fix: build registry auth and Docker image OCI compatibility #59
+48
−36
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add 10.100.x.x subnet to allowed VM networks for registry auth fallback (remote servers use 10.100.x.x while IP fallback only allowed 10.102.x.x) - Convert Docker v2 mediatypes to OCI equivalents in image unpacking (umoci requires OCI mediatypes but Docker Hub images use Docker mediatypes) - Explicitly set DOCKER_CONFIG env var for buildctl to ensure it finds auth config - Update documentation to use docker buildx with oci-mediatypes=true
rgarcia
approved these changes
Jan 16, 2026
| // Check if it's from the VM network (10.102.x.x) | ||
| return strings.HasPrefix(ip, "10.102.") | ||
| // Check if it's from the VM network (10.100.x.x or 10.102.x.x) | ||
| return strings.HasPrefix(ip, "10.100.") || strings.HasPrefix(ip, "10.102.") |
Contributor
There was a problem hiding this comment.
this feels a little fragile ... should it depend on config (e.g. config.go has subnet / bridge config that determines this prefix)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
10.100.x.xsubnet to allowed VM networks for registry auth fallbackDOCKER_CONFIGenv var for buildctldocker buildxwithoci-mediatypes=trueProblem
Registry auth failing with 401: Remote servers configured with
10.100.x.xsubnet, but IP fallback only allowed10.102.x.x, causing builds to fail when pushing to registry.Docker images incompatible: Images from Docker Hub use Docker-specific mediatypes (e.g.,
application/vnd.docker.container.image.v1+json), but umoci requires OCI mediatypes for layer unpacking, causing "config blob is not correct mediatype" errors.Changes
lib/middleware/oapi_auth.golib/images/oci.goAdded
convertToOCIMediaType()to convert Docker v2 mediatypes to OCI equivalents.lib/builds/builder_agent/main.goExplicitly set
DOCKER_CONFIG=/home/builder/.dockerfor buildctl.Test plan
10.102.x.xsubnet/health,/registry,/) responded correctlyNote
Focuses on OCI compatibility and registry auth reliability.
lib/images/oci.goso umoci layer unpacking worksDOCKER_CONFIG=/home/builder/.dockerwhen runningbuildctl-daemonless.shto use registry credentials10.100.x.xfor/v2/*registry requestsdocker buildxwithoci-mediatypes=trueand switch example image names toonkernel/*Written by Cursor Bugbot for commit 223351d. This will update automatically on new commits. Configure here.