Infrastructure/fedora-infrastructure

Fork 0

registry.fp.o multiarch manifest lists seem to not work #7223

New issue

Closed

opened 2018-09-05 14:32:33 +00:00 by dustymabe · 19 comments

dustymabe commented

2018-09-05 14:32:33 +00:00

Describe what you need us to do:

Manifest lists don't seem to work.

[root@localhost ~]# podman pull registry.fedoraproject.org/fedora:latest                                                                                                                                                                   
Trying to pull registry.fedoraproject.org/fedora:latest...Failed
error pulling image "registry.fedoraproject.org/fedora:latest": unable to pull registry.fedoraproject.org/fedora:latest: unable to pull image, or you do not have pull access                                                              
[root@localhost ~]#
[root@localhost ~]# uname -m
aarch64
[root@localhost ~]#

pulling the explicit image seems to get farther but there might be a bug in podman for aarch64 (i'm using podman-0.8.4-1.git9f9b8cf.fc29.aarch64)

[root@localhost ~]#
[root@localhost ~]#  podman pull registry.fedoraproject.org/fedora:28-aarch64
Trying to pull registry.fedoraproject.org/fedora:28-aarch64...Getting image source signatures
Copying blob sha256:a050f587f7bc76897c77936a232ceb1db95f69c9949a8699de3eb1fa68b704c3
 84.86 MB / 84.86 MB [===================================================] 1m43s
Failed
error pulling image "registry.fedoraproject.org/fedora:28-aarch64": unable to pull registry.fedoraproject.org/fedora:28-aarch64: unable to pull image, or you do not have pull access

When do you need this? (YYYY/MM/DD)

iot edition would like this soonish

When is this no longer needed or useful? (YYYY/MM/DD)
If we cannot complete your request, what is the impact?

aarch64 machines don't get images easily

* Describe what you need us to do: Manifest lists don't seem to work. ``` [root@localhost ~]# podman pull registry.fedoraproject.org/fedora:latest Trying to pull registry.fedoraproject.org/fedora:latest...Failed error pulling image "registry.fedoraproject.org/fedora:latest": unable to pull registry.fedoraproject.org/fedora:latest: unable to pull image, or you do not have pull access [root@localhost ~]# [root@localhost ~]# uname -m aarch64 [root@localhost ~]# ``` pulling the explicit image seems to get farther but there might be a bug in podman for aarch64 (i'm using `podman-0.8.4-1.git9f9b8cf.fc29.aarch64`) ``` [root@localhost ~]# [root@localhost ~]# podman pull registry.fedoraproject.org/fedora:28-aarch64 Trying to pull registry.fedoraproject.org/fedora:28-aarch64...Getting image source signatures Copying blob sha256:a050f587f7bc76897c77936a232ceb1db95f69c9949a8699de3eb1fa68b704c3 84.86 MB / 84.86 MB [===================================================] 1m43s Failed error pulling image "registry.fedoraproject.org/fedora:28-aarch64": unable to pull registry.fedoraproject.org/fedora:28-aarch64: unable to pull image, or you do not have pull access ``` * When do you need this? (YYYY/MM/DD) iot edition would like this soonish * When is this no longer needed or useful? (YYYY/MM/DD) * If we cannot complete your request, what is the impact? aarch64 machines don't get images easily

dustymabe commented

2018-09-05 14:51:58 +00:00

Author

note skopeo gives us a bit more information for registry.fedoraproject.org/fedora:latest

[root@localhost ~]# skopeo copy docker://registry.fedoraproject.org/fedora:latest dir:/tmp/boo/
FATA[0001] Error choosing an image from manifest list docker://registry.fedoraproject.org/fedora:latest: no image found in manifest list for architecture arm64, OS linux

note skopeo gives us a bit more information for `registry.fedoraproject.org/fedora:latest` ``` [root@localhost ~]# skopeo copy docker://registry.fedoraproject.org/fedora:latest dir:/tmp/boo/ FATA[0001] Error choosing an image from manifest list docker://registry.fedoraproject.org/fedora:latest: no image found in manifest list for architecture arm64, OS linux ```

cverna commented

2018-09-05 17:30:11 +00:00

Metadata Update from @cverna:

Issue assigned to cverna

**Metadata Update from @cverna**: - Issue assigned to cverna

kevin commented

2018-09-05 22:08:28 +00:00

Metadata Update from @kevin:

