Closed mrsimonemms closed 2 years ago
Generalising: the issue seems to arise when we want to pull a base image from docker hub. The question then becomes: why does it work when testing in a workspace, or more broadly, why does it work at all?
@csweichel I wonder if this is the key. I've added loads of additional (insecure) logs in a branch (not to be merged) and found something interesting....
I've checked the response from repo.Auth.Authorize.
In GCP, it ALWAYS returns back without an error (even on the very first time). In Azure, it ALWAYS returns back this error:
{
"@type": "type.googleapis.com/google.devtools.clouderrorreporting.v1beta1.ReportedErrorEvent",
"error": "Get \"https://auth.ipv6.docker.com/token?scope=repository%3Agitpod%2Fworkspace-mongodb%3Apull\u0026service=registry.docker.io\": dial tcp [2600:1f18:2148:bc00:cec:e441:76aa:4346]:443: connect: network is unreachable\nfailed to fetch anonymous token\ngithub.com/containerd/containerd/remotes/docker.(*authHandler).doBearerAuth\n\t/workspace/go/pkg/mod/github.com/containerd/containerd@v1.5.5/remotes/docker/authorizer.go:306\ngithub.com/containerd/containerd/remotes/docker.(*authHandler).authorize\n\t/workspace/go/pkg/mod/github.com/containerd/containerd@v1.5.5/remotes/docker/authorizer.go:228\ngithub.com/containerd/containerd/remotes/docker.(*dockerAuthorizer).Authorize\n\t/workspace/go/pkg/mod/github.com/containerd/containerd@v1.5.5/remotes/docker/authorizer.go:112\ngithub.com/gitpod-io/gitpod/image-builder/bob/pkg/proxy.(*Proxy).reverse.func2\n\t/tmp/build/components-image-builder-bob--app.65626b7c97210e6bd97e4ad3c440d299218b427f/pkg/proxy/proxy.go:173\ngithub.com/hashicorp/go-retryablehttp.(*Client).Do\n\t/workspace/go/pkg/mod/github.com/hashicorp/go-retryablehttp@v0.7.0/client.go:584\ngithub.com/hashicorp/go-retryablehttp.(*RoundTripper).RoundTrip\n\t/workspace/go/pkg/mod/github.com/hashicorp/go-retryablehttp@v0.7.0/roundtripper.go:44\nnet/http/httputil.(*ReverseProxy).ServeHTTP\n\t/home/gitpod/go/src/net/http/httputil/reverseproxy.go:298\ngithub.com/gitpod-io/gitpod/image-builder/bob/pkg/proxy.(*Proxy).ServeHTTP\n\t/tmp/build/components-image-builder-bob--app.65626b7c97210e6bd97e4ad3c440d299218b427f/pkg/proxy/proxy.go:127\nnet/http.(*ServeMux).ServeHTTP\n\t/home/gitpod/go/src/net/http/server.go:2424\nnet/http.serverHandler.ServeHTTP\n\t/home/gitpod/go/src/net/http/server.go:2878\nnet/http.(*conn).serve\n\t/home/gitpod/go/src/net/http/server.go:1929\nruntime.goexit\n\t/home/gitpod/go/src/runtime/asm_amd64.s:1581",
"level": "error",
"message": "sje auth err",
"serviceContext": {
"service": "bob",
"version": ""
},
"severity": "ERROR",
"time": "2021-11-22T13:28:08Z"
}
So, why is the network unreachable?
It appears that in Azure, the www-authenticate
value that comes back from the initial call to https://registry-1.docker.io/v2/gitpod/workspace-mongodb/manifests/latest
is to auth.ipv6.docker.com
rather than auth.docker.com
.
And I've no idea why
Interestingly, the X-Forwarded-For
value in Azure is ::1
and in GCP it's 127.0.0.1
- this appears to set the IPV6 URL
Edit: unbelievably, if I set X-Forwarded-For
to 127.0.0.1
, it works
This is to be used as a notepad for an issue. Please ignore
502 Bad Gateway
errors, ending in#5 37.17 error: unexpected status: 502 Bad Gateway
------
error: failed to solve: unexpected status: 502 Bad Gateway
{"@type":"type.googleapis.com/google.devtools.clouderrorreporting.v1beta1.ReportedErrorEvent","command":"build","error":"exit status 1","level":"error","message":"build failed","serviceContext":{"service":"bob","version":""},"severity":"ERROR","time":"2021-11-19T15:42:35Z"}
HEAD https://registry-1.docker.io/v2/gitpod/workspace-mongodb/manifests/latest
call. Works fine if using GCR based imageObservations:
gcr.io
registry, so not relevant to the FQDN status. The.dockerconfigjson
value appears valid when running locally as can push an image with the value set to~/.docker/config.json
Questions:
workspace.runtime.containerdRuntimeDir
values? In GCP it's/var/lib/containerd/io.containerd.runtime.v2.task/k8s.io
, in Azure it's/run/containerd/io.containerd.runtime.v1.linux/k8s.io
~shiftfs
, GCP usesfuse
~http: proxy error: HEAD https://registry-1.docker.io/v2/gitpod/workspace-mongodb/manifests/latest
which GCP doesn't (is this causal or symptomatic?)