Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to fetch container digest #527

Closed
pditommaso opened this issue Jun 13, 2024 · 4 comments · Fixed by #530
Closed

Unable to fetch container digest #527

pditommaso opened this issue Jun 13, 2024 · 4 comments · Fixed by #530
Assignees
@pditommaso

Comments

@pditommaso
Copy link
Collaborator

Once a container image is built, the digest checksum is acquired to be stored in the build metadata.

wave/src/main/groovy/io/seqera/wave/service/builder/KubeBuildStrategy.groovy

Lines 106 to 107 in ec268a9

final digest = terminated.exitCode==0 ? proxyService.getImageDigest(req.targetImage,true) : null
return BuildResult.completed(req.buildId, terminated.exitCode, stdout, req.startTime, digest)

However, in some cases, this is failing with a 401 error code (Unauthorized). See below

2024-06-13 11:47:31.044	09:47:31.044 [io-executor-thread-50] WARN  i.s.wave.core.RegistryProxyService - Unable to retrieve digest for image 'xxx.dkr.ecr.us-west-2.amazonaws.com/some-name:xxxxxxxxx' -- response status=401; headers:

  content-length=15
  content-type=text/plain; charset=utf-8
  date=Thu, 13 Jun 2024 09:47:30 GMT
  docker-distribution-api-version=registry/2.0
  sizes=
  www-authenticate=Basic realm="https://xxxx.dkr.ecr.us-west-2.amazonaws.com/",service="ecr.amazonaws.com"

This should not happen because the ProxyClient when a 401 is returned, should retry the (head) requested with a new auth token

wave/src/main/groovy/io/seqera/wave/proxy/ProxyClient.groovy

Lines 268 to 272 in ec268a9

if( result.statusCode()==401 && registry.auth.isRefreshable() ) {
// clear the token to force refreshing it
loginService.invalidateAuthorization(image, registry.auth, credentials)
result = head1(uri, headers)
}

@pditommaso
Copy link
Collaborator Author

Worth noticing the logic for GET is different form the HEAD one

wave/src/main/groovy/io/seqera/wave/proxy/ProxyClient.groovy

Lines 190 to 193 in ec268a9

if( result.statusCode()==401 && (authRetry++)<2 && host==target.host && registry.auth.isRefreshable() ) {
// clear the token to force refreshing it
loginService.invalidateAuthorization(image, registry.auth, credentials)
continue

@munishchouhan
Copy link
Member

I can see in the logs that, we only start getting this error after the deployment of version 1.8

@munishchouhan
Copy link
Member

I can see in the logs that, we only start getting this error after the deployment of version 1.8

ok because it is added in that version

@pditommaso
Copy link
Collaborator Author

I've found the problem. Opening a PR soon

@pditommaso pditommaso linked a pull request Jun 13, 2024 that will close this issue
Fix get image auth digest #530
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pditommaso pditommaso

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix get image auth digest seqeralabs/wave
2 participants
@pditommaso @munishchouhan