Issue priority set to: Waiting on Assignee (was: Needs Review)

**Metadata Update from @kevin**: - Issue priority set to: Waiting on Assignee (was: Needs Review)

cverna commented

2018-09-06 17:34:46 +00:00

I have opened https://pagure.io/releng/pull-request/7773 to fix this.

dustymabe commented

2018-09-07 01:26:21 +00:00

Author

you asked me for this today.. here is the output. I just ran the command:

[root@localhost ~]# skopeo copy docker://registry.fedoraproject.org/fedora:rawhide dir:/tmp/coo/
FATA[0001] Error choosing an image from manifest list docker://registry.fedoraproject.org/fedora:rawhide: no image found in manifest list for architecture arm64, OS linux

you asked me for this today.. here is the output. I just ran the command: ``` [root@localhost ~]# skopeo copy docker://registry.fedoraproject.org/fedora:rawhide dir:/tmp/coo/ FATA[0001] Error choosing an image from manifest list docker://registry.fedoraproject.org/fedora:rawhide: no image found in manifest list for architecture arm64, OS linux ```

puiterwijk commented

2018-09-10 13:26:09 +00:00

Well, doing a lookup on the registry, I am only seeing a raw manifest, and not a manifest list, for fedora:rawhide: "curl https://registry.fedoraproject.org/v2/fedora/manifests/rawhide", which only has the amd64 architecture?
i.e. it doesn't look like the multi-arch manifest list is being pushed?
I do see a bunch of tags like "28-armhfp" and "28-ppc64le" in the tag list, but still no manifest lists.

Well, doing a lookup on the registry, I am only seeing a raw manifest, and not a manifest list, for fedora:rawhide: "curl https://registry.fedoraproject.org/v2/fedora/manifests/rawhide", which only has the amd64 architecture? i.e. it doesn't look like the multi-arch manifest list is being pushed? I do see a bunch of tags like "28-armhfp" and "28-ppc64le" in the tag list, but still no manifest lists.

cverna commented

2018-09-10 13:29:52 +00:00

Well, doing a lookup on the registry, I am only seeing a raw manifest, and not a manifest list, for fedora:rawhide: "curl https://registry.fedoraproject.org/v2/fedora/manifests/rawhide", which only has the amd64 architecture?
i.e. it doesn't look like the multi-arch manifest list is being pushed?
I do see a bunch of tags like "28-armhfp" and "28-ppc64le" in the tag list, but still no manifest lists.

You need to pass the -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" to the curl command to get the manifest list

> Well, doing a lookup on the registry, I am only seeing a raw manifest, and not a manifest list, for fedora:rawhide: "curl https://registry.fedoraproject.org/v2/fedora/manifests/rawhide", which only has the amd64 architecture? > i.e. it doesn't look like the multi-arch manifest list is being pushed? > I do see a bunch of tags like "28-armhfp" and "28-ppc64le" in the tag list, but still no manifest lists. You need to pass the -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" to the curl command to get the manifest list

puiterwijk commented

2018-09-10 13:32:58 +00:00

Ah. Thanks.
So, then I notice that your PR made things get pushed as "arm64v8", while Dusty's error says it can't find "arm64", which to me indeed don't seem like the same string at all?

Ah. Thanks. So, then I notice that your PR made things get pushed as "arm64v8", while Dusty's error says it can't find "arm64", which to me indeed don't seem like the same string at all?

dustymabe commented

2018-09-10 13:38:57 +00:00

Author

Ah. Thanks.
So, then I notice that your PR made things get pushed as "arm64v8", while Dusty's error says it can't find "arm64", which to me indeed don't seem like the same string at all?

It's possible the client (podman) is to blame. Does anyone know what the value should be and then we can determine if its the server or the client that is at fault?

> Ah. Thanks. > So, then I notice that your PR made things get pushed as "arm64v8", while Dusty's error says it can't find "arm64", which to me indeed don't seem like the same string at all? It's possible the client (podman) is to blame. Does anyone know what the value *should* be and then we can determine if its the server or the client that is at fault?

cverna commented

2018-09-10 13:39:41 +00:00

I used https://github.com/docker-library/official-images/blob/master/library/fedora#L13 as an example.
I could not find a proper documentation on what the registry expect. I fine with testing "arm64" instead of "arm64v8". It would be nice to know if there are more info on the registry logs.

