Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Docker.io rancher-agent:v2.7.2 Tag Fails to Download all OS versions. manifest unknown output #1394

Closed
bfreidank opened this issue Apr 28, 2023 · 14 comments · Fixed by #1404
Closed

[Bug]: Docker.io rancher-agent:v2.7.2 Tag Fails to Download all OS versions. manifest unknown output #1394

bfreidank opened this issue Apr 28, 2023 · 14 comments · Fixed by #1404
Assignees
@eusebiu-constantin-petu-dbk
Labels
awaiting-answers bug Something isn't working rm-external Roadmap item submitted by non-maintainers

Comments

@bfreidank
Copy link

zot version

v1.4.3

Describe the bug

Setup onDemand repository to point to https://docker.io/rancher which fails to sync all OS types/arch and produces the following output:

Trying to pull server-fqdn:5000/rancher/rancher-agent:v2.7.2... Error: initializing source docker://server-fqdn:5000/rancher/rancher-agent:v2.7.2: reading manifest v2.7.2 in server-fqdn:5000/rancher/rancher-agent: manifest unknown: manifest unknown

The output of zot.log includes the following:
2023-04-28 13:31:13 skipping syncing on demand rancher/rancher-agent from [https://docker.io] registry because it's filtered out by content config
2023-04-28 13:31:13 couldn't get upstream image docker.io/rancher/rancher-agent:v2.7.2 notary references
2023-04-28 13:31:13 failed to stat blob
2023-04-28 13:31:13 cache: not found
2023-04-28 13:31:13 cache: not found
2023-04-28 13:31:13 cache: not found
2023-04-28 13:31:13 cache: not found
2023-04-28 13:31:13 cache: not found
2023-04-28 13:31:13 failed to stat blob
2023-04-28 13:31:13 failed to stat blob
2023-04-28 13:31:13 cache: not found
2023-04-28 13:31:13 copying image docker.io/rancher/rancher-agent:v2.7.2 to /tmp/zot/rancher/rancher-agent/.sync/dae5b3da-dc51-4799-a530-7e81cafb26d5
2023-04-28 13:31:13 pushing synced local image /tmp/zot/rancher/rancher-agent/.sync/dae5b3da-dc51-4799-a530-7e81cafb26d5/rancher/rancher-agent:v2.7.2 to local registry
2023-04-28 13:31:13 sync routine: docker.io/rancher/rancher-agent:v2.7.2 exited
2023-04-28 13:31:20 HTTP API
2023-04-28 13:31:20 image not found, trying to get image rancher/rancher-agent:v2.7.2 by syncing on demand
2023-04-28 13:31:20 syncing image rancher/rancher-agent:v2.7.2
2023-04-28 13:31:20 skipping syncing on demand rancher/rancher-agent from [https://registry.k8s.io] registry because it's filtered out by content config
2023-04-28 13:31:20 skipping syncing on demand rancher/rancher-agent from [https://docker.io] registry because it's filtered out by content config
2023-04-28 13:31:20 syncing on demand with [https://docker.io/rancher]
2023-04-28 13:31:20 couldn't find any cosign signature from https://docker.io/rancher/v2/rancher-agent/manifests/sha256-64893bc04d326732e2d429abbd6d0f7f78ec1d34c65da011472174bbeff68359.sig, status code: 404 skipping
