containerd: containerd can't pull image from Github Docker Package Registry
Using the new github docker registry containerd kubernetes can’t pull image but using docker engine based k8s works fine.
Steps to reproduce the issue:
- Create a secret with github docker registry token Follow instructions here: https://help.github.com/en/articles/configuring-docker-for-use-with-github-package-registry#authenticating-to-github-package-registry
Using kubectl
kubectl create secret docker-registry regcred --docker-server=https://docker.pkg.github.com --docker-username=<user | org>--docker-password=15650cad4e8a6602284255f7caf76134eb977b45 --docker-email=<email>
- Create pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: private-reg
spec:
containers:
- name: private-reg-container
image: docker.pkg.github.com/csantanapr/docker/knative-samples_helloworld-go
imagePullSecrets:
- name: regcred
- Create a pod
kubectl apply -f pod.yaml
Describe the results you received: Errors for the Pod pulling image
31s Normal Pulling Pod pulling image "docker.pkg.github.com/csantanapr/docker/knative-samples_helloworld-go"
31s Warning Failed Pod Failed to pull image "docker.pkg.github.com/csantanapr/docker/knative-samples_helloworld-go": rpc error: code = Unknown desc = failed to resolve image "docker.pkg.github.com/csantanapr/docker/knative-samples_helloworld-go:latest": no available registry endpoint: docker.pkg.github.com/csantanapr/docker/knative-samples_helloworld-go:latest not found
31s Warning Failed Pod Error: ErrImagePull
3s Normal BackOff Pod Back-off pulling image "docker.pkg.github.com/csantanapr/docker/knative-samples_helloworld-go"
3s Warning Failed Pod Error: ImagePullBackOff
Describe the results you expected: Pod is in Running State Here is the output when running same scenario on minikube with docker engine
Normal Pulling 2m58s kubelet, minikube Pulling image "docker.pkg.github.com/csantanapr/docker/knative-samples_helloworld-go"
Normal Pulled 2m48s kubelet, minikube Successfully pulled image "docker.pkg.github.com/csantanapr/docker/knative-samples_helloworld-go"
Normal Created 2m48s kubelet, minikube Created container private-reg-container
Normal Started 2m47s kubelet, minikube Started container private-reg-container
Output of containerd --version
:
I’m running on IKS here is the version 1.2.6
when running kubectl get nodes -o wide
kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
10.187.176.105 Ready <none> 18d v1.13.5+IKS 10.187.176.105 169.*.*.* Ubuntu 18.04.2 LTS 4.15.0-47-generic containerd://1.2.6
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Reactions: 33
- Comments: 137 (27 by maintainers)
Links to this issue
Commits related to this issue
- changing docker repository due to https://github.com/containerd/containerd/issues/3291 — committed to clintjedwards/experimental by clintjedwards 4 years ago
- Push images to Docker Hub as well, esp useful since K8S/containerd can't pull from Github Packages as per containerd/containerd#3291 Could have opted for making the GCR registry used for the Cloud Ru... — committed to chids/stoneboard by chids 4 years ago
- Push Docker image to Quay as well Workaround for containerd/containerd#3291. — committed to WISVCH/userman2 by praseodym 4 years ago
- Attempt to deploy the web app from private repo This doesn't currently work, because of a bug in the GitHub docker repo: https://github.com/containerd/containerd/issues/3291 Options: 1. When insta... — committed to cloud-71/infra by adamthalhammer 4 years ago
- Attempt to deploy the web app from private repo This doesn't currently work, because of a bug in the GitHub docker repo: https://github.com/containerd/containerd/issues/3291 Options: 1. When insta... — committed to cloud-71/infra by adamthalhammer 4 years ago
- Pull builds from dockerhub There is an issue with github packages which means they don't play nice with k8s at present. Github are aware and are fixing it https://github.com/containerd/containerd/is... — committed to RE-Discord-Development/CommunityBot by Catbuttes 4 years ago
👋 Ability to pull images by digest is in our backlog for this quarter. Apologies for the delay.
@clarkbw any news? I really think you’re underestimating the seriousness of this issue. Simply nobody who’s using Kubernetes with containerd (which is an uncontrollable combination in many cases) can use Github container registry.
Yes, we’re actively working on a solution. Give my team until the end of April and we’ll have something for you all to test.
We can close this issue out now. GHCR was (beta) released today.
I ran this again.
v2+json
HEAD works as expectedv1+prettyjws
/v1
only returns the v2 manifest so I’ll look into thisshell output
Right, thanks; this work is being done by humans with integrity and professionalism. I’m sorry we’ve let you down.
We are rolling out the feature flag to a number of people. I’m sorry if you’ve emailed me and haven’t gotten into the beta yet. Still more coming this week.
Thanks for checking in!
Dates slipped a little due to extenuating circumstances.
I’ll send a message to the maintainer group in mid May with the details for access and feedback.
Should be a public announcement by end of May.
The issue of direct sha access is with our current Docker offering. I’ve connected nearly everyone who reached out from this thread to the fix we have running. Please reach out to me clarkbw@github.com and I can get you setup as well. Hopefully soon we’ll be able to have a public offering here.
We are beginning a private beta this week. Email me, clarkbw@github.com to gain access. We had planned to be in a public beta by this point but 2020, oh she had other plans.
This is absurd.
I ❤️ GitHub but this really makes me question the integrity and professionalism of this service. I’m currently paying for a product that doesn’t even work. It’s been a month since the private beta and literally nothing notably has happened. This is a serious issue… Probably moving to Docker Hub this week… 💔
We’ll have more public news in September. Not far now.
Sorry to be annoying, but do you have any update to share @clarkbw as it has been a
couple of weeks
since the last update. Getting tripped up on this again after coming back hoping this would’ve been resolved by now.alright, that was the 🔑 , I know how to fix this in GitHub Docker Registry 😄
I’ll start working on a fix and comment on this thread when I have the fix deployed to production.
Thank you so much for trying out GPR and giving us valuable feedback ❤️
The private beta is rolling out to a number of users. This is a phased rollout over time so you may only get your instructions over the next couple weeks. Thanks!
We’ll be opening up to the maintainers group very soon and then we’ll have a Beta to share more broadly. Sorry for the delays, I appreciate your patience here.
I believe I see this error as well:
When I add the
--user
flag the error is different, yet still present:@Phanatic any updates on this?
Pushed out all the latest invites. Was out on holiday last week so apologies for the delay.
Please send feedback, good or bad. Thanks!
No credentials are provided until a 401 is received from a registry informing containerd what type of
Authorization
is expected. This could bebasic
orbearer
.containerd
does not every contacthttps://registry-1.docker.io/v2/
as this endpoint provides no purpose to the overall registry flow. This endpoint was originally put in place to distinguish a v2 registry from a v1 registry index server (this has been long deprecated and never supported by containerd). Later this year Docker will no longer contact this endpoint either as v1 registry support has been completely removed in the upcoming version of Docker.New GHCR docs are up
You can continue to namespace images down to the repo with GHCR but it is no longer required. Here are our recommended migration steps
It has been great for me! I had to change references to the new location, and get my kubernetes regcred working, but the beta itself is working smoothly.
I’m getting the following error when trying to pull with miicrok8s.
Failed to pull image "docker.pkg.github.com/resplendent-data/front-end/frontend": rpc error: code = NotFound desc = failed to pull and unpack image "docker.pkg.github.com/resplendent-data/front-end/frontend:latest": failed to copy: httpReaderSeeker: failed open: content at https://docker.pkg.github.com/v2/resplendent-data/front-end/frontend/manifests/sha256:XXXX not found: not found
Doing a docker pull works fine.
Sorry you got stuck. We are working on a solution and will have news soon.
I don’t think is only related to github registry I also faced it with docker trusted registry.
On Tue, 21 Jan 2020 at 18:45 Alex Ellis notifications@github.com wrote:
Is there at least some workaround to make it work at the moment?
Seeing this error with IBM IKS, containerd, and the docker registry deployed within IKS.
The issue is that the docker registry was backed by an external auth provider. Containerd will not send authentication until it receives a 401 with the method that should be used.
So in the auth server, when authorization header is not present, you need to return a 401 with a header
@Phanatic I would be happy to go over the registry API and how containerd client is using it.
The package registry is only returning 401 on the
/v2
“ping” endpoint. This endpoint will be removed from future version of Docker. The expected use of the API is that 401 is returned by any endpoint which requires authorization. When an endpoint returns 404 when no auth is provided, then the client will not know to provide authorization. The expected flow from a client for any resource…if no auth then return 200, 401, or 404 (only when everything is public), if with auth then return 200 or 404. This is because the start of a registry interaction may begin on any resource, as the client may not need all resources.This is all based on what is defined by https://github.com/opencontainers/distribution-spec/blob/master/spec.md rather than Docker’s current very specific flow.
@clarkbw Do you have a ballpark ETA for public fix?
Expecting more people would be giving GitHub container package registry another chance now that dockerhub updated their usage terms. https://www.docker.com/pricing/retentionfaq
@clarkbw is there any update from the folks at GH? This is still a serious issue…
@clarkbw do you have any details on planning?
I spoke with a PM from GH, seems the issue is on their backlog but it is the number one issue they are seeing with their registry implementation.
Hi, I am trying to use Kubernetes Kind and it seems I am hitting this issue, too . https://github.com/kubernetes-sigs/kind/issues/870
I tried both 1.2 and 1.3 latest released versions and I am still getting the same error.
We would like to see this issue resolved. This is blocking us from using Github registry.
@Phanatic The manifest fetch by digest doesn’t seem to work for me too. Is it because I’m missing something or this is a known issue/feature? Thanks.
Please email me for access!
@clarkbw sorry for hijacking the thread, but this is kind of related to this issue; are public GH package (docker) registries still on the radar?
For anybody having issues with running outdated images with docker swarm, a workaround for me was the Following:
Instead of using a moving tag like
:latest
, tagging images with the commit sha instead, so for example:latest-5716e43
and then pulling that image. As there is only one image that has the tag I don’t encounter any issues of outdated images on different nodes.@clarkbw would still be nice to see this asap as the github package registry is pretty useless for Docker if you can’t access images by sha
@clarkbw any news when this will be fixed?
I had this problem and spent 3 days on it, finally stumbled upon this thread that it was is an issue on GitHub’s end.
I don’t understand the details of the specification here. Just from layman’s perspective, all these other docker registry’s work with the
docker
command. Why can’t containerd just do that docker is doing? I thought the recent Docker releases just uses containerd under the hood.@clarkbw wondering if there’s any progress on GitHub’s side on this issue?
For my testing use cases, I have “solved” it by moving the images from a private github registry to the one provided by gitlab. But I’m curious to know if GitHub folks are able to solve this for real
@narqo the way I solved was setting up a docker registry in front of the main registry acting as a proxy. Now I can pull/images using containerd.
@tamalsaha This is the same issue that was reported earlier and a registry side fix. @Phanatic for an update.
Thanks, the authentication seems to work now.
The manifest fetch by digest doesn’t seem to work though.
Also I recommend returning the
Docker-Content-Digest
header on manifest requests to avoid making the client do an extraGET
for digest computation.More generally, fetching by tag is done to resolve to a digest. In this case the registry is used as a trusted source for what that named tag represents. Client may also use external ways to trust a name such as notary or always pinning their deployed images to a manifest digest.
I’m fine closing this one, also allows for Celebration 🥳
@clarkbw could you open the 2 new issues, I would not know how to describe the issue or reproduce.
We can leave this issue open and track, or open 2 new issues in this repo since these things affect containerd users.
Thanks @dfreilich for the tip the change to use
ghcr.io
and also moving from docker package registry per repo to the new container registry without repo made it work.My example is now working @clarkbw 🌮 🎉
I didn’t read that there were changes
@csantanapr As per https://docs.github.com/en/packages/getting-started-with-github-container-registry/migrating-to-github-container-registry-for-docker-images#domain-changes, the domain for the registry is
ghcr.io
, in place ofdocker.pkg.github.com
. Try it with that?I would like access to test this with faasd please @clarkbw
@clarkbw can you add activengage org, too?
Awesome; thank you @clarkbw for your personal involvement and supervision on this issue. I’m sure everyone here appreciates that ❤️
Here’s a nasty little workaround for thoses who:
In your CI scripts call:
Basically you ask Docker scheduler to stop all the services under {{ your_stack_name }} orchestrator. A little knack of docker swarm is that
docker stack rm
will immediately return even if some services are not properly closed chich may cause networking errors when you try to deploy again. That’s why we use a small inline scriptuntil [ -z $(docker stack ps {{ your_stack_name }} -q) ]; do sleep 1; done
to wait for the proper return.Hopes it saves a few folks headaches. I guess a similar temporary fix will help you out.
This is quite a frustrating issue, for our apps that MUST use blue/green deploys we bought a private repo to fix the problem.
@jaschaio I tried it with GitHub sha, but it still doesn’t work, once the stack deploy has run, it doesn’t change and gives the same error. Am I missing something here:
I am using it like this
PS: I checked, the containers are getting deployed, but the error message is still there. Thanks for your help! Cheers!
A tip here, you can use a Github action which lets you delete docker images from the registry, with the combination of that and this approach I able to deploy and not have a bunch of images lying around.
I got informed by @clarkbw that this is moving on GitHub’s side (but I don’t have an ETA).
@1player very likely the same cause;
docker service
resolves (and pulls) images by digest, which is what isn’t supported currently by GitHub’s registrystay tuned
Just to be clear, is this issue being classed as a problem with GitHub’s registry, rather than with containerd? Is there somewhere upstream that we can track it and link back to? Anybody have friends with GitHub engineering?
@cpuguy83 How long has this been on the backlog? I’m concerned that this is a breaking bug, opened almost a year ago and we’re still discussing this. It’s putting me off a little to “commit” to GH.
Is there an ETA on this?
ref: https://docs.docker.com/registry/recipes/mirror/
@Phanatic did you have any luck reproducing it inside a github’s lab? I have the same results as https://github.com/containerd/containerd/issues/3291#issuecomment-560412099 when trying to use github registry from k3s:
@ArpithaDR that is a separate issue and a different registry provider. JFrog’s registry has a different set of issues that they also need to fix upstream, maybe related to #3556
Hello is this issue resolved?
I am getting
406 Not Acceptable
when trying to pull fromdocker.pkg.github.com
and I can’t find any reference for this status code anywhereI have tried both with user creds and without and I got the same output
awesome, thanks for the context! I’ll read up on https://github.com/opencontainers/distribution-spec/blob/master/spec.md and try to setup a repro that I can use to debug this further. I’d love to get the gaps identified so we can tackle them all in one go.
Thanks @dmcgowan and @Phanatic for the quick follow up on this.