search

testcontainers / testcontainers-go

Testcontainers for Go is a Go package that makes it simple to create and clean up container-based dependencies for automated integration/smoke tests. The clean, easy-to-use API enables developers to programmatically define containers that should be run as part of a test and clean up those resources when the test is done.
https://golang.testcontainers.org
MIT License
3.57k stars 492 forks source link

[Bug]: Docker Pull fails on some machines #1987

Open stubents opened 10 months ago

stubents commented 10 months ago

Testcontainers version

v0.26.0

Using the latest Testcontainers version?

Yes

Host OS

MacOS

Host arch

ARM

Go version

go1.21.4 darwin/arm64

Docker version

Client:
 Cloud integration: v1.0.35+desktop.5
 Version:           24.0.6
 API version:       1.43
 Go version:        go1.20.7
 Git commit:        ed223bc
 Built:             Mon Sep  4 12:28:49 2023
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.25.2 (129061)
 Engine:
  Version:          24.0.6
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.7
  Git commit:       1a79695
  Built:            Mon Sep  4 12:31:36 2023
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.22
  GitCommit:        8165feabfdfe38c65b599c4993d227328c231fca
 runc:
  Version:          1.1.8
  GitCommit:        v1.1.8-0-g82f18fe
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Docker info

Client:
 Version:    24.0.6
 Context:    desktop-linux
 Debug Mode: false
Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 17
 Server Version: 24.0.6
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2

What happened?

Hi, it seems like I'm unable to pull new images with testcontainers-go on my local machine. I know that the same config works on other operating systems / docker versions / 🤷‍♂️.

I had a look into it and dockercfs says in its comment for GetRegistryCredentials(...): "If the returned username string is empty, the password is an identity token." With the following commit I made it work again: https://github.com/stubents/testcontainers-go/commit/0b6a416d3636e32f3707f740f529f3d3e9014965

However, I'm not too familiar with container registry authentication mechanisms so I can't really say if this is the right thing to do or might break other stuff...

Nevertheless, hope this helps :)

Relevant log output

No response

Additional information

No response

mdelapenya commented 10 months ago

Could you elaborate a PR including tests to automatically demonstrate the behaviour? I've seen your patch and I think it could be fine, but I'd like to have a test demonstrating it, as we have a lot of them in the docker_auth_test.go file.

stubents commented 10 months ago

Thanks for your quick response! I'm not completely sure how you imagine the test:

We could spin up a registry that's configured to accept an identity token and test if it accepts a token that is set in the AuthConfig. This wouldn't really have much to do with the code change I made, though.

To really see the code executed we'd need to invoke dockercfg.GetRegistryCredentials(k) but this would run directly exec.Command(...) which is hard to intercept and I don't see any other tests doing this.

Could you please point me into the right direction here?

cuppett commented 8 months ago

FWIW, I may be seeing a similar version of this on Fedora with Podman.

Server Version: 4.9.0 API Version: 1.41 Operating System: fedora Resolved Docker Host: unix:///run/user/1000/podman/podman.sock Resolved Docker Socket Path: /run/user/1000/podman/podman.sock

It is attempting to pull the following image: ghcr.io/cuppett/mariadb:11.0

The container is a public container,. This fails in the same way when both when there is a valid credential in my ~./docker/config.json and when there is no credential in there.

Log attached.

testcontainers-go-issue-1987.txt

mdelapenya commented 5 months ago

Given we have a docker registry module (https://golang.testcontainers.org/modules/registry/) I encourage you to use it in a repro project to verify this behaviour 🙏

mdelapenya commented 1 month ago

@stevenh could you take a look at @stubents' patch here? https://github.com/stubents/testcontainers-go/commit/0b6a416d3636e32f3707f740f529f3d3e9014965

With the recent changes in the docker auth code, those lines are now different, but we still get the user and password. Probably worth it to take a look at the identity token 🤔