Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error pulling pause image from private repository #9594

Closed
mottetm opened this issue Oct 29, 2024 · 6 comments · Fixed by #9654
Closed

Error pulling pause image from private repository #9594

mottetm opened this issue Oct 29, 2024 · 6 comments · Fixed by #9654
Assignees
@smira

Comments

@mottetm
Copy link

mottetm commented Oct 29, 2024
edited
Loading

Bug Report

Description

When specifying a custom pause image as described here located in a private registry, kubelet fails to pull the image
with a 401 Unauthorized error, despite the private registry being configured in the machine config
(registries.config.<private.registry>.auth).

This was previously working in v1.6.8.

Logs

10.0.2.136: {"ts":1730192466923.7874,"caller":"internal/log.go:32","msg":"RunPodSandbox from runtime service failed","err":"rpc error: code = Unknown desc = failed to start sandbox \"d7dd8a5fdcbfa0d3a2370269216a5824c2125223c8d86f582856138c7c73d85a\": failed to get sandbox image \"<private.registry>/pause:3.8\": failed to pull image \"<private.registry>/pause:3.8\": failed to pull and unpack image \"<private.registry>/pause:3.8\": failed to resolve reference \"<private.registry>/pause:3.8\": unexpected status from HEAD request to https://registry.hydra.anywhere.navify.com/v2/navify-anywhere-edge/navify-anywhere-edge-staging/navify-anywhere/pause/manifests/3.8: 401 Unauthorized"}
10.0.2.136: {"ts":1730192466924.1497,"caller":"kuberuntime/kuberuntime_sandbox.go:72","msg":"Failed to create sandbox for pod","pod":{"name":"kube-scheduler-talos-uj9-jpe","namespace":"kube-system"},"err":"rpc error: code = Unknown desc = failed to start sandbox \"d7dd8a5fdcbfa0d3a2370269216a5824c2125223c8d86f582856138c7c73d85a\": failed to get sandbox image \"<private.registry>/pause:3.8\": failed to pull image \"<private.registry>/pause:3.8\": failed to pull and unpack image \"<private.registry>/pause:3.8\": failed to resolve reference \"<private.registry>/pause:3.8\": unexpected status from HEAD request to https://registry.hydra.anywhere.navify.com/v2/navify-anywhere-edge/navify-anywhere-edge-staging/navify-anywhere/pause/manifests/3.8: 401 Unauthorized"}
10.0.2.136: {"ts":1730192466924.1914,"caller":"kuberuntime/kuberuntime_manager.go:1170","msg":"CreatePodSandbox for pod failed","pod":{"name":"kube-scheduler-talos-uj9-jpe","namespace":"kube-system"},"err":"rpc error: code = Unknown desc = failed to start sandbox \"d7dd8a5fdcbfa0d3a2370269216a5824c2125223c8d86f582856138c7c73d85a\": failed to get sandbox image \"<private.registry>/pause:3.8\": failed to pull image \"<private.registry>/pause:3.8\": failed to pull and unpack image \"<private.registry>/pause:3.8\": failed to resolve reference \"<private.registry>/pause:3.8\": unexpected status from HEAD request to https://registry.hydra.anywhere.navify.com/v2/navify-anywhere-edge/navify-anywhere-edge-staging/navify-anywhere/pause/manifests/3.8: 401 Unauthorized"}
10.0.2.136: {"ts":1730192466924.4077,"caller":"kubelet/pod_workers.go:1301","msg":"Error syncing pod, skipping","pod":{"name":"kube-scheduler-talos-uj9-jpe","namespace":"kube-system"},"podUID":"28f3e425f44f09de092fdccf37b4450f","err":"failed to \"CreatePodSandbox\" for \"kube-scheduler-talos-uj9-jpe_kube-system(28f3e425f44f09de092fdccf37b4450f)\" with CreatePodSandboxError: \"Failed to create sandbox for pod \\\"kube-scheduler-talos-uj9-jpe_kube-system(28f3e425f44f09de092fdccf37b4450f)\\\": rpc error: code = Unknown desc = failed to start sandbox \\\"d7dd8a5fdcbfa0d3a2370269216a5824c2125223c8d86f582856138c7c73d85a\\\": failed to get sandbox image \\\"<private.registry>/pause:3.8\\\": failed to pull image \\\"<private.registry>/pause:3.8\\\": failed to pull and unpack image \\\"<private.registry>/pause:3.8\\\": failed to resolve reference \\\"<private.registry>/pause:3.8\\\": unexpected status from HEAD request to https://registry.hydra.anywhere.navify.com/v2/navify-anywhere-edge/navify-anywhere-edge-staging/navify-anywhere/pause/manifests/3.8: 401 Unauthorized\"","errCauses":[{"error":"failed to \"CreatePodSandbox\" for \"kube-scheduler-talos-uj9-jpe_kube-system(28f3e425f44f09de092fdccf37b4450f)\" with CreatePodSandboxError: \"Failed to create sandbox for pod \\\"kube-scheduler-talos-uj9-jpe_kube-system(28f3e425f44f09de092fdccf37b4450f)\\\": rpc error: code = Unknown desc = failed to start sandbox \\\"d7dd8a5fdcbfa0d3a2370269216a5824c2125223c8d86f582856138c7c73d85a\\\": failed to get sandbox image \\\"<private.registry>/pause:3.8\\\": failed to pull image \\\"<private.registry>/pause:3.8\\\": failed to pull and unpack image \\\"<private.registry>/pause:3.8\\\": failed to resolve reference \\\"<private.registry>/pause:3.8\\\": unexpected status from HEAD request to https://registry.hydra.anywhere.navify.com/v2/navify-anywhere-edge/navify-anywhere-edge-staging/navify-anywhere/pause/manifests/3.8: 401 Unauthorized\""}]}

Environment

  • Talos version: v1.8.1
  • Platform: arm64
@mottetm mottetm changed the title Pause image from private repository Error pulling pause image from private repository Oct 29, 2024
@smira smira self-assigned this Oct 29, 2024
@smira
Copy link
Member

smira commented Oct 29, 2024

I can confirm it's a bug, but not sure whether it's containerd or Talos generating config for containerd.

@smira
Copy link
Member

smira commented Oct 29, 2024

It's a containerd bug: containerd/containerd#10916, depending on the response from the upstream, we will either wait for the next release/patch, or patch it ourselves.

smira added a commit to smira/talos that referenced this issue Oct 30, 2024
@smira
fix: use more correct condition to skip generating hosts files
5ca1317 
After a fix a while ago, the condition was hard to understand - but we
should skip this block as long as there's no TLS config, which might
mean either being nil or having default values.

I found this while debugging siderolabs#9594, but it doesn't change anything.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
@smira smira mentioned this issue Oct 30, 2024
Merged
smira added a commit to smira/talos that referenced this issue Oct 30, 2024
@smira
fix: use more correct condition to skip generating hosts files
b379506 
After a fix a while ago, the condition was hard to understand - but we
should skip this block as long as there's no TLS config, which might
mean either being nil or having default values.

I found this while debugging siderolabs#9594, but it doesn't change anything.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
@MarkLFT
Copy link

MarkLFT commented Nov 5, 2024

Can someone please confirm a version that does not have this issue? I have tried three different releases, and I cannot pull images from a private Nexus Docker repository. It am pretty sure I have the secrets set correctly, as on Ubuntu they pull correctly.

If I can find a known good release that does not have this issue, I can prove if the issue is something I am doing or the containerd problem.

Thanks.

@frezbo
Copy link
Member

frezbo commented Nov 5, 2024

1.7 talos versions will work since it uses old containerd

@MarkLFT
Copy link

MarkLFT commented Nov 5, 2024

@frezbo. Thanks for the info. Then I must be doing something wrong, as I tried version 1.7.7, and I still received an authentication error when trying to pull from a private registry.

@smira
Copy link
Member

smira commented Nov 5, 2024

This issue is only about Talos 1.8+ and specifically about pause image (pod sandbox).

@smira smira mentioned this issue Nov 5, 2024
Closed
smira added a commit to smira/pkgs that referenced this issue Nov 6, 2024
@smira
feat: update containerd to v2.0.0
bb3bf95 
Include the patch containerd/containerd#10917

See siderolabs/talos#9594

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
@smira smira mentioned this issue Nov 6, 2024
Merged
smira added a commit to smira/pkgs that referenced this issue Nov 6, 2024
@smira
feat: update containerd to v2.0.0
9a98f73 
Include the patch containerd/containerd#10917

See siderolabs/talos#9594

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
smira added a commit to smira/talos that referenced this issue Nov 6, 2024
@smira
feat: update containerd to v2.0.0
68c546e 
Also pulls in a patch, so

Fixes siderolabs#9594

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
@smira smira mentioned this issue Nov 6, 2024
Merged
smira added a commit to smira/pkgs that referenced this issue Nov 12, 2024
@smira
feat: update containerd to v2.0.0
60db990 
Include the patch containerd/containerd#10917

See siderolabs/talos#9594

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 9a98f73)
smira added a commit to smira/pkgs that referenced this issue Nov 12, 2024
@smira
feat: update containerd to v2.0.0
747c6c7 
Include the patch containerd/containerd#10917

See siderolabs/talos#9594

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 9a98f73)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@smira smira

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: update containerd to v2.0.0 smira/talos
4 participants
@smira @mottetm @MarkLFT @frezbo