# # in order, and use the first one that exists.

How can I modify the registries?

@TeslaCN
Member Author

TeslaCN commented Mar 19, 2020

I modified /etc/containers/registries.conf and committed it to a new buildah image. An error occurred:

STEP 1: FROM openjdk:8
Getting image source signatures
Copying blob sha256:dd8c6d374ea51e3dd671f71b28d025a7794ebea181b00838987d0b4d8a51372f
Copying blob sha256:55769680e8277a4ff083d05f0993d1483b3d26b93a8814cf3c6f04fe5975ffa0
Copying blob sha256:50e431f790939a2f924af65084cc9d39c3d3fb9ad2d57d183b7eadf86ea46992
Copying blob sha256:c85513200d847a64a6e8f2cb714e2169f559b24b7736c586ff7b9aaedf71f410
Copying blob sha256:5943eea6cb7c64e2000d0817410b37368b8307b639909cd590069738adee74d5
Copying blob sha256:e27ce2095ec233759347c30234b114a10cfdd9871c8338738025aba71fe11701
Copying blob sha256:3ed8ceae72a639e8b56c5a0022433947ff1c253ced28a3640fb81c641c3344f3
Copying config sha256:cdf26cc71b50331364eb8081229b11ab90806546f3c7e618b7a4defb4d11726d
Writing manifest to image destination
Storing signatures
level=error msg="Error while applying layer: ApplyLayer exit status 1 stdout:  stderr: permission denied"
error creating build container: The following failures happened while trying to pull image specified by "openjdk:8" based on search registries in /etc/containers/registries.conf:
* "localhost/openjdk:8": Error initializing source docker://localhost/openjdk:8: error pinging docker registry localhost: Get http://localhost/v2/: dial tcp 127.0.0.1:80: connect: connection refused
* "hyper-sia.lo:5000/openjdk:8": Error committing the finished image: error adding layer with blob "sha256:50e431f790939a2f924af65084cc9d39c3d3fb9ad2d57d183b7eadf86ea46992": ApplyLayer exit status 1 stdout:  stderr: permission denied
level=error msg="exit status 1"
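
A small triage helper for the per-registry failure lists in the two builder logs above, added here as an illustration; it is not part of the original thread or of Camel K or buildah, and the category and function names are hypothetical. It separates registry reachability, lookup and authorization failures from the builder-side `permission denied` raised while applying a layer.

```python
import re

# Constructed sample: five bullet lines copied from the two builder logs in this thread.
SAMPLE = '''\
* "localhost/openjdk:8": Error initializing source docker://localhost/openjdk:8: error pinging docker registry localhost: Get http://localhost/v2/: dial tcp 127.0.0.1:80: connect: connection refused
* "docker.io/adoptopenjdk/openjdk8:slim": Error writing blob: error storing blob to file "/var/tmp/storage273321107/5": read tcp 10.240.0.67:44828->104.18.124.25:443: read: connection reset by peer
* "registry.centos.org/adoptopenjdk/openjdk8:slim": Error initializing source docker://registry.centos.org/adoptopenjdk/openjdk8:slim: Error reading manifest slim in registry.centos.org/adoptopenjdk/openjdk8: manifest unknown: manifest unknown
* "quay.io/adoptopenjdk/openjdk8:slim": Error initializing source docker://quay.io/adoptopenjdk/openjdk8:slim: Error reading manifest slim in quay.io/adoptopenjdk/openjdk8: unauthorized: access to the requested resource is not authorized
* "hyper-sia.lo:5000/openjdk:8": Error committing the finished image: error adding layer with blob "sha256:50e431f790939a2f924af65084cc9d39c3d3fb9ad2d57d183b7eadf86ea46992": ApplyLayer exit status 1 stdout:  stderr: permission denied
'''

# Ordered rules: the first matching substring wins. Category names are this example's own.
RULES = [
    ("permission denied", "local-storage"),  # blobs were copied, applying the layer failed
    ("connection refused", "network"),
    ("connection reset", "network"),
    ("unauthorized", "auth"),
    ("manifest unknown", "not-found"),
    ("name unknown", "not-found"),
]

# One bullet per candidate reference: * "<registry>/<repo>:<tag>": <error text>
BULLET = re.compile(r'^\* "([^"]+)": (.*)$')


def triage(log):
    """Map each registry tried for the image to a coarse failure category."""
    out = {}
    for line in log.splitlines():
        m = BULLET.match(line.strip())
        if not m:
            continue  # not a per-registry failure line
        registry = m.group(1).split("/", 1)[0]  # host[:port] before the first slash
        msg = m.group(2)
        out[registry] = next((cat for needle, cat in RULES if needle in msg), "other")
    return out


def failed_on_builder(results):
    """Registries that served the image; the failure is on the builder side."""
    return sorted(r for r, cat in results.items() if cat == "local-storage")


if __name__ == "__main__":
    for reg, cat in triage(SAMPLE).items():
        print(f"{reg:28} {cat}")
```
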

@astefanutti
Member

The registry configuration is stored in a secret, that's mounted into the builder pod, and referenced using the REGISTRY_AUTH_FILE environment variable. The kamel install registry options are used to automate the creation of a secret called camel-k-registry-secret, that's later used for the builds.

Could you check that the secret is there and mounted in the builder pod? It seems your private registry requires authentication, so you may have to provide the required information in the secret as well.

@TeslaCN
Member Author

TeslaCN commented Mar 19, 2020

@astefanutti Thanks for your reply.

I deploy the Registry with the following command and I can execute docker push normally.

docker run -d -p 5000:5000 --restart always --name registry registry:2

I think this way does not require authentication.

@TeslaCN TeslaCN closed this as completed Mar 22, 2020