1.1.0 OnBuild Error

[TomSweeneyRedHat]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

kind bug

Description
Look ups of local images seems to be failing.

Steps to reproduce the issue:

# FILE=./Dockerfile
/bin/cat <<EOM >$FILE
FROM docker.io/library/alpine:latest
RUN touch /foo
ONBUILD RUN touch /bar
EOM
chmod +x $FILE

# FILE=./Dockerfile-2
/bin/cat <<EOM >$FILE
FROM onbuild-image
RUN touch /baz
EOM
chmod +x $FILE

# podman build -f ./Dockerfile --format=docker -t onbuild-image .
# podman build -f ./Dockerfile-2 --format=docker -t result-image .
STEP 1: FROM onbuild-image
Error: error creating build container: The following failures happened while trying to pull image specified by "onbuild-image" based on search registries in /etc/containers/registries.conf:
* "localhost/onbuild-image": Error determining manifest MIME type for docker://localhost/onbuild-image:latest: pinging docker registry returned: Get https://localhost/v2/: dial tcp [::1]:443: connect: connection refused
* "docker.io/library/onbuild-image": Error determining manifest MIME type for docker://onbuild-image:latest: Error reading manifest latest in docker.io/library/onbuild-image: errors:
denied: requested access to the resource is denied
unauthorized: authentication required

* "registry.fedoraproject.org/onbuild-image": Error determining manifest MIME type for docker://registry.fedoraproject.org/onbuild-image:latest: Error reading manifest latest in registry.fedoraproject.org/onbuild-image: manifest unknown: manifest unknown
* "quay.io/onbuild-image": Error determining manifest MIME type for docker://quay.io/onbuild-image:latest: Error reading manifest latest in quay.io/onbuild-image: error parsing HTTP 404 response body: invalid character '<' looking for beginning of value: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>404 Not Found</title>\n<h1>Not Found</h1>\n<p>The requested URL was not found on the server.  If you entered the URL manually please check your spelling and try again.</p>\n"
* "registry.access.redhat.com/onbuild-image": Error determining manifest MIME type for docker://registry.access.redhat.com/onbuild-image:latest: Error reading manifest latest in registry.access.redhat.com/onbuild-image: unknown: Not Found
* "registry.centos.org/onbuild-image": Error determining manifest MIME type for docker://registry.centos.org/onbuild-image:latest: Error reading manifest latest in registry.centos.org/onbuild-image: manifest unknown: manifest unknown

Describe the results you received:

See steps to reproduce.

Describe the results you expected:
Happy image build.

Additional information you deem important (e.g. issue happens only occasionally):

This passes on the same VM with v1.0 installed.

Output of podman version:

# podman version
Version:       1.0.0
Go Version:    go1.11.4
Git Commit:    "49780a1cf10d572edc4e1ea3b8a8429ce391d47d"
Built:         Mon Jan 14 15:38:17 2019
OS/Arch:       linux/amd64

Output of podman info --debug:

# podman info --debug
debug:
  compiler: gc
  git commit: '"49780a1cf10d572edc4e1ea3b8a8429ce391d47d"'
  go version: go1.11.4
  podman version: 1.0.0
host:
  BuildahVersion: 1.6-dev
  Conmon:
    package: podman-1.0.0-1.git82e8011.fc29.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: 49780a1cf10d572edc4e1ea3b8a8429ce391d47d'
  Distribution:
    distribution: fedora
    version: "29"
  MemFree: 1264709632
  MemTotal: 2087501824
  OCIRuntime:
    package: runc-1.0.0-68.dev.git6635b4f.fc29.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc6+dev
      commit: ef9132178ccc3d2775d4fb51f1e431f30cac1398-dirty
      spec: 1.0.1-dev
  SwapFree: 2111393792
  SwapTotal: 2147479552
  arch: amd64
  cpus: 1
  hostname: localhost.localdomain
  kernel: 4.20.3-200.fc29.x86_64
  os: linux
  rootless: false
  uptime: 3h 22m 26.06s (Approximately 0.12 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
  ImageStore:
    number: 0
  RunRoot: /var/run/containers/storage

Additional environment details (AWS, VirtualBox, physical, etc.):

[TomSweeneyRedHat]

Hmmm, and this works with Buildah v1.7 released.

[mheon]

Could be the --pull-all default being changed

[mheon]

Sorry, --pull-always (--always-pull?)

[TomSweeneyRedHat]

And works on Buildah 1.8-dev which is at this point 1.7.1.

[TomSweeneyRedHat]

@mheon same error with --pull-always

[mheon]

Different vendored c/image than buildah? Running out of ideas here, there aren't many differences.

[TomSweeneyRedHat]

We've the same vendoring for c/image and c/storage....

[mheon]

Confirmed, I can reproduce locally

[mheon]

We're trying to pull onbuild-image and failing when we can't find it in registries (because it's not there).

This is 100% --pull-always - setting it to false fixes.

I think we need to change --pull-always to check locally if pulling from all sources fails.

[mheon]

@rhatdan It looks like this is going to break people trying to do a FROM with an image they tagged themselves

[TomSweeneyRedHat]

Ah, I tried setting it to true, not false. Nice catch @mheon.

[TomSweeneyRedHat]

FWIW, I can confirm that this:

docker build -f ./Dockerfile -t onbuild-image .
docker build -f ./Dockerfile-2 -t result-image .

works, so I think we need to make it work again without the pull-always.

[mheon]

I think we need to refile this against Buildah and get a fix landed there and vendored here

[rhatdan]

My understanding is we wanted to turn on --pull not --pull-always.

[mheon]

@rhatdan We enabled --pull-always by default, so if that was a mistake, we need to fix it.

The reason was that we weren't pulling the latest version of the tag if it was present on disk, so we need to verify that --pull does that.

[TomSweeneyRedHat]

I'll take a look at this.