search

bazel-contrib / rules_oci

Bazel rules for building OCI containers
Apache License 2.0
305 stars 159 forks source link

oci_pull fails with public nvcr images #737

Open gfrankliu opened 5 days ago

gfrankliu commented 5 days ago

Some of the nvcr images are publicly available. eg, below docker pull works fine:

rm $HOME/.docker/config.json
docker pull nvcr.io/nvidia/tensorrt:24.02-py3

Now if you use oci_pull from rules_oci v2, it will fail, eg:

    oci_pull(
        name = "nvidia_test",
        tag = "24.02-py3",
        registry = "nvcr.io",
        repository = "nvidia/tensorrt",
    )

I get error:

...
  /home/gfrankliu/.cache/bazel/_bazel_gfrankliu/b71142cf8050563176d73cc4d125110e/external/rules_oci/oci/pull.bzl:251:14: in oci_pull
Repository rule oci_alias defined at:
  /home/gfrankliu/.cache/bazel/_bazel_gfrankliu/b71142cf8050563176d73cc4d125110e/external/rules_oci/oci/private/pull.bzl:417:28: in <toplevel>
WARNING: Download from https://nvcr.io/v2/nvidia/tensorrt/manifests/24.02-py3 failed: class java.io.FileNotFoundException GET returned 404 Not Found
...

Switching to oci_pull from rules_oci v1 works with curl fallback.

thesayyn commented 5 days ago

You need to use a credential helper for this to work by the looks of it. https://github.com/bazel-contrib/rules_oci/blob/eebda6568c91a1c437764ed665a7929aa04f294f/oci/private/authn.bzl#L55

thesayyn commented 5 days ago

Cross-ref: https://github.com/bazel-contrib/rules_oci/issues/126

gfrankliu commented 5 days ago

The error I saw (as posted in the log above) was 404, not 401.

not everything on nvcr.io requires auth, just like docker.io. I can pull public images from docker.io just fine, without auth.

rm $HOME/.docker/config.json
docker pull envoyproxy/envoy:v1.29.6

oci_pull also works fine:

    oci_pull(
        name = "envoy_test",
        tag = "v1.29.6",
        registry = "index.docker.io",
        repository = "envoyproxy/envoy",
        platforms = ["linux/amd64"],
    )