2023-04-28 13:31:20 couldn't get upstream image docker.io/rancher/rancher-agent:v2.7.2 cosign manifest
2023-04-28 13:31:20 couldn't find any notary signature from https://docker.io/rancher/oras/artifacts/v1/rancher-agent/manifests/sha256:64893bc04d326732e2d429abbd6d0f7f78ec1d34c65da011472174bbeff68359/referrers, status code: 404, skipping
2023-04-28 13:31:20 couldn't get upstream image docker.io/rancher/rancher-agent:v2.7.2 notary references
2023-04-28 13:31:20 copying image docker.io/rancher/rancher-agent:v2.7.2 to /tmp/zot/rancher/rancher-agent/.sync/db6bbc7a-b7d8-4512-8bc8-45c256d95ebb
2023-04-28 13:32:09 pushing synced local image /tmp/zot/rancher/rancher-agent/.sync/db6bbc7a-b7d8-4512-8bc8-45c256d95ebb/rancher/rancher-agent:v2.7.2 to local registry
2023-04-28 13:32:09 failed to stat blob
2023-04-28 13:32:09 cache: not found
2023-04-28 13:32:09 failed to stat blob
2023-04-28 13:32:09 couldn't read blob
2023-04-28 13:32:09 error while pushing synced cached image /tmp/zot/rancher/rancher-agent/.sync/db6bbc7a-b7d8-4512-8bc8-45c256d95ebb/rancher/rancher-agent:v2.7.2
2023-04-28 13:32:10 sync routine: starting routine to copy image docker.io/rancher/rancher-agent:v2.7.2, cause err: blob: not found
2023-04-28 13:32:10 HTTP API
2023-04-28 13:32:10 couldn't find any cosign signature from https://docker.io/rancher/v2/rancher-agent/manifests/sha256-64893bc04d326732e2d429abbd6d0f7f78ec1d34c65da011472174bbeff68359.sig, status code: 404 skipping
2023-04-28 13:32:10 couldn't get upstream image docker.io/rancher/rancher-agent:v2.7.2 cosign manifest
2023-04-28 13:32:10 couldn't find any notary signature from https://docker.io/rancher/oras/artifacts/v1/rancher-agent/manifests/sha256:64893bc04d326732e2d429abbd6d0f7f78ec1d34c65da011472174bbeff68359/referrers, status code: 404, skipping
2023-04-28 13:32:10 couldn't get upstream image docker.io/rancher/rancher-agent:v2.7.2 notary references
2023-04-28 13:32:10 copying image docker.io/rancher/rancher-agent:v2.7.2 to /tmp/zot/rancher/rancher-agent/.sync/c0e89636-16b0-4da0-a581-bb8572a5de19
2023-04-28 13:32:55 pushing synced local image /tmp/zot/rancher/rancher-agent/.sync/c0e89636-16b0-4da0-a581-bb8572a5de19/rancher/rancher-agent:v2.7.2 to local registry
2023-04-28 13:32:55 failed to stat blob
2023-04-28 13:32:55 cache: not found
2023-04-28 13:32:55 failed to stat blob
2023-04-28 13:32:55 couldn't read blob
2023-04-28 13:32:55 error while pushing synced cached image /tmp/zot/rancher/rancher-agent/.sync/c0e89636-16b0-4da0-a581-bb8572a5de19/rancher/rancher-agent:v2.7.2
2023-04-28 13:32:56 sync routine: error while copying image docker.io/rancher/rancher-agent:v2.7.2
2023-04-28 13:32:56 sync routine: docker.io/rancher/rancher-agent:v2.7.2 exited

