I'm doing some work with trusted/signed container images at present, and am using IBM Container Registry (ICR) as my ... container registry.
I'm doing the actual build/tag/push from an Ubuntu 20.04 VM, having logged into ICR: -
docker login us.icr.io --username iamapikey
and having set my Bash variables to enable Docker Content Trust (DCT): -
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://us.icr.io:4443/
I then built / tagged: -
docker build --no-cache -t us.icr.io/foobarsnafu/hello_world_nginx_dct_june_2021:latest -f Dockerfile .
and pushed my image: -
docker push us.icr.io/foobarsnafu/hello_world_nginx_dct_june_2021:latest
Whilst this appeared to work, it ultimately failed: -
The push refers to repository [us.icr.io/foobarsnafu/hello_world_nginx_dct_june_2021]
d0471711ab1a: Pushed
5dbe8c3d30af: Pushed
67780d477478: Pushed
5db88766b0e0: Pushed
36dfa50192c8: Pushed
8506b073cd53: Pushed
468af79aab10: Pushed
fbf82c12d86e: Pushed
4dc20fbc0e8d: Pushed
b831cc3ae47e: Pushed
ace0eda3e3be: Pushed
latest: digest: sha256:bfcadd198529d842b97dcd633f7b0b65fbcdca4599886a172a31eff0543f3f9d size: 2610
Signing and pushing trust metadata
unable to reach trust server at this time: 301.
I checked and re-checked my steps, and then turned to my faithful friend, Google .... and found this: -
in which the person raising the issue said this: -
After a day and a half of debugging and redoing everything from scratch several times I've figured out that the problem was the trailing slash in the notary server url.
That was revelatory .... notice that I'd previously typed: -
export DOCKER_CONTENT_TRUST_SERVER=https://us.icr.io:4443/
Once I changed my DCT URL to: -
export DOCKER_CONTENT_TRUST_SERVER=https://us.icr.io:4443
( i.e. no trailing slash )
everything was copacetic 😹
Easy when you know how now
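A pre-push check for the trailing-slash problem described above, as an added example that is not part of the original post. The function names normalize_dct_server and check_dct_env are hypothetical, and the check assumes an https trust server URL and DOCKER_CONTENT_TRUST=1, as used in the post: -

```bash
#!/usr/bin/env bash
# Added example: sanity-check the Docker Content Trust variables before a push.
# normalize_dct_server and check_dct_env are hypothetical helper names.

# Print the trust server URL with any trailing slashes removed.
# Returns 2 if the result is not of the form https://host[:port]...
# (https is an assumption taken from the URL used in the post).
normalize_dct_server() {
    dct_url=$1
    # Strip every trailing slash, e.g. https://us.icr.io:4443/ -> https://us.icr.io:4443
    while [ "${dct_url%/}" != "$dct_url" ]; do
        dct_url=${dct_url%/}
    done
    case $dct_url in
        https://?*) ;;
        *) echo "trust server URL must look like https://host:port, got: '$1'" >&2
           return 2 ;;
    esac
    printf '%s\n' "$dct_url"
}

# Verify the environment used for a signed push and repair the URL in place.
# Returns 1 if DOCKER_CONTENT_TRUST is not 1, 2 if the server URL is unusable.
check_dct_env() {
    if [ "${DOCKER_CONTENT_TRUST:-}" != "1" ]; then
        echo "DOCKER_CONTENT_TRUST is not 1 (the value used in the post)" >&2
        return 1
    fi
    dct_fixed=$(normalize_dct_server "${DOCKER_CONTENT_TRUST_SERVER:-}") || return $?
    if [ "$dct_fixed" != "$DOCKER_CONTENT_TRUST_SERVER" ]; then
        echo "removing trailing slash: $DOCKER_CONTENT_TRUST_SERVER -> $dct_fixed" >&2
        export DOCKER_CONTENT_TRUST_SERVER=$dct_fixed
    fi
    return 0
}

# Usage, after the two export lines and before the push:
#   check_dct_env && docker push us.icr.io/foobarsnafu/hello_world_nginx_dct_june_2021:latest
```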