From ebe9a415015e6c75949bf03ac6be0253b21a8f93 Mon Sep 17 00:00:00 2001 From: epistemophiliac Date: Tue, 16 Jun 2026 19:57:43 -0400 Subject: [PATCH] Document and harden registry push against 413 Payload Too Large. Use ephemeral docker login config; document Cloudflare bypass via Jenkins extra_hosts. --- docs/JENKINS.md | 15 +++++++++++++++ scripts/ci/jenkins-push-image.sh | 6 ++++++ 2 files changed, 21 insertions(+) diff --git a/docs/JENKINS.md b/docs/JENKINS.md index 7ccb4a0..5d3a68d 100644 --- a/docs/JENKINS.md +++ b/docs/JENKINS.md @@ -62,6 +62,21 @@ The bootstrap stage installs the **buildx** CLI plugin into `.ci-bin/docker-conf Set `DOCKER_GID` on the Jenkins Coolify service to the host docker group GID (`stat -c '%g' /var/run/docker.sock`), redeploy Jenkins. +### Registry push `413 Payload Too Large` + +Docker image layers are often **>100MB**. If `git.aexoradao.com` is behind **Cloudflare proxy** (orange cloud), uploads fail with `413`. + +**Fix (recommended for same-host Jenkins):** Jenkins container `extra_hosts`: + +```yaml +extra_hosts: + - 'git.aexoradao.com:host-gateway' +``` + +Pushes then go to **local Traefik** (Let's Encrypt on origin), not Cloudflare. + +**Alternative:** Cloudflare DNS → **DNS only** (grey cloud) for `git.aexoradao.com`, or use Docker Hub as `REGISTRY_IMAGE`. + ### Registry push 401/403 - Token needs **write:package** (or full repo scope including packages) diff --git a/scripts/ci/jenkins-push-image.sh b/scripts/ci/jenkins-push-image.sh index 7d6a594..4ad0bff 100755 --- a/scripts/ci/jenkins-push-image.sh +++ b/scripts/ci/jenkins-push-image.sh 
@@ -14,8 +14,14 @@ if [ -z "${REGISTRY_USER:-}" ] || [ -z "${REGISTRY_PASSWORD:-}" ]; then exit 1 fi +# Ephemeral docker config — do not persist registry password in workspace +PUSH_DOCKER_CONFIG="$(mktemp -d)" +trap 'rm -rf "$PUSH_DOCKER_CONFIG"' EXIT +export DOCKER_CONFIG="$PUSH_DOCKER_CONFIG" + echo "$REGISTRY_PASSWORD" | $DOCKER login "$REGISTRY_HOST" -u "$REGISTRY_USER" --password-stdin +echo "Pushing ${REGISTRY_IMAGE}:${IMAGE_TAG} (large layers need Cloudflare bypass — Jenkins extra_hosts git.aexoradao.com:host-gateway)" $DOCKER push "${REGISTRY_IMAGE}:${IMAGE_TAG}" $DOCKER push "${REGISTRY_IMAGE}:main"
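Review bot: In the docs/JENKINS.md hunk, the recommended `extra_hosts` fix assumes the upload originates inside the Jenkins container, but `docker login` and `docker push` are carried out by the Docker daemon, and the context line about `DOCKER_GID` and `/var/run/docker.sock` suggests Jenkins drives the host daemon through the socket. In that setup the entry in the container's `/etc/hosts` does not change where the daemon sends layers, so pushes would still go through Cloudflare and still hit `413`. Please confirm which daemon performs the push and, if it is the host's, document the override where that daemon resolves names (for example the host's own `/etc/hosts`). The "Alternative" line should also say that switching `git.aexoradao.com` to DNS only publishes the origin address and removes the proxy for every client, so readers can weigh it against the local override.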
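Review bot: In the scripts/ci/jenkins-push-image.sh hunk, the result of `PUSH_DOCKER_CONFIG="$(mktemp -d)"` is never checked, so unless the script runs under `set -e` (not visible in this hunk) a failed `mktemp` leaves `DOCKER_CONFIG` empty, the CLI falls back to its default config directory, and `docker login` persists the credential there, which is the outcome the comment says the change prevents. Suggest failing closed, e.g. `PUSH_DOCKER_CONFIG="$(mktemp -d)" || exit 1`, before the `trap` and `export`. Two smaller points: the new `echo` hardcodes `git.aexoradao.com` although the script logs in to `$REGISTRY_HOST`, so the hint is misleading when `REGISTRY_IMAGE` points at another registry such as Docker Hub (the alternative named in the docs hunk); and since the exported `DOCKER_CONFIG` now points at an empty directory, any CLI plugin or setting that lived in the previous config directory is no longer visible to `$DOCKER` for the rest of the script, which is fine for `login` and `push` but worth a comment.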