Trying the sync the repo through skopeo:

skopeo --insecure-policy copy --src-tls-verify=false --multi-arch=all --format=oci docker://rancher/rancher-agent:v2.7.2 docker://server-fqdn:5000/rancher/rancher-agent:v2.7.2

Output from command:
Getting image list signatures
Copying 5 of 5 images in list
Copying image sha256:cc4f4e6cdbafe7747f7819bab4f8ba8c360da05f5deb8d18946d8cb345cf6150 (1/5)
Getting image source signatures
Copying blob c1284e7e517e skipped: already exists
Copying blob 41fdb87eda23 skipped: already exists
Copying blob 6fb9de569c10 skipped: already exists
Copying blob ac65d1108f1e skipped: already exists
Copying blob 31a2e55fffbc skipped: already exists
Copying blob c482dda145e8 skipped: already exists
Copying blob 46e9ae0c71ef skipped: already exists
Copying config 312a19d49d done
Writing manifest to image destination
Storing signatures
Copying image sha256:e9619272120ab1b5217e03a518640a45c80d60220bc286fcbc04ca796d57423a (2/5)
Getting image source signatures
Copying blob 6b45531e87f6 skipped: already exists
Copying blob 4a4d2ddbaf32 skipped: already exists
Copying blob f675822dd2ec skipped: already exists
Copying blob 4e22d9981baf skipped: already exists
Copying blob 66c37be3dde5 skipped: already exists
Copying blob f9449bae4498 skipped: already exists
Copying blob bd3a8211e17b skipped: already exists
Copying config bf40fe8fd5 done
Writing manifest to image destination
Storing signatures
Copying image sha256:7567ce3e272b1592f142567c34e3d93abd1ed5197c30de6035da3738bbf62e4c (3/5)
Getting image source signatures
Copying blob f9aba08f6c1a done
Copying blob 4e2ae00553a0 done
Copying blob 052f2692335a done
Copying blob ec4391989485 done
Copying blob 1a0ea2886e06 done
Copying blob deaa6ebe0107 done
Copying blob 53e4b58dccb8 done
Copying blob 8750b0b24e63 done
Copying blob dd8dd609278c done
Copying blob 6c2d878be457 done
Copying blob 21b9ac665c20 done
Copying blob 698dca4a3067 done
Copying blob 9e664a8fbd13 done
Copying blob 1f3d3bd2466f done
Copying blob 9718c9a34a28 done
Copying blob b41414cefddf done
Copying blob 28ac86cb10e1 done
Copying config 4d85eb2247 done
Writing manifest to image destination
FATA[0009] copying image 3/5 from manifest list: writing manifest: uploading manifest sha256:0035a2729cb8ae9d1bbe189a62ceb7acec0e66e0a0b26b065d4b724451eefb9a to server-fqdn:5000/rancher/rancher-agent: blob unknown to registry

Syncing only amd64 linux agent completes successfully
skopeo --insecure-policy copy --src-tls-verify=false --format oci docker://rancher/rancher-agent:v2.7.2 docker://server-fqdn:5000/rancher/rancher-agent:v2.7.2

Reviewing the size of each of the OS versions for the rancher-agent:v2.7.2 tag shows that there are two large windows versions. There is one large layer within the larger Windows version of the tag which fails to move properly.

This leads me to believe that the larger layer isn't being handled by Zot correctly and the manifest is also not being read properly by Zot for the converted registry/tag.

To reproduce

  1. Stand up Zot server and configure onDemand repository in extentions.sync.registries for https://docker.io/rancher
    { "urls": [ "https://docker.io/rancher" ], "onDemand": true, "tlsVerify": true, "maxRetries": 3, "retryDelay": 1, "content": [ { "prefix": "**", "destination": "/rancher" } ] }
  2. Run sync command with podman or reconfigure kubernetes repositories to point to repositories:
    sudo podman pull server-fqdn:5000/rancher/rancher-agent:v2.7.2
  3. See error
    Error: initializing source docker://server-fqdn:5000/rancher/rancher-agent:v2.7.2: reading manifest v2.7.2 in server-fqdn:5000/rancher/rancher-agent: manifest unknown: manifest unknown

Expected behavior

onDemand sync to work as expected

Screenshots

No response

Additional context

No response
@bfreidank bfreidank added the bug Something isn't working label Apr 28, 2023
@rchincha
Copy link
Contributor

@bfreidank thanks for trying out zot. Noticed that you are using v1.4.3. Do you want to try our latest *-rc release v2.0.0-rc3?
It should have your issue fixed: #847

@rchincha rchincha added the rm-external Roadmap item submitted by non-maintainers label Apr 30, 2023
@bfreidank
Copy link
Author

@rchincha Thank you for your suggestion and quick reply. However the issue persists in v2.0.0-rc3.

The procedure followed and output while attempting to sync can be found below:

Pulled down v2.0.0-rc3 and restarted the service:

sudo wget -O /usr/bin/zot  https://github.com/project-zot/zot/releases/download/v2.0.0-rc3/zot-linux-amd64

Confirmed the binary file version:

zot --version
{"level":"info","distribution-spec":"1.1.0-dev","commit":"v2.0.0-rc3-0-gf6a5407","binary-type":"-sync-search-scrub-metrics-lint-ui","go version":"go1.19.6","time":"2023-05-01T13:11:44Z","message":"version"}

Logged into server and attempted to pull the tag down again with the following commands:

skopeo login server-fqdn:5000
skopeo --insecure-policy copy --src-tls-verify=false --multi-arch=all --format=oci docker://rancher/rancher-agent:v2.7.2 docker://server-fqdn:5000/rancher/rancher-agent:v2.7.2

The pull failed in the same location with the following output:

Getting image list signatures
Copying 5 of 5 images in list
Copying image sha256:cc4f4e6cdbafe7747f7819bab4f8ba8c360da05f5deb8d18946d8cb345cf6150 (1/5)
Getting image source signatures
Copying blob c1284e7e517e done
Copying blob c482dda145e8 done
Copying blob 6fb9de569c10 done
Copying blob 41fdb87eda23 done
Copying blob 31a2e55fffbc done
Copying blob ac65d1108f1e done
Copying blob 46e9ae0c71ef done
Copying config 312a19d49d done
Writing manifest to image destination
Storing signatures
Copying image sha256:e9619272120ab1b5217e03a518640a45c80d60220bc286fcbc04ca796d57423a (2/5)
Getting image source signatures
Copying blob 6b45531e87f6 done
Copying blob 4a4d2ddbaf32 done
Copying blob 66c37be3dde5 done
Copying blob f9449bae4498 done
Copying blob 4e22d9981baf done
Copying blob f675822dd2ec done
Copying blob bd3a8211e17b done
Copying config bf40fe8fd5 done
Writing manifest to image destination
Storing signatures
Copying image sha256:7567ce3e272b1592f142567c34e3d93abd1ed5197c30de6035da3738bbf62e4c (3/5)
Getting image source signatures
Copying blob f9aba08f6c1a done
Copying blob 4e2ae00553a0 done
Copying blob ec4391989485 done
Copying blob 1a0ea2886e06 done
Copying blob 052f2692335a done
Copying blob deaa6ebe0107 done
Copying blob 53e4b58dccb8 done
Copying blob 8750b0b24e63 done
Copying blob dd8dd609278c done
Copying blob 6c2d878be457 done
Copying blob 21b9ac665c20 done
Copying blob 698dca4a3067 done
Copying blob 9e664a8fbd13 done
Copying blob 1f3d3bd2466f done
Copying blob 9718c9a34a28 done
Copying blob b41414cefddf done
Copying blob 28ac86cb10e1 done
Copying config 4d85eb2247 done
Writing manifest to image destination
FATA[0107] copying image 3/5 from manifest list: writing manifest: uploading manifest sha256:0035a2729cb8ae9d1bbe189a62ceb7acec0e66e0a0b26b065d4b724451eefb9a to server-fqdn:5000/rancher/rancher-agent: blob unknown to registry

The output of zot.log includes the following:

TIME zot.log Output
2023-05-01 10:13:12 HTTP API
2023-05-01 10:13:12 blob doesn't exist
2023-05-01 10:13:12 invalid oci image manifest
2023-05-01 10:13:12 HTTP API
2023-05-01 10:14:04 HTTP API
2023-05-01 10:14:05 HTTP API
2023-05-01 10:14:05 blob doesn't exist
2023-05-01 10:14:05 invalid oci image manifest
2023-05-01 10:14:05 HTTP API

Attempted to pull the tag down again with podman using the following command:
sudo podman pull server-fqdn:5000/rancher/rancher-agent:v2.7.2

The output of podman pull produces the same error output:
Trying to pull server-fqdn:5000/rancher/rancher-agent:v2.7.2...
Error: initializing source docker://server-fqdn:5000/rancher/rancher-agent:v2.7.2: reading manifest v2.7.2 in server-fqdn:5000/rancher/rancher-agent: manifest unknown: manifest unknown

The output of zot.log includes the following:

