Fix registry 413: patch host /etc/hosts before docker push.

docker.sock pushes use host networking; route git.aexoradao.com to 127.0.0.1 to bypass Cloudflare upload limits.
This commit is contained in:
epistemophiliac 2026-06-16 20:06:39 -04:00
parent ebe9a41501
commit 1ca8192a4c
3 changed files with 24 additions and 8 deletions

@ -66,16 +66,17 @@ Set `DOCKER_GID` on the Jenkins Coolify service to the host docker group GID (`s
Docker image layers are often **>100MB**. If `git.aexoradao.com` is behind **Cloudflare proxy** (orange cloud), uploads fail with `413`.
**Fix (recommended for same-host Jenkins):** Jenkins container `extra_hosts`:
**Why Jenkins `extra_hosts` alone is not enough:** with `/var/run/docker.sock` mounted, **`docker push` runs on the host dockerd**, which uses the **host's** DNS/`/etc/hosts`, not the Jenkins container's.
```yaml
extra_hosts:
- 'git.aexoradao.com:host-gateway'
**Fix applied in CI:** `jenkins-registry-bypass.sh` adds on the **Coolify host**:
```text
127.0.0.1 git.aexoradao.com
```
Pushes then go to **local Traefik** (Let's Encrypt on origin), not Cloudflare.
(via a one-shot `docker run --network host` container). Pushes then go to **local Traefik**, not Cloudflare.
**Alternative:** Cloudflare DNS → **DNS only** (grey cloud) for `git.aexoradao.com`, or use Docker Hub as `REGISTRY_IMAGE`.
**Manual fallback:** Cloudflare DNS → **DNS only** (grey cloud) for `git.aexoradao.com`, or add the same line to the host `/etc/hosts` yourself.
### Registry push 401/403
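Review bot: the `jenkins-registry-bypass.sh` paragraph should state that the host `/etc/hosts` change is persistent: the script appends `127.0.0.1 git.aexoradao.com` and nothing removes it, so from then on every process on the Coolify host (not only dockerd) resolves `git.aexoradao.com` to loopback. The same paragraph should also note that the bypass depends on Traefik presenting a certificate valid for `git.aexoradao.com` (the text says Let's Encrypt on origin), since `docker login` and `docker push` still verify TLS against that name even when it resolves to 127.0.0.1. Finally, check the fences in this hunk: a ```yaml block opens at `extra_hosts:` and the next fence seen is the ```text one, so make sure the old block's closing fence is removed together with it and the "Fix applied in CI" line is not left inside an open yaml fence.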

@ -14,14 +14,15 @@ if [ -z "${REGISTRY_USER:-}" ] || [ -z "${REGISTRY_PASSWORD:-}" ]; then
exit 1
fi
# Ephemeral docker config — do not persist registry password in workspace
bash scripts/ci/jenkins-registry-bypass.sh
PUSH_DOCKER_CONFIG="$(mktemp -d)"
trap 'rm -rf "$PUSH_DOCKER_CONFIG"' EXIT
export DOCKER_CONFIG="$PUSH_DOCKER_CONFIG"
echo "$REGISTRY_PASSWORD" | $DOCKER login "$REGISTRY_HOST" -u "$REGISTRY_USER" --password-stdin
echo "Pushing ${REGISTRY_IMAGE}:${IMAGE_TAG} (large layers need Cloudflare bypass — Jenkins extra_hosts git.aexoradao.com:host-gateway)"
echo "Pushing ${REGISTRY_IMAGE}:${IMAGE_TAG}"
$DOCKER push "${REGISTRY_IMAGE}:${IMAGE_TAG}"
$DOCKER push "${REGISTRY_IMAGE}:main"
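Review bot: the new `bash scripts/ci/jenkins-registry-bypass.sh` call is inserted between the `# Ephemeral docker config` comment and the `PUSH_DOCKER_CONFIG="$(mktemp -d)"` line it describes; move the call above the comment (directly after `fi`) so the comment stays attached to the mktemp. A one-line comment on the call would also help, saying it needs the host `docker.sock` and pulls `alpine:3.20`, because a failed pull or a missing `$DOCKER` now aborts the push step before `docker login` even runs.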

@ -0,0 +1,14 @@
#!/usr/bin/env bash
# Registry uploads use the HOST dockerd (docker.sock), not the Jenkins container network.
# Map git.aexoradao.com -> 127.0.0.1 on the HOST so pushes hit local Traefik, not Cloudflare.
set -euo pipefail
REGISTRY_HOST="${REGISTRY_HOST:-git.aexoradao.com}"
REGISTRY_BYPASS_IP="${REGISTRY_BYPASS_IP:-127.0.0.1}"
# shellcheck source=/dev/null
source .ci-bin/ci-env.sh
echo "Ensuring host /etc/hosts maps ${REGISTRY_BYPASS_IP} -> ${REGISTRY_HOST}"
$DOCKER run --rm --network host alpine:3.20 sh -c \
"grep -qE '[[:space:]]${REGISTRY_HOST}([[:space:]]|$)' /etc/hosts || echo '${REGISTRY_BYPASS_IP} ${REGISTRY_HOST}' >> /etc/hosts; grep '${REGISTRY_HOST}' /etc/hosts"
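Review bot: the `>> /etc/hosts` inside the `alpine:3.20` container does not edit the host's file, even with `--network host`: Docker bind-mounts a per-container `hosts` file (seeded from the host's entries in host network mode) at the container's `/etc/hosts`, so the append lands in that copy, the trailing `grep` prints the new line and the script exits 0, while dockerd on the host still resolves `git.aexoradao.com` through Cloudflare. To change the host file, bind-mount it explicitly, for example `-v /etc/hosts:/etc/hosts`, after which `--network host` is not needed for the write. Separately, `REGISTRY_HOST` and `REGISTRY_BYPASS_IP` are interpolated unquoted into the `sh -c` string and into the grep pattern (where the dots of the hostname are unescaped), so validate both against a strict hostname and dotted-IPv4 pattern before use, since this command runs as root on the host.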