"Life is all about sharing. If we are good at something, pass it on." - Mary Berry

plugins/docker failed to resolve Keycloak hostname?

visitor badge

2021-01-27

Categories: DevOps

After integrating Docker registry with Keycloak, the publishing step failed to authenticate with Docker Registry.

The full error message is:

1time="2021-01-26T13:44:18.485121053Z" level=error msg="Handler for POST /v1.40/auth returned error: Get https://docker.domain.com/v2/: Get https://sso.domain.com/auth/realms/application/protocol/docker-v2/auth?account=******&client_id=docker&offline_token=true&service=aws-docker-registry: dial tcp: lookup sso.domain.com on 127.0.0.11:53: no such host"

sso.domain.com is a local hostname which can be resolved on the host. How can I make it resolvable inside the plugins/docker container?

I found some similar issues:

but they are slightly differences.

Look at this: http://plugins.drone.io/drone-plugins/drone-docker/

custom_dns will be passed to the Docker daemon inside plugins/docker, something like this:

1/usr/local/bin/dockerd --data-root /var/lib/docker --host=unix:///var/run/docker.sock --dns 10.100.101.5 --dns 8.8.8.8

while add_host will be passed to the docker build steps:

1$ docker build -h
2Flag shorthand -h has been deprecated, please use --help
3
4Usage:  docker build [OPTIONS] PATH | URL | -
5
6Build an image from a Dockerfile
7
8Options:
9      --add-host list           Add a custom host-to-IP mapping (host:ip)

They are the latter steps. Our case failed early when authenticating with docker registry.

I tried to add network_mode: host:

 1- name: publish
 2  image: plugins/docker:19.03
 3  settings:
 4    debug: true
 5    network_mode: host
 6    registry: docker.domain.com
 7    repo: docker.domain.com/owner/repo
 8    tags:
 9    - ${DRONE_SOURCE_BRANCH}
10    username:
11      from_secret: docker_username
12    password:
13      from_secret: docker_password

but it didn’t help, the error still stands:

1dial tcp: lookup sso.domain.com on 127.0.0.11:53: no such host"

Why plugins/docker still uses embedded DNS?

OK, I tried to debug locally by using drone exec and still got the same error message.

Then I tried again with a simple example to see what happens:

1steps:
2  - name: alpine
3    image: alpine:3.13
4    network_mode: host
5    commands:
6      - cat /etc/resolv.conf
1$ drone exec
22021/01/27 10:34:12 linter: untrusted repositories cannot configure network_mode
3
4$ drone exec --trusted
5[alpine:0] + cat /etc/resolv.conf
6[alpine:1] # This file is fetched from the host via vpnkit-bridge
7[alpine:2] nameserver 192.168.65.1

But wait. Why drone linter does not force me to trust the build when running publish step? Turned out that network_mode is put in wrong place. It’s a service configuration, not plugins/docker’s settings:

 1- name: publish
 2  image: plugins/docker:19.03
 3  network_mode: host
 4  settings:
 5    debug: true
 6    registry: docker.domain.com
 7    repo: docker.domain.com/owner/repo
 8    tags:
 9      - ${DRONE_SOURCE_BRANCH}
10    username:
11      from_secret: docker_username
12    password:
13      from_secret: docker_password

Tags: drone ci docker dns

Edit on GitHub

Related Posts: