-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error pushing container to Harbor repo with OIDC SSO auth #207
Comments
Track from Harbor: goharbor/harbor#13420 |
hey @mrd2 ! This looks like an issue with Singularity not being compliant for the OCI distribution spec, and this is indeed true. The repository here is no longer maintained - it's the old documentation site for Singularity containers, which eventually was ported to the sylabs organization, and then hpcng. You should likely close the issue here and open it up at https://github.com/hpcng/singularity/issues. I too would very much like to see the singularity command line client be OCI compliant for a registry, but it's likely a tough push because the company that runs Singularity has their own proprietary "library" client and server, and having OCI compliance would then make it easy to push to any registry and thus lose customers. If you don't get help over there, we could work on a simple script (go lang would work) that would serve to push/pull and otherwise interact with the registry for singularity, of course it would still be annoying that Singularity can't just handle it directly. But it would work easily because the SIF image is just a kind of blob, and we'd just need to artificially create a config blob and then the manifest. Feel free to ping me on the issue so I can follow along. Good luck! |
Closing this in favor of: apptainer/singularity#5691 |
This is not the case. Singularity includes functionality for pushing to OCI registries that implement ORAS, and we routinely test this against Additionally, please note that Singularity is an open source project that gladly includes contributions in this area. Recently, improved authentication handling for OCI registries has been merged for the upcoming 3.7.0 release. |
Hello!
I am having some problems pushing a container from singularity to my Harbor registry. At this time i think the problem is in the Headers being droped by my nginx reverse-proxy.
Although i suspect this, i can't validate for sure because if i try locally, i have no info on any Headers passed by Singularity, and documentation online is scarce.
My SetUp
I Have a kubernetes cluster running Harbor. The registry is behind a main load balancer that maps to the nginx-ingress in the cluster. The nginx in turn maps the requests to the pods.
Auth is managed by our internal SSO, so clients to push images must submit username and token (obtained from the harbor registry). This implementation is working nicely for ML models (using ORMB) and docker push, but not for singularity.
Testing
If i try with demo harbor repo it works successfully:
But with my deployment:
Tracking Problem (trying)
Now, for those following, the resulting SHA256 is actually the hash from an empty file.
Bellow is the output of the Harbor Core server:
See:
The bit of code that actually triggers the error is here:
Now, this can come have 2 root causes:
req.Header.Get(authHeader)
matches empty string.I checked with nginx and, headers are dropped if they start with underscore. I tried to check if singularity would send any headers like this but to my surprise, all the headers on all requests are empty (tho this is not a very sure way of validating)
I got this from the python server that i ran locally
I'm trying to understand which headers are sent from singularity, but until now i can't understand this.
Does anybody had the same problem? How did you solve it? Some pointers here would be appreciated...
The text was updated successfully, but these errors were encountered: