Configuring Docker Daemon for Insecure Registries in Bitbucket Cloud Pipelines
Platform notice: Cloud only - This article applies only to Atlassian products on the cloud platform.
Summary
The Atlassian-provided Cloud Runners currently do not support Insecure Registries for Pipeline Builds. This KB article guides users on leveraging Linux self-hosted runners to set up a Docker Daemon, allowing connection to insecure registries.
Environment
Bitbucket Cloud Pipelines
Diagnosis
When attempting a "push" to or "pull" from an insecure Docker registry within a Bitbucket Pipeline build, Docker returns an error indicating that the certificate is not valid.
Example:
docker: Error response from daemon: Get "<your custom registry path>": x509: certificate signed by unknown authority.
Cause
By default, Docker does not trust a registry that lacks a valid signed certificate. To use such insecure registries, the Docker daemon must be configured explicitly.
For security reasons, the Docker daemon cannot be configured in Pipelines Cloud Runners. However, Linux self-hosted runners allow custom configuration of the Docker daemon, enabling the use of insecure registries.
Solution
1. Create a custom Docker-in-Docker (dind) Docker image and use it in the Bitbucket Pipeline as follows:
# custom-dind-image
FROM docker:dind
ENTRYPOINT [ "sh", "-c", "dockerd-entrypoint.sh $DOCKER_OPTS" ]
2. Once the custom "dind" image is pushed into the registry, use it as a custom image in the Bitbucket Pipeline to set up insecure registries.
An example pipeline configuration:
pipelines:
  default:
    - step:
        # Must run on a Linux self-hosted runner; Cloud Runners do not allow daemon configuration
        runs-on:
          - 'self.hosted'
          - 'linux'
        name: 'Build using custom dind image service'
        services:
          - custom-dind
        script:
          - export DOCKER_BUILDKIT=0
          # Shows the daemon configuration, including the insecure registries in effect
          - docker info
          - echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin <your custom registry URL>
definitions:
  services:
    custom-dind:
      image:
        name: <your custom registry>/custom-dind-image
        username: $DOCKER_USER
        password: $DOCKER_PASSWORD
      type: docker
      variables:
        # Passed to dockerd by the custom image's ENTRYPOINT
        DOCKER_OPTS: "--insecure-registry=<your custom registry URL>"
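The pipeline above runs docker info, which reports the registries the daemon treats as insecure. The following check is an added example, not part of the Atlassian article: it parses the RegistryConfig section of that output and flags any insecure registry or CIDR range that is neither loopback nor on an allowlist. The field names are those of Docker Engine's JSON output; the sample data and the host registry.internal.example:5000 are constructed placeholders.

```python
import ipaddress
import json
import sys

# Constructed sample of: docker info --format '{{json .RegistryConfig}}'
# for a dind service started with --insecure-registry=registry.internal.example:5000
SAMPLE_REGISTRY_CONFIG = """
{
  "InsecureRegistryCIDRs": ["127.0.0.0/8", "::1/128"],
  "IndexConfigs": {
    "docker.io": {"Name": "docker.io", "Mirrors": [], "Secure": true, "Official": true},
    "registry.internal.example:5000": {"Name": "registry.internal.example:5000",
                                       "Mirrors": [], "Secure": false, "Official": false}
  },
  "Mirrors": []
}
"""


def unexpected_insecure(registry_config_json, allowed):
    """Return insecure registries/CIDRs that are neither loopback nor allowlisted."""
    cfg = json.loads(registry_config_json)
    findings = []
    # CIDR entries: the daemon marks loopback insecure by default; anything wider is a finding.
    for cidr in cfg.get("InsecureRegistryCIDRs") or []:
        net = ipaddress.ip_network(cidr, strict=False)
        if not net.is_loopback and cidr not in allowed:
            findings.append(cidr)
    # Host entries: Secure=false means certificate validation is skipped for that registry.
    for name, index in (cfg.get("IndexConfigs") or {}).items():
        if not index.get("Secure", True) and name not in allowed:
            findings.append(name)
    return sorted(findings)


if __name__ == "__main__":
    # Reads piped docker info JSON, or falls back to the constructed sample.
    data = SAMPLE_REGISTRY_CONFIG if sys.stdin.isatty() else sys.stdin.read()
    bad = unexpected_insecure(data, allowed={"registry.internal.example:5000"})
    for entry in bad:
        print(f"unexpected insecure registry: {entry}")
    sys.exit(1 if bad else 0)
```

In a pipeline step, pipe `docker info --format '{{json .RegistryConfig}}'` into the script and replace the allowlist with your own registry, so the build fails if DOCKER_OPTS ever disables certificate validation for more than intended.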