Fixes #10673. Signed-off-by: Rick Wieman <git@rickw.nl>
19 KiB
page_title: Automated Builds on Docker Hub page_description: Docker Hub Automated Builds page_keywords: Docker, docker, registry, accounts, plans, Dockerfile, Docker Hub, docs, documentation, trusted, builds, trusted builds, automated builds
Automated Builds on Docker Hub
About Automated Builds
Automated Builds are a special feature of Docker Hub which allow you to
use Docker Hub's build clusters to automatically
create images from a GitHub or Bitbucket repository containing a Dockerfile
The system will clone your repository and build the image described by the
Dockerfile
using the directory the Dockerfile
is in (and subdirectories)
as the build context. The resulting automated image will then be uploaded
to the Docker Hub registry and marked as an Automated Build.
Automated Builds have several advantages:
- Users of your Automated Build can trust that the resulting image was built exactly as specified.
- The
Dockerfile
will be available to anyone with access to your repository on the Docker Hub registry. - Because the process is automated, Automated Builds help to make sure that your repository is always up to date.
Automated Builds are supported for both public and private repositories on both GitHub and Bitbucket.
To use Automated Builds, you must have an account on Docker Hub and on GitHub and/or Bitbucket. In either case, the account needs to be properly validated and activated before you can link to it.
The first time you to set up an Automated Build, your Docker Hub account will need to be linked to a GitHub or Bitbucket account. This will allow the registry to see your repositories.
If you have previously linked your Docker Hub account, and want to view or modify that link, click on the "Manage - Settings" link in the sidebar, and then "Linked Accounts" in your Settings sidebar.
Automated Builds from GitHub
If you've previously linked your Docker Hub account to your GitHub account, you'll be able to skip to the Creating an Automated Build.
Linking your Docker Hub account to a GitHub account
Note: Automated Builds currently require read and write access since Docker Hub needs to setup a GitHub service hook. We have no choice here, this is how GitHub manages permissions, sorry! We do guarantee nothing else will be touched in your account.
To get started, log into your Docker Hub account and click the "+ Add Repository" button at the upper right of the screen. Then select Automated Build.
Select the GitHub service.
When linking to GitHub, you'll need to select either "Public and Private", or "Limited" linking.
The "Public and Private" option is the easiest to use, as it grants the Docker Hub full access to all of your repositories. GitHub also allows you to grant access to repositories belonging to your GitHub organizations.
By choosing the "Limited" linking, your Docker Hub account only gets permission to access your public data and public repositories.
Follow the onscreen instructions to authorize and link your GitHub account to Docker Hub. Once it is linked, you'll be able to choose a source repository from which to create the Automatic Build.
You will be able to review and revoke Docker Hub's access by visiting the GitHub User's Applications settings.
Note
: If you delete the GitHub account linkage that is used for one of your automated build repositories, the previously built images will still be available. If you re-link to that GitHub account later, the automated build can be started using the "Start Build" button on the Hub, or if the webhook on the GitHub repository still exists, will be triggered by any subsequent commits.
Auto builds and limited linked GitHub accounts.
If you selected to link your GitHub account with only a "Limited" link, then after creating your automated build, you will need to either manually trigger a Docker Hub build using the "Start a Build" button, or add the GitHub webhook manually, as described in GitHub Service Hooks.
Changing the GitHub user link
If you want to remove, or change the level of linking between your GitHub account and the Docker Hub, you need to do this in two places.
First, remove the "Linked Account" from your Docker Hub "Settings". Then go to your GitHub account's Personal settings, and in the "Applications" section, "Revoke access".
You can now re-link your account at any time.
GitHub organizations
GitHub organizations and private repositories forked from organizations will be made available to auto build using the "Docker Hub Registry" application, which needs to be added to the organization - and then will apply to all users.
To check, or request access, go to your GitHub user's "Setting" page, select the "Applications" section from the left side bar, then click the "View" button for "Docker Hub Registry".
The organization's administrators may need to go to the Organization's "Third party access" screen in "Settings" to Grant or Deny access to the Docker Hub Registry application. This change will apply to all organization members.
More detailed access controls to specific users and GitHub repositories would be managed using the GitHub People and Teams interfaces.
Creating an Automated Build
You can create an Automated Build from any of your
public or private GitHub repositories that have a Dockerfile
.
Once you've selected the source repository, you can then configure:
- The Hub user/org the repository is built to - either your Hub account name, or the name of any Hub organizations your account is in
- The Docker repository name the image is built to
- If the Docker repository should be "Public" or "Private" You can change the accessibility options after the repository has been created. If you add a Private repository to a Hub user, then you can only add other users as collaborators, and those users will be able to view and pull all images in that repository. To configure more granular access permissions, such as using groups of users or allow different users access to different image tags, then you need to add the Private repository to a Hub organization that your user has Administrator privilege on.
