Docker Remote Builder cannot push to private Cloudron Registry – no basic auth credentials due to read-only HOME / missing Docker config

  • miednr wrote (#1):

    Hello Cloudron team and community,

    I would like to report an issue I ran into with the Docker Remote Builder, which appears to be a structural limitation rather than a configuration mistake. I’m posting this both to make you aware of it and to ask whether there is a recommended solution or workaround.

    Summary

    When using the Docker Remote Builder to build and push an image to a private Cloudron Docker Registry, the build succeeds, but the push consistently fails with:

    no basic auth credentials
    

    From extensive debugging, this appears to be caused by the fact that Docker cannot persist or access registry credentials, because:

    • both /root and /home/cloudron are read-only
    • DOCKER_CONFIG cannot be set via environment variables
    • the builder does not bridge /app/data/docker.json into a Docker-readable config.json

    As a result, Docker has no place to read credentials from when executing docker push.

    Environment

    • Cloudron (latest stable)
    • Docker Remote Builder (latest available via Cloudron App Store)
    • Cloudron Docker Registry
    • Private registry user: managed by Cloudron user management
    • Cloudflare proxy disabled (DNS-only) for builder. and registry. subdomains

    What works

    • cloudron build login succeeds (token accepted)
    • Image builds successfully:
    Successfully built <image-id>
    Successfully tagged registry.example.org/user/image:tag
    
    • Registry is reachable
    • Credentials are correct (verified manually)

    What fails

    Push always fails immediately:

    The push refers to repository [registry.example.org/user/image]
    Preparing <layer-id>
    no basic auth credentials
    

    Builder logs confirm the same.

    Key findings from debugging

    1. The builder runs as user cloudron:

       exec gosu cloudron:cloudron /app/code/app.js

    2. Both of these locations are read-only:

      • /root/.docker
      • /home/cloudron/.docker

    3. Attempting manual login confirms this:

       docker login registry.example.org -u <user>
       # Error: mkdir /root/.docker: read-only file system

    4. Setting DOCKER_CONFIG=/app/data/.docker does work when done manually in the container, but:

      • there is no supported way to inject environment variables
      • /app/code/start.sh does not source an env.sh
      • therefore the build service process itself never sees DOCKER_CONFIG

    5. /app/data/docker.json (in both formats tried):

      • Cloudron registry format
      • Docker auths format

       …is not consumed by Docker during the push step.

    Conclusion

    In this setup, the Docker Remote Builder:

    • knows the registry credentials
    • but cannot provide them to Docker in a usable way
    • resulting in an unavoidable authentication failure during docker push

    This makes it impossible (or at least unreliable) to use the Remote Builder to push images to a private Cloudron registry in this configuration.

    Questions

    1. Is this a known limitation of the current Docker Remote Builder?

    2. Is there a supported way to:

      • set DOCKER_CONFIG, or
      • make a writable Docker config available to the builder process?
    3. Is the recommended approach instead to:

      • build externally (local / CI)
      • push to the Cloudron registry
      • and use Cloudron only for deployment?

    I’d be happy to provide more logs or details if helpful.

    Thank you for Cloudron overall – it’s a great platform, and I hope this feedback helps improve the build workflow.

    Best regards
    miednr
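
A read-only check of the points raised in the post above, as an added example that is not part of the original post or of Cloudron's code: it resolves the config directory the docker CLI reads (`$DOCKER_CONFIG`, else `$HOME/.docker`), tests whether `docker login` could write there, and looks for a usable `auths` entry for the registry in `config.json` without printing the secret. The function names and finding strings are assumptions made for this example.

```python
import base64
import json
import os

def docker_config_dir(env):
    """Directory the docker CLI reads: $DOCKER_CONFIG if set, else $HOME/.docker."""
    return env.get("DOCKER_CONFIG") or os.path.join(env.get("HOME", "/"), ".docker")

def _host(key):
    """Reduce an auths key such as https://host/v2/ to its bare host[:port]."""
    return key.split("://", 1)[-1].split("/", 1)[0].lower()

def diagnose(registry, env=None):
    """Return findings explaining why `docker push` may lack credentials."""
    env = os.environ if env is None else env
    cfg_dir = os.path.abspath(docker_config_dir(env))
    cfg_file = os.path.join(cfg_dir, "config.json")
    findings = []
    # `docker login` must create or rewrite config.json, so the nearest
    # existing ancestor of the config dir has to be writable by this user.
    probe = cfg_dir
    while not os.path.exists(probe):
        probe = os.path.dirname(probe)
    if not os.access(probe, os.W_OK):
        findings.append("config-dir-not-writable: " + probe)
    if not os.path.isfile(cfg_file):
        return findings + ["no-config-file: " + cfg_file]
    try:
        with open(cfg_file, encoding="utf-8") as fh:
            cfg = json.load(fh)
        if not isinstance(cfg, dict):
            raise ValueError("top level is not an object")
    except ValueError:
        return findings + ["invalid-json: " + cfg_file]
    # With a credential helper the secret is not stored in config.json.
    if cfg.get("credsStore") or _host(registry) in map(_host, cfg.get("credHelpers") or {}):
        return findings + ["uses-credential-helper"]
    entry = next((v for k, v in (cfg.get("auths") or {}).items()
                  if _host(k) == _host(registry)), None)
    if not isinstance(entry, dict):
        return findings + ["no-auths-entry: " + registry]
    try:  # "auth" is base64("user:password"); only its shape is checked
        raw = base64.b64decode(entry.get("auth") or "").decode()
    except ValueError:
        raw = ""
    user, _, secret = raw.partition(":")
    if not (user and secret):
        return findings + ["no-usable-auth-in-entry: " + registry]
    return findings + ["ok: credentials present for user " + user]
```

Run `diagnose("registry.example.org")` as the same user and with the same environment as the process that executes docker push; a result for a different user or a manually exported `DOCKER_CONFIG` says nothing about what that process sees.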

    • james (Staff) wrote (#2):

      Hello @miednr
      I have tried to reproduce your described issue and could not do so.

      I have installed the @build-service and @docker-registry and set it up according to the documentation https://docs.cloudron.io/packages/docker-builder and https://docs.cloudron.io/packages/docker-registry.

      One difference that might be noteworthy.
      I have used an App Password for the docker registry app and used that in the /app/data/docker.json in the build-service app.
      After restarting the build service everything worked as expected.

      • miednr wrote (#3):

        Thank you @james!

        I started using an App Password. But, if I try 1. and 2. I do receive these error messages:

        1. cloudron build \
             --set-build-service https://domain.com \
             --build-service-token "TOKEN_HERE" \
             --set-repository registry.domain.com/user/org.domain.app \
             --tag ur-001

           Failed to build app. See log output above.

        2. cloudron build --set-build-service

           Failed to upload app for building: Invalid token. Use cloudron build login again.

        • james (Staff) wrote (#4):

          Hello @miednr
          What token did you use for the --build-service-token?
          When you open the Cloudron Build Service App you should be able to get the Setup Instructions directly from the app.

          • miednr wrote (#5):

            @james I generated one in the builder, that was stored in tokendb.json.

            • miednr wrote (#6):

              I am using a registry app and a builder app. As far as I can see, the tarball is uploaded successfully to the builder. It seems to be an issue with the registry. I am not sure. Could you please provide some commands to check, where the problem's cause is?

              BTW: I am using Gitea (as a Git-Clone). Is there a way to directly use Gitea for building? I am building locally and am pulling the repository from Gitea to push it to the builder. Is this the recommended workflow?

              • james (Staff) wrote (#7):

                Hello @miednr

                @miednr said in Docker Remote Builder cannot push to private Cloudron Registry – no basic auth credentials due to read-only HOME / missing Docker config:

                Could you please provide some commands to check, where the problem's cause is?

                I have set up my docker registry under dr.cloudron.dev and the build service under cbs.cloudron.dev.
                I run the command from the build service once:

                cloudron build login --url 'https://cbs.cloudron.dev' --build-token 4d9e63406e98c078e296f6f273d5d9adb080643d50dd1d82b687af8c414cf915
                

                When I now build a custom app I run:

                cloudron build --file ./Dockerfile  --set-repository dr.cloudron.dev/org.cloudron.copyparty --tag 0.1.0
                