I am trying to encrypt the docker images using this tutorial.
I have images stored in Azure Container Registry and I want to encrypt them .
As images from Azure CR are not supported in ctr-enc environment so I am pulling image from Azure CR, tagging it to local registry(sudo docker tag "azure-cr-image-name" localhost:5000/test:0.1) and pushing it(sudo docker push localhost:5000/test:0.1) and then pulling it in ctr-enc from local registry.
All the steps works fine. The image runs successfully so I exported it to a tar file.
The error comes when I try to import the tar file in any other device.
The error is as follows
unpacking localhost:5000/test:0.1 (sha256:7b60c337c1d319c682369508673f8da65ce027cd95917d80abec71c753f90341)...INFO[0119] apply failure, attempting cleanup error="failed to extract layer sha256:0447c1aa276497ad5424dd1f8597b7f667126d868489277bab7aea547a4aa982: mount callback failed on /var/lib/containerd/tmpmounts/containerd-mount138280154: archive/tar: invalid tar header: unknown" key="extract-395814385-sMwu sha256:0447c1aa276497ad5424dd1f8597b7f667126d868489277bab7aea547a4aa982"
ctr: failed to extract layer sha256:0447c1aa276497ad5424dd1f8597b7f667126d868489277bab7aea547a4aa982: mount callback failed on /var/lib/containerd/tmpmounts/containerd-mount138280154: archive/tar: invalid tar header: unknown
All I want to know is will this flow work and am I missing something or this entire flow is wrong. I don't have much idea about it so any help will be appreciated.
I resolved the error with the help of following steps.
Tried re-creating the flow and I used this link to setup my local repository.
Pulled image from acr, encrypted it and pushed it to the local registry and started pulling the encrypted image from local registry to the other devices
I got following error in the device
unpacking linux/arm64/v8 sha256:cfd940f7d5d6a6817e8d4f4a811a27263fa11dc00507ebf638ff24be703e5320...
INFO[0293] apply failure, attempting cleanup error="failed to extract layer sha256:0447c1aa276497ad5424dd1f8597b7f667126d868489277bab7aea547a4aa982: call to DecryptLayer failed: missing private key needed for decryption\n: unknown" key="extract-20510027-zCdy sha256:0447c1aa276497ad5424dd1f8597b7f667126d868489277bab7aea547a4aa982"
ctr: failed to extract layer sha256:0447c1aa276497ad5424dd1f8597b7f667126d868489277bab7aea547a4aa982: call to DecryptLayer failed: missing private key needed for decryption
: unknown
After providing the secret key in the pull command itself the image got downloaded and it ran without any errors.
Pull command example: sudo ctr-enc images pull --plain-http=true --key mykey.pem registry.local.com:5000/encrypted-image/test:0.1
Key Points:
1] Add following line in the hosts file in the device where you are setting up the repository as well as the device in which you want to run the encrypted image. Replace it with your actual IP
Ex:- 192.168.0.1 repository.local.com
2] Add following line in the /docker/daemon.json file for the devices where you are planning to run encrypted image
"insecure-registries":["registry.local.com:5000"]
Related
I'm getting this error when pulling and running the yottadb/yottadb-debian latest docker image. I'm using the one-liner for docker on the vendor's site with no success.
Is this result expected based on my warning message? Is there something I need to do differently?
% docker run -it --rm -v $(pwd)/ydb-data:/data yottadb/yottadb-debian:latest-master
Unable to find image 'yottadb/yottadb-debian:latest-master' locally
latest-master: Pulling from yottadb/yottadb-debian
e756f3fdd6a3: Pull complete
46aff8aeff03: Pull complete
85c3e3e2f9eb: Pull complete
148d9d91d050: Pull complete
696701bd209c: Pull complete
650e51801ed7: Pull complete
e152d63a4881: Pull complete
Digest: sha256:2455efef59cf561bb1b97e8ede571a0b4533390754c4fa74b51e27b41a0a18b8
Status: Downloaded newer image for yottadb/yottadb-debian:latest-master
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
Error file is at /tmp/ydb_env_1_u6fTQt/err
%YDB-E-YDBDISTUNVERIF, Environment variable $ydb_dist (/opt/yottadb/current) could not be verified against the executables path (/opt/yottadb/current/yottadb)
Sourcing /opt/yottadb/current/ydb_env_set returned status 253
YottaDB docker images are all x86_64, and won't run on ARM64.
However, YottaDB supports ARM64 (aka AArch64) on Debian. You have to install it manually using the ydbinstall script. Post back if you need more help.
I have a Docker image in .tar format. When I load it using sudo docker load < image.tar, it works fine.
I used tar -xf image.tar to un-archive the file. I then un-archived each layer file so I could edit some scripts and update some libraries manually. Once I was done with this, I used tar -cf on each layer and then the entire image.
When I load the modified image the same way I loaded the original, it does not work. I get this error:
open /var/lib/docker/tmp/docker-import-742628246/image-edited/json: no such file or directory
What could I have done wrong to cause this error and how can I properly load the modified .tar file into Docker?
P.S.: The problem appeared on Docker 20.10.12, running on Kali Linux 2021.4 inside VMWare Workstation Player.
I am modifying some image tarball and trying to load it back to docker daemon, and saw the same error. I tried this: sha256sum the layer.tar in each layer, and search the config json file(the other json file at the same level as manifest.json, with a long sha value as filename) for the original hash, replace with the new sha256 value, then this error disappears.
But then again, another error like /var/lib/docker/tmp-xxxx/xxxxx cannot open file appears, then I think nothing should/can be modified in the layer tar, as we cannot bypass docker checking the integrity of image in any easy way.
I am planning to adding another layer to the image using Google jib tool, where I copy some script to the container which does the modification I want, so that original layers keep intact.
I am trying to follow these instructions to log correctly from java to logback to cloudrun...
https://cloud.google.com/logging/docs/setup/java
If I used jdk8, I get alpn missing jetty issues so I moved to a Docker image openjdk:10-jre-slim
and my DockerFile is simple
FROM openjdk:10-jre-slim
RUN mkdir -p ./webpieces
COPY . ./webpieces/
COPY config/logback.cloudrun.xml ./webpieces/config/logback.xml
WORKDIR "/webpieces"
ENTRYPOINT ./bin/customerportal -http.port=:$PORT -hibernate.persistenceunit=cloud-production
AND the only difference is I switched the image from openjdk:8-jdk-alpine which worked fine!!!
When I deploy to google cloud I get this error...
Deploying container to Cloud Run service [staging-customerportal] in project [orderly-gcp] region [us-west1]
⠏ Deploying... Cloud Run error: Invalid argument error. Invalid ENTRYPOINT. [name: "gcr.io/orderly-gcp/customerportal2#sha256:6c1c2e7531684d8f50a3120f1de60cade841ab1d9069b
704ee3fd8499c5b7779"
error: "Invalid command \"/bin/sh\": file not found"
].
X Deploying... Cloud Run error: Invalid argument error. Invalid ENTRYPOINT. [name: "gcr.io/orderly-gcp/customerportal2#sha256:6c1c2e7531684d8f50a3120f1de60cade841ab1d9069b
704ee3fd8499c5b7779"
error: "Invalid command \"/bin/sh\": file not found"
].
. Routing traffic...
Deployment failed
ERROR: (gcloud.run.deploy) Cloud Run error: Invalid argument error. Invalid ENTRYPOINT. [name: "gcr.io/orderly-gcp/customerportal2#sha256:6c1c2e7531684d8f50a3120f1de60cade841ab1d9069b704ee3fd8499c5b7779"
error: "Invalid command \"/bin/sh\": file not found"
].
However, when I run locally to test, I get this error on project ID being required so it seems it is working. SIDE QUESTION: How to simulate this project ID so I can still run locally?
03:10:08,650 |-INFO in ch.qos.logback.core.joran.action.AppenderAction - Naming appender as [CLOUD]
03:10:09,868 |-ERROR in ch.qos.logback.core.joran.spi.Interpreter#14:13 - RuntimeException in Action for tag [appender] java.lang.IllegalArgumentException: A project ID is required for this service but could not be determined from the builder or the environment. Please set a project ID using the builder.
at java.lang.IllegalArgumentException: A project ID is required for this service but could not be determined from the builder or the environment. Please set a project ID using the builder.
at at com.google.common.base.Preconditions.checkArgument(Preconditions.java:142)
at at com.google.cloud.ServiceOptions.<init>(ServiceOptions.java:285)
at at com.google.cloud.logging.LoggingOptions.<init>(LoggingOptions.java:98)
at at com.google.cloud.logging.LoggingOptions$Builder.build(LoggingOptions.java:92)
at at com.google.cloud.logging.LoggingOptions.getDefaultInstance(LoggingOptions.java:52)
at at com.google.cloud.logging.logback.LoggingAppender.getLoggingOptions(LoggingAppender.java:246)
at at com.google.cloud.logging.logback.LoggingAppender.getProjectId(LoggingAppender.java:209)
at at com.google.cloud.logging.logback.LoggingAppender.start(LoggingAppender.java:194)
at at ch.qos.logback.core.joran.action.AppenderAction.end(AppenderAction.java:90)
at at ch.qos.logback.core.joran.spi.Interpreter.callEndAction(Interpreter.java:309)
at at ch.qos.logback.core.joran.spi.Interpreter.endElement(Interpreter.java:193)
at at ch.qos.logback.core.joran.spi.Interpreter.endElement(Interpreter.java:179)
at at ch.qos.logback.core.joran.spi.EventPlayer.play(EventPlayer.java:62)
at at ch.qos.logback.core.joran.GenericConfigurator.doConfigure(GenericConfigurator.java:165)
at at ch.qos.logback.core.joran.GenericConfigurator.doConfigure(GenericConfigurator.java:152)
at at ch.qos.logback.core.joran.GenericConfigurator.doConfigure(GenericConfigurator.java:110)
The Java 10 version is EOL, and the official images has been removed. More detail here
Prefer a Java 11 version.
Anyway, when you use version, some are optimized and does not install bash by default (for reducing their size) and you have to install it by yourselves.
For a local run, I don't recommend to use a JSON key file (in general, don't use JSON key file, except for automated system out of GCP) due to security constraint, key rotation, secure storage,...
For setting the project, simply perform this command gcloud config set project MY_PROJECT. You don't need credential for this.
Since your current question is how to simulate the project ID for local testing:
You should download service account key file from https://console.cloud.google.com/iam-admin/serviceaccounts/project?project=MY_PROJECT, make it accessible inside docker container and activate it via
gcloud auth activate-service-account --key-file my_service_account.json
gcloud config set project MY_PROJECT
This problem may be due to the fact that alpine doesn't have bash:
"/bin/sh" therefore a solution could be to remove the dependency on bash itself by not using bash or by using exec instead of bash.
in my case I solved the problem by using a more complete base image, instead of alpine for instance.
HTH
After cloning a project from Gitlab on ubuntu, I tried to run it through docker, I opened a terminal, got to the directory where the .yml file was and wrote down:
I was greeted with this message:
The image for the service you're trying to recreate has been removed.
If you continue, volume data could be lost. Consider backing up your
data before continuing.
Continue with the new image?
I pressed y.
Then for a few seconds, I got:
Pulling "name of the module here"
Then I was greeted with this message:
ERROR: pull access denied for "name of the module here", the repository does not exist or may require 'docker login'
pedroesteves#pedro:~/Desktop/project$
Any help would be very appreciated. I already looked to some similar posts but none was able to help me.
You can pull image from a private registry, but You will get an error on the new version of Docker related to certificated, during pull image on the client side.
First, you to modify docker daemon file on the client side
create the file if not exist
/etc/docker/daemon.json
Add the following
{ "insecure-registries":["gitlab.my-site.com:5000"] }
Then you are good to go
docker login gitlab.my-site.com:5000
I am getting an error while try to pull an image from local registry
failed to write digest data: open ..... no such file or directory
i have tried to pull after removing the docke root directry solved the problem. But still what if i dont want tpo remove my docker root directory?