Images.buildKit.Args get ignored while using localRegistry #2700

Open
ArcticXWolf opened this issue Aug 24, 2023 · 3 comments
Labels
kind/bug Something isn't working

Comments

ArcticXWolf commented Aug 24, 2023

What happened?
I want to add specific buildKit options (--secret ...) to the image build process, but also deploy to the local registry.
However, enabling the localRegistry weirdly overwrites the complete buildKit stanza in the devspace.yaml and no args are being applied.

What did you expect to happen instead?
That devspace applies images.[imagename].buildKit.args even when enabling localRegistry.

How can we reproduce the bug? (as minimally and precisely as possible)
Create the following three files in a new folder:

Dockerfile

FROM ubuntu

RUN --mount=type=secret,id=mysecret,dst=/secretfile cat /secretfile

secretfile

THIS IS A SECRET

devspace.yaml

version: v2beta1
name: test

vars:
  IMAGE: testimage
  DOCKERFILE: "./Dockerfile"

images:
  testimage:
    image: ${IMAGE}
    dockerfile: "${DOCKERFILE}"
    rebuildStrategy: ignoreContextChanges
    buildKit:
      args:
        - "--progress=plain"
        - "--secret"
        - "id=mysecret,src=./secretfile"

deployments: {}
dev: {}
localRegistry:
  enabled: true

Output on devspace build:

❯ devspace build --debug
12:01:38 info Using namespace 'default'
12:01:38 info Using kube context 'testcluster'
12:01:38 debug Use config:
version: v2beta1
name: test
images:
    testimage:
        name: testimage
        image: testimage
        dockerfile: ./Dockerfile
        rebuildStrategy: ignoreContextChanges
        buildKit:
            args:
                - --progress=plain
                - --no-cache
                - --secret
                - id=mysecret,src=./secretfile
localRegistry:
    enabled: true


12:01:38 debug Run pipeline:
name: build
run: |-
    run_dependencies --all --pipeline build
    build_images --all


12:01:38 run_dependencies --all --pipeline build
12:01:38 Marked project excluded: test
12:01:38 build_images --all
12:01:38 Ensuring image pull secret for registry: hub.docker.com...
12:01:38 Couldn't retrieve username for registry  from docker store
12:01:38 Couldn't retrieve password for registry  from docker store
12:01:39 local-registry: Starting Local Image Registry
12:01:39 local-registry: Namespace default is the default Devspace namespace
12:01:39 local-registry: Wait for local registry node port to be assigned...
12:01:39 local-registry: Check for running local registry
12:01:39 local-registry: Wait for running local registry pod...
12:01:40 build:testimage Rebuild image testimage because tag is missing
12:01:40 build:testimage Building image 'testimage:UIBCLmB' with engine 'localregistry'
12:01:40 build:testimage Sending build context to Docker daemon  4.096kB
12:01:40 build:testimage #1 [internal] load remote build context
12:01:40 build:testimage #1 DONE 0.0s
12:01:40 build:testimage 
12:01:40 build:testimage #2 copy /context /
12:01:40 build:testimage #2 DONE 0.0s
12:01:40 build:testimage 
12:01:40 build:testimage #3 [internal] load metadata for docker.io/library/ubuntu:latest
12:01:41 build:testimage #3 DONE 0.9s
12:01:41 build:testimage 
12:01:41 build:testimage #4 [stage-0 1/2] FROM docker.io/library/ubuntu@sha256:ec050c32e4a6085b423d36ecd025c0d3ff00c38ab93a3d71a460ff1c44fa6d77
12:01:41 build:testimage #4 resolve docker.io/library/ubuntu@sha256:ec050c32e4a6085b423d36ecd025c0d3ff00c38ab93a3d71a460ff1c44fa6d77 done
12:01:41 build:testimage #4 CACHED
12:01:41 build:testimage 
12:01:41 build:testimage #5 [stage-0 2/2] RUN --mount=type=secret,id=mysecret,dst=/secretfile cat /secretfile
12:01:41 build:testimage #0 0.053 cat: /secretfile: No such file or directory
12:01:41 build:testimage #5 ERROR: process "/bin/sh -c cat /secretfile" did not complete successfully: exit code: 1
12:01:41 build_images: build images: error building image localhost:30211/testimage:UIBCLmB: failed to solve: process "/bin/sh -c cat /secretfile" did not complete successfully: exit code: 1
12:01:41 fatal exit status 

Local Environment:

  • DevSpace Version: 6.3.2
  • Operating System: linux
  • ARCH of the OS: AMD64 | ARM64 | i386

Kubernetes Cluster:

  • Cloud Provider: other
  • Kubernetes Version: 1.24.2 (irrelevant since this issue is not interacting with kubernetes)

Anything else we need to know?
I have already debugged the issue in devspace code. The reason is that when you enable the localRegistry, then unintuitively a different docker builder is being used (localregistry vs buildkit). The localregistry builder also uses buildkit (for online builds) or docker (for local builds), but does not reuse the code from the real buildkit or docker builder.

Thus the localregistry builder does not have any access to the images.[imagename].buildKit.args config parameters and cannot apply those to the build. This is also the same when setting localRegistry.localbuild=true.

The problem is: We need a local build with buildkit (which works when disabling localRegistry) AND need to push the image to the local registry. But currently you cannot use both together.

My proposal (but since I do not know the devspace code well you might have different opinions/reasons) would be to isolate the build and push parts of the devspace build pipeline, so any builder can be used with localRegistry. This also makes localRegistry more DRY, since you do not implement the full docker build pipeline there AND in the docker/buildKit builder.

Also: is there a workaround to already use this now? (creating a new pipeline or else)

@ArcticXWolf ArcticXWolf added the kind/bug Something isn't working label Aug 24, 2023
@ArcticXWolf
Author

Just to clarify our use case:
We need to build an image which uses python and one of the pip packages is inside a private PyPI index. So we need to include the credentials for this during the pip install step of the build. However, copying or setting the credentials via envs will leak them in the image layer history. Thus we want to use the intended mechanism of buildkit secrets.

So we need devspace to:

  • Use the local buildkit builder (otherwise the builder cannot access local files)
  • Use the buildkit args that we set in devspace.yaml
  • Push the image to the local registry

All three together are currently not possible, because the upload to local registry is bound to its own set of builders (docker or remote buildkit).
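
An added example (not part of the original issue and not DevSpace's own code): a pre-flight check that compares the secret ids a Dockerfile mounts with the ids that `buildKit.args` supplies, treating the args as absent when `localRegistry.enabled` is true, as reported above for DevSpace 6.3.2. The function names and the already-parsed `CONFIG` dict are assumptions made for illustration; only mounts with an explicit `id=` are considered.

```python
import re

# Constructed sample input, copied from the reproduction in this issue.
DOCKERFILE = """\
FROM ubuntu
RUN --mount=type=secret,id=mysecret,dst=/secretfile cat /secretfile
"""
CONFIG = {  # the issue's devspace.yaml, as already-parsed YAML (assumption)
    "images": {"testimage": {"buildKit": {"args": [
        "--progress=plain", "--secret", "id=mysecret,src=./secretfile"]}}},
    "localRegistry": {"enabled": True},
}

def _fields(spec):
    """Split 'k=v,k2=v2' into a dict; bare keys map to ''."""
    return dict(p.partition("=")[::2] for p in spec.split(",") if p)

def mounted_secret_ids(dockerfile):
    """Secret ids requested by RUN --mount=type=secret,id=... instructions."""
    ids = set()
    for spec in re.findall(r"--mount=(\S+)", dockerfile):
        f = _fields(spec)
        if f.get("type") == "secret" and f.get("id"):
            ids.add(f["id"])
    return ids

def supplied_secret_ids(args):
    """Secret ids passed as '--secret', 'id=...' or '--secret=id=...'."""
    ids, it = set(), iter(args)
    for arg in it:
        if arg == "--secret":
            spec = next(it, "")
        elif arg.startswith("--secret="):
            spec = arg[len("--secret="):]
        else:
            continue
        ids.add(_fields(spec).get("id", ""))
    return ids - {""}

def unsatisfied_secrets(config, image, dockerfile):
    """Mounted secret ids that the effective build args do not supply."""
    args = config["images"][image].get("buildKit", {}).get("args", [])
    if config.get("localRegistry", {}).get("enabled"):
        # Behaviour reported in this issue: the localregistry builder
        # never receives images.<name>.buildKit.args, so nothing is supplied.
        args = []
    return sorted(mounted_secret_ids(dockerfile) - supplied_secret_ids(args))

if __name__ == "__main__":
    print(unsatisfied_secrets(CONFIG, "testimage", DOCKERFILE))
```

Run before `devspace build`, a non-empty result means the build will start without those secrets, which in the log above surfaces only as `cat: /secretfile: No such file or directory`.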

@lizardruss
Collaborator

Hello! Thanks for submitting an issue. This is something we will work on enabling.

@jmeickle-theaiinstitute

Also ran into this and spent a lot of time against it before I realized what was happening.