TIME zot.log Output
2023-05-01 10:19:20 HTTP API
2023-05-01 10:19:20 trying to get updated image rancher/rancher-agent:v2.7.2 by syncing on demand
2023-05-01 10:19:20 syncing image rancher/rancher-agent:v2.7.2
2023-05-01 10:19:20 skipping syncing on demand rancher/rancher-agent from [https://registry.k8s.io] registry because it's filtered out by content config
2023-05-01 10:19:20 skipping syncing on demand rancher/rancher-agent from [https://docker.io] registry because it's filtered out by content config
2023-05-01 10:19:20 syncing on demand with [https://docker.io/rancher]
2023-05-01 10:19:36 couldn't get blob: https://docker.io/rancher/v2/rancher-agent/manifests/sha256-64893bc04d326732e2d429abbd6d0f7f78ec1d34c65da011472174bbeff68359.sig
2023-05-01 10:19:36 couldn't find any cosign manifest: https://docker.io/rancher/v2/rancher-agent/manifests/sha256-64893bc04d326732e2d429abbd6d0f7f78ec1d34c65da011472174bbeff68359.sig
2023-05-01 10:19:36 couldn't get upstream image docker.io/rancher/rancher-agent:v2.7.2 cosign manifest
2023-05-01 10:19:42 couldn't get blob: https://docker.io/rancher/v2/rancher-agent/referrers/sha256:64893bc04d326732e2d429abbd6d0f7f78ec1d34c65da011472174bbeff68359
2023-05-01 10:19:42 couldn't find any oci reference from https://docker.io/rancher/v2/rancher-agent/referrers/sha256:64893bc04d326732e2d429abbd6d0f7f78ec1d34c65da011472174bbeff68359, status code: 404, skipping
2023-05-01 10:19:42 couldn't get upstream image docker.io/rancher/rancher-agent:v2.7.2 OCI references
2023-05-01 10:19:42 copying image docker.io/rancher/rancher-agent:v2.7.2 to /var/zot/rancher/rancher-agent/.sync/e9ab65b7-4ad4-4515-a2f0-cc39652c3034
2023-05-01 10:20:57 pushing synced local image /var/zot/rancher/rancher-agent/.sync/e9ab65b7-4ad4-4515-a2f0-cc39652c3034/rancher/rancher-agent:v2.7.2 to local registry
2023-05-01 10:20:58 failed to stat blob
2023-05-01 10:20:58 cache: not found
2023-05-01 10:20:58 failed to stat blob
2023-05-01 10:20:58 couldn't read blob
2023-05-01 10:20:58 error while pushing synced cached image /var/zot/rancher/rancher-agent/.sync/e9ab65b7-4ad4-4515-a2f0-cc39652c3034/rancher/rancher-agent:v2.7.2
2023-05-01 10:20:58 sync routine: starting routine to copy image docker.io/rancher/rancher-agent:v2.7.2, cause err: blob: not found
2023-05-01 10:20:58 HTTP API
2023-05-01 10:20:59 couldn't get blob: https://docker.io/rancher/v2/rancher-agent/manifests/sha256-64893bc04d326732e2d429abbd6d0f7f78ec1d34c65da011472174bbeff68359.sig
2023-05-01 10:20:59 couldn't find any cosign manifest: https://docker.io/rancher/v2/rancher-agent/manifests/sha256-64893bc04d326732e2d429abbd6d0f7f78ec1d34c65da011472174bbeff68359.sig
2023-05-01 10:20:59 couldn't get blob: https://docker.io/rancher/v2/rancher-agent/referrers/sha256:64893bc04d326732e2d429abbd6d0f7f78ec1d34c65da011472174bbeff68359
2023-05-01 10:20:59 couldn't find any oci reference from https://docker.io/rancher/v2/rancher-agent/referrers/sha256:64893bc04d326732e2d429abbd6d0f7f78ec1d34c65da011472174bbeff68359, status code: 404, skipping
2023-05-01 10:20:59 couldn't get upstream image docker.io/rancher/rancher-agent:v2.7.2 OCI references
2023-05-01 10:20:59 copying image docker.io/rancher/rancher-agent:v2.7.2 to /var/zot/rancher/rancher-agent/.sync/f48283ef-882e-4ea4-816d-7df7afb17da4

@rchincha
Copy link
Contributor

rchincha commented May 1, 2023
edited
Loading

Indeed it is broken.

zot performs some layer validations but that code path is not accounting for the non-distributable content

