[Solved] Image push fails using inside Dagger Container | docker login inside dagger | Dagger | Page 1

deep crest Apr 10, 2025, 12:03 PM

#

have a goreleaser yaml in which I have defined a few containers which I want to build and push.
I am successful able to build the docker images, but when I try to push the image. I get this error:

 error=                                                                                                                                                     
    │ docker images: failed to publish artifacts: failed to push jammutkarsh/unkey-dagger-health:0.4.7 after 1 tries: failed to push jammutkarsh/unkey-dagg    
er-health:0.4.7: exit status 1: push access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorizati    
on failed

PS: The creds are correct, I pushed it yesterday when I executing goreleaser locally.

Here's my function:

  @func()
  release(gitdir: Directory, dockersocket: Socket, ghtoken: string, dockerUser: string, dockerSecret: Secret): Directory {
    dag.container()
    return dag.goreleaser()
      .withGoCache() // Enable Caching for Go Builds
      .withSource(gitdir) // to get info related to git tags

      .ctr() // Returning Container to mount Docker

      .withWorkdir("/mnt/go") // go.mod and goreleaser YAML is `go` dir
      .withUnixSocket("/var/run/docker.sock", dockersocket)
      .withEnvVariable("GITHUB_TOKEN", ghtoken) // Requireed by goreleaser, incase a package needs to be published
      .withSecretVariable("DOCKER_PAT", dockerSecret)
      .withRegistryAuth("docker.io", dockerUser, dockerSecret)
      .withExec(["goreleaser", "release", "--clean"])
      .directory("/mnt/go/dist") // Export the Binary Packages
  }

I have used .withRegistryAuth() , withExec() and used terminal() and manually entered the docker login to debug the issue. But in all 3 cases the error is same. I can't push.

#

In case its needed

📎 goreleaser.yaml

unique glacier Apr 10, 2025, 12:47 PM

#

deep crest In case its needed

👋 I'm not fully familiarized on how goreleaser actually makes the push but I'd assume it's using docker for that

#

@deep crest you're looking forward to use a PAT to login to your registry, don't you?

deep crest Apr 10, 2025, 12:51 PM

#

Yes, goreleaser is using docker. In the pipeline, its using DIND.

you're looking forward to use a PAT to login to your registry, don't you?
Yes

#

dagger call release --gitdir . --dockersocket /var/run/docker.sock --ghtoken abc --docker-secret env://DOCKER_PAT --docker-user $DOCKER_USER
This is the command I am executing

unique glacier Apr 10, 2025, 12:53 PM

#

deep crest `dagger call release --gitdir . --dockersocket /var/run/docker.sock --ghtoken ab...

right... but you're not doing anything with the DOCKER_PAT

#

you need to run docker login within the goreleaser container so that container is authenticated against the docker registry

#

let me try to get an example

deep crest Apr 10, 2025, 12:56 PM

#

You are suggesting, I should run withExec(["docker", "login", "-u", "username", -p "password"]) inside the container?
If yes, I tried this, but couldn't push the image.

unique glacier Apr 10, 2025, 1:01 PM

#

deep crest You are suggesting, I should run withExec(["docker", "login", "-u", "username", ...

func (m *Lolo) Test(ctx context.Context, user string, dockerPAT *dagger.Secret) *dagger.Container {
    patText, _ := dockerPAT.Plaintext(ctx)
    return dag.Container().From("docker:cli").WithExec([]string{"docker", "login", "--username", user, "--password-stdin"}, dagger.ContainerWithExecOpts{Stdin: patText})
}

#

^ that's an example on how you can authenticate within a container

deep crest Apr 10, 2025, 1:10 PM

#

With dagger.ContainerWithExecOpts{Stdin: patText} it worked. Thanks.
But can you briefly explain why it didn't work with the withRegistryAuth

#

[Solved] Image push fails using inside Dagger Container | docker login inside dagger

unique glacier Apr 10, 2025, 1:38 PM

#

deep crest With `dagger.ContainerWithExecOpts{Stdin: patText}` it worked. Thanks. But can ...

sure. WithRegistryAuth is for publishing containers from dagger directly via the container.Publish method 🙏

#

since in this particular case goreleaser is the one that's delegating the push to the docker daemon, WithRegistryAuth doesn't have any effect

deep crest Apr 10, 2025, 1:42 PM

#

With the method you mentioned, the log is printing the token in plain text, is there a way to hide?

    │ │ source: Host.__internalSocket(accessor: "2f7661722f72756e2f646f636b65722e736f636bb613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad"): Socket!
    │ ): Container!
    .withEnvVariable(name: "GITHUB_TOKEN", value: "abc"): Container!
    .withExec(args: ["docker", "login", "-u", "jammutkarsh", "--password-stdin"], stdin: "dckr_pat_xxxxxxxxxxxxxxxxx"): Container!

unique glacier Apr 10, 2025, 1:44 PM

#

deep crest With the method you mentioned, the log is printing the token in plain text, is t...

oh! you're right. Seems to be an issue. We should be masking that 😬

deep crest Apr 10, 2025, 1:48 PM

#

Cool, should I create the issue or are you doing it?

unique glacier Apr 10, 2025, 1:50 PM

#

deep crest Cool, should I create the issue or are you doing it?

there you go

func (m *Lolo) Test(ctx context.Context, user string, dockerPAT *dagger.Secret) *dagger.Container {
    return dag.Container().From("docker:cli").
        WithSecretVariable("DOCKER_PAT", dockerPAT).
        WithExec([]string{"sh", "-c", "echo $DOCKER_PAT | docker login --username " + user + " --password-stdin"})
}

#

GitHub

Secret scrub OTEL logs · Issue #8475 · dagger/dagger

Currently we use the secret scrubber just for the results of withExec - this is neccessary so we don't end up accidentally caching secrets in the output. However, this isn't entirely suffic...

#[Solved] Image push fails using inside Dagger Container | docker login inside dagger