containerd / nerdctl

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...
Apache License 2.0

Cannot pull image from private repository after successful login #920

Open catalinbahrin opened 2 years ago

catalinbahrin commented 2 years ago

Description

I am able to pull an image from a private repository when I do `lima nerdctl pull REPOSITORY\IMAGE`. However, when I try to build with `lima nerdctl compose up --build` a Dockerfile that uses the same image from a private repository, I get an error.

Steps to reproduce the issue

  1. lima nerdctl login
  2. lima nerdctl compose up --build

Describe the results you received and expected

```
 => [internal] load build definition from Dockerfile                      0.0s
 => => transferring dockerfile: 1.51kB                                    0.0s
 => [internal] load .dockerignore                                         0.1s
 => => transferring context: 166B                                         0.1s
 => ERROR [internal] load metadata for docker.io/REPOSITORY/image:tag:    2.8s

[internal] load metadata for docker.io/REPOSITORY/image:tag:

Dockerfile:1
   1 | >>> FROM REPOSITORY/image:tag
   2 |
   3 |     # general environment settings

error: failed to solve: REPOSITORY/image:tag: pull access denied, repository does not exist or may require authorization: authorization status: 401: authorization failed
FATA[0003] unrecognized image format
FATA[0003] error while building image some_name: exit status 1
```

What version of nerdctl are you using?

```
Client:
 Version:    v0.17.1
 Git commit: 20233c26d26f11ca73a9a775fba87ca884ab14d2

Server:
 containerd:
  Version:   v1.6.1
  GitCommit: 10f428dac7cec44c864e1b830a4623af27a9fc70
```

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

Lima

Host information

```
Client:
 Namespace:  default
 Debug Mode: false

Server:
 Server Version: v1.6.1
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Log: json-file
  Storage: native overlayfs fuse-overlayfs stargz
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
  rootless
 Kernel Version: 5.13.0-35-generic
 Operating System: Ubuntu 21.10
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 3.827GiB
 Name: lima-default
 ID: 71cbe510-fc1b-4029-ac4a-c456e41560ff

WARNING: AppArmor profile "nerdctl-default" is not loaded.
         Use 'sudo nerdctl apparmor load' if you prefer to use AppArmor with rootless mode.
         This warning is negligible if you do not intend to use AppArmor.
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
```

AkihiroSuda commented 2 years ago

Cc @ktock

wonderfuwillard commented 2 years ago

Same problem when using the local image as the base image in dockerfile

apostasie commented 3 months ago

Cannot reproduce:

Running a registry on localhost using basic authentication.

compose.yaml:

```
services:
  backend:
    image: foobar
    build:
      context: .
      dockerfile: Dockerfile.debug
```

Dockerfile.debug:

```
FROM localhost:5000/busybox

RUN echo lol
```

```
nerdctl login --username foo --password bar localhost:5000
nerdctl pull busybox
nerdctl tag busybox localhost:5000/busybox
nerdctl push localhost:5000/busybox
nerdctl rmi localhost:5000/busybox
nerdctl compose up --build
```

Confirming that buildkit does send authenticated requests to the registry (logs):

```
time="2024-07-30T05:16:57.302729994Z" level=info msg="authorized request" go.version=go1.11.2 http.request.host="localhost:5000" http.request.id=3f6f7ee1-225d-4b2b-8ccb-7362a280a62a http.request.method=HEAD http.request.remoteaddr="10.4.0.1:38830" http.request.uri="/v2/busybox/manifests/latest" http.request.useragent="buildkit/v0.12" vars.name=busybox vars.reference=latest
10.4.0.1 - - [30/Jul/2024:05:16:57 +0000] "HEAD /v2/busybox/manifests/latest HTTP/1.1" 200 755 "" "buildkit/v0.12"
time="2024-07-30T05:16:57.303098829Z" level=info msg="response completed" go.version=go1.11.2 http.request.host="localhost:5000" http.request.id=3f6f7ee1-225d-4b2b-8ccb-7362a280a62a http.request.method=HEAD http.request.remoteaddr="10.4.0.1:38830" http.request.uri="/v2/busybox/manifests/latest" http.request.useragent="buildkit/v0.12" http.response.contenttype="application/vnd.oci.image.index.v1+json" http.response.duration=91.910289ms http.response.status=200 http.response.written=755
```

I also tried with a private repository on Docker Hub and it worked as well.

@wonderfuwillard @catalinbahrin: can you provide an example demonstrating how to reproduce this?

Also, can you provide the versions of buildctl and buildkit you are using, and how you installed and configured them?
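To repeat the registry-log check from the comment above on your own setup, the following added example (not part of the original thread, and not nerdctl or registry project code) pairs each `http.request.id` with its "authorized request" entry and final status, then lists requests that ended in 401 without being authorized. The sample lines are constructed in the format of the excerpt above; treating `http.response.status=401` on the completion line as the denial signal is an assumption about the registry's log output.

```python
import re

# Constructed sample in the key=value format of the registry log above
# (request ids, the second repository and the 401 entry are made up).
SAMPLE_LOG = '''\
time="2024-07-30T05:16:57.30Z" level=info msg="authorized request" http.request.id=aaa1 http.request.method=HEAD http.request.uri="/v2/busybox/manifests/latest" http.request.useragent="buildkit/v0.12"
time="2024-07-30T05:16:57.31Z" level=info msg="response completed" http.request.id=aaa1 http.request.method=HEAD http.request.uri="/v2/busybox/manifests/latest" http.request.useragent="buildkit/v0.12" http.response.status=200
time="2024-07-30T05:17:02.10Z" level=info msg="response completed" http.request.id=bbb2 http.request.method=HEAD http.request.uri="/v2/private/manifests/tag" http.request.useragent="buildkit/v0.12" http.response.status=401
10.4.0.1 - - [30/Jul/2024:05:16:57 +0000] "HEAD /v2/busybox/manifests/latest HTTP/1.1" 200 755 "" "buildkit/v0.12"
'''

# key=value or key="quoted value"; keys may contain dots.
PAIR = re.compile(r'([\w.]+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_line(line):
    """Return the fields of one key=value line, or {} for other formats."""
    if not line.startswith("time="):
        return {}  # e.g. the combined-format access line, which has no request id
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}


def summarize(log_text):
    """Group log entries by http.request.id into one record per request."""
    requests = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        rid = fields.get("http.request.id")
        if not rid:
            continue
        req = requests.setdefault(rid, {
            "agent": fields.get("http.request.useragent", "?"),
            "uri": fields.get("http.request.uri", "?"),
            "authorized": False, "status": None})
        if fields.get("msg") == "authorized request":
            req["authorized"] = True
        if "http.response.status" in fields:  # assumed present on completion lines
            req["status"] = int(fields["http.response.status"])
    return requests


def denied(requests):
    """Requests that ended in 401 and were never logged as authorized."""
    return sorted((r["agent"], r["uri"]) for r in requests.values()
                  if r["status"] == 401 and not r["authorized"])


if __name__ == "__main__":
    for agent, uri in denied(summarize(SAMPLE_LOG)):
        print(f"401 without authorization: {agent} {uri}")
```

A `buildkit/...` user agent in the output while `nerdctl pull` of the same image succeeds points at the build path not presenting the stored credentials, which is the behaviour the original report describes.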