I used https://github.com/docker-library/official-images/blob/master/library/fedora#L13 as an example. I could not find a proper documentation on what the registry expect. I fine with testing "arm64" instead of "arm64v8". It would be nice to know if there are more info on the registry logs.

puiterwijk commented

2018-09-10 13:43:21 +00:00

I believe most of Docker uses the GOARCH terms, which are: https://golang.org/doc/install/source#environment .
So I guess that podman defaults to that too.
However, the Docker official-images program uses arm64v8: https://github.com/docker-library/official-images#architectures-other-than-amd64 .

I believe most of Docker uses the GOARCH terms, which are: https://golang.org/doc/install/source#environment . So I guess that podman defaults to that too. However, the Docker official-images program uses arm64v8: https://github.com/docker-library/official-images#architectures-other-than-amd64 .

puiterwijk commented

2018-09-10 13:46:26 +00:00

@cverna I just see a 200 against the manifest list, and then a 200 against the actual manifest, and that's it.
All of the decisions for which arches to support or pull are on the client-side.

@cverna I just see a 200 against the manifest list, and then a 200 against the actual manifest, and that's it. All of the decisions for which arches to support or pull are on the client-side.

puiterwijk commented

2018-09-10 13:49:55 +00:00

(@cverna, note that this is not meant as a "you can't see the logs", I'd be totally fine with that, just giving you the info you asked for until someone takes care of your ticket for that access)

cverna commented

2018-09-10 13:50:18 +00:00

Let give "arm64" a try then 😄

Let give "arm64" a try then :smile:

cverna commented

2018-09-10 13:56:00 +00:00

(@cverna, note that this is not meant as a "you can't see the logs", I'd be totally fine with that, just giving you the info you asked for until someone takes care of your ticket for that access)

Sure thanks for helping :)

> (@cverna, note that this is not meant as a "you can't see the logs", I'd be totally fine with that, just giving you the info you asked for until someone takes care of your ticket for that access) Sure thanks for helping :)

cverna commented

2018-09-10 14:06:05 +00:00

OK so that the manifest list from the docker hub

{
'schemaVersion': 2, 
'mediaType': 'application/vnd.docker.distribution.manifest.list.v2+json', 
'manifests': [
{'mediaType': 'application/vnd.docker.distribution.manifest.v2+json', 'size': 529, 'digest': 'sha256:6
fb84ba634fe68572a2ac99741062695db24b921d0aa72e61ee669902f88c187', 'platform': {'architecture': 'amd64', 'os': 'linux'}}, 
{'mediaType': 'application/vnd.docker.distribution.manifest.v2+json', 'size': 529, 'digest
': 'sha256:dadbe43c2d90b68cd9e9ba7bdd9907f32842f3b93bf66d8f22e1fd12ac5cefcf', 'platform': {'architecture': 'arm', 'os': 'linux', 'variant': 'v7'}}, 
{'mediaType': 'application/vnd.docker.distribution.manifest.v2+
json', 'size': 529, 'digest': 'sha256:a2adc1621935869bcd51a84b007b3ee6aa8aa9aef0bf30a947f7312fd43e5b0b', 'platform': {'architecture': 'arm64', 'os': 'linux', 'variant': 'v8'}}, 
{'mediaType': 'application/vnd.doc
ker.distribution.manifest.v2+json', 'size': 529, 'digest': 'sha256:74026e25854714e616f46182b4f41a1b25a90a76b484e30142d073bec6b861df', 'platform': {'architecture': 'ppc64le', 'os': 'linux'}}]}

