-
Notifications
You must be signed in to change notification settings - Fork 425
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Singularity cannot push to harbor #5691
Comments
Do we have any roadmap for this? @vsoch Ping as requested |
What version of harbor are you using? Singularity will push oras without issue to other registries including docker/registry, and the Azure Container Registry so it is not a universal issue pushing to an OCI registry. |
I'm using Harbor 2.1 installed with Helm Chart v1.5.0 |
Thanks - we'll look into this further. @ikaneshiro - any thoughts off the top of your head? |
@mrd2 - just came across this comment: goharbor/harbor#13420 (comment)
In this case I think we would have the situation where:
However this is assuming your harbor deployment Can you confirm whether or not that is the case? We need to get a matching setup to diagnose this. If you can try with a non-SSO / OIDC configured harbor instance with a username/password that would be helpful. Singularity uses the |
I updated What i said. I tried admin:pass still with the OSS set up assuming that Harbor's internal override of the auth mode to db_auth would make it work. I will try with a set up without SSO to check this furder. It will also help to completly discard a proxy problem. |
So, new evidence comes to light that this is probably an SSO problem and/or derived from github.com/containers/image. One of our users that is actively pushing for this just gave me a glimpse of an error when pushing to gitlab registry that presents the exact same error as with harbor. I will try to search for some issue in gitlab and update @vsoch for follow ref |
Hey. I'm closing in on the problem, this seems to be a CLI side error. To test this, i am currently testing submitting the sif package manually into the remote registry. By following the manifest obtained before. {
"schemaVersion": 2,
"config": {
"mediaType": "application/vnd.sylabs.sif.config.v1+json",
"digest": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"size": 0
},
"layers": [
{
"mediaType": "appliciation/vnd.sylabs.sif.layer.tar",
"digest": "sha256:c43c3ff660e01b55eb5d041d15cdcbd74a93e7d7d48fd14de03becd9bf42c979",
"size": 2760704,
"annotations": {
"org.opencontainers.image.title": "alpine_latest.sif"
}
}
]
} Using the oras CLI:
I created a dir as follows:
Pushing with oras yields the same error. oras push registry.foo.bar/dtomasgu/alpine:latest --manifest-config /dev/null:appliciation/vnd.sylabs.sif.layer.tar alpine_latest.sif
Uploading 93fbf43f73c4 alpine_latest.sif
Error: failed commit on ref "unknown-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": unexpected status: 500 Internal Server Error I suspect this is a manifest config problem. So now trying to upload with the configuration file as per oras docs: This is the contents of my config.json {
"mediaType": "application/vnd.sylabs.sif.config.v1+json",
"digest": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"size": 0
} Pushing: oras push registry.foo.bar/dtomasgu/alpine:latest --manifest-config config.json:appliciation/vnd.sylabs.sif.layer.tar alpine_latest.sif
Uploading 93fbf43f73c4 alpine_latest.sif
Pushed registry.foo.bar/dtomasgu/alpine:latest
Digest: sha256:996bc74b7705fcc5659ce86549cbaef42b12891e32ae1b9b632320d4bd1ef630 Note the --manifest-config now includes the config.json file instead of /dev/null and the image uploads successfully. At this point in time, i dont understand how the manifest config options work (i would apreciate some instruction here) but refactoring this it seems that we want something like this?? $oras push registry.foo.bar/dtomasgu/alpine:latest --manifest-config config.json:application/vnd.sylabs.sif.config.v1+json alpine_latest.sif
Uploading 93fbf43f73c4 alpine_latest.sif
Pushed registry.foo.bar/dtomasgu/alpine:latest
Digest: sha256:0032663c2712dbce3418b30574db24239e15072038bfedf42aed29808ad73aa9 ~/singularity/test$ cat config.json
{
"mediaType": "appliciation/vnd.sylabs.sif.layer.tar"
} oras push registry.foo.bar/dtomasgu/alpine:latest alpine_latest.sif:appliciation/vnd.sylabs.sif.layer.tar
Uploading 93fbf43f73c4 alpine_latest.sif
Pushed registry.foo.bar/dtomasgu/alpine:latest
Digest: sha256:a2b2c2158d7935706090d05930fba0dcf0af12498c8e2800a1b9c7d8df931526 Because Harbor may say that this is fixed in goharbor/harbor@033d6da oras push registry-staging.foo.bar/dtomasgu/alpine:latest --manifest-config /dev/null:appliciation/vnd.sylabs.sif.layer.tar alpine_latest.sif
