Monday, 28 June 2021

Docker Content Trust and the Case of the PEBCAK

I'm doing some work with trusted/signed container images at present, and am using IBM Container Registry (ICR) as my ... container registry.

I'm doing the actual build/tag/push from an Ubuntu 20.04 VM, having logged into ICR: -

docker login us.icr.io --username iamapikey

and having set my Bash variables to enable Docker Content Trust (DCT): -

export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://us.icr.io:4443/

I then built / tagged: -

docker build --no-cache -t us.icr.io/foobarsnafu/hello_world_nginx_dct_june_2021:latest -f Dockerfile .

and pushed my image: -

docker push us.icr.io/foobarsnafu/hello_world_nginx_dct_june_2021:latest

Whilst this appeared to work, it ultimately failed: -

The push refers to repository [us.icr.io/foobarsnafu/hello_world_nginx_dct_june_2021]
d0471711ab1a: Pushed 
5dbe8c3d30af: Pushed 
67780d477478: Pushed 
5db88766b0e0: Pushed 
36dfa50192c8: Pushed 
8506b073cd53: Pushed 
468af79aab10: Pushed 
fbf82c12d86e: Pushed 
4dc20fbc0e8d: Pushed 
b831cc3ae47e: Pushed 
ace0eda3e3be: Pushed 
latest: digest: sha256:bfcadd198529d842b97dcd633f7b0b65fbcdca4599886a172a31eff0543f3f9d size: 2610
Signing and pushing trust metadata
unable to reach trust server at this time: 301.

I checked and re-checked my steps, and then turned to my faithful friend, Google .... and found this: -


in which the person raising the issue said this: -

After a day and a half of debugging and redoing everything from scratch several times I've figured out that the problem was the trailing slash in the notary server url.

That was revelatory .... notice that I'd previously typed: -

export DOCKER_CONTENT_TRUST_SERVER=https://us.icr.io:4443/

Once I changed my DCT URL to: -

export DOCKER_CONTENT_TRUST_SERVER=https://us.icr.io:4443

( i.e. no trailing slash )

everything was copacetic 😹

Easy when you know how now
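To catch this before the next push, here is a small pre-flight check for the two DCT variables set above. It is an added example, not part of the original post or of Docker's tooling; the function names `normalize_dct_server` and `check_dct_env` and the return codes are hypothetical.

```shell
# Added example: pre-flight check for the DCT variables used in this post.
# Function names and return codes are hypothetical, not Docker's.

# Print the URL with every trailing slash removed.
normalize_dct_server() {
    _dct_url=$1
    while [ "${_dct_url%/}" != "$_dct_url" ]; do
        _dct_url=${_dct_url%/}
    done
    printf '%s\n' "$_dct_url"
}

# Return 0 when the settings match the working configuration above.
# 1 = DOCKER_CONTENT_TRUST is not 1, 2 = server unset or not https,
# 3 = trailing slash on the server URL (the cause of the 301 in this post).
check_dct_env() {
    _dct_trust=${DOCKER_CONTENT_TRUST:-}
    _dct_server=${DOCKER_CONTENT_TRUST_SERVER:-}

    if [ "$_dct_trust" != "1" ]; then
        echo "DOCKER_CONTENT_TRUST is not set to 1" >&2
        return 1
    fi

    case $_dct_server in
        https://?*) ;;
        *)
            echo "DOCKER_CONTENT_TRUST_SERVER is unset or not an https URL" >&2
            return 2
            ;;
    esac

    case $_dct_server in
        */)
            echo "DOCKER_CONTENT_TRUST_SERVER ends with a slash; use:" >&2
            echo "  export DOCKER_CONTENT_TRUST_SERVER=$(normalize_dct_server "$_dct_server")" >&2
            return 3
            ;;
    esac

    return 0
}
```

After sourcing the functions, `check_dct_env && docker push <image>` only pushes when the variables pass the check.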
