Use a blank docker config file to avoid issues with the requiring credentials for public gcr.io images #1125
Conversation
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here with What to do if you already signed the CLAIndividual signers
Corporate signers
ℹ️ Googlers: Go here for more info. |
|
@googlebot I signed it! |
|
CLAs look good, thanks! ℹ️ Googlers: Go here for more info. |
googlebot
added
cla: yes
filesnate
force-pushed
the
blank-docker-config
branch
from
1fd592f to
22512c5
Compare
…ault config.json which requires credentials accessing gcr.io registries - Users who require credentials will need to supply their own config.json file anyway, so let them set it up as needed.
filesnate
force-pushed
the
blank-docker-config
branch
from
22512c5 to
24268d6
Compare
| @@ -27,6 +27,8 @@ RUN make -C /go/src/github.com/awslabs/amazon-ecr-credential-helper linux-amd64 | |||
| # ACR docker credential helper | |||
| ADD https://aadacr.blob.core.windows.net/acr-docker-credential-helper/docker-credential-acr-linux-amd64.tar.gz /usr/local/bin | |||
| RUN tar -C /usr/local/bin/ -xvzf /usr/local/bin/docker-credential-acr-linux-amd64.tar.gz | |||
| # Blank out the credentials file | |||
| RUN echo "{}" > /root/.docker/config.json | |||
There was a problem hiding this comment.
I believe a better approach would be to remove the line RUN docker-credential-gcr configure-docker which is the line that adds .docker/config.json
There was a problem hiding this comment.
Can't do that, as then kaniko blows up when it tries to read a non-existent config.json file. :(
[ Been there, done that, got the scars to prove it. ]
There was a problem hiding this comment.
got it, thanks for that extra info. @tejal29 your thoughts?
There was a problem hiding this comment.
Thank you for figuring out the issue that I also hit previously! I wasn't able to figure out exactly where the config was coming from before.
In order to test this, could you remove the code in the integration tests that replaces public GCR images with images from the local docker registry? Basically this whole source file should be removed and all the code that uses any of the functions in that file: https://github.com/GoogleContainerTools/kaniko/blob/master/integration/migrate_gcr.go
I'm also happy to take over this PR if you get stuck.
|
@samos123 - Feel free to rewrite the go code, I'm just trying to get a kaniko image that I can use to pull/build images that are publically available on gcr.io. If we could move this forward to get a working build, and then as a follow PR rewrite the |
Previously there was a need to import public GCR images into the local docker registry and replace the base images to use the local docker registry. This is no longer needed since Kaniko now works with public GCR images also for unauthenticated users.
|
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info. |
googlebot
added
cla: no
|
I've added a commit to this PR since I prefer to ensure the PR as a whole is tested with an integration test. Our previous integration tests didn't test public GCR images, but the commit I just added removes the migrate_gcr.go source, which causes the integration test to test kaniko with a public GCR image. Could you leave a comment with the following content: "@googlebot I consent." so that I'm allowed to add the commit to this PR? Appreciate your patience and taking the time to respond to all my questions! |
There was a problem hiding this comment.
This will break existing GCR users that are using kaniko likes this:
docker run -v /home/stoelinga/.config/gcloud:/root/.config/gcloud -v $PWD/sam/public_gcr:/workspace gcr.io/gsam-123/kaniko-executor:debug-filesnate --dockerfile Dockerfile --destination gcr.io/gsam-123/test-gcr:latest --context dir:///workspace/
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "gcr.io/gsam-123/test-gcr:latest": creating push check transport for gcr.io failed: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
In master branch this works as expected however after building kaniko-executor from this PR it fails with authentication issue. This fix requires some more work and discussion to make sure we're not breaking the users that use GCR with Kaniko today.
