galaxyproject / galaxy

Data intensive science for everyone.
https://galaxyproject.org

Base images for mulled containers are required to be on public docker servers if converting to Singularity #15716

Open natefoo opened 1 year ago

natefoo commented 1 year ago

Describe the bug

Because we use the docker bootstrap agent, the base image is required to be on a public docker registry.

To Reproduce

$ docker pull quay.io/bioconda/base-glibc-busybox-bash:latest
# create a "local" image for the sake of demonstration:
$ docker tag quay.io/bioconda/base-glibc-busybox-bash:latest testfoo:latest
$ DEST_BASE_IMAGE='testfoo:latest' mulled-build --verbose --singularity -c conda-forge --test 'python -V' build-and-test python
... lots of output ...
[Mar  6 15:26:39] INFO Invoke Task [singularity]
[Mar  6 15:26:39] STEP Run image [quay.io/singularity/singularity:v3.10.4] with command [[mkdir -p /usr/local/var/singularity/mnt/container && singularity build /import/python /import/Singularity.def && chown 1001:1001 /import/python]]
[Mar  6 15:26:39] DEBU Creating container [step-c3d4d1b415]
[Mar  6 15:26:39] DEBU Created container [cbc913c47b02 step-c3d4d1b415], starting it
[Mar  6 15:26:39] DEBU Container [cbc913c47b02 step-c3d4d1b415] started, waiting for completion
[Mar  6 15:26:39] SERR INFO:    Starting build...
[Mar  6 15:26:41] SERR FATAL:   While performing build: conveyor failed to get: reading manifest latest in docker.io/library/testfoo: errors:
[Mar  6 15:26:41] SERR denied: requested access to the resource is denied
[Mar  6 15:26:41] SERR unauthorized: authentication required
[Mar  6 15:26:41] ERRO Task processing failed: Unexpected exit code [255] of container [cbc913c47b02 step-c3d4d1b415], container preserved

Expected behavior

It would be expected that local base images are usable, especially since the base image is already local to where you're building since it would've been pulled when building the docker container in the previous step. One reason that it's not is because the Singularity build occurs in docker, so to use the docker-daemon agent, we'd need to mount the socket (and use --privileged?).

Alternatively, rather than building the Singularity container from the base image, we could just convert the locally-built Docker container from the previous step. It doesn't need to be pulled from the daemon, either; we could docker save the image to a tar file and convert that. Converting the docker container would also fix #15715, but as I mention on that issue, there may be reasons for not doing so that I'm not aware of.
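
Why `testfoo:latest` is looked up as `docker.io/library/testfoo` in the log above, and what the `docker save` alternative looks like in a definition file, as an added Python example that is not Galaxy or mulled-build code. The normalization is a simplified form of Docker's reference rules (digests are not handled), and `/import/base.tar` is a constructed path.

```python
# Added illustration; not code from Galaxy, mulled-build or Singularity.
from typing import Optional

DEFAULT_REGISTRY = "docker.io"


def normalize_reference(ref: str) -> str:
    """Expand a short image reference as a registry client would (simplified)."""
    name, tag = ref, "latest"
    # Only a ':' in the last path component is a tag separator;
    # an earlier ':' belongs to a host:port registry address.
    if ":" in ref.rsplit("/", 1)[-1]:
        name, tag = ref.rsplit(":", 1)
    first, sep, rest = name.partition("/")
    # The first component names a registry only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return f"{first}/{rest}:{tag}"
    if "/" not in name:
        name = f"library/{name}"  # bare names map to Docker Hub's official namespace
    return f"{DEFAULT_REGISTRY}/{name}:{tag}"


def definition_header(ref: str, archive: Optional[str] = None) -> str:
    """Return the Bootstrap/From lines of a Singularity definition file.

    With `archive` (a tarball written by `docker save`), the build reads a
    file: no registry pull, no Docker socket mounted into the build container.
    """
    if archive is not None:
        return f"Bootstrap: docker-archive\nFrom: {archive}\n"
    # The docker agent always goes to a registry, so a tag that exists only
    # in the local daemon is requested from Docker Hub and denied.
    return f"Bootstrap: docker\nFrom: {normalize_reference(ref)}\n"


if __name__ == "__main__":
    # Constructed inputs: the two references from the reproduction steps.
    for ref in ("quay.io/bioconda/base-glibc-busybox-bash:latest", "testfoo:latest"):
        print(f"{ref} -> {normalize_reference(ref)}")
    print(definition_header("testfoo:latest"))
    # Constructed path; /import is the directory the build step in the log uses.
    print(definition_header("testfoo:latest", archive="/import/base.tar"))
```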

mvdbeek commented 1 year ago

this is all less than ideal, why don't we build the image as in https://github.com/galaxyproject/galaxy/pull/9088?

mvdbeek commented 1 year ago

but also docker-daemon: can be used if we do insist to build with docker

natefoo commented 1 year ago

9088 ?

:shipit: