This project uses the ACN Nexus Docker Registry:
- Push Registry: `docker-push.acn.fr` (requires authentication)
- Public Registry: `docker.acn.fr` (anonymous pull access)
The OpenSPP Docker build pipeline uses `woodpeckerci/plugin-docker-buildx` for multi-architecture builds. The plugin runs BuildKit as Docker-in-Docker inside the step container, which only works in privileged mode. A privileged container has root-equivalent access to the agent host (it can mount host devices and reach the host's Docker daemon), so allow privileged mode only for the plugin images that need it, and only on agents whose repositories you trust with that access.
Add the following to your Woodpecker server configuration:

```
WOODPECKER_PLUGINS_PRIVILEGED=woodpeckerci/plugin-docker-buildx
```

This can be set in:
- Docker Compose: add to the `environment` section of the Woodpecker server service
- Kubernetes: add to the ConfigMap or environment variables of the server deployment
- Systemd: add to the service file or environment file
- Direct execution: export it before starting the server
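The Docker Compose case, as an added example (this is not the project's or Woodpecker's own deployment file): a minimal server plus agent, with the privileged-plugin allowlist on the server service. The image tags, the `ci.example.org` hostname, the GitHub forge settings and the agent secret are placeholders, not values from this page.

```yaml
# Added example docker-compose.yml for Woodpecker; placeholder hostnames,
# forge settings and secrets. The only setting this page requires is
# WOODPECKER_PLUGINS_PRIVILEGED on the *server* service.
services:
  woodpecker-server:
    image: woodpeckerci/woodpecker-server:v2.7
    ports:
      - "8000:8000"
    volumes:
      - woodpecker-server-data:/var/lib/woodpecker/
    environment:
      - WOODPECKER_HOST=https://ci.example.org
      - WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET}
      # Allowlist of plugin images that may run privileged. Keep it to the
      # images that need it: every repository whose pipeline can use a listed
      # image gets a privileged container, i.e. control of the agent host.
      - WOODPECKER_PLUGINS_PRIVILEGED=woodpeckerci/plugin-docker-buildx
      # Forge settings (GitHub shown as a placeholder; use your forge's).
      - WOODPECKER_GITHUB=true
      - WOODPECKER_GITHUB_CLIENT=${WOODPECKER_GITHUB_CLIENT}
      - WOODPECKER_GITHUB_SECRET=${WOODPECKER_GITHUB_SECRET}

  woodpecker-agent:
    image: woodpeckerci/woodpecker-agent:v2.7
    command: agent
    restart: always
    depends_on:
      - woodpecker-server
    volumes:
      # The agent needs the host daemon to start step containers; nothing
      # about privileged plugins is configured here.
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WOODPECKER_SERVER=woodpecker-server:9000
      - WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET}

volumes:
  woodpecker-server-data:
```

Restart the server service after changing the variable; the agent does not read it.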
The pipeline requires the following secrets to be configured in Woodpecker:

- Nexus Registry Credentials (for pushing images):
  - `nexus_username`: Nexus username (e.g., `admin`)
  - `nexus_password`: Nexus password
- Slack Webhook (optional, for notifications):
  - `slack_webhook`: Slack webhook URL for build notifications

Prefer a dedicated Nexus account with push rights limited to the target repository over `admin`, and leave the `pull_request` event out of the secrets' allowed events so that a pull request cannot read the registry credentials.
Using the Woodpecker CLI:

```
woodpecker secret add --repository openspp/openspp-packaging-docker \
  --name nexus_username \
  --value "admin"
woodpecker secret add --repository openspp/openspp-packaging-docker \
  --name nexus_password \
  --value "your-nexus-password"
```

A value passed on the command line ends up in your shell history and is visible in the process list while the command runs; remove the history entry afterwards or rotate the password if the shell is shared.

Or via the Woodpecker UI:
- Navigate to your repository settings
- Go to "Secrets" section
- Add each secret with the appropriate name and value
If you cannot enable privileged mode on your Woodpecker server, you can use the alternative build steps provided in the pipeline:
- Edit `.woodpecker.yml`
- Comment out the `build-docker-ubuntu` and `build-docker-slim` steps
- Uncomment the `build-docker-ubuntu-alt` step (and create a similar one for slim)

Note: This alternative method:
- Only builds for the current architecture (no multi-arch support)
- Doesn't support BuildKit cache optimization
- May be slower for large images
Solution: Ensure `WOODPECKER_PLUGINS_PRIVILEGED` is set on the server and restart the Woodpecker server.
Solution: The plugin needs Docker-in-Docker. Ensure:
- The plugin image is listed in `WOODPECKER_PLUGINS_PRIVILEGED`, so the step actually runs in privileged mode
- The Woodpecker agent has access to the Docker socket, or Docker-in-Docker is properly configured
Solution: Check that:
- Nexus credentials secrets are properly configured
- The credentials have push access to the target repository
- The registry URLs are correct:
  - Push: `docker-push.acn.fr`
  - Pull: `docker.acn.fr`
- Test authentication locally:

```
docker login docker-push.acn.fr -u admin
```
The pipeline executes the following steps:
- Security Scan: Scans repository for vulnerabilities using Trivy
- Build Ubuntu Image: Builds multi-arch image based on Ubuntu 24.04
- Build Slim Image: Builds multi-arch image based on Debian bookworm-slim
- Scan Images: Security scan of built Docker images
- Test Images: Basic functionality tests
- Push to Production (tags only): Pushes images to production registry
- Update Manifests (tags only): Updates Kubernetes deployment manifests
- Notify: Sends Slack notification about build status
The pipeline triggers on:
- Push: To main, master, develop, or release/* branches
- Pull Request: For testing changes
- Tag: For production releases
The pipeline uses these CI variables. `CI_REPO_OWNER`, `CI_COMMIT_TAG`, `CI_COMMIT_BRANCH`, `CI_COMMIT_SHA` and `CI_BUILD_CREATED` are provided automatically by Woodpecker; `CI_REGISTRY` and `PROD_REGISTRY` are not Woodpecker built-ins and are supplied by the pipeline with the defaults noted:
- `CI_REGISTRY`: Docker registry URL (defaults to `docker-push.acn.fr`)
- `CI_REPO_OWNER`: Repository owner/organization
- `CI_COMMIT_TAG`: Git tag (for releases)
- `CI_COMMIT_BRANCH`: Git branch name
- `CI_COMMIT_SHA`: Git commit hash
- `CI_BUILD_CREATED`: Build timestamp
- `PROD_REGISTRY`: Production registry URL (defaults to `docker-push.acn.fr`)
- Push Operations: `docker-push.acn.fr/openspp/openspp`
- Public Access: `docker.acn.fr/openspp/openspp`
Images are automatically available at the public URL after being pushed to the private registry.
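An added example `.woodpecker.yml` that ties together the secrets, the privileged buildx step, the commented-out non-privileged alternative, and the triggers and tag-only release step described above. It is not the OpenSPP project's own pipeline. Assumptions not taken from this page: a `Dockerfile.ubuntu` in the repository root, the Trivy and `docker:27-cli` image tags, the tag scheme (short commit SHA for branch builds, the git tag plus `latest` for releases), and Woodpecker 2.x syntax for `environment` entries with `from_secret`.

```yaml
# Added example .woodpecker.yml; not the project's own pipeline.
# Assumed: Dockerfile.ubuntu, image tags, tag scheme, Woodpecker 2.x syntax.

# Triggers: pushes to main/master/develop/release/*, pull requests, tags.
when:
  - event: push
    branch: [main, master, develop, "release/*"]
  - event: pull_request
  - event: tag

steps:
  # Repository scan; fail the pipeline on HIGH/CRITICAL findings.
  security-scan:
    image: aquasec/trivy:0.56.2
    commands:
      - trivy fs --exit-code 1 --severity HIGH,CRITICAL .

  # Pull requests: build only, never push. No registry credentials reach this
  # step, so a pull request cannot write to the registry.
  build-docker-ubuntu-pr:
    image: woodpeckerci/plugin-docker-buildx
    settings:
      dockerfile: Dockerfile.ubuntu
      repo: docker-push.acn.fr/openspp/openspp
      tags: pr-${CI_COMMIT_SHA:0:8}
      platforms: linux/amd64
      dry_run: true
    when:
      event: pull_request

  # Branch builds: multi-arch build and push tagged with the short commit SHA.
  # Requires the plugin image in WOODPECKER_PLUGINS_PRIVILEGED on the server.
  build-docker-ubuntu:
    image: woodpeckerci/plugin-docker-buildx
    settings:
      dockerfile: Dockerfile.ubuntu
      registry: docker-push.acn.fr
      repo: docker-push.acn.fr/openspp/openspp
      tags: ${CI_COMMIT_SHA:0:8}
      platforms: linux/amd64,linux/arm64
      username:
        from_secret: nexus_username
      password:
        from_secret: nexus_password
    when:
      event: push

  # Alternative when privileged plugins are not allowed: plain `docker build`
  # against the agent's daemon via the mounted socket. Native architecture
  # only, no BuildKit cache settings. Mounting the socket requires the repo to
  # be marked "trusted" in Woodpecker and hands the step full control of the
  # agent host, so it is not safer than the plugin, only different.
  # Commented out, as the page describes; enable it in place of the step above.
  # build-docker-ubuntu-alt:
  #   image: docker:27-cli
  #   volumes:
  #     - /var/run/docker.sock:/var/run/docker.sock
  #   environment:
  #     NEXUS_USERNAME:
  #       from_secret: nexus_username
  #     NEXUS_PASSWORD:
  #       from_secret: nexus_password
  #   commands:
  #     - echo "$NEXUS_PASSWORD" | docker login docker-push.acn.fr -u "$NEXUS_USERNAME" --password-stdin
  #     - docker build -f Dockerfile.ubuntu -t docker-push.acn.fr/openspp/openspp:${CI_COMMIT_SHA:0:8} .
  #     - docker push docker-push.acn.fr/openspp/openspp:${CI_COMMIT_SHA:0:8}
  #   when:
  #     event: push

  # Releases (git tags only): push the release tag and "latest".
  push-to-production:
    image: woodpeckerci/plugin-docker-buildx
    settings:
      dockerfile: Dockerfile.ubuntu
      registry: docker-push.acn.fr
      repo: docker-push.acn.fr/openspp/openspp
      tags: ["${CI_COMMIT_TAG}", latest]
      platforms: linux/amd64,linux/arm64
      username:
        from_secret: nexus_username
      password:
        from_secret: nexus_password
    when:
      event: tag
```

The pull-request step deliberately omits `username`/`password` and sets `dry_run: true`: with the secrets also restricted to non-PR events on the Woodpecker side, a pull request can neither push an image nor read the Nexus credentials. It still runs the privileged plugin on the agent, so restrict which pull requests are allowed to run pipelines in the repository settings if the repository accepts contributions from untrusted forks.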