- If you want the GitHub to notify the Docker Hub when a commit is made, and thus trigger a rebuild of all the images in this automated build.
You can also select one or more
- The git branch/tag, which repository sub-directory to use as the context
- The Docker image tag name
You can set a description for the repository by clicking "Description" link in the righthand side bar after the automated build - note that the "Full Description" will be over-written next build from the README.md file. has been created.
GitHub private submodules
If your GitHub repository contains links to private submodules, you'll get an error message in your build.
Normally, the Docker Hub sets up a deploy key in your GitHub repository. Unfortunately, GitHub only allows a repository deploy key to access a single repository.
To work around this, you need to create a dedicated user account in GitHub and attach the automated build's deploy key that account. This dedicated build account can be limited to read-only access to just the repositories required to build.
Step | Screenshot | Description |
---|---|---|
1. | First, create the new account in GitHub. It should be given read-only access to the main repository and all submodules that are needed. | |
2. | This can be accomplished by adding the account to a read-only team in the organization(s) where the main GitHub repository and all submodule repositories are kept. | |
3. | Next, remove the deploy key from the main GitHub repository. This can be done in the GitHub repository's "Deploy keys" Settings section. | |
4. | Your automated build's deploy key is in the "Build Details" menu under "Deploy keys". | |
5. | In your dedicated GitHub User account, add the deploy key from your Docker Hub Automated Build. |
GitHub service hooks
The GitHub Service hook allows GitHub to notify the Docker Hub when something has been committed to that git repository. You will need to add the Service Hook manually if your GitHub account is "Limited" linked to the Docker Hub.
Follow the steps below to configure the GitHub Service hooks for your Automated Build:
Step | Screenshot | Description |
---|---|---|
1. | Log in to Github.com, and go to your Repository page. Click on "Settings" on the right side of the page. You must have admin privileges to the repository in order to do this. | |
2. | Click on "Webhooks & Services" on the left side of the page. | |
3. | Find the service labeled "Docker" (or click on "Add service") and click on it. | |
4. | Make sure the "Active" checkbox is selected and click the "Update service" button to save your changes. |
Automated Builds with Bitbucket
In order to setup an Automated Build, you need to first link your Docker Hub account with a Bitbucket account. This will allow the registry to see your repositories.
To get started, log into your Docker Hub account and click the "+ Add Repository" button at the upper right of the screen. Then select Automated Build.
Select the Bitbucket source.
Then follow the onscreen instructions to authorize and link your Bitbucket account to Docker Hub. Once it is linked, you'll be able to choose a repository from which to create the Automatic Build.
Creating an Automated Build
You can create an Automated Build from any of your
public or private Bitbucket repositories with a Dockerfile
.
Adding a Hook
When you link your Docker Hub account, a POST
hook should get automatically
added to your Bitbucket repository. Follow the steps below to confirm or modify the
Bitbucket hooks for your Automated Build:
Step | Screenshot | Description |
---|---|---|
1. | Log in to Bitbucket.org and go to your Repository page. Click on "Settings" on the far left side of the page, under "Navigation". You must have admin privileges to the repository in order to do this. | |
2. | Click on "Hooks" on the near left side of the page, under "Settings". | |
3. | You should now see a list of hooks associated with the repo, including a POST hook that points at
registry.hub.docker.com/hooks/bitbucket. |
The Dockerfile and Automated Builds
During the build process, Docker will copy the contents of your Dockerfile
.
It will also add it to the Docker Hub for the Docker
community (for public repositories) or approved team members/orgs (for private
repositories) to see on the repository page.
README.md
If you have a README.md
file in your repository, it will be used as the
repository's full description.The build process will look for a
README.md
in the same directory as your Dockerfile
.
Warning: If you change the full description after a build, it will be rewritten the next time the Automated Build has been built. To make changes, modify the
README.md
from the Git repository.
Remote Build triggers
If you need a way to trigger Automated Builds outside of GitHub or Bitbucket, you can set up a build trigger. When you turn on the build trigger for an Automated Build, it will give you a URL to which you can send POST requests. This will trigger the Automated Build, much as with a GitHub webhook.
Build triggers are available under the Settings menu of each Automated Build repository on the Docker Hub.
You can use curl
to trigger a build:
$ curl --data "build=true" -X POST https://registry.hub.docker.com/u/svendowideit/testhook/trigger/be579c
82-7c0e-11e4-81c4-0242ac110020/
OK
Note: You can only trigger one build at a time and no more than one every five minutes. If you already have a build pending, or if you recently submitted a build request, those requests will be ignored. To verify everything is working correctly, check the logs of last ten triggers on the settings page .
Webhooks
Automated Builds also include a Webhooks feature. Webhooks can be called after a successful repository push is made. This includes when a new tag is added to an existing image.
The webhook call will generate a HTTP POST with the following JSON payload:
{
"callback_url": "https://registry.hub.docker.com/u/svendowideit/testhook/hook/2141b5bi5i5b02bec211i4eeih0242eg11000a/",
"push_data": {
"images": [
"27d47432a69bca5f2700e4dff7de0388ed65f9d3fb1ec645e2bc24c223dc1cc3",
"51a9c7c1f8bb2fa19bcd09789a34e63f35abb80044bc10196e304f6634cc582c",
...
],
"pushed_at": 1.417566161e+09,
"pusher": "trustedbuilder"
},
"repository": {
"comment_count": 0,
"date_created": 1.417494799e+09,
"description": "",
"dockerfile": "#\n# BUILD\u0009\u0009docker build -t svendowideit/apt-cacher .\n# RUN\u0009\u0009docker run -d -p 3142:3142 -name apt-cacher-run apt-cacher\n#\n# and then you can run containers with:\n# \u0009\u0009docker run -t -i -rm -e http_proxy http://192.168.1.2:3142/ debian bash\n#\nFROM\u0009\u0009ubuntu\nMAINTAINER\u0009SvenDowideit@home.org.au\n\n\nVOLUME\u0009\u0009[\"/var/cache/apt-cacher-ng\"]\nRUN\u0009\u0009apt-get update ; apt-get install -yq apt-cacher-ng\n\nEXPOSE \u0009\u00093142\nCMD\u0009\u0009chmod 777 /var/cache/apt-cacher-ng ; /etc/init.d/apt-cacher-ng start ; tail -f /var/log/apt-cacher-ng/*\n",
"full_description": "Docker Hub based automated build from a GitHub repo",
"is_official": false,
"is_private": true,
"is_trusted": true,
"name": "testhook",
"namespace": "svendowideit",
"owner": "svendowideit",
"repo_name": "svendowideit/testhook",
"repo_url": "https://registry.hub.docker.com/u/svendowideit/testhook/",
"star_count": 0,
"status": "Active"
}
}
Webhooks are available under the Settings menu of each Repository.
Note: If you want to test your webhook out we recommend using a tool like requestb.in.
Note
: The Docker Hub servers are currently in the IP range
162.242.195.64 - 162.242.195.127
, so you can restrict your webhooks to accept webhook requests from that set of IP addresses.
Webhook chains
Webhook chains allow you to chain calls to multiple services. For example, you can use this to trigger a deployment of your container only after it has been successfully tested, then update a separate Changelog once the deployment is complete. After clicking the "Add webhook" button, simply add as many URLs as necessary in your chain.
The first webhook in a chain will be called after a successful push. Subsequent URLs will be contacted after the callback has been validated.
Validating a callback
In order to validate a callback in a webhook chain, you need to
- Retrieve the
callback_url
value in the request's JSON payload. - Send a POST request to this URL containing a valid JSON body.
Note
: A chain request will only be considered complete once the last callback has been validated.
To help you debug or simply view the results of your webhook(s), view the "History" of the webhook available on its settings page.
Callback JSON data
The following parameters are recognized in callback data:
state
(required): Accepted values aresuccess
,failure
anderror
. If the state isn'tsuccess
, the webhook chain will be interrupted.description
: A string containing miscellaneous information that will be available on the Docker Hub. Maximum 255 characters.context
: A string containing the context of the operation. Can be retrieved from the Docker Hub. Maximum 100 characters.target_url
: The URL where the results of the operation can be found. Can be retrieved on the Docker Hub.
Example callback payload:
{
"state": "success",
"description": "387 tests PASSED",
"context": "Continuous integration by Acme CI",
"target_url": "http://ci.acme.com/results/afd339c1c3d27"
}
Repository links
Repository links are a way to associate one Automated Build with another. If one gets updated,the linking system triggers a rebuild for the other Automated Build. This makes it easy to keep all your Automated Builds up to date.
To add a link, go to the repository for the Automated Build you want to link to and click on Repository Links under the Settings menu at right. Then, enter the name of the repository that you want have linked.
Warning: You can add more than one repository link, however, you should do so very carefully. Creating a two way relationship between Automated Builds will cause an endless build loop.