For reference here is the exact same command using kaniko-executor from latest master, which works as expected with GCR and correct credentials:
docker run -v /home/stoelinga/.config/gcloud:/root/.config/gcloud -v $PWD/sam/public_gcr:/workspace gcr.io/gsam-123/kaniko-executor:master --dockerfile Dockerfile --destination gcr.io/gsam-123/test-gcr:latest --context dir:///workspace/
INFO[0000] Resolved base name gcr.io/distroless/python2.7:debug to gcr.io/distroless/python2.7:debug
INFO[0000] Resolved base name gcr.io/distroless/python2.7:debug to gcr.io/distroless/python2.7:debug
INFO[0000] Retrieving image manifest gcr.io/distroless/python2.7:debug
INFO[0001] Retrieving image manifest gcr.io/distroless/python2.7:debug
INFO[0003] Built cross stage deps: map[]
INFO[0003] Retrieving image manifest gcr.io/distroless/python2.7:debug
INFO[0003] Retrieving image manifest gcr.io/distroless/python2.7:debug
INFO[0004] Unpacking rootfs as cmd COPY a /a requires it.
INFO[0009] Taking snapshot of full filesystem...
INFO[0015] Resolving paths
INFO[0015] COPY a /a
INFO[0015] Resolving paths
INFO[0015] Taking snapshot of files...
|
@googlebot I consent. |
@samos123 can you please change your command to also mount the |
|
This PR might break "GCB Kaniko" users or anyother users who mount their Cloud config only and not docker config to push to GCR e.g. https://cloud.google.com/cloud-build/docs/kaniko-cache
This approach could be tricky and we will need to test with GCB since GCB Kaniko usage docs don't explicitly mount google cloud config, so we need to look for file to be present.
WDYT? |
|
IMO, that it's been working to-date for some folks is completely un-documented, and a side-effect of a default configuration that wasn't obvious until recently. I also understand the pain of breaking something that was working for Therefore, I'm of the mind-set that creating a bunch of workarounds to fix it so things continue to work (meaning just continuing the 'magic' behavior) is the wrong solution, since the software is hiding important configuration details from them. IMO, eventually some part of the software will eventually change, requiring the configuration to be changed, so by not solving the problem now, you're just delaying the inevitable issue of requiring the user to configure docker authentication. So, you can either deal with it now while it's fresh in your mind with the understanding of how to solve it, or put it off to future |
Thanks @filesnate. Yes i understand the "fixing" it the right way. I just feel a lot fo folks are using kaniko in production pipeline as part of CI jobs. I am definitely up for fixing this the bold way by forcing users to fix their config if they relied on the docker credentials to be initialized.
After investigating 1 and 2, if we feel this is the right change, it would be great if we can first make change to add a deprecation notice in this PR. We could simply print a message if "/root/.config/gcloud" but not "/kaniko/.docker". The warning message printed would be Would you be up for investigating 1 and 2 bullet points? Thanks |
I have no context to answer questions (1) and (2). I'm just a random dev who attempted to use kaniko to use it to build a publically available gcr.io docker image, and did a little bit of debugging to find the underlying issue, sorry. Nate |
|
I've done an alternative approach that should work for @filesnate use case but won't break existing users that relied on kaniko being configured with gcr by default. This is the PR: #1140 |
@samos123 - Is there an easy-to-use image tag I could use, or do I have to build a custom image with your PR? |
|
You can use the image I build at your own risk lol. This is the image: Also in the future you can easily build your own image using this: That will build kaniko and push executor to your registry defined in the variable REGISTRY See below how I used it to test: |
Perfect, thanks! |
Someone used space in the |
This has been corrected in master, so it's all good (was working on a PR to fix this, but @samos123 already fixed it. 😁 ) |
My local test for this works correctly using a locally built-image, so I say go for it! |
Use a blank docker config file to avoid issues with the requiring credentials for public gcr.io images
so let them set it up as needed.
Fixes #1122.
Reviewer Notes
Release Notes
Create a blank docker config.json file to allow pulling public images hosted on *.gcr.io without credentials.