Error pulling private image from GitHub Container Registry

[enbeec]

Due diligence

My actions before raising this issue

Following the docs I have done the following:

• using faasd on a fresh VM
• logged in to faasd with faas login (on the host)
• ran faas registry-login and installed config.json to /var/lib/faasd/.docker/ (on the VM)
  • I re-did this step a few ways and ended up comparing against the docker configuration in my home directory.
• set up my function repo with faas template pull and faas new (on the host)
• did a faas build and faas push (on the host)
  • confirmed the push by browsing to the package manually and pulling with docker
• restarted the faasd VM

edited 2022-11-01

Why do you need this?

I'm trying to deploy my first function with OpenFaaS using the golang-middleware template.

Who is this for?

A personal weekend project. I exclusively work with Lambda at work and want a fresh perspective on FaaS.

Expected Behaviour

When running faas deploy -f my-function.yml against my local faasd VM with a valid configuration at /var/lib/faasd/.docker/config.json, I expect the image to be pulled and the function deployed.

Current Behaviour

Instead, there is an issue authenticating with ghcr.io.

I can docker pull this image with a config file that matches the installed faasd file (just with different token values).

Deploying: todo-api.
WARNING! You are not using an encrypted connection to the gateway, consider using HTTPS.

Unexpected status: 400, message: unable to pull image ghcr.io/enbeec/todo-api:latest: cannot pull: failed to resolve reference "ghcr.io/enbeec/todo-api:latest": failed to authorize: failed to fetch oauth token: unexpected status: 403 Forbidden

Function 'todo-api' failed to deploy with status code: 400

Are you a GitHub Sponsor (Yes/No?)

• [x] No

List All Possible Solutions and Workarounds

I wouldn't expect HTTPS between my host and the local VM to be an issue but is it? Time is short and I was planning to play around without fussing with certs on my local host.

Which Solution Do You Recommend?

Steps to Reproduce (for bugs)

1. using faasd, configure /var/lib/faasd/.docker/config.json with your ghcr.io credentials
2. try to deploy a function from one of your private images

Development/VM Host Environment

• OS and architecture: Ubuntu on x86

faasd Host Environment

• OS and architecture: Debian on x86 on KVM/QEMU

• Versions:

go version
# not installed

containerd -version
containerd github.com/containerd/containerd v1.6.8 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6

uname -a
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
...

cat /etc/os-release
# see uname

faasd version
faasd version: 0.16.7 commit: 282b05802cccd311678a73efaee78af0086cc7fd

[alexellis]

Hi, thanks for your interest in faasd.

I spent a couple of hours trying to reproduce this issue for you with a brand new repo and installation on my Raspberry Pi.

https://github.com/alexellis/creates-private-ghcr-function/actions/runs/3359586196

pi@faasd-pi:~ $ faas-cli deploy --name private --image ghcr.io/alexellis/private-test-fn:0.0.2

Deployed. 200 OK.
URL: http://127.0.0.1:8080/function/private

I couldn't reproduce any problems, but I have updated the eBook instructions which I think will help you get past this, in version 1.8.

If you are still having issues after that, I'm not sure what to suggest.

Regards,

Alex

[enbeec]

Thanks for the prompt and decisive response

It would certainly appear that something inexplicable is happening. The good news is that means starting from scratch might inexplicably work!

Cheers, Val

[alexellis]

Hi Val,

I can see the error in your instructions. You'll find the updated information you need in the eBook which is the manual for faasd.

Do you have a copy yet?

Alex

[enbeec]

I do have the eBook! It's been very helpful. I was able to get things working with a multipass VM last night.

edit just pulled version 1.8 of the eBook and that's a lot cleaner.

Val

[alexellis]

/lock: resolved