Open atorrembo opened 1 year ago
lusu007
commented
1 year ago I encountered the same problem when I set up Harbor as a proxy for DockerHub to overcome DockerHub's strict rate limiting. However, upon changing the base image to the proxy registry, I encountered this issue. π«€
lusu007
commented
1 year ago Is there any update regarding this issue? DockerHub's rate limiting is causing significant disruptions to my pipeline, effectively halving its efficiency. I'm eagerly hoping for a resolution to this problem, as it would enable me to overcome the rate limit restrictions and restore my pipeline's full functionality.
algo7
commented
1 year ago Any news on this?
lusu007
commented
1 year ago Hey, this still makes our proxy cache unusable. I would be happy to provide more information if needed and I would appreciate if someone could take a look at this.
zijiwork
commented
8 months ago What progress has been made?
RufusJWB
commented
8 months ago It would be great if you could provide a fix or a recommended work-around. This problem will probably appear more often in the next months, since Visual Studio is now creating multistage build files for container deployment of ASP.net applications: https://learn.microsoft.com/en-us/visualstudio/containers/container-build?view=vs-2022#multistage-build . I hope my reproducible problem description in #2944 will help you fixing this issue.
atorrembo
commented
8 months ago Have you tried using runner version 1.7.0?
lusu007
commented
8 months ago Have you tried using runner version 1.7.0?
Using an old outdated version isn't an optimal solution. π
atorrembo
commented
8 months ago Nope, just for investigation/debuggin purposes
RufusJWB
commented
8 months ago Have you tried using runner version 1.7.0?
I just did. This is the docker file I use:
FROM gcr.io/kaniko-project/executor:v1.7.0-debug
WORKDIR /buildDir/SRC
COPY . .
WORKDIR "PROXY Protocol Tester"
CMD ["--verbosity=debug", "--ignore-path=/buildDir", "--context=/buildDir", "--single-snapshot", "--cache=false", "--dockerfile=/buildDir/SRC/PROXY Protocol Tester/Dockerfile", "--no-push"]
But it is also failing: https://gist.github.com/RufusJWB/1e9b46657faea8c4ea31574fcc120c44
DeanHnter
commented
7 months ago Still having this exact issue with current version
RufusJWB
commented
7 months ago Still having this exact issue with current version
Have a look into my repro: https://github.com/GoogleContainerTools/kaniko/issues/2944 I was able to fix it.
lusu007
commented
7 months ago Still having this exact issue with current version
Have a look into my repro: #2944 I was able to fix it.
I just tried your suggested fix, but it's not working for me. In my opinion #2944 and this issue aren't even related because we are having authentication issues and you are not. π
Even with your fixes implemented I still get the following error:
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "redacted.com/redacted/redacted": POST https://redacted.com/v2/redacted/redacted/blobs/uploads/: UNAUTHORIZED: unauthorized to access repository: redacted/redacted, action: push: unauthorized to access repository: redacted/redacted, action: pushAfter further debugging, I found that the problem arises when the --no-push flag is utilized. However, when the --no-push flag isn't set, but a --destination is specified, the error disappears and authentication proceeds successfully.
I believe the no-push flag should not influence the authentication when pulling base images.
meyfa
commented
2 months ago With --no-push set, this code is never called:
Behind the scenes, that function performs authentication against the registry. As such, unless we are pushing, auth is never performed.
We would need an additional function, e.g., checkRemotePullPermissions, that runs in case --no-push is set. This would allow us to use remote images as the base image even without pushing.
atorrembo
commented
2 months ago damn...
setting env var DOCKER_CONFIG=/root/.docker did the trick (running on gitlab kubernetes executor]
Actual behavior Trying to run a pipeline in GitLab Runner using Kubernetes executor with a private repository that has a Multistage Dockerfile using a FROM image from another private repository in the same gitlab project/group (Same access credentials)
Context: /PRIVATE_GROUP-1/PRIVATE_PROJECT1
Script in the build stage: /kaniko/executor --context "${CI_PROJECT_DIR}" --dockerfile "${CI_PROJECT_DIR}/Dockerfile" --target "prod" --no-push
Returns:
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "registry.gitlab.com/privategroupname/privateregistryname/image:version": creating push check transport for registry.gitlab.com failed: GET https://gitlab.com/jwt/auth?scope=PRIVATE_REGISTRY:push,pull&service=container_registry: DENIED: access forbidden
Using --no-push parameter I got another clue
INFO[0000] Retrieving image registry.gitlab.com/privateregistry/image:1.0 from registry registry.gitlab.com error building image: GET https://gitlab.com/jwt/auth?scope=PRIVATE_REGISTRY:pull&service=container_registry: UNAUTHORIZED: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://gitlab.com/help/user/profile/account/two_factor_authentication#troubleshooting
So after trying everything I've found in the internet I started downgrading versions from v1.11.0 until in v1.7.0 the job starts to work as expected.
Expected behavior Image built and pushed to a private repository
To Reproduce Steps to reproduce the behavior:
Additional Information
Part of my runners config:
[[runners.kubernetes.volumes.secret]]
And the secret:
This is only additonal info, this configuration works with "docker pull" and with kaniko < 1.7
A "docker pull" command added for testing in the same job works OK
Triage Notes for the Maintainers
--cacheflag