VCH appears to pull 5 times manifest from Harbor when I issue "docker pull", it blocks docker pull #5950
Comments
Uploading log bundle.
Looking at the timestamps it's overtly performing a retry/backoff increasing by 5s each time, meaning this loop: https://github.com/vmware/vic/blob/master/pkg/fetcher/fetcher.go#L172
This was done using this OVA https://storage.googleapis.com/vic-product-ova-builds/vic-4efc2f2e-dev.ova
logs-debug.zip
This
Other items of note: Probably introduced by the Admiral integration - they are almost always coming in clusters of 3, with two basically concurrent and then a third after some delay. I'm assuming for now this relates to whatever is pulling.
Access denied errors should be self explanatory - this is a problem only if we should have been able to access the registry at this point - unknown without more context.
This is a problem - either the error message should not be an error (if the registry is configured as insecure and there'll be a fallback), or the registry is misconfigured.
@hickeng I can confirm only the 412 is relevant, other errors are due to misconfigurations. I have discussed with @chengwang86, we believe the root cause is VCH trying to pull v1 manifest, while vanilla docker only pulls v2 manifest.
Chatted with @reasonerjt. Here is our understanding of this issue: In vic engine, we pull the image manifest twice:
At harbor side, for
Harbor will fix this on their side by adding support for schema 1 for content trust. We will add schema 2 pull support in VIC engine in the future. #5963
When I issue
docker pull 10.160.247.138/default-project/hello-world:signed
via a vanilla docker the requests look like this:
However when I issue the same command against a VCH, it failed:
And the requests look like this:
Note only the first request has header "application/vnd.docker.distribution.manifest.v2+json"
The problem is that it appears VCH keeps sending requests after receiving the 200.
And Harbor will use the v2 digest of an image to match the signature and vulnerability data of the image; when the header is not set, the digest returned by Registry is incorrect, probably v1.
Hence the "project level content trust" and "prevent pulling vulnerable image" work with vanilla docker but fail in the integration with VCH.
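
The digest mismatch described in this issue, as an added Go sketch that is not code from VIC, Harbor or the original report: a manifest endpoint that serves schema 2 only when the `Accept` header asks for it, behind a policy check keyed on the schema 2 digest. Assumptions: the manifest bodies are constructed, `policyCheck` is a hypothetical model of the Harbor-side check (with the 412 taken from the thread), and the digest is simply SHA-256 over the bytes served.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const (
	mediaV2 = "application/vnd.docker.distribution.manifest.v2+json"
	// Constructed manifest bodies standing in for the two forms of one image.
	bodyV2 = `{"schemaVersion":2,"mediaType":"` + mediaV2 + `","layers":[]}`
	bodyV1 = `{"schemaVersion":1,"name":"default-project/hello-world","tag":"signed"}`
)

func digest(body string) string { return fmt.Sprintf("sha256:%x", sha256.Sum256([]byte(body))) }

// negotiate models the registry: schema 2 only when the Accept header lists it.
func negotiate(accept string) string {
	if strings.Contains(accept, mediaV2) {
		return bodyV2
	}
	return bodyV1
}

// policyCheck is a hypothetical stand-in for the Harbor check: trust data is
// keyed by the schema 2 digest, so a manifest with any other digest gets a 412.
func policyCheck(w http.ResponseWriter, r *http.Request) {
	body := negotiate(r.Header.Get("Accept"))
	if digest(body) != digest(bodyV2) {
		http.Error(w, "no trust data for "+digest(body), http.StatusPreconditionFailed)
		return
	}
	w.Header().Set("Docker-Content-Digest", digest(body))
	fmt.Fprint(w, body)
}

// pullStatus sends one manifest GET; "" models a client that accepts no schema 2.
func pullStatus(accept string) int {
	req := httptest.NewRequest("GET", "/v2/default-project/hello-world/manifests/signed", nil)
	req.Header.Set("Accept", accept)
	rec := httptest.NewRecorder()
	policyCheck(rec, req)
	return rec.Code
}

func main() { fmt.Println("v2 Accept:", pullStatus(mediaV2), "no Accept:", pullStatus("")) }
```

The same tag passes or fails the policy purely on the client's `Accept` header, which is why a client that omits the schema 2 media type is blocked while vanilla docker is not.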