firecow / gitlab-ci-local

Tired of pushing to test your .gitlab-ci.yml?
MIT License

dependency proxy not supported #1358

Open rgalonso opened 1 day ago

rgalonso commented 1 day ago

This is really two issues in one. They're submitted together because I believe the solution to one probably enables the solution to the other.

A) None of the Dependency Proxy predefined variables are defined. These variables, along with what I think are reasonable default values, are shown below.

| Variable | Default Value (Proposed) |
| --- | --- |
| `CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX` | `${CI_SERVER_HOST}:${CI_SERVER_PORT}/${CI_PROJECT_ROOT_NAMESPACE}/dependency_proxy/containers` |
| `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX` | `${CI_SERVER_HOST}:${CI_SERVER_PORT}/${CI_PROJECT_NAMESPACE}/dependency_proxy/containers` |
| `CI_DEPENDENCY_PROXY_SERVER` | `${CI_SERVER_HOST}:${CI_SERVER_PORT}` |
| `CI_DEPENDENCY_PROXY_USER` | `${GITLAB_USER_LOGIN}` |
| `CI_DEPENDENCY_PROXY_PASSWORD` | `${CI_JOB_TOKEN}` |

(Note that CI_PROJECT_ROOT_NAMESPACE is also not currently defined, so the proposed default value for CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX would be invalid until that is resolved. See #1357.)

B) A related issue is that if an image from the Dependency Proxy is listed as the image for a CI job, then that job fails if the user has not already logged into $CI_DEPENDENCY_PROXY_SERVER. It's debatable whether a user should really need to take that action, given that if all of the variables above are defined, then the login can happen automatically, as shown below and documented here.

```shell
echo "$CI_DEPENDENCY_PROXY_PASSWORD" | docker login $CI_DEPENDENCY_PROXY_SERVER -u $CI_DEPENDENCY_PROXY_USER --password-stdin
```

Minimal .gitlab-ci.yml illustrating the issue

```yaml
---
build-and-run-fortune:
  image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/docker
  script:
    # login to dependency proxy
    - echo "$CI_DEPENDENCY_PROXY_PASSWORD" | docker login $CI_DEPENDENCY_PROXY_SERVER -u $CI_DEPENDENCY_PROXY_USER --password-stdin
    # build image
    - docker build --pull --build-arg BASE_IMAGE=${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/ubuntu -t fortune .
    # run it
    - docker run --rm fortune
```

Corresponding Dockerfile:

```dockerfile
ARG BASE_IMAGE
FROM $BASE_IMAGE

RUN apt-get update -y && apt-get install -y fortune
CMD /usr/games/fortune
```

Expected behavior

  1. Job begins to execute (issue B above)
  2. Job is able to reference variables in order to complete successfully (issue A above)

Expected output

```
parsing and downloads finished in 49 ms.
json schema validated in 225 ms
build-and-run-fortune starting MASKED_SERVER_NAME_AND_ROOT_NAMESPACE/dependency_proxy/containers/docker (test)
build-and-run-fortune copied to docker volumes in 876 ms
build-and-run-fortune pulled MASKED_SERVER_NAME_AND_ROOT_NAMESPACE/dependency_proxy/containers/docker in 8.23 s
build-and-run-fortune $ echo "$CI_DEPENDENCY_PROXY_PASSWORD" | docker login $CI_DEPENDENCY_PROXY_SERVER -u $CI_DEPENDENCY_PROXY_USER --password-stdin
build-and-run-fortune > WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
build-and-run-fortune > Configure a credential helper to remove this warning. See
build-and-run-fortune > https://docs.docker.com/engine/reference/commandline/login/#credential-stores
build-and-run-fortune >
build-and-run-fortune > Login Succeeded
build-and-run-fortune $ docker build --pull --build-arg BASE_IMAGE=${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/ubuntu -t fortune .
build-and-run-fortune > #0 building with "default" instance using docker driver
build-and-run-fortune >
build-and-run-fortune > #1 [internal] load build definition from Dockerfile
build-and-run-fortune > #1 transferring dockerfile: 150B done
build-and-run-fortune > #1 DONE 0.1s
build-and-run-fortune >
build-and-run-fortune > #2 [auth] MASKED_ROOT_NAMESPACE/MASKED_NAMESPACE/dependency_proxy/containers/ubuntu:pull token for MASKED_SERVER_NAME
build-and-run-fortune > #2 DONE 0.0s
build-and-run-fortune >
build-and-run-fortune > #3 [internal] load metadata for MASKED_SERVER_NAME_AND_NAMESPACE/dependency_proxy/containers/ubuntu:latest
build-and-run-fortune > #3 DONE 1.2s
build-and-run-fortune >
build-and-run-fortune > #4 [internal] load .dockerignore
build-and-run-fortune > #4 transferring context: 2B done
build-and-run-fortune > #4 DONE 0.0s
build-and-run-fortune >
build-and-run-fortune > #5 [1/2] FROM MASKED_SERVER_NAME_AND_NAMESPACE/dependency_proxy/containers/ubuntu:latest@sha256:b359f1067efa76f37863778f7b6d0e8d911e3ee8efa807ad01fbf5dc1ef9006b
build-and-run-fortune > #5 resolve MASKED_SERVER_NAME_AND_NAMESPACE/dependency_proxy/containers/ubuntu:latest@sha256:b359f1067efa76f37863778f7b6d0e8d911e3ee8efa807ad01fbf5dc1ef9006b 0.0s done
build-and-run-fortune > #5 sha256:b359f1067efa76f37863778f7b6d0e8d911e3ee8efa807ad01fbf5dc1ef9006b 1.34kB / 1.34kB done
build-and-run-fortune > #5 sha256:74f92a6b3589aa5cac6028719aaac83de4037bad4371ae79ba362834389035aa 424B / 424B done
build-and-run-fortune > #5 sha256:61b2756d6fa9d6242fafd5b29f674404779be561db2d0bd932aa3640ae67b9e1 2.30kB / 2.30kB done
build-and-run-fortune > #5 sha256:eda6120e237e0bdd328bc3e0f610854590400d4f96d9678dfcf781edb2f541d0 0B / 29.75MB 0.1s
build-and-run-fortune > #5 sha256:eda6120e237e0bdd328bc3e0f610854590400d4f96d9678dfcf781edb2f541d0 3.15MB / 29.75MB 0.3s
build-and-run-fortune > #5 sha256:eda6120e237e0bdd328bc3e0f610854590400d4f96d9678dfcf781edb2f541d0 6.29MB / 29.75MB 0.4s
build-and-run-fortune > #5 sha256:eda6120e237e0bdd328bc3e0f610854590400d4f96d9678dfcf781edb2f541d0 9.44MB / 29.75MB 0.5s
build-and-run-fortune > #5 sha256:eda6120e237e0bdd328bc3e0f610854590400d4f96d9678dfcf781edb2f541d0 16.78MB / 29.75MB 0.7s
build-and-run-fortune > #5 sha256:eda6120e237e0bdd328bc3e0f610854590400d4f96d9678dfcf781edb2f541d0 23.07MB / 29.75MB 0.9s
build-and-run-fortune > #5 sha256:eda6120e237e0bdd328bc3e0f610854590400d4f96d9678dfcf781edb2f541d0 26.21MB / 29.75MB 1.0s
build-and-run-fortune > #5 sha256:eda6120e237e0bdd328bc3e0f610854590400d4f96d9678dfcf781edb2f541d0 29.75MB / 29.75MB 1.1s
build-and-run-fortune > #5 sha256:eda6120e237e0bdd328bc3e0f610854590400d4f96d9678dfcf781edb2f541d0 29.75MB / 29.75MB 1.1s done
build-and-run-fortune > #5 extracting sha256:eda6120e237e0bdd328bc3e0f610854590400d4f96d9678dfcf781edb2f541d0
build-and-run-fortune > #5 extracting sha256:eda6120e237e0bdd328bc3e0f610854590400d4f96d9678dfcf781edb2f541d0 2.0s done
build-and-run-fortune > #5 DONE 3.5s
build-and-run-fortune >
build-and-run-fortune > #6 [2/2] RUN apt-get update -y && apt-get install -y fortune
build-and-run-fortune > #6 0.594 Get:1 http://archive.ubuntu.com/ubuntu noble InRelease [256 kB]
build-and-run-fortune > #6 0.601 Get:2 http://security.ubuntu.com/ubuntu noble-security InRelease [126 kB]
build-and-run-fortune > #6 1.072 Get:3 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages [477 kB]
build-and-run-fortune > #6 1.122 Get:4 http://archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
build-and-run-fortune > #6 1.305 Get:5 http://archive.ubuntu.com/ubuntu noble-backports InRelease [126 kB]
build-and-run-fortune > #6 1.388 Get:6 http://security.ubuntu.com/ubuntu noble-security/restricted amd64 Packages [446 kB]
build-and-run-fortune > #6 1.519 Get:7 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages [19.3 MB]
build-and-run-fortune > #6 1.568 Get:8 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Packages [367 kB]
build-and-run-fortune > #6 1.676 Get:9 http://security.ubuntu.com/ubuntu noble-security/multiverse amd64 Packages [13.7 kB]
build-and-run-fortune > #6 3.409 Get:10 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages [1808 kB]
build-and-run-fortune > #6 3.507 Get:11 http://archive.ubuntu.com/ubuntu noble/multiverse amd64 Packages [331 kB]
build-and-run-fortune > #6 3.554 Get:12 http://archive.ubuntu.com/ubuntu noble/restricted amd64 Packages [117 kB]
build-and-run-fortune > #6 3.558 Get:13 http://archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 Packages [17.8 kB]
build-and-run-fortune > #6 3.558 Get:14 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages [678 kB]
build-and-run-fortune > #6 3.682 Get:15 http://archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages [507 kB]
build-and-run-fortune > #6 3.698 Get:16 http://archive.ubuntu.com/ubuntu noble-updates/restricted amd64 Packages [446 kB]
build-and-run-fortune > #6 3.711 Get:17 http://archive.ubuntu.com/ubuntu noble-backports/universe amd64 Packages [11.8 kB]
build-and-run-fortune > #6 4.504 Fetched 25.2 MB in 4s (6078 kB/s)
build-and-run-fortune > #6 4.504 Reading package lists...
build-and-run-fortune > #6 5.312 Reading package lists...
build-and-run-fortune > #6 6.151 Building dependency tree...
build-and-run-fortune > #6 6.323 Reading state information...
build-and-run-fortune > #6 6.608 The following additional packages will be installed:
build-and-run-fortune > #6 6.610 fortunes-min librecode0
build-and-run-fortune > #6 6.611 Suggested packages:
build-and-run-fortune > #6 6.611 fortunes x11-utils bsdmainutils
build-and-run-fortune > #6 6.639 The following NEW packages will be installed:
build-and-run-fortune > #6 6.641 fortune-mod fortunes-min librecode0
build-and-run-fortune > #6 6.845 0 upgraded, 3 newly installed, 0 to remove and 2 not upgraded.
build-and-run-fortune > #6 6.845 Need to get 711 kB of archives.
build-and-run-fortune > #6 6.845 After this operation, 2129 kB of additional disk space will be used.
build-and-run-fortune > #6 6.845 Get:1 http://archive.ubuntu.com/ubuntu noble/main amd64 librecode0 amd64 3.6-26 [625 kB]
build-and-run-fortune > #6 7.473 Get:2 http://archive.ubuntu.com/ubuntu noble/universe amd64 fortune-mod amd64 1:1.99.1-7.3build1 [32.7 kB]
build-and-run-fortune > #6 7.475 Get:3 http://archive.ubuntu.com/ubuntu noble/universe amd64 fortunes-min all 1:1.99.1-7.3build1 [53.1 kB]
build-and-run-fortune > #6 7.617 debconf: delaying package configuration, since apt-utils is not installed
build-and-run-fortune > #6 7.650 Fetched 711 kB in 1s (858 kB/s)
build-and-run-fortune > #6 7.690 Selecting previously unselected package librecode0:amd64. (Reading database ... 4378 files and directories currently installed.)
build-and-run-fortune > #6 7.694 Preparing to unpack .../librecode0_3.6-26_amd64.deb ...
build-and-run-fortune > #6 7.711 Unpacking librecode0:amd64 (3.6-26) ...
build-and-run-fortune > #6 7.785 Selecting previously unselected package fortune-mod.
build-and-run-fortune > #6 7.787 Preparing to unpack .../fortune-mod_1%3a1.99.1-7.3build1_amd64.deb ...
build-and-run-fortune > #6 7.796 Unpacking fortune-mod (1:1.99.1-7.3build1) ...
build-and-run-fortune > #6 7.852 Selecting previously unselected package fortunes-min.
build-and-run-fortune > #6 7.854 Preparing to unpack .../fortunes-min_1%3a1.99.1-7.3build1_all.deb ...
build-and-run-fortune > #6 7.862 Unpacking fortunes-min (1:1.99.1-7.3build1) ...
build-and-run-fortune > #6 7.922 Setting up librecode0:amd64 (3.6-26) ...
build-and-run-fortune > #6 7.947 Setting up fortunes-min (1:1.99.1-7.3build1) ...
build-and-run-fortune > #6 7.975 Setting up fortune-mod (1:1.99.1-7.3build1) ...
build-and-run-fortune > #6 8.002 Processing triggers for libc-bin (2.39-0ubuntu8.3) ...
build-and-run-fortune > #6 DONE 8.2s
build-and-run-fortune >
build-and-run-fortune > #7 exporting to image
build-and-run-fortune > #7 exporting layers
build-and-run-fortune > #7 exporting layers 0.3s done
build-and-run-fortune > #7 writing image sha256:7f04e643f2548730cd93d24cf1ef162d4ea0ab252d95a9d26c47f50980d7e8a4 done
build-and-run-fortune > #7 naming to docker.io/library/fortune done
build-and-run-fortune > #7 DONE 0.3s
build-and-run-fortune >
build-and-run-fortune > 1 warning found (use docker --debug to expand):
build-and-run-fortune > - JSONArgsRecommended: JSON arguments recommended for CMD to prevent unintended behavior related to OS signals (line 5)
build-and-run-fortune $ docker run --rm fortune
build-and-run-fortune > There is an old time toast which is golden for its beauty.
build-and-run-fortune > "When you ascend the hill of prosperity may you not meet a friend."
build-and-run-fortune > -- Mark Twain
build-and-run-fortune finished in 25 s

PASS build-and-run-fortune
pipeline finished in 26 s
```

Actual output

Issue B

The job's `image` is `${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/docker`, which resolves to `/docker:latest` because `CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX` is undefined.

```
parsing and downloads finished in 59 ms.
json schema validated in 248 ms
build-and-run-fortune starting /docker:latest (test)
build-and-run-fortune copied to docker volumes in 7.76 s
Error: Command failed with exit code 1: docker pull /docker:latest
invalid reference format
    at makeError (/snapshot/firecow-gitlab-ci-local/node_modules/execa/lib/error.js:60:11)
    at handlePromise (/snapshot/firecow-gitlab-ci-local/node_modules/execa/index.js:118:26)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at actualPull (/snapshot/firecow-gitlab-ci-local/src/job.ts:915:13)
    at Job.pullImage (/snapshot/firecow-gitlab-ci-local/src/job.ts:928:13)
    at Job.execScripts (/snapshot/firecow-gitlab-ci-local/src/job.ts:692:13)
    at Job.execPreScripts (/snapshot/firecow-gitlab-ci-local/src/job.ts:641:36)
    at Job.start (/snapshot/firecow-gitlab-ci-local/src/job.ts:538:9)
    at /snapshot/firecow-gitlab-ci-local/node_modules/p-map/index.js:57:22
```

Issue A

I define the `*_DEPENDENCY_PROXY_*` variables as shown in the table above (including providing a definition for `CI_PROJECT_ROOT_NAMESPACE`), such that the job's `image` properly resolves.

```
parsing and downloads finished in 55 ms.
json schema validated in 233 ms
build-and-run-fortune starting MASKED_SERVER_NAME_AND_ROOT_NAMESPACE/dependency_proxy/containers/docker (test)
build-and-run-fortune copied to docker volumes in 1.04 s
Error: Command failed with exit code 1: docker pull MASKED_SERVER_NAME_AND_ROOT_NAMESPACE/dependency_proxy/containers/docker
Error response from daemon: Head "MASKED_SERVER_NAME/v2/MASKED_ROOT_NAMESPACE/dependency_proxy/containers/docker/manifests/latest": error parsing HTTP 403 response body: no error details found in HTTP response body: "{\"message\":\"access forbidden\",\"status\":\"error\",\"http_status\":403}"
Using default tag: latest
    at makeError (/snapshot/firecow-gitlab-ci-local/node_modules/execa/lib/error.js:60:11)
    at handlePromise (/snapshot/firecow-gitlab-ci-local/node_modules/execa/index.js:118:26)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at actualPull (/snapshot/firecow-gitlab-ci-local/src/job.ts:915:13)
    at Job.pullImage (/snapshot/firecow-gitlab-ci-local/src/job.ts:928:13)
    at Job.execScripts (/snapshot/firecow-gitlab-ci-local/src/job.ts:692:13)
    at Job.execPreScripts (/snapshot/firecow-gitlab-ci-local/src/job.ts:641:36)
    at Job.start (/snapshot/firecow-gitlab-ci-local/src/job.ts:538:9)
    at /snapshot/firecow-gitlab-ci-local/node_modules/p-map/index.js:57:22
```

(Note that I masked some values pertaining to my self-managed GitLab instance.)

Host information

Ubuntu
gitlab-ci-local 4.53.0

Containerd binary

docker

Additional context

I don't think it's actually relevant, but the project is hosted on a self-hosted GitLab instance.
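
The defaults proposed in the issue's table and the login step from issue B, sketched as shell functions; this is an added example, not part of the original issue and not gitlab-ci-local code. The `dp_*` function names and the sample host, group and token in `dp_demo` are hypothetical; `DOCKER_CONFIG` is the Docker CLI's configuration-directory variable, used here so the credential is not written to the user's own `config.json`.

```shell
#!/bin/sh
# Added example (not gitlab-ci-local code): build the defaults proposed in the
# issue's table and fail closed rather than emit a reference like "/docker".

# Set and export the CI_DEPENDENCY_PROXY_* defaults from the issue's table.
# Returns 1 if any input variable is unset or empty.
dp_export_defaults() {
    for name in CI_SERVER_HOST CI_SERVER_PORT CI_PROJECT_ROOT_NAMESPACE \
                CI_PROJECT_NAMESPACE GITLAB_USER_LOGIN CI_JOB_TOKEN; do
        eval "value=\${$name:-}"   # name comes only from the fixed list above
        if [ -z "$value" ]; then
            echo "dp_export_defaults: $name is unset or empty" >&2
            return 1
        fi
    done
    CI_DEPENDENCY_PROXY_SERVER="${CI_SERVER_HOST}:${CI_SERVER_PORT}"
    CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX="${CI_DEPENDENCY_PROXY_SERVER}/${CI_PROJECT_ROOT_NAMESPACE}/dependency_proxy/containers"
    CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX="${CI_DEPENDENCY_PROXY_SERVER}/${CI_PROJECT_NAMESPACE}/dependency_proxy/containers"
    CI_DEPENDENCY_PROXY_USER="${GITLAB_USER_LOGIN}"
    CI_DEPENDENCY_PROXY_PASSWORD="${CI_JOB_TOKEN}"
    export CI_DEPENDENCY_PROXY_SERVER CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX \
           CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX \
           CI_DEPENDENCY_PROXY_USER CI_DEPENDENCY_PROXY_PASSWORD
}

# Print "<group prefix>/<image>"; refuse to build a reference from an empty prefix.
dp_image_ref() {
    if [ -z "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX:-}" ] || [ -z "${1:-}" ]; then
        echo "dp_image_ref: prefix or image name is empty" >&2
        return 1
    fi
    printf '%s/%s\n' "$CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX" "$1"
}

# The login from the issue, with the credential written under a throwaway
# DOCKER_CONFIG directory instead of the user's ~/.docker/config.json.
dp_login() {
    DOCKER_CONFIG="$(mktemp -d)" || return 1
    export DOCKER_CONFIG
    printf '%s' "$CI_DEPENDENCY_PROXY_PASSWORD" |
        docker login "$CI_DEPENDENCY_PROXY_SERVER" \
            -u "$CI_DEPENDENCY_PROXY_USER" --password-stdin
}

# Demo with constructed values (gitlab.example.com, group "acme"); no network use.
dp_demo() (
    CI_SERVER_HOST=gitlab.example.com CI_SERVER_PORT=443
    CI_PROJECT_ROOT_NAMESPACE=acme CI_PROJECT_NAMESPACE=acme/tools
    GITLAB_USER_LOGIN=dev CI_JOB_TOKEN=constructed-token
    dp_export_defaults && dp_image_ref docker
)
```

Source the file and call `dp_demo` to see the resolved reference. Commands started from the same shell after `dp_login` inherit the exported `DOCKER_CONFIG`; remove that directory when the run is finished.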