#Can't pull from local Docker registry

Hello, I'm trying to pull an image that I've pushed to my local Docker registry; but I get the following error:

#1 resolve image config for localhost:5000/local-jdk8:v1
panic: input:1: container.from failed to do request: Head "http://localhost:5000/v2/local-jdk8/manifests/v1": dial tcp 127.0.0.1:5000: connect: connection refused

Please visit https://dagger.io/help#go for troubleshooting guidance.

goroutine 1 [running]:
main.main()
        C:/Projects/x/x/x.go:63 +0x785
exit status 2

I've tried doing a docker login on the host where I run the Go pipeline. As well as from within the pipeline itself, its the same result either way.

@devout heath I confirm that I have this issue as well.

repro:

docker run -d -p 5001:5000 --restart=always --name myregistry registry:2
docker pull golang:latest
docker tag golang:latest localhost:5001/golang:latest
docker push localhost:5001/golang:latest
go run main.go

main.go

package main

import (
    "context"
    "fmt"
    "os"

    "dagger.io/dagger"
)

func main() {
    if err := build(context.Background()); err != nil {
        fmt.Println(err)
    }
}

func build(ctx context.Context) error {
    fmt.Println("Building with Dagger")

    // initialize Dagger client
    client, err := dagger.Connect(ctx, dagger.WithLogOutput(os.Stdout))
    if err != nil {
        return err
    }
    defer client.Close()

    golang := client.Container().From("localhost:5001/golang:latest")

    golang = golang.WithExec([]string{"go", "version"})

    _, err = golang.Stdout(ctx)
    if err != nil {
        return err
    }

    return nil
}

error:

go ➤ go run main.go
Building with Dagger
#1 resolve image config for localhost:5001/golang:latest
input:1: container.from failed to do request: Head "http://localhost:5001/v2/golang/manifests/latest": dial tcp 127.0.0.1:5001: connect: connection refused

Please visit https://dagger.io/help#go for troubleshooting guidance.

I think this is the same problem here (just pulling instead of pushing): https://github.com/dagger/dagger/issues/4579#issuecomment-1444761172

Basically, the dagger engine is in its own container that's isolated from the localhost where the registry is running. The workaround where you run the registry in the network of the engine will work for this too

Got it. So use the same docker network in my case (Docker Desktop)?

Yeah the commands in my comment on that issue should work on docker desktop too (afaik, let me know if not as I only tried it on linux docker)

In the longer run I guess the nice solution to this will be to have host<->container network proxying: https://github.com/dagger/dagger/issues/4080
But now until then hopefully the workaround suffices

hmmm

docker run -d -p 5001:5000 --restart=always --network container:dagger-engine-57eff2cd90629414 --name myregistry registry:2
docker: Error response from daemon: conflicting options: port publishing and the container type network mode.

had to drop -p option

Oh right, thanks! I'll update my comment too

but then I can't docker push to the registry from my local terminal (unless I need a flag or something). Guess I'll need to Publish from Dagger.

docker push localhost:5000/golang:latest
The push refers to repository [localhost:5000/golang]
Get "http://localhost:5000/v2/": dial tcp [::1]:5000: connect: connection refused

Yeah that's another downside. Only solution will be the host<->container proxying I think

Use 127.0.0.1 instead of localhost

It's resolving to an ipv6 instead of ipv4 and I guess the registry isn't listening on ipv6

might be doing wrong...

go ➤ docker tag golang:latest 127.0.0.1:5000/golang:latest
go ➤ docker push 127.0.0.1:5000/golang:latest
The push refers to repository [127.0.0.1:5000/golang]
Get "http://127.0.0.1:5000/v2/": dial tcp 127.0.0.1:5000: connect: connection refused

