Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Brite
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum
Apps - Status | Demo | Docs | Install
  1. Cloudron Forum
  2. Build Service
  3. Docker Remote Builder cannot push to private Cloudron Registry – no basic auth credentials due to read-only HOME / missing Docker config

Docker Remote Builder cannot push to private Cloudron Registry – no basic auth credentials due to read-only HOME / missing Docker config

Scheduled Pinned Locked Moved Build Service
5 Posts 2 Posters 30 Views 2 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M Offline
    M Offline
    miednr
    wrote last edited by miednr
    #1

    Hello Cloudron team and community,

    I would like to report an issue I ran into with the Docker Remote Builder, which appears to be a structural limitation rather than a configuration mistake. I’m posting this both to make you aware of it and to ask whether there is a recommended solution or workaround.

    Summary

    When using the Docker Remote Builder to build and push an image to a private Cloudron Docker Registry, the build succeeds, but the push consistently fails with:

    no basic auth credentials

    From extensive debugging, this appears to be caused by the fact that Docker cannot persist or access registry credentials, because:

    • both /root and /home/cloudron are read-only
    • DOCKER_CONFIG cannot be set via environment variables
    • the builder does not bridge /app/data/docker.json into a Docker-readable config.json
      As a result, Docker has no place to read credentials from when executing docker push.

    Environment

    • Cloudron (latest stable)
    • Docker Remote Builder (latest available via Cloudron App Store)
    • Cloudron Docker Registry
    • Private registry user: managed by Cloudron user management
    • Cloudflare proxy disabled (DNS-only) for builder. and registry. subdomains

    What works

    • cloudron build login succeeds (token accepted)
    • Image builds successfully:
    Successfully built <image-id>
Successfully tagged registry.example.org/user/image:tag
    • Registry is reachable
    • Credentials are correct (verified manually)

    What fails

    Push always fails immediately:

    The push refers to repository [registry.example.org/user/image]
Preparing <layer-id>
no basic auth credentials

    Builder logs confirm the same.

    Key findings from debugging

    1. The builder runs as user cloudron:
    exec gosu cloudron:cloudron /app/code/app.js

    1. Both of these locations are read-only:

      • /root/.docker
      • /home/cloudron/.docker

    2. Attempting manual login confirms this:

    docker login registry.example.org -u <user>
# Error: mkdir /root/.docker: read-only file system

    1. Setting DOCKER_CONFIG=/app/data/.dockerdoes work when done manually in the container, but:

      • there is no supported way to inject environment variables
      • /app/code/start.sh does not source an env.sh
      • therefore the build service process itself never sees DOCKER_CONFIG

    2. /app/data/docker.json (in both formats tried):

      • Cloudron registry format
      • Docker auths format
        …is not consumed by Docker during the push step.

    Conclusion

    In this setup, the Docker Remote Builder:

    • knows the registry credentials
    • but cannot provide them to Docker in a usable way
    • resulting in an unavoidable authentication failure during docker push
      This makes it impossible (or at least unreliable) to use the Remote Builder to push images to a private Cloudron registry in this configuration.

    Questions

    1. Is this a known limitation of the current Docker Remote Builder?

    2. Is there a supported way to:

      • set DOCKER_CONFIG, or
      • make a writable Docker config available to the builder process?

    3. Is the recommended approach instead to:

      • build externally (local / CI)
      • push to the Cloudron registry
      • and use Cloudron only for deployment?

    I’d be happy to provide more logs or details if helpful.

    Thank you for Cloudron overall – it’s a great platform, and I hope this feedback helps improve the build workflow.

    Best regards
    miednr

    1 Reply Last reply
    1
    • jamesJ Offline
      jamesJ Offline
      james
      Staff
      wrote last edited by
      #2

      Hello @miednr
      I have tried to reproduce your described issue and could not do so.

      I have installed the @build-service and @docker-registry and set it up according to the documentation https://docs.cloudron.io/packages/docker-builder and https://docs.cloudron.io/packages/docker-registry.

      One difference that might be noteworthy.
      I have used an App Password for the docker registry app and used that in the /app/data/docker.json in the build-service app.
      After restarting the build service everything worked as expected.

      1 Reply Last reply
      1
      • M Offline
        M Offline
        miednr
        wrote last edited by
        #3

        Thank you @james!

        I started using an App Password. But, if I try 1. and 2. I do receive these error messages:

        1. cloudron build
          --set-build-service https://domain.com
          --build-service-token "TOKEN_HERE"
          --set-repository registry.domain.com/user/org.domain.app
          --tag ur-001

        Failed to build app. See log output above.

        1. cloudron build --set-build-service

        Failed to upload app for building: Invalid token. Use cloudron build login again.

        1 Reply Last reply
        0
        • jamesJ Offline
          jamesJ Offline
          james
          Staff
          wrote last edited by
          #4

          Hello @miednr
          What token did you use for the --build-service-token?
          When you open the Cloudron Build Service App you should be able to get the Setup Instructions directly from the app.

          1 Reply Last reply
          0
          • M Offline
            M Offline
            miednr
            wrote last edited by miednr
            #5

            @james I generated one in the builder, that was stored in tokendb.json.

            1 Reply Last reply
            1
            Reply
            • Reply as topic
            Log in to reply
            • Oldest to Newest
            • Newest to Oldest
            • Most Votes

            • Login
            • Don't have an account? Register
            • Login or register to search.
            • First post
              Last post
            0
            • Categories
            • Recent
            • Tags
            • Popular
            • Bookmarks
            • Search