Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issues pulling from docker.io #85

Closed
UebelAndre opened this issue Feb 28, 2023 · 8 comments
Closed

Issues pulling from docker.io #85

UebelAndre opened this issue Feb 28, 2023 · 8 comments
Milestone
1.0

Comments

@UebelAndre
Copy link

When using the WORKSPACE file documented below I get an unexpected error when running bazel query @node_image//...

oci_demo % bazel query @node_image//...
DEBUG: /private/var/tmp/_bazel_user/ba478bafcfc1207449b383e8560b89d0/external/contrib_rules_oci/oci/pull.bzl:71:14:
WARNING: fetching from https://docker.io/v2/library/node/manifests/18 without an integrity hash. The result will not be cached.
INFO: Repository node_image instantiated at:
  /Users/oci_demo/WORKSPACE.bazel:19:9: in <toplevel>
  /private/var/tmp/_bazel_user/ba478bafcfc1207449b383e8560b89d0/external/contrib_rules_oci/oci/pull.bzl:398:22: in oci_pull
Repository rule oci_pull_rule defined at:
  /private/var/tmp/_bazel_user/ba478bafcfc1207449b383e8560b89d0/external/contrib_rules_oci/oci/pull.bzl:220:32: in <toplevel>
ERROR: An error occurred during the fetch of repository 'node_image':
   Traceback (most recent call last):
	File "/private/var/tmp/_bazel_user/ba478bafcfc1207449b383e8560b89d0/external/contrib_rules_oci/oci/pull.bzl", line 149, column 27, in _oci_pull_impl
		mf, mf_len = _download(rctx, rctx.attr.identifier, mf_file, resource = "manifests")
	File "/private/var/tmp/_bazel_user/ba478bafcfc1207449b383e8560b89d0/external/contrib_rules_oci/oci/pull.bzl", line 80, column 27, in _download
		return json.decode(bytes), len(bytes)
Error in decode: at offset 0, unexpected character "<"
ERROR: /Users/oci_demo/WORKSPACE.bazel:19:9: fetching oci_pull_rule rule //external:node_image: Traceback (most recent call last):
	File "/private/var/tmp/_bazel_user/ba478bafcfc1207449b383e8560b89d0/external/contrib_rules_oci/oci/pull.bzl", line 149, column 27, in _oci_pull_impl
		mf, mf_len = _download(rctx, rctx.attr.identifier, mf_file, resource = "manifests")
	File "/private/var/tmp/_bazel_user/ba478bafcfc1207449b383e8560b89d0/external/contrib_rules_oci/oci/pull.bzl", line 80, column 27, in _download
		return json.decode(bytes), len(bytes)
Error in decode: at offset 0, unexpected character "<"
ERROR: Target parsing failed due to unexpected exception: at offset 0, unexpected character "<"
Loading: 0 packages loaded

WORKSPACE.bazel

workspace(name = "oci_demo")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "contrib_rules_oci",
    sha256 = "929da1362e27dc38206a116783d2b3efb95bcb165bdbc62a8190013e612a9b51",
    strip_prefix = "rules_oci-0.3.1",
    url = "https://github.com/bazel-contrib/rules_oci/releases/download/v0.3.1/rules_oci-v0.3.1.tar.gz",
)

load("@contrib_rules_oci//oci:dependencies.bzl", "rules_oci_dependencies")

rules_oci_dependencies()

load("@contrib_rules_oci//oci:pull.bzl", "oci_pull")

# A single-arch base image
oci_pull(
    name = "node_image",
    image = "docker.io/library/node",
    # Unpinning is undesired but is used to figure out how to initially pin.
    reproducible = False,
    tag = "18",
)
@alexeagle
Copy link
Collaborator

The < character is because docker is redirecting to an html page. We have to give a url that points to the registry v2 layout. Maybe we can rewrite well-known ones

@alexeagle
Copy link
Collaborator

The other issue is that you need to hook up the experimental "Credential Helper" https://github.com/bazelbuild/bazel/blob/master/src/main/java/com/google/devtools/build/lib/authandtls/AuthAndTLSOptions.java#L144
If we can't figure it out from sources, I meant have a chat with @tjgq sometime anyway.

@alexeagle
Copy link
Collaborator

The URL needs to be index.docker.io/library/node so that we try to fetch
https://index.docker.io/v2/library/node/manifests/18
and that's where the credentials are needed.
(Is there some standard way that the docker tool knows that docker.io is a shorthand for index.docker.io?)

https://github.com/bazelbuild/proposals/blob/main/designs/2022-06-07-bazel-credential-helpers.md also helpful, docker was called out as the design it's based on. @Yannic maybe can help us wire it up since there are no docs for it yet.

@alexeagle alexeagle mentioned this issue Feb 28, 2023
Closed
@alexeagle alexeagle added this to the 1.0 milestone Feb 28, 2023
@thesayyn
Copy link
Collaborator

Upon closer investigation i realized that --experimental-credential-helper isn't hooked up to the Starlark API. we can't use it yet.

See: bazelbuild/bazel#15013 (comment)

@fmorency fmorency mentioned this issue Mar 6, 2023
Open
@thesayyn
Copy link
Collaborator

fixed by #115

@UebelAndre
Copy link
Author

@thesayyn Thanks! Do you have an example of this working?

@thesayyn
Copy link
Collaborator

Here:

rules_oci/e2e/custom_registry/WORKSPACE

Lines 28 to 38 in 3c7e6f9

oci_pull(
name = "debian",
image = "index.docker.io/library/debian",
platforms = [
"linux/arm64",
"linux/amd64",
],
# Don't make a debian_unpinned repo and print a warning about the tag
reproducible = False,
tag = "latest",
)

@alexeagle
Copy link
Collaborator

From #115 (comment)
I still think we should probably support docker.io/library/debian as a shortcut for index.docker.io/library/debian if the former one is what everyone expects to work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.0
Development

No branches or pull requests
3 participants
@alexeagle @thesayyn @UebelAndre