You have to push from dagger in this setup, won't work from local terminal

ah, cool. That tracks better 😆 Thought you found a cheat code

Haha no I am out of cheat codes for this

localhost worked fine from within Dagger

#3 exporting to image
#3 pushing layers 4.1s done
#3 pushing manifest for localhost:5000/golang:latest@sha256:6a3be77e43502b1d91ecba372f34fb7f522d967f454622a1d832c8c5439e5f9f done
#3 DONE 4.1s

as did

#3 pushing layers 0.0s done
#3 pushing manifest for 127.0.0.1:5000/golang:latest@sha256:f79e82e40b49fe1290304c4c180a391e8b560ebf3d94ef063cd7ef1c18228732 done
#3 DONE 0.1s

Ah okay cool, the resolution of ipv4 vs ipv6 depends on a bunch of things, including some randomness, so I guess I rushed to blaming it

example:

package main

import (
    "context"
    "fmt"
    "os"

    "dagger.io/dagger"
)

func main() {
    if err := build(context.Background()); err != nil {
        fmt.Println(err)
    }
}

func build(ctx context.Context) error {
    fmt.Println("Building with Dagger")

    // initialize Dagger client
    client, err := dagger.Connect(ctx, dagger.WithLogOutput(os.Stdout))
    if err != nil {
        return err
    }
    defer client.Close()

    golang := client.Container().From("golang:latest")
    _, err = golang.Publish(ctx, "127.0.0.1:5000/golang:latest")
//    golang = golang.WithExec([]string{"go", "version"})

    _, err = golang.Stdout(ctx)
    if err != nil {
        return err
    }

    return nil
}

Hope that helps @hybrid acorn

The upshot being that you should run your local registry like this: https://github.com/dagger/dagger/issues/4579#issuecomment-1444761172

And that we'll be looking into DX improvements here. Thanks for raising this!

Thanks for this; Jeremy + Erik.

@olive lintel , if I'm reading the above the way it was intended; I essentially need to have:

• A separate Go file that builds my image - then pushes/publishes it to my local registry (the one I've setup with the --network container:<DAGGER> parameter) by .Publish(ctx, "127.0.0.1:5000/<image>:<image-version>"). This ensures that the registry is available on the same network as the Dagger engine.
• My CI pipeline can then pull down this image by: .From("127.0.0.1/<image>:<image-version") .

Once you've set up your local registry with --network container:<DAGGER>, yes, you can use Publish() and Container().From() just like that. You can have everything in one Dagger Go SDK file/program or in separate ones depending on what makes most sense 🙂

Why does this not require the registry's container name to be used once the buildkit and registry container are connected via --network? Also back in the day the buildkit container would run with --network host, is that not the case anymore?

The --network flag results in the registry container and the dagger engine container to be in the same network namespace and thus share a loopback interface (i.e. localhost), so they can talk to each other over that.

Also back in the day the buildkit container would run with --network host, is that not the case anymore?
No that changed in v0.3, the default dagger engine container in docker doesn't specify --network in docker run so it ends up with the default configuration. You can provision the engine yourself still and use whatever settings you want (have some internal docs if needed) but it's overall better for us to default to an isolated network namespace where we can manipulate network settings without breaking the host.

ah I didnt know about 'container:<name|id>' , that will be handy at some point, thanks. I would have put the two in the same network and use the container name (alias) for resolution.
And yes, running without --network host is definitly better. That was problematic back then.

Good to see you @vestal jasper 👋

I tried using a network alias. But I am getting error regarding http and https

input:1: container.from.withFile.withEntrypoint.withWorkdir.publish failed to solve: failed to push local-registry:5000/hello: failed to do request: Head "https://local-registry:5000/v2/hello/blobs/sha256:1487bff95222881565c7c063129c2c2ce3d6fc4d14796ac7627bd1f167bc5621": http: server gave HTTP response to HTTPS client

can you share your pipeline please?

at a glance looks like you're calling Publish to a non-https registry. Buildkit has a way to apply this global config to allow non-https endpoints per registry, but we don't expose this through the Publish step. It'd be great if we could though. @devout heath do you know by memory if the LLB push operation supports this?

yes, the registry is running in a docker network. I have used docker network connect ... to join the containers

its running without any special config,so thats why its http

yeah.. I think that's why. There's a way to override the engine.toml to allow pushing to an insecure registry, but that requires some manual operational work