Hi guys, I am new to drone and CI in general.
I am running drone on a private air-gapped server and have setup a private docker registry. Authentication for the private registry has been setup via DRONE_DOCKER_CONFIG in the runner. Both drone and drone-runner are running in docker containers. Verified that runner is connected to server.
The .drone.yml file looks like this:
kind: pipeline
type: docker
name: default
steps:
- name: build
image: registry.domain.com/test/python:3
commands:
- echo "Hello world!"
- python app.py
App.py is essential print(“Hello”)
The problem is that whenever I attempt to build it fails because drone is always attempting to connect to the docker hub public repository.
I have tested that the image referenced in .drone.yml is available in my private repository by pulling it from outside of the drone docker container.
I checked that my private registry address is pingable from both the drone server and runner containers. by manually checking it via docker exec -ti drone ash and then ping registry.domain.com. Root CA certificates have been installed in both containers.
I have also attempted to add the docker login config.json file as a secret with Allow Pull Request Checked but to no avail. Drone is not even attempting to connect to my private registry so authentication would an issue if it was able to make contact. I have attempted various combinations of adding the authentication info without mounting config.json on the runner with/without pull requests etc. No success.
For the docker host itself, I have set NO_PROXY for private registry domain but no success.
The primary issues is that drone is only attempting to connect to the public docker hub registry and not the private registry as per documentation at https://docs.drone.io/pipeline/docker/syntax/images/#pulling-private-images
What am I missing? Appreciate your help.
I’m assuming that drone only needs the image provided in the step. I suspect that if drone requires some other publicly available image then this might be the cause of the error.
Drone does not attempt to pull images from the registry. Drone connects to your host machine Docker daemon via the mounted Docker socket using the Docker Engine API, and requests that the Docker daemon pull the image. All network calls to the registry are coming from the Docker daemon, not from Drone.
I recommend debugging this issue by checking your daemon logs since Docker is the one pulling the image. I was unable to reproduce any issues with custom registries (I just tested with gcr.io) so perhaps your daemon logs will provide you with more details.
Thanks @ashwilliams1. Looking at the daemon logs right now but there’s a lot of chatter. Any suggestions for how I can isolate and view events initiated via by drone activity. Haven’t worked with daemon logs before so any suggestions that might help would be great.
Actually docker daemon logs in debug mode show attempt to pull an image called drone/git so there is a dependency on a public image.
Relevant log messages from docker daemon log:
Calling POST /v1.33/images/create?fromImage=drone%2Fgit&tag=latest
Trying to pull drone/git from https://registry-1.docker.io v2
Resolved by manually downloading the image on the air-gapped docker host.
See Drone-runner-kube images in private registry and air-gapped environment
edit: If you are using the Docker runner you need to use this variable to replace the clone image with a clone image from your own registry. The kubernetes and docker runners both expose this setting, but they use different environment variable names.
Thanks @bradrydzewski is the DRONE_CLONE_IMAGE applicable to docker as well? I saw the option is mentioned under kubernetes documentation but not for docker on drone docs.
I’m stuck on the next challenge where the git container is having trouble with SSL certificate verification test.git/': SSL certificate problem: unable to get local issuer certificate.
Is there a quick way to pass git config --global http.sslVerify false or git config --system http.sslCAPath /absolute/path/to/git/certificates to the git instance within the container? I don’t really need a custom image so was wondering if there’s a config option for it.
great! lol did I miss that or you just updated the documentation?
is the DRONE_CLONE_IMAGE applicable to docker as well? I saw the option is mentioned under kubernetes documentation but not for docker on drone docs.
the same setting is available, but it does in fact use a different environment variable name.
https://docs.drone.io/runner/docker/configuration/reference/drone-runner-clone-image/
Is there a quick way to pass git config --global http.sslVerify false or git config --system http.sslCAPath /absolute/path/to/git/certificates to the git instance within the container?
Yes, see http://discuss.harness.io/t/how-to-get-rid-of-skip-verify-true-during-cloning/6901
@bradrydzewski you are awesome!