So it looks like arm and arm64 is the way to go

OK so that the manifest list from the docker hub ``` { 'schemaVersion': 2, 'mediaType': 'application/vnd.docker.distribution.manifest.list.v2+json', 'manifests': [ {'mediaType': 'application/vnd.docker.distribution.manifest.v2+json', 'size': 529, 'digest': 'sha256:6 fb84ba634fe68572a2ac99741062695db24b921d0aa72e61ee669902f88c187', 'platform': {'architecture': 'amd64', 'os': 'linux'}}, {'mediaType': 'application/vnd.docker.distribution.manifest.v2+json', 'size': 529, 'digest ': 'sha256:dadbe43c2d90b68cd9e9ba7bdd9907f32842f3b93bf66d8f22e1fd12ac5cefcf', 'platform': {'architecture': 'arm', 'os': 'linux', 'variant': 'v7'}}, {'mediaType': 'application/vnd.docker.distribution.manifest.v2+ json', 'size': 529, 'digest': 'sha256:a2adc1621935869bcd51a84b007b3ee6aa8aa9aef0bf30a947f7312fd43e5b0b', 'platform': {'architecture': 'arm64', 'os': 'linux', 'variant': 'v8'}}, {'mediaType': 'application/vnd.doc ker.distribution.manifest.v2+json', 'size': 529, 'digest': 'sha256:74026e25854714e616f46182b4f41a1b25a90a76b484e30142d073bec6b861df', 'platform': {'architecture': 'ppc64le', 'os': 'linux'}}]} ``` So it looks like `arm` and `arm64` is the way to go

cverna commented

2018-09-10 17:26:57 +00:00

So now it is picking the correct image but there is an issue with the certificates.

sudo docker -D pull registry.fedoraproject.org/fedora:rawhide
Trying to pull repository registry.fedoraproject.org/fedora ...
sha256:d1df13939e52b24fef32271b8f1543e90c38a1a47e84c859db45d437e463d0f3: Pulling from registry.fedoraproject.org/fedora                                                                                           
0fe73490aedd: Pulling fs layer
error pulling image configuration: Get https://cdn.registry.fedoraproject.org/v2/fedora/blobs/sha256:d00f2170d181b5605ef7b165a88be0a67200dd8f2878811df76572338d86f974: x509: certificate has expired or is not yet
valid

The same command works just fine on x86_64.

So now it is picking the correct image but there is an issue with the certificates. ``` sudo docker -D pull registry.fedoraproject.org/fedora:rawhide Trying to pull repository registry.fedoraproject.org/fedora ... sha256:d1df13939e52b24fef32271b8f1543e90c38a1a47e84c859db45d437e463d0f3: Pulling from registry.fedoraproject.org/fedora 0fe73490aedd: Pulling fs layer error pulling image configuration: Get https://cdn.registry.fedoraproject.org/v2/fedora/blobs/sha256:d00f2170d181b5605ef7b165a88be0a67200dd8f2878811df76572338d86f974: x509: certificate has expired or is not yet valid ``` The same command works just fine on x86_64.

cverna commented

2018-09-10 17:39:25 +00:00

So now it is picking the correct image but there is an issue with the certificates.
sudo docker -D pull registry.fedoraproject.org/fedora:rawhide
Trying to pull repository registry.fedoraproject.org/fedora ...
sha256:d1df13939e52b24fef32271b8f1543e90c38a1a47e84c859db45d437e463d0f3: Pulling from registry.fedoraproject.org/fedora
0fe73490aedd: Pulling fs layer
error pulling image configuration: Get https://cdn.registry.fedoraproject.org/v2/fedora/blobs/sha256:d00f2170d181b5605ef7b165a88be0a67200dd8f2878811df76572338d86f974: x509: certificate has expired or is not yet
valid

The same command works just fine on x86_64.

It was just an issue with the date of the aarch64 box I was doing the testing from :D. So this should work now, it can be tested using the rawhide image.

I will coordinate with releng to do a base image release this week.

> So now it is picking the correct image but there is an issue with the certificates. > sudo docker -D pull registry.fedoraproject.org/fedora:rawhide > Trying to pull repository registry.fedoraproject.org/fedora ... > sha256:d1df13939e52b24fef32271b8f1543e90c38a1a47e84c859db45d437e463d0f3: Pulling from registry.fedoraproject.org/fedora > 0fe73490aedd: Pulling fs layer > error pulling image configuration: Get https://cdn.registry.fedoraproject.org/v2/fedora/blobs/sha256:d00f2170d181b5605ef7b165a88be0a67200dd8f2878811df76572338d86f974: x509: certificate has expired or is not yet > valid > > > > The same command works just fine on x86_64. It was just an issue with the date of the aarch64 box I was doing the testing from :D. So this should work now, it can be tested using the rawhide image. I will coordinate with releng to do a base image release this week.

cverna commented

2018-09-10 17:40:03 +00:00

Metadata Update from @cverna: