search

GoogleContainerTools / kaniko

Build Container Images In Kubernetes
Apache License 2.0
14.82k stars 1.44k forks source link

Error pushing image to OpenShift Container Registry #623

Open alezzandro opened 5 years ago

alezzandro commented 5 years ago

Actual behavior It seems that kaniko is trying to use the latest metadata "FROM registry.fedoraproject.org/fedora-minimal" in the Dockerfile:

error pushing image: failed to push to destination docker-registry-default.apps.minishift.inmyopenshift.cloud/quarkus-knative/quarkus-knative:latest: no token in bearer response:
{"details":"repository name \"fedora-minimal\" invalid: it must be of the format \u003cproject\u003e/\u003cname\u003e"}

To Reproduce I'm testing quarkus project with Knative in OpenShift (Kubernetes) with following Dockerfile. https://github.com/quarkusio/quarkus-quickstarts/tree/master/getting-started-knative

FROM gcr.io/cloud-builders/mvn as builder
COPY . /project
WORKDIR /project
RUN mvn -Duser.home=/builder/home -B install

FROM swd847/centos-graal-native-image-rc12 as nativebuilder
COPY --from=builder /project/target /project/
WORKDIR /project
RUN  /opt/graalvm/bin/native-image -J-Djava.util.logging.manager=org.jboss.logmanager.LogManager \
     -J-Dcom.sun.xml.internal.bind.v2.bytecode.ClassTailor.noOptimize=true \
     -H:InitialCollectionPolicy='com.oracle.svm.core.genscavenge.CollectionPolicy$BySpaceAndTime' \
     -jar quarkus-quickstart-knative-runner.jar -J-Djava.util.concurrent.ForkJoinPool.common.parallelism=1 \
     -H:+PrintAnalysisCallTree -H:EnableURLProtocols=http \
     -H:-SpawnIsolates -H:-JNI --no-server -H:-UseServiceLoaderFeature -H:+StackTrace \
     && cp  -v quarkus-quickstart-knative-runner /tmp/quarkus-knative-runner

FROM  registry.fedoraproject.org/fedora-minimal
RUN mkdir -p /work
COPY --from=nativebuilder /tmp/quarkus-knative-runner /work/application
RUN chmod -R 775 /work
EXPOSE 8080
WORKDIR /work/
ENTRYPOINT ["./application","-Dquarkus.http.host=0.0.0.0"]

Kaniko image used (current latest):

# docker inspect 025ab64f8cc8
[
    {
        "Id": "sha256:025ab64f8cc830417dc6d85b1f2cbdff9030d1ba1bd781a44f3191f53450214b",
        "RepoTags": [
            "gcr.io/kaniko-project/executor:latest"
        ],
        "RepoDigests": [
            "gcr.io/kaniko-project/executor@sha256:d9fe474f80b73808dc12b54f45f5fc90f7856d9fc699d4a5e79d968a1aef1a72"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2019-02-08T22:46:03.455249332Z",

Pod info:

  build-step-docker-push:
    Container ID:  docker://6ee98816c9fd2d5642893aa0dc0d8452c65175b09f99ca774aa45d473967dc58
    Image:         gcr.io/kaniko-project/executor
    Image ID:      docker-pullable://gcr.io/kaniko-project/executor@sha256:d9fe474f80b73808dc12b54f45f5fc90f7856d9fc699d4a5e79d968a1aef1a72
    Port:          <none>
    Host Port:     <none>
    Args:
      --context=/workspace/getting-started-knative
      --dockerfile=/workspace/getting-started-knative/Dockerfile
      --destination=docker-registry-default.apps.minishift.inmyopenshift.cloud/quarkus-knative/quarkus-knative
      --skip-tls-verify
    State:          Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Sat, 23 Mar 2019 15:51:59 +0100
      Finished:     Sat, 23 Mar 2019 16:04:57 +0100
    Ready:          False
    Restart Count:  0
    Environment:
      HOME:           /builder/home
      DOCKER_CONFIG:  /builder/home/.docker
    Mounts:
      /builder/home from home (rw)
      /builder/home/.m2 from m2-cache (rw)
      /cache from kaniko-cache (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from build-bot-token-d4mk7 (ro)
      /workspace from workspace (rw)
cmoulliard commented 5 years ago

I think that you missed to mount the secret created for the service account within the pod running kaniko. So this file /builder/home/.docker/docker.json is probably not mounted with the credentials to access the docker registry.

cmoulliard commented 5 years ago

I'm also experimenting the same issue even if the ENV VAR - DOCKER_CONFIG is set correctly and pointto the file/builder/home/.docker/config.json` which is well there

{"auths":{"172.30.4.187:5000":{"username":"serviceaccount","password":"eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ0ZXN0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImJ1aWxkLWJvdC10b2tlbi1zNHgycyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJidWlsZC1ib3QiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ZDY4YjNlZi1kNjFjLTExZTktYmJkOS0xMDdiNDRiMDM1NDAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6dGVzdDpidWlsZC1ib3QifQ.usmzIiQGht96VcI9Ut6tTejw40imn0htKWymU4qbSW6tgga0R1k9XV41r-C8YMawHC37UKUOgO500IMB5WHTMyPoBJ7QzpDR2T5PCn0_TbzxcziKDI_1F23TmlZfzALcRB1OuzG2NwkpCDTcZ8MvIIRVVPZsEdnT2lDDtKhAvh_t9BA2wGay1SrssGI7dL2e1AGcDpMkgvGrvTCp8qNNmVuDq0nXvDPmgWIyRYrA6m5tnv50dfLM5p6xOObKhdIHXmfHw6V8k4KFqdiSWgY-eA-jscr3kRIgURqpEBNorcCJzgVruwwF66RJ0EVJC0ZsNhWTUzKcopUT3bGT7TdteA","auth":"c2VydmljZWFjY291bnQ6ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSjBaWE4wSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaV055WlhRdWJtRnRaU0k2SW1KMWFXeGtMV0p2ZEMxMGIydGxiaTF6TkhneWN5SXNJbXQxWW1WeWJtVjBaWE11YVc4dmMyVnlkbWxqWldGalkyOTFiblF2YzJWeWRtbGpaUzFoWTJOdmRXNTBMbTVoYldVaU9pSmlkV2xzWkMxaWIzUWlMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzUxYVdRaU9pSTRaRFk0WWpObFppMWtOakZqTFRFeFpUa3RZbUprT1MweE1EZGlORFJpTURNMU5EQWlMQ0p6ZFdJaU9pSnplWE4wWlcwNmMyVnlkbWxqWldGalkyOTFiblE2ZEdWemREcGlkV2xzWkMxaWIzUWlmUS51c216SWlRR2h0OTZWY0k5VXQ2dFRlanc0MGltbjBodEtXeW1VNHFiU1c2dGdnYTBSMWs5WFY0MXItQzhZTWF3SEMzN1VLVU9nTzUwMElNQjVXSFRNeVBvQko3UXpwRFIyVDVQQ24wX1RienhjemlLRElfMUYyM1RtbFpmekFMY1JCMU91ekcyTndrcENEVGNaOE12SUlSVlZQWnNFZG5UMmxERHRLaEF2aF90OUJBMndHYXkxU3Jzc0dJN2RMMmUxQUdjRHBNa2d2R3J2VENwOHFOTm1WdURxMG5YdkRQbWdXSXlSWXJBNm01dG52NTBkZkxNNXA2eE9PYktoZElIWG1mSHc2VjhrNEtGcWRpU1dnWS1lQS1qc2NyM2tSSWdVUnFwRUJOb3JjQ0p6Z1ZydXd3RjY2UkowRVZKQzBac05oV1RVektjb3BVVDNiR1Q3VGR0ZUE=","email":"serviceaccount@example.org"},"docker-registry.default.svc.cluster.local:5000":{"username":"serviceaccount","password":"eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ0ZXN0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImJ1aWxkLWJvdC10b2tlbi1zNHgycyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJidWlsZC1ib3QiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ZDY4YjNlZi1kNjFjLTExZTktYmJkOS0xMDdiNDRiMDM1NDAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6dGVzdDpidWlsZC1ib3QifQ.usmzIiQGht96VcI9Ut6tTejw40imn0htKWymU4qbSW6tgga0R1k9XV41r-C8YMawHC37UKUOgO500IMB5WHTMyPoBJ7QzpDR2T5PCn0_TbzxcziKDI_1F23TmlZfzALcRB1OuzG2NwkpCDTcZ8MvIIRVVPZsEdnT2lDDtKhAvh_t9BA2wGay1SrssGI7dL2e1AGcDpMkgvGrvTCp8qNNmVuDq0nXvDPmgWIyRYrA6m5tnv50dfLM5p6xOObKhdIHXmfHw6V8k4KFqdiSWgY-eA-jscr3kRIgURqpEBNorcCJzgVruwwF66RJ0EVJC0ZsNhWTUzKcopUT3bGT7TdteA","auth":"c2VydmljZWFjY291bnQ6ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSjBaWE4wSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaV055WlhRdWJtRnRaU0k2SW1KMWFXeGtMV0p2ZEMxMGIydGxiaTF6TkhneWN5SXNJbXQxWW1WeWJtVjBaWE11YVc4dmMyVnlkbWxqWldGalkyOTFiblF2YzJWeWRtbGpaUzFoWTJOdmRXNTBMbTVoYldVaU9pSmlkV2xzWkMxaWIzUWlMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzUxYVdRaU9pSTRaRFk0WWpObFppMWtOakZqTFRFeFpUa3RZbUprT1MweE1EZGlORFJpTURNMU5EQWlMQ0p6ZFdJaU9pSnplWE4wWlcwNmMyVnlkbWxqWldGalkyOTFiblE2ZEdWemREcGlkV2xzWkMxaWIzUWlmUS51c216SWlRR2h0OTZWY0k5VXQ2dFRlanc0MGltbjBodEtXeW1VNHFiU1c2dGdnYTBSMWs5WFY0MXItQzhZTWF3SEMzN1VLVU9nTzUwMElNQjVXSFRNeVBvQko3UXpwRFIyVDVQQ24wX1RienhjemlLRElfMUYyM1RtbFpmekFMY1JCMU91ekcyTndrcENEVGNaOE12SUlSVlZQWnNFZG5UMmxERHRLaEF2aF90OUJBMndHYXkxU3Jzc0dJN2RMMmUxQUdjRHBNa2d2R3J2VENwOHFOTm1WdURxMG5YdkRQbWdXSXlSWXJBNm01dG52NTBkZkxNNXA2eE9PYktoZElIWG1mSHc2VjhrNEtGcWRpU1dnWS1lQS1qc2NyM2tSSWdVUnFwRUJOb3JjQ0p6Z1ZydXd3RjY2UkowRVZKQzBac05oV1RVektjb3BVVDNiR1Q3VGR0ZUE=","email":"serviceaccount@example.org"},"docker-registry.default.svc:5000":{"username":"serviceaccount","password":"eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ0ZXN0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImJ1aWxkLWJvdC10b2tlbi1zNHgycyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJidWlsZC1ib3QiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ZDY4YjNlZi1kNjFjLTExZTktYmJkOS0xMDdiNDRiMDM1NDAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6dGVzdDpidWlsZC1ib3QifQ.usmzIiQGht96VcI9Ut6tTejw40imn0htKWymU4qbSW6tgga0R1k9XV41r-C8YMawHC37UKUOgO500IMB5WHTMyPoBJ7QzpDR2T5PCn0_TbzxcziKDI_1F23TmlZfzALcRB1OuzG2NwkpCDTcZ8MvIIRVVPZsEdnT2lDDtKhAvh_t9BA2wGay1SrssGI7dL2e1AGcDpMkgvGrvTCp8qNNmVuDq0nXvDPmgWIyRYrA6m5tnv50dfLM5p6xOObKhdIHXmfHw6V8k4KFqdiSWgY-eA-jscr3kRIgURqpEBNorcCJzgVruwwF66RJ0EVJC0ZsNhWTUzKcopUT3bGT7TdteA","auth":"c2VydmljZWFjY291bnQ6ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSjBaWE4wSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaV055WlhRdWJtRnRaU0k2SW1KMWFXeGtMV0p2ZEMxMGIydGxiaTF6TkhneWN5SXNJbXQxWW1WeWJtVjBaWE11YVc4dmMyVnlkbWxqWldGalkyOTFiblF2YzJWeWRtbGpaUzFoWTJOdmRXNTBMbTVoYldVaU9pSmlkV2xzWkMxaWIzUWlMQ0pyZFdKbGNtNWxkR1Z6TG1sdkwzTmxjblpwWTJWaFkyTnZkVzUwTDNObGNuWnBZMlV0WVdOamIzVnVkQzUxYVdRaU9pSTRaRFk0WWpObFppMWtOakZqTFRFeFpUa3RZbUprT1MweE1EZGlORFJpTURNMU5EQWlMQ0p6ZFdJaU9pSnplWE4wWlcwNmMyVnlkbWxqWldGalkyOTFiblE2ZEdWemREcGlkV2xzWkMxaWIzUWlmUS51c216SWlRR2h0OTZWY0k5VXQ2dFRlanc0MGltbjBodEtXeW1VNHFiU1c2dGdnYTBSMWs5WFY0MXItQzhZTWF3SEMzN1VLVU9nTzUwMElNQjVXSFRNeVBvQko3UXpwRFIyVDVQQ24wX1RienhjemlLRElfMUYyM1RtbFpmekFMY1JCMU91ekcyTndrcENEVGNaOE12SUlSVlZQWnNFZG5UMmxERHRLaEF2aF90OUJBMndHYXkxU3Jzc0dJN2RMMmUxQUdjRHBNa2d2R3J2VENwOHFOTm1WdURxMG5YdkRQbWdXSXlSWXJBNm01dG52NTBkZkxNNXA2eE9PYktoZElIWG1mSHc2VjhrNEtGcWRpU1dnWS1lQS1qc2NyM2tSSWdVUnFwRUJOb3JjQ0p6Z1ZydXd3RjY2UkowRVZKQzBac05oV1RVektjb3BVVDNiR1Q3VGR0ZUE=","email":"serviceaccount@example.org"}}}%

