buildkitd container doesn't load system TLS certs #1055
Comments
Hey @pdevine, Thanks. I was just about to submit an issue report for this also. I noticed that when I run When you say "exec into the buildkit container": Which container is that? Is it even running at all times? I always thought that for every build, there's going to be an ephemeral container created that performs the build and then goes away. Thanks!
@tonistiigi, is there any workaround for this or any scheduled fix awaiting? Right now, it seems to be impossible to provide BuildKit with custom CA+USER TLS certificates. At least for my org, the most prominent use case is either It seems that it might be easier to do this if one used Am I missing something? This and related issues where one isn't able to configure the container in a straightforward way have been reported several times already. Cheers
Support for custom TLS configs was added in #1410 and is available in v0.7+. You can set the config in toml or point to the folder containing the certs in the way docker expects them. With container driver just setting them wouldn't be enough though, as the container can't access files from your system, so one way would be to run
Thanks for the quick response; however, the support from #1410 is not enough, or I am really missing something. Yes, I can provide the path to the CA and USER cert+key in I tried using So, I ended up testing with This is just odd :)
Not being able to use
Of course it's not. The issue is that it appears impossible to actually supply custom CA+USER certificate and key files to BuildKit when one is using BuildKit via #1296 is basically about the same thing
For
Thanks a lot for pointing to the PR, Tönis. I think I'll even give it a go and try to compile dockerd myself to see it in action :) Do I understand it that
Well, I just compiled I looked over the PR in question, and I am not sure. Is there something else that I would have to update, besides Cheers!
@petr-motejlek please try moby/moby#40967 |
OK, I shall :) |
This is so far above my head... I think I compiled the latest moby, copied over the binaries to my test system, but when I then try to use DOCKER_BUILDKIT=1, it either fails with the same x509 errors (i.e. possibly not using the proper certificates) OR it fails with a message similar to this (I have no idea where that's coming from)
I am really not sure what's going on here. Normally, I would just wait for moby to release
If you are using buildx to push to a private registry which doesn't have a public TLS certificate, it will fail with something similar to:

There's currently no easy way to add in these certificates to buildkit to make it work. Ideally the cert pool would be shared between the host and the container.

The work around right now is to exec into the buildkit container and modify /etc/ssl/certs/ca-certificates by hand and then restart the buildkit container.
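The issue body above describes the manual workaround (editing the CA bundle inside the buildkit container), and the reply mentioning #1410 describes the supported route: a toml config that points BuildKit at a CA file and a client keypair. The script below is an added example written for this page; it is not code from the issue or from the BuildKit or buildx projects. It assumes the `[registry."host"]` section with `ca` and `keypair` keys in buildkitd.toml and the `docker buildx create --config` flag, and that buildx copies the referenced certificate files into the builder container; the hostnames and paths are constructed samples.

```shell
#!/bin/sh
# Added example (not from the issue or the BuildKit project): render a
# buildkitd.toml registry section for a private CA plus a client
# certificate/key pair, validate the files, and create a buildx builder.
# Assumed: buildkitd.toml [registry."host"] ca/keypair keys and the
# `docker buildx create --config` flag. Paths are constructed samples.

# Print the TOML for one registry.
# Arguments: host, CA bundle path, client cert path, client key path.
buildkitd_registry_toml() {
  host="$1"; ca="$2"; cert="$3"; key="$4"
  printf '[registry."%s"]\n' "$host"
  printf '  ca = ["%s"]\n' "$ca"
  printf '  [[registry."%s".keypair]]\n' "$host"
  printf '    key = "%s"\n' "$key"
  printf '    cert = "%s"\n' "$cert"
}

# Reject an empty or non-PEM file, so a typo in a path does not silently
# leave the builder without the private CA (which would surface later as
# the same x509 verification error the issue reports).
check_pem_file() {
  [ -s "$1" ] && grep -q -- '-----BEGIN' "$1"
}

# Full procedure. Only invokes docker when the binary is present, so the
# functions can be sourced and exercised offline.
setup_builder() {
  host="$1"; ca="$2"; cert="$3"; key="$4"; out="${5:-buildkitd.toml}"
  for f in "$ca" "$cert" "$key"; do
    check_pem_file "$f" || { echo "not a PEM file: $f" >&2; return 1; }
  done
  buildkitd_registry_toml "$host" "$ca" "$cert" "$key" > "$out"
  if command -v docker >/dev/null 2>&1; then
    # The docker-container driver reads the config at creation time.
    docker buildx create --name private-registry --config "$out" --use
  fi
}

# Sample invocation (constructed paths; adjust to your environment):
# setup_builder registry.example.internal /etc/certs/ca.pem \
#   /etc/certs/client.cert /etc/certs/client.key ./buildkitd.toml
```

The PEM check is the part worth keeping even if you manage the toml by hand: BuildKit failing to load a CA file is easy to confuse with the registry presenting a certificate that was never signed by that CA, and both end in an x509 error from the build.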