openSUSE / open-build-service

Build and distribute Linux packages from sources in an automatic, consistent and reproducible way #obs
https://openbuildservice.org
GNU General Public License v2.0

OBS registry can't be set as a mirror for Containerd #16186

Closed davidcassany closed 1 month ago

davidcassany commented 3 months ago

Is your feature request related to a problem? Please describe.

The problem we have is that we can't set the registry.opensuse.org registry as a mirror in Containerd, hence this impacts many K8s distributions such as K3S and RKE2.

The problem is that Containerd makes use of an additional parameter in image manifest queries that is not OCI conformant yet (despite being in the pipe to be approved since 2020).

Containerd included this feature here: https://github.com/containerd/containerd/pull/4413

Its inclusion in the opencontainers spec is discussed here: https://github.com/opencontainers/distribution-spec/pull/66

It can be easily reproduced from the command line by using a Containerd generated GET call. This is a failing example:

wget 'https://registry.opensuse.org/v2/isv/rancher/elemental/maintenance/5.5/containers/rancher/elemental-operator/manifests/1.5.2?ns=registry.suse.com'

The call above always returns a 400 Bad Request. Note the ns=registry.suse.com parameter; this is the offending part. Without this not strictly OCI-compliant parameter the call just works fine and returns the expected manifest.

This parameter is added by Containerd when trying to pull a mirrored registry. In particular, I found this by trying to set a mirror to the OBS projects of a maintenance incident in order to run some full tests before the actual release.

Describe the solution you'd like

We would like to support Containerd calls by either ignoring the offending parameter or eventually honoring it according to https://github.com/opencontainers/distribution-spec/pull/66

Additional context

I have verified that using a private registry deployed using the registry image from DockerHub, which is based on https://github.com/distribution/distribution, works just fine when it gets calls including the mentioned ns=<mirrored-domain> parameter.

davidcassany commented 3 months ago

@mlschroe I think this might be of interest to you; I got a suggestion to ping you on that one.

kkaempf commented 1 month ago

@adrianschroeter @mlschroe - trying to get your attention on this one

mlschroe commented 1 month ago

We already changed the code to ignore a "ns" parameter. Do you still get errors?

Commit:

commit 92aca9248f4a530daa540413227407bb5a410649
Author: Michael Schroeder <mls@suse.de>
Date:   Fri Jun 7 15:24:21 2024 +0200

    [backend] accept (but ignore) an "ns" parameter

    See https://github.com/opencontainers/distribution-spec/pull/66

davidcassany commented 1 month ago

@mlschroe I completely missed your comment, let me retest it today and provide feedback. Thanks

davidcassany commented 1 month ago

@mlschroe thanks much!

Verified this is no longer an issue 🎉 Closing the GH ticket
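
The check discussed in this thread (the same manifest request with and without the ns parameter), as an added example that is not part of the original issue and is not OBS or Containerd code. The function names, the registry.example.invalid URL and the strict_registry stand-in are assumptions made for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Manifest media types a client normally offers when asking for a manifest.
ACCEPT = ", ".join([
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
])


def with_ns(manifest_url, ns):
    """Return manifest_url with its ns query parameter set to ns."""
    parts = urlsplit(manifest_url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "ns"]
    query.append(("ns", ns))
    return urlunsplit(parts._replace(query=urlencode(query)))


def http_status(url):
    """Status code of a GET on url; HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": ACCEPT})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_ns_tolerance(manifest_url, ns, fetch=http_status):
    """Request the manifest without and with ?ns= and compare the statuses."""
    plain = fetch(manifest_url)
    mirrored = fetch(with_ns(manifest_url, ns))
    return {"plain": plain, "with_ns": mirrored, "ns_tolerated": plain == mirrored}


def strict_registry(url):
    """Constructed stand-in for a registry that answers 400 to any query string."""
    return 400 if urlsplit(url).query else 200


if __name__ == "__main__":
    # Constructed URL; leave fetch at its default (http_status) to probe a real registry.
    url = "https://registry.example.invalid/v2/project/image/manifests/1.0"
    print(probe_ns_tolerance(url, "registry.suse.com", fetch=strict_registry))
```

A registry that can serve as a Containerd mirror reports the same status for both requests; a 400 only on the ns variant is the failure described in the first comment.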