Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

image relocation library doesn't let you specify that plain http is allowed #2297

Closed
carolynvs opened this issue Aug 15, 2022 · 2 comments · Fixed by #2273 or #2301
Closed

image relocation library doesn't let you specify that plain http is allowed #2297

carolynvs opened this issue Aug 15, 2022 · 2 comments · Fixed by #2273 or #2301
Assignees
@carolynvs

Comments

@carolynvs
Copy link
Member

I've hit this same issue using different steps but I believe it's related to the same issue as this and is not fixed by #2273. I've tried a build of porter on that branch and it still fails.

My steps to reproduce:

  1. Alias a hostname other than "localhost" to the loopback address. I have this in my /etc/hosts file:
127.0.0.1       localhost bundleregistry
  1. Start a local registry binding to default 0.0.0.0 (I'm using port 5001 but I don't think that's relevant).
$ docker run -d -p 5001:5000 --name bundle-registry registry:2
$ curl http://bundleregistry:5001/v2/_catalog
{"repositories":[]}
  1. Now try to publish a TGZ to the aliased registry:
$ porter publish -a bun.tgz -r bundleregistry:5001/test:v0.0.1 --insecure-registry
Beginning bundle publish to bundleregistry:5001/test:v0.0.1. This may take some time.
unable to push updated image: unable to push image bundleregistry:5001/test:3a3921a3fca03e4dca685528a927449c: failed to write image sha256:92679cb2412b63d073e9e2b9c3959c5253a3f0d80294faeab726487bd6b4ce32 to bundleregistry:5001/test:3a3921a3fca03e4dca685528a927449c: failed to write image bundleregistry:5001/test:3a3921a3fca03e4dca685528a927449c: Get "https://bundleregistry:5001/v2/": http: server gave HTTP response to HTTPS client
  1. But using "localhost" works:
$ porter publish -a bun.tgz -r localhost:5001/test:v0.0.1 --insecure-registry
Beginning bundle publish to localhost:5001/test:v0.0.1. This may take some time.
Starting to copy image localhost:5001/test:68516b03a700e3beb53eff53400141d5@sha256:92679cb2412b63d073e9e2b9c3959c5253a3f0d80294faeab726487bd6b4ce32...
Completed image localhost:5001/test:68516b03a700e3beb53eff53400141d5@sha256:92679cb2412b63d073e9e2b9c3959c5253a3f0d80294faeab726487bd6b4ce32 copy
Starting to copy image localhost:5001/test:16bfd780b6d9d6b1d67be18f3c207bb2@sha256:d2b5fedbbf0c15f78f41db7afb34b2af4215f15debc9438ddc861d0361c874e2...
Completed image localhost:5001/test:16bfd780b6d9d6b1d67be18f3c207bb2@sha256:d2b5fedbbf0c15f78f41db7afb34b2af4215f15debc9438ddc861d0361c874e2 copy
Bundle tag localhost:5001/test:v0.0.1 pushed successfully, with digest "sha256:0eaa28ed045037a70a133c48a72538ebe94c8b67191a2b8f09178f67387a4289"

After some investigation, I've traced this to yet more inconsistent behavior in another dependent library github.com/google/go-containerregistry.

At line 78 in https://github.com/google/go-containerregistry/blob/main/pkg/v1/remote/transport/ping.go the reg.Scheme() is "https" despite the --insecure-registry flag in porter, so it appears the property isn't getting passed through to this layer.

Comments in this ping() function and NewWithContext() in transport.go suggest this package uses its own "localhost heuristic" to determine whether to use https/TLS or plain text. I have yet to trace the call path all the way through to this function from porter, but I know that when I hack the ping() function to add an "http" scheme, things work correctly.

Originally posted by @jemgoss in #1813 (comment)
@carolynvs carolynvs changed the title go container registry doesn't detect a hostname as a loopback address image relocation library doesn't let you specify that plain http is allowed Aug 15, 2022
@carolynvs
Copy link
Member Author

I have updated the title based on more debugging. I have a patch to the pivotal/image-relocation library so that we can specify that http is allowed when --insecure-registry is set.

@carolynvs carolynvs self-assigned this Aug 15, 2022
@carolynvs carolynvs mentioned this issue Aug 15, 2022
Merged
4 tasks
@carolynvs carolynvs reopened this Aug 15, 2022
This was referenced Aug 15, 2022
Closed
Merged
@github-actions
Copy link

Closed by #2301.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@carolynvs carolynvs

Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@carolynvs