oras-py doesn't work with unauthenticated pull #56
Comments
|
I am running the command to reproduce your error - and trying with and without my token for GitHub packages in my {
"auths": {
"ghcr.io": {
"auth": "xxxxxxxxx........xxxxxxxxxxxxxxxx"
},
By default with my config in place, it looks like it's working for me: $ ls /tmp/vdb1/
data.index.vdb data.vdbAnd the full command: $ oras-py pull ghcr.io/ngcloudsec/vdb:v1 --output /tmp/vdb1
Successfully pulled /tmp/vdb1/data.vdb.
Successfully pulled /tmp/vdb1/data.index.vdb.I think GitHub packages has had an issue in the past where if you are authenticated, it actually doesn't work when it doesn't need auth (I had this error just using a standard pull). When I rename the config, I reproduce the same error as you: $ oras-py pull ghcr.io/ngcloudsec/vdb:v1 --output /tmp/vdb1
This endpoint requires a token. Please set oras.provider.Registry.set_basic_auth(username, password) first or use oras-py login to do the same.
authentication required
Issue with https://ghcr.io/v2/ngcloudsec/vdb/manifests/v1:
UnauthorizedLet me a take a look at how oras in Go does it. The message that we are getting above is correct - the server is upset that we aren't providing something and telling us we are unathorized. I'm just not sure how it works without providing something. |
|
Thanks, @vsoch, for looking into this. Another problem I faced is the use of |
|
Sure could you please open a separate issue for that? |
|
Okay pinged oras-go devs to get their feedback here - let's hope we hear back soon! As soon as we talk about the strategy they use I'm happy to implement it here. |
|
@prabhu here is a first PR to test adding exceptions - give that a whirl and let me know what you think! #57 We will need to wait for the oras-go maintainers to chime in for this issue. And don't worry about opening an issue - I just did the PR straight away so we wouldn't need to remember :P The luxury of the Thanksgiving holiday is that you can do that! 😆 |
|
Thank you so much! Will give this a try! |
|
Hey @prabhu! We found the bug I think - oras-go will generate essentially an empty token for the registry when this happens: https://github.com/oras-project/oras-go/blob/f09c8577c526c2e13172d6321b2bbb57cd7152e6/registry/remote/auth/client.go#L292-L336 and we don't do that here. I will try to make time to work on this soon, likely in the evening after work. |
|
hey @prabhu ! Thank you for your patience! The pull request at #57 now addresses both issues:
Take it for a test run and let me know if it solves the issues for you. |
|
@vsoch I cannot test it by checking out this branch due to some issues with relative imports. Could you share some instructions? |
|
What issues exactly? you should create a new environment, pull the branch directly, and install to it. |
|
|
@vsoch Thank you. It is working, but the download is significantly slow. Will try later over the weekend. |
|
okay gotcha! For the test case here, it was slow for me too. I'm not sure there is any way around that. |
|
On the first test, the python version took 14min 20sec whereas go took 11min 7sec. I will repeat it several times, but this particular issue can be closed. Thank you for the quick fix! |
|
Sure thing! And I'm not surprised about the time difference - we can definitely discuss how to improve upon it, if that's possible. I suspect Go has some more efficient ways to do the requests that we aren't emulating here. |
Works
Performing the same action via the python library results in an authentication error with get_manifest.
The text was updated successfully, but these errors were encountered: