
plugins/docker failed to resolve Keycloak hostname?

2021-01-27

Categories: DevOps

After integrating the Docker registry with Keycloak, the publish step failed to authenticate with the Docker registry.

The full error message is:

time="2021-01-26T13:44:18.485121053Z" level=error msg="Handler for POST /v1.40/auth returned error: Get https://docker.domain.com/v2/: Get https://sso.domain.com/auth/realms/application/protocol/docker-v2/auth?account=******&client_id=docker&offline_token=true&service=aws-docker-registry: dial tcp: lookup sso.domain.com on 127.0.0.11:53: no such host"

sso.domain.com is a local hostname which can be resolved on the host. How can I make it resolvable inside the plugins/docker container?

I found some similar issues:

but they are slightly different.

Look at this: http://plugins.drone.io/drone-plugins/drone-docker/

custom_dns will be passed to the Docker daemon inside plugins/docker, something like this:

/usr/local/bin/dockerd --data-root /var/lib/docker --host=unix:///var/run/docker.sock --dns 10.100.101.5 --dns 8.8.8.8

while add_host is passed to the docker build step:

$ docker build -h
Flag shorthand -h has been deprecated, please use --help

Usage:  docker build [OPTIONS] PATH | URL | -

Build an image from a Dockerfile

Options:
      --add-host list           Add a custom host-to-IP mapping (host:ip)

Both of these apply to later steps. Our case failed earlier, while authenticating with the Docker registry.

I tried to add network_mode: host:

- name: publish
  image: plugins/docker:19.03
  settings:
    debug: true
    network_mode: host
    registry: docker.domain.com
    repo: docker.domain.com/owner/repo
    tags:
    - ${DRONE_SOURCE_BRANCH}
    username:
      from_secret: docker_username
    password:
      from_secret: docker_password

but it didn't help; the error remained:

dial tcp: lookup sso.domain.com on 127.0.0.11:53: no such host"

Why does plugins/docker still use the embedded DNS?

OK, I tried to debug locally by using drone exec and still got the same error message.

Then I tried again with a simple example to see what happens:

steps:
  - name: alpine
    image: alpine:3.13
    network_mode: host
    commands:
      - cat /etc/resolv.conf

$ drone exec
2021/01/27 10:34:12 linter: untrusted repositories cannot configure network_mode

$ drone exec --trusted
[alpine:0] + cat /etc/resolv.conf
[alpine:1] # This file is fetched from the host via vpnkit-bridge
[alpine:2] nameserver 192.168.65.1

But wait. Why doesn't the Drone linter force me to trust the build when running the publish step? It turned out that network_mode was in the wrong place. It is a configuration of the pipeline step itself, not one of plugins/docker's settings:

- name: publish
  image: plugins/docker:19.03
  network_mode: host
  settings:
    debug: true
    registry: docker.domain.com
    repo: docker.domain.com/owner/repo
    tags:
      - ${DRONE_SOURCE_BRANCH}
    username:
      from_secret: docker_username
    password:
      from_secret: docker_password

Tags: drone ci docker dns