Uploading 93fbf43f73c4 alpine_latest.sif
Error: failed commit on ref "unknown-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": unexpected status: 500 Internal Server Error oras push registry-staging.foo.bar/dtomasgu/alpine:latest --manifest-config config.json:appliciation/vnd.sylabs.sif.layer.tar alpine_latest.sif
Uploading 93fbf43f73c4 alpine_latest.sif
Pushed registry-staging.foo.bar/dtomasgu/alpine:latest
Digest: sha256:996bc74b7705fcc5659ce86549cbaef42b12891e32ae1b9b632320d4bd1ef630 $ oras push registry-staging.foo.bar/dtomasgu/alpine:latest --manifest-config config.json:application/vnd.sylabs.sif.config.v1+json alpine_latest.sif
Uploading 93fbf43f73c4 alpine_latest.sif
Pushed registry-staging.foo.bar/dtomasgu/alpine:latest
Digest: sha256:0032663c2712dbce3418b30574db24239e15072038bfedf42aed29808ad73aa9 ~/singularity/test$ cat config.json
{
"mediaType": "appliciation/vnd.sylabs.sif.layer.tar"
} $ oras push registry-staging.foo.bar/dtomasgu/alpine:latest alpine_latest.sif:appliciation/vnd.sylabs.sif.layer.tar
Uploading 93fbf43f73c4 alpine_latest.sif
Pushed registry-staging.foo.bar/dtomasgu/alpine:latest
Digest: sha256:a2b2c2158d7935706090d05930fba0dcf0af12498c8e2800a1b9c7d8df931526 Same results back to back between Harbor v2.1.0 and v2.2.0-rc2. Fetching from the registry, something is missing/wrong: singularity pull oras://registry.foo.bar/dtomasgu/alpine:latest
FATAL: While pulling image from oci registry: error fetching image to cache: failed to get checksum for oras://registry.foo.bar/dtomasgu/alpine:latest: no layer found corresponding to SIF image |
$~/singularity/test$ oras push registry.foo.bar/dtomasgu/alpine:latest --manifest-config config.json alpine_latest.sif:appliciation/vnd.sylabs.sif.layer.tar
Uploading 93fbf43f73c4 alpine_latest.sif
Pushed registry.foo.bar/dtomasgu/alpine:latest
Digest: sha256:d2b50c174801f6838998b89a0785569afb2f29df9a607d13d0ea79958f538843
$~/singularity/test$ cat config.json
{
"mediaType": "application/vnd.sylabs.sif.config.v1+json",
"digest": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"size": 0
}
$ singularity pull oras://registry.foo.bar/dtomasgu/alpine:latest
INFO: Downloading oras image |
Thanks for all of this information. Does harbor accept a push using
If it does accept that, it appears we should probably just use that instead of However, it still seems like harbor should probably accept the completely empty https://github.com/deislabs/oras#pushing-artifacts-with-single-files It is also noted there that the config is optional...
If this is within-spec use of oras it seems this is a harbor conformance problem - and I note that you are following that route too. |
Thanks @dioguerra - since harbor is getting more and more used I'll look at putting the workaround in our code even if this appears to be a conformance issue on the harbor side for bare single file ORAS pushes. I have a harbor install I can test against here, once I turn my home dev servers machines back on. Am in Texas where we are still having to conserve power due to winter storms for a bit. ❄️ |
@dtrudg When you have something, ping me i can test |
@dioguerra - I just sat down to implement the
Do you have any issue if you compile singualrity from the |
Hey @dtrudg, hope everything is well with you... News where not kind with Texas. :( As far as i know, with plain Harbor this is a non issue. It only happens with Harbor behind OIDC. Also, @dcsouthwick found another problem that i also need to investigate. |
I'll jump in here, as it was me pestering @dioguerra in the first place trying to push .sif 😄 Indeed using the above oras work-around, I can manually push "small" sif images to OIDC harbor - however once we got that working, I found pushing a larger image (for example, I'm guessing either the oras module singularity uses, or the default configuration for harbor isn't happy with large single-layer images. Will try and investigate more... |
Hi all... okay, I'll put this on the 'more investigation required' pile. The oras module is known working for me on multi GB images (albeit to other registries), so the 504 is likely the harbor install. Sorry I missed that this config issue only happens with OIDC... that's really odd that the authentication mechanism would impact behavior with / without a config. I'll need to setup something... or we may already have a test instance hooked up to OIDC that I can find somewhere. |
Okay... got something now with harbor authenticating with OIDC / keycloak...
