Concourse via docker-compose and private registry

Hi!

I’m currently trying to get the following setup running:
One docker-compose file for everything:

  1. Harbor docker registry (with its several services)
    My endpoint service is called “harbor” and reacts on port 8080 (no https)
  2. concourse (web, worker, db)

The setup itself is working with harbor.
If I do a docker login from my host, I can log in and push images.

However it seems that there are DNS problems in the concourse worker.
The problem is that the hostname is not recognized and therefore concourse tries to log in to docker hub.

What I am trying to do is use the docker-image resource and do a put on this private registry. I defined it like this:

  - name: image-builder
    type: docker-image
    source:
      repository: harbor:8080/library/builder-image
      username: ((registry_user))
      password: ((registry_password))
      insecure_registries: [ "harbor:8080" ]

My put step looks like this:

      - put: image-builder
        params:
          build: source/builder-image/docker/
          dockerfile: source/builder-image/docker/Dockerfile
          tag_as_latest: true

What works:

  • docker login localhost:8080 (on my host)
  • logging into the worker container and using ping, nslookup on the name ‘harbor’. Even netcat shows that port 8080 is open.
  • using the IP address I got from ping or nslookup for the harbor instance works and lets me log in and push the image

So this setup is working:

  - name: image-builder
    type: docker-image
    source:
      repository: 192.168.123.32:8080/library/builder-image
      username: ((registry_user))
      password: ((registry_password))
      insecure_registries: [ "192.168.123.32:8080" ]

I tried playing with different settings for the worker but it simply does not work.

CONCOURSE_GARDEN_DNS_PROXY_ENABLE: "true"
CONCOURSE_WORKER_GARDEN_DNS_PROXY_ENABLE: "true"

What am I doing wrong?

I guess I seem to understand the problem here.
My harbor and concourse services run in docker containers whereas the worker containers from concourse are garden containers.
There are options like CONCOURSE_GARDEN_DNS_PROXY_ENABLE or CONCOURSE_WORKER_GARDEN_DNS_PROXY_ENABLE but they don’t apply to my problem.

The problem is that garden containers simply don’t resolve docker hostnames as they run in a completely different environment and have nothing to do with docker.

Can someone confirm this?

For all who are interested, I found out what caused this strange behavior.

The problem with not being able to log in to a private docker registry like harbor was the fact that my service name within the docker-compose.yaml didn’t contain a “.”.

Therefore the docker-image-resource thinks that my name of the docker repository (“harbor:8080/library/builder-image”) must be on dockerhub. This is very strange because I stated this private registry as insecure in the insecure_registries field. Here is the piece of code that decides whether it’s a private registry or dockerhub: https://github.com/concourse/docker-image-resource/blob/f7dfbc17c2f633eb165e1fc5b7363b582af6a7e3/assets/common.sh#L124

The quick fix for this issue for me was to add a “.” in the service name in the docker-compose file like harbor.lan.

However, I’ll prepare a pull request for changing this strange behavior.
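
The classification problem described in the last post, as an added example that is not part of the thread and not the resource's own code: a dot-only hostname check next to a rule that also accepts a port or `localhost`, as Docker's image-reference parsing does. It matters beyond a failed push, because a misclassified repository means the pipeline's registry credentials are presented to Docker Hub instead of the private registry. The function names and the `docker-hub` marker are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; models the behavior described in the thread,
# it is not copied from docker-image-resource.

# first_component REPO -> text before the first "/", empty if there is none
first_component() {
  case "$1" in
    */*) printf '%s\n' "${1%%/*}" ;;
    *)   printf '\n' ;;
  esac
}

# Dot-only heuristic: the first component is a registry only if it has a "."
is_private_dot_only() {
  host=$(first_component "$1")
  case "$host" in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Wider rule: a "." or a ":" (port) or the literal name "localhost"
is_private_docker_rule() {
  host=$(first_component "$1")
  case "$host" in
    localhost|*.*|*:*) return 0 ;;
    *)                 return 1 ;;
  esac
}

# login_target RULE REPO -> where the credentials would be sent
login_target() {
  if "$1" "$2"; then first_component "$2"; else echo "docker-hub"; fi
}

# Repository names taken from the thread, plus a plain Docker Hub style name
for repo in \
  harbor:8080/library/builder-image \
  harbor.lan:8080/library/builder-image \
  192.168.123.32:8080/library/builder-image \
  library/builder-image
do
  printf '%-44s dot-only=%-20s wider-rule=%s\n' "$repo" \
    "$(login_target is_private_dot_only "$repo")" \
    "$(login_target is_private_docker_rule "$repo")"
done
```

Running it shows why both the IP address and the `harbor.lan` rename worked: each puts a “.” into the first path component, while `harbor:8080` only passes the wider rule.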