But kaniko - gcr.io/kaniko-project/executor:v0.9.0, when it will try to push the image is complaining

2019/09/13 11:51:53 Unable to read "/home/builder/.docker/config.json": open /home/builder/.docker/config.json: no such file or directory

This message is returned from this code : https://github.com/GoogleContainerTools/kaniko/blob/80421f2a73d49057ab0aea8170afbf867475855c/vendor/github.com/google/go-containerregistry/pkg/authn/keychain.go#L106-L111 So it seems that when kaniko container runs, then it can't find the file /home/builder/.docker/config.json

Here is the snippet part of the pod created by tekton

   - args:
        - '-wait_file'
        - /builder/tools/2
        - '-post_file'
        - /builder/tools/3
        - '-entrypoint'
        - /kaniko/executor
        - '--'
        - '--dockerfile=./Dockerfile'
        - '--skip-tls-verify'
        - '--context=/workspace/source/./'
        - '--destination=docker-registry.default.svc:5000/test/sb-kaniko-image'
      command:
        - /builder/tools/entrypoint
      env:
        - name: HOME
          value: /builder/home
        - name: DOCKER_CONFIG
          value: /home/builder/.docker
      image: 'gcr.io/kaniko-project/executor:v0.9.0'
      imagePullPolicy: IfNotPresent
      name: step-build-and-push
      resources:
        requests:
          cpu: '0'
          ephemeral-storage: '0'
          memory: '0'
      securityContext:
        capabilities:
          drop:
            - MKNOD
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
        - mountPath: /builder/tools
          name: tools
        - mountPath: /workspace
          name: workspace
        - mountPath: /builder/home
          name: home
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: build-bot-token-trx47
          readOnly: true
      workingDir: /workspace/source
  volumes:
    - emptyDir: {}
      name: home