Will be able to try out the |
Hey @dtrudg, I have news! This image being uploaded was actually failing because of issues on our side (related to connection drops)
Reproduce with: oras push registry-staging.foo.bar/dtomasgu/root-f31:latest --manifest-config config.json root-f31_latest.sif:appliciation/vnd.sylabs.sif.layer.tar & With config.json: {
"mediaType": "appliciation/vnd.sylabs.sif.layer.tar",
"digest": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"size": 0
}
I think we can try the work around? Hope this helps! |
Hey @dtrudg, Sorry to be pesky. Should i have a go at this? |
Hi @dioguerra - if you'd like to have a go, please do. Sorry - it's on my to-do list and I will get to it before 3.8 but can't guarantee when that'd be. |
I can add a small update to this: Pushing can be done with command line oras cli binary to Harbor 2.2 behind OIDC login, without the above manual manifest include using a different OCI type:
Pulling natively:
Notes: Pushing with ORAS requires the OCI SIF metatype or the pushed image will not be pull-able. Pulling with singularity requires the tag/hash. Singularity cannot resolve "latest" automatically for some reason from oras... Pushing with singularity currently fails for unknown reasons, despite its reliance on ORAS natively. |
@dcsouthwick - thanks. Sounds like something may have changed with Harbor 2.2 here? Singularity sets the type on the SIF But also provides a config which has a type, but is empty... This is working on the other registries we've tried, but harbor doesn't like it. I'm pretty sure the safest fix will be to provide some JSON for the config here. I have this on my list for today now, as we have a Harbor 2.2 instance with OIDC auth handy, and I'm working with it otherwise as well. |
If you can give #5951 a try that'd be appreciated. I have verified against harbor 2.2. It's a very simple retry-based workaround, so a little ugly... but I don't see another way short of the complexity of identifying our destination registry as one in an 'incompatible' list for the config media type. I don't believe we should invest in that, given the registry supporting oras should accept the custom config media type. |
I have noticed similar behaviour as posted by @dcsouthwick on GitLab container registry. I could push the image into registry using Using Little issue I found on GitLab registry is that the image doesnt have Does singularity includes |
@mahendrapaipuri - please could you try with the referenced PR and see if it works to push/pull now to GitLab container registry? Anything that implements the ORAS specification properly should work. Further fixes are a case of needing workaround for registries that don't support ORAS fully for arbitrary types. The metadata that the GitLab container registry is showing about images is part of the OCI container image formats. Singularity's SIF images that you are pushing are not an OCI container image, so they do not have this metadata at all. The ORAS specification doesn't have a generic metadata format, and the OCI registry only sees a single file blob... not an OCI container image with the metadata it can understand. |
@mahendrapaipuri - I found a discussion around this here btw... https://gitlab.com/gitlab-org/gitlab/-/issues/324709 |
@dtrudg Actually, I just finished testing and YES, it works now on GitLab registry now. I could push and pull the image using Yes, thats what I understood about the metadata of the singularity's SIF image.
That discussion actually brought me here. That issue still exists though even with the referenced PR. I will check with ORAS, if I can add |
Hi @dtrudg, I pulled your patch into a build from master, and I can confirm that worked for me with Harbor! Both push & pull working as expected so far! |
Thanks @dcsouthwick |
Hello!
I am having some problems pushing a container from singularity to my Harbor registry. At this time i think the problem is in the Headers being droped by my nginx reverse-proxy.
Although i suspect this, i can't validate for sure because if i try locally, i have no info on any Headers passed by Singularity, and documentation online is scarce.
My SetUp
I Have a kubernetes cluster running Harbor. The registry is behind a main load balancer that maps to the nginx-ingress in the cluster. The nginx in turn maps the requests to the pods.
Auth is managed by our internal SSO, so clients to push images must submit username and token (obtained from the harbor registry). This implementation is working nicely for ML models (using ORMB) and docker push, but not for singularity.
Testing
If i try with demo harbor repo it works successfully:
But with my deployment:
Tracking Problem (trying)
Now, for those following, the resulting SHA256 is actually the hash from an empty file.
Bellow is the output of the Harbor Core server:
See:
The bit of code that actually triggers the error is here:
Now, this can come have 2 root causes:
req.Header.Get(authHeader)
matches empty string.I checked with nginx and, headers are dropped if they start with underscore. I tried to check if singularity would send any headers like this but to my surprise, all the headers on all requests are empty (tho this is not a very sure way of validating)
I got this from the python server that i ran locally
I'm trying to understand which headers are sent from singularity, but until now i can't understand this.
Does anybody had the same problem? How did you solve it? Some pointers here would be appreciated...
The text was updated successfully, but these errors were encountered: