Open metgrahamr opened 2 months ago
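Hi @metgrahamr! This seems like a tricky one. Thanks a lot for experimenting with `--no-capture-output`, that's pretty interesting.
I think we'll need to drill down quite a bit more before we can isolate the cause of this issue.
1. Could you clarify exactly what you mean by "within a docker container"? Is this from a `bash` prompt following a `docker run` command, or is this occurring in a `Dockerfile` via `docker build`?
2. How are you creating the environment variables with the credentials? Are they coming from the `-e` argument to `docker run`?
3. How exactly are you referencing the environment variables within your original environment definition? And how are those environment variables being translated within your lockfile? There is some quirkiness where sometimes you must use `${ENV_VAR}` instead of `$ENV_VAR` when referencing the environment variables.

It would help a lot with the diagnosis if you could share relevant snippets (or better the whole thing minus personally identifiable info if not confidential) from your original environment definition, the generated lockfile, and the particular `docker` commands you're executing. Thanks!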
> 1. Could you clarify exactly what you mean by "within a docker container"? Is this from a `bash` prompt following a `docker run` command, or is this occurring in a `Dockerfile` via `docker build`?

I initially tried this in a Dockerfile as I want to use conda-lock to install all the dependencies for an AWS Lambda function. However, when it didn't work I also fired up a container with docker run and tried replicating what I was doing in the Dockerfile but got the same results.

> 2. How are you creating the environment variables with the credentials? Are they coming from the `-e` argument to `docker run`?

For the Dockerfile I used ARG and supplied the CodeArtifact token as a build argument. When using docker run I created an environment variable once inside the container. I checked that it was available in the environment, e.g. `echo $CODEARTIFACT_AUTH_TOKEN` and even tried `CODEARTIFACT_AUTH_TOKEN=$(echo $CODEARTIFACT_AUTH_TOKEN) conda-lock install ...`. When I tried running the requirements file directly I was prompted for the user and password and this worked (although obviously not via the environment variable).

> 3. How exactly are you referencing the environment variables within your original environment definition? And how are those environment variables being translated within your lockfile? There is some quirkiness where sometimes you must use `${ENV_VAR}` instead of `$ENV_VAR` when referencing the environment variables.
```dockerfile
ARG FUNCTION_DIR="/opt/gauge/"
ARG GENERATOR="gauge"
FROM continuumio/miniconda3:latest as BUILDER
ARG FUNCTION_DIR
ARG GENERATOR
ARG CODEARTIFACT_AUTH_TOKEN
RUN pip install conda-lock
COPY conda-lock.yml /locks/conda-lock.yml
RUN CODEARTIFACT_AUTH_TOKEN=${CODEARTIFACT_AUTH_TOKEN} conda-lock install -p ${FUNCTION_DIR} /locks/conda-lock.yml
```
I then pass the credentials in like this:
```bash
docker build . -t gauge_lock --build-arg CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain sample --domain-owner 111222333444 --region us-west-2 --query authorizationToken --output text`
```
The env file looks like this:
```yaml
name: gauge
channels:
  - conda-forge
pip-repositories:
  - https://aws:$CODEARTIFACT_AUTH_TOKEN@sample-111222333444.d.codeartifact.us-west-2.amazonaws.com/pypi/repo/simple/
dependencies:
  - python=3.9
  - pyyaml
  - pip
  - pip:
    - aws-lambda-powertools
    - awslambdaric
    - fr-helpers # a private package in the CodeArtifact repo
platforms:
  - linux-64
```
Thanks for looking into this (and the project as a whole) it's much appreciated.
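A check that can be run inside the container to see whether the `$CODEARTIFACT_AUTH_TOKEN` reference in the `pip-repositories` URL resolves from the environment, without printing the token. This is an added example, not part of the thread and not conda-lock's code; `check_repo_url` is a hypothetical helper and does not reproduce how conda-lock itself expands variables.

```python
import os
import re
from urllib.parse import urlsplit

# Matches both reference styles mentioned in the thread: $NAME and ${NAME}.
_VAR_REF = re.compile(r"\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))")


def check_repo_url(template, env=None):
    """Expand $VAR / ${VAR} in a repository URL and list anything that would
    stop the credential from reaching pip. Returns (redacted_url, problems)."""
    env = os.environ if env is None else env
    problems = []

    def substitute(match):
        name = match.group(1) or match.group(2)
        value = env.get(name)
        if value is None:
            problems.append(f"{name} is not set")
            return match.group(0)  # leave the reference visible
        if value == "":
            problems.append(f"{name} is set but empty")
        elif re.search(r"[/@?#\s]", value):
            problems.append(f"{name} contains characters that break a URL")
        return value

    expanded = _VAR_REF.sub(substitute, template)
    parts = urlsplit(expanded)
    if not parts.password:
        problems.append("URL has no password after expansion")
    # Rebuild the URL with the password masked so it is safe to log.
    redacted = f"{parts.scheme}://{parts.username or ''}:***@{parts.hostname or ''}{parts.path}"
    return redacted, problems


if __name__ == "__main__":
    # Constructed template, copied from the environment file shown above.
    url = ("https://aws:$CODEARTIFACT_AUTH_TOKEN@sample-111222333444"
           ".d.codeartifact.us-west-2.amazonaws.com/pypi/repo/simple/")
    redacted, problems = check_repo_url(url)
    print(redacted)
    for problem in problems:
        print("problem:", problem)
```

Running it in the same `RUN` step or shell that calls `conda-lock install` shows what that process actually sees; an empty problem list means the variable is present and usable there.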
Hey @metgrahamr, thanks a lot for bearing with my questions. This seems pretty challenging to debug, and unfortunately I wasn't able to get to it over the weekend. Just wanted you to know that I haven't forgotten. Please feel free to ping me again later or continue debugging yourself.
@maresb Thanks for the update and for keeping this under consideration.
Checklist
What happened?
I created a lock file using a mix of conda-forge packages and private pip packages in an AWS CodeArtifact repo in a similar way to here but as I am using conda-lock version 2.5.6 I don't have the issue with the value of the CodeArtifact password being passed through. With the CodeArtifact password set as an environment variable, I can successfully use this lock file to create a new conda environment. However, if I try to do this from within a docker container then I get the following error
I wondered whether the error was anything to do with this and tried adding `--no-capture-output` to the conda run command that gets called. This just caused the install to hang at the first package install. Running the pip install command manually with the requirements file in the /tmp directory prompted for a user and then password. If I entered `aws` and the CodeArtifact password at each prompt then pip was able to install each package.
It looks like when running inside a docker container the install command is not getting the password from the environment and is trying to prompt for the information. How do I get this lock file to work inside a docker container in the same way that it works outside?
Conda Info
Conda Config
No response
Conda list
No response
Additional Context
I am using the `continuumio/miniconda3:latest` docker image and install conda-lock into the base environment using pip.