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:4d85eb22477a0ca1c01c46ec90bff40eb888b9a38924fb202f80b31125fb7854",
    "size": 6500
  },
  "layers": [
    {
      "mediaType": "application/vnd.oci.image.layer.nondistributable.v1.tar+gzip",
      "digest": "sha256:8185ee4ed6467d79d4c69f02fe3902311ba84777802d459dcd99869f603b161f",
      "size": 1660377526,
      "urls": [
        "https://mcr.microsoft.com/v2/windows/servercore/blobs/sha256:8185ee4ed6467d79d4c69f02fe3902311ba84777802d459dcd99869f603b161f"
      ]
    },
    {
      "mediaType": "application/vnd.oci.image.layer.nondistributable.v1.tar+gzip",
      "digest": "sha256:a2008f0310392df2ebb7f3e87a1d2b04839396bf6c7f352d5dac97f3253a2359",
      "size": 355524124,
      "urls": [
        "https://mcr.microsoft.com/v2/windows/servercore/blobs/sha256:a2008f0310392df2ebb7f3e87a1d2b04839396bf6c7f352d5dac97f3253a2359"
      ]
    },
    ```

rchincha added a commit to rchincha/zot that referenced this issue May 1, 2023
@rchincha
fix: non-distributable layers may not exist
eaa344f 
Currently, when pushing an image, validation is performed to check that
a layer/blob in the manifest already exists. For non-distributable
layers, that check needs to be skipped.

Fixes issue project-zot#1394

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
@rchincha rchincha mentioned this issue May 1, 2023
Merged
@rchincha rchincha linked a pull request May 1, 2023 that will close this issue
fix: non-distributable layers may not exist #1404
Merged
@rchincha
Copy link
Contributor

rchincha commented May 1, 2023
edited
Loading

#1404 fixes this issue now.
Pls feel free to try a patched zot with this PR.

Our next rc release will include this patch

rchincha added a commit to rchincha/zot that referenced this issue May 1, 2023
@rchincha
fix: non-distributable layers may not exist
092d475 
Currently, when pushing an image, validation is performed to check that
a layer/blob in the manifest already exists. For non-distributable
layers, that check needs to be skipped.

Fixes issue project-zot#1394

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
rchincha added a commit that referenced this issue May 1, 2023
@rchincha
fix: non-distributable layers may not exist (#1404)
86ecbd3 
Currently, when pushing an image, validation is performed to check that
a layer/blob in the manifest already exists. For non-distributable
layers, that check needs to be skipped.

Fixes issue #1394

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
@rchincha
Copy link
Contributor

rchincha commented May 1, 2023

@bfreidank v2.0.0-rc4 has been released, pls try and let us know if it fixes your issue.

@bfreidank
Copy link
Author

bfreidank commented May 2, 2023
edited
Loading

Hello @rchincha

Testing a pull with podman does still produce the manifest unknown error as above.

Retesting with skopeo with the following command did successfully complete:

skopeo --insecure-policy copy --src-tls-verify=false --multi-arch=all --format=oci docker://rancher/rancher-agent:v2.7.2 docker://sever-fqdn:5000/rancher/rancher-agent:v2.7.2

Output of Skopeo copy:
Getting image list signatures
Copying 5 of 5 images in list
Copying image sha256:cc4f4e6cdbafe7747f7819bab4f8ba8c360da05f5deb8d18946d8cb345cf6150 (1/5)
Getting image source signatures
Copying blob c1284e7e517e skipped: already exists
Copying blob ac65d1108f1e skipped: already exists
Copying blob 31a2e55fffbc skipped: already exists
Copying blob 6fb9de569c10 skipped: already exists
Copying blob c482dda145e8 skipped: already exists
Copying blob 41fdb87eda23 skipped: already exists
Copying blob 46e9ae0c71ef skipped: already exists
Copying config 312a19d49d done
Writing manifest to image destination
Storing signatures
Copying image sha256:e9619272120ab1b5217e03a518640a45c80d60220bc286fcbc04ca796d57423a (2/5)
Getting image source signatures
Copying blob 6b45531e87f6 skipped: already exists
Copying blob 66c37be3dde5 skipped: already exists
Copying blob f675822dd2ec skipped: already exists
Copying blob 4e22d9981baf skipped: already exists
Copying blob 4a4d2ddbaf32 skipped: already exists
Copying blob bd3a8211e17b skipped: already exists
Copying blob f9449bae4498 skipped: already exists
Copying config bf40fe8fd5 done
Writing manifest to image destination
Storing signatures
Copying image sha256:7567ce3e272b1592f142567c34e3d93abd1ed5197c30de6035da3738bbf62e4c (3/5)
Getting image source signatures
Copying blob f9aba08f6c1a done
Copying blob 4e2ae00553a0 done
Copying blob deaa6ebe0107 done
Copying blob ec4391989485 done
Copying blob 052f2692335a done
Copying blob 1a0ea2886e06 done
Copying blob 53e4b58dccb8 done
Copying blob 8750b0b24e63 done
Copying blob dd8dd609278c done
Copying blob 6c2d878be457 done
Copying blob 21b9ac665c20 done
Copying blob 698dca4a3067 done
Copying blob 9e664a8fbd13 done
Copying blob 1f3d3bd2466f done
Copying blob 9718c9a34a28 done
Copying blob b41414cefddf done
Copying blob 28ac86cb10e1 done
Copying config 4d85eb2247 done
Writing manifest to image destination
Storing signatures
Copying image sha256:986ba9db6cd86221c6faff755a14701a6bde6d4b5aab23b0c3bec72806b31d9e (4/5)
Getting image source signatures
Copying blob e83b8af78541 done
Copying blob 22725b307e9f done
Copying blob 23f6adc72ad1 done
Copying blob 2f959e7beb13 done
Copying blob 9722d3f4f089 done
Copying blob a0688f2ece7f done
Copying blob c39a003eaf65 done
Copying blob 2c7478296fc4 done
Copying blob 0eeef48ff1a6 done
Copying blob 7c64c5e9ba92 done
Copying blob 1fb341aa217a done
Copying blob 10f0cf7c83da done
Copying blob e57e2be82cbe done
Copying blob bedeed88a8d8 done
Copying blob b2b880f91514 done
Copying blob 9b94fd671721 done
Copying blob 46215d304119 done
Copying config ac36975345 done
Writing manifest to image destination
Storing signatures
Copying image sha256:56233171f3c18daf58d01d37b737e73974a88a007aa03451792135e56e6d82f1 (5/5)
Getting image source signatures
Copying blob e6afecf4774e done
Copying blob 264c6460b018 done
Copying blob ad90d5019cff done
Copying blob 8f47ef52a3d7 done
Copying blob 4035c8e301c0 done
Copying blob b1525895df5a done
Copying blob c79b4c3cafba done
Copying config 0e6e355126 done
Writing manifest to image destination
Storing signatures
Writing manifest list to image destination
Storing list signatures

Retesting podman pull of image with the following command fails:

sudo podman pull server-fqdn:5000/docker/rancher/fleet-agent:v0.6.0

Output of podman copy:

Trying to pull server-fqdn:5000/docker/rancher/fleet-agent:v0.6.0...
Error: initializing source docker://server-fqdn:5000/docker/rancher/fleet-agent:v0.6.0: reading manifest v0.6.0 in server-fqdn:5000/docker/rancher/fleet-agent: manifest unknown: manifest unknown

Conclusion:
Using zot as a pull through proxy does not work at this time.
Using skopeo to push the image to zot works as expected.

@rchincha rchincha reopened this May 2, 2023
@rchincha
Copy link
Contributor

rchincha commented May 2, 2023

@bfreidank we would rather fix this issue. What version of podman are you using?

@bfreidank
Copy link
Author

Hello @rchincha

The version of podman that I'm using is the following:

$ podman --version
podman version 3.4.4

For reference the sync section for the configuration file being used is the following:

        "sync": {
            "enable": true,
            "registries": [
                {
                    "urls": [
                        "https://registry.k8s.io"
                    ],
                    "onDemand": true,
                    "tlsVerify": true,
                    "content":[{
                        "prefix": "**",
                        "destination": "/k8s"
                    }]
                },
                {
                    "urls": [
                        "https://docker.io"
                    ],
                    "onDemand": true,
                    "tlsVerify": true,
                    "maxRetries": 3,
                    "retryDelay": 1,
                    "content":[{
                        "prefix": "**",
                        "destination": "/docker"
                    }]
                },
                {
                    "urls": [
                        "https://docker.io/rancher"
                    ],
                    "onDemand": true,
                    "tlsVerify": true,
                    "maxRetries": 3,
                    "retryDelay": 1,
                    "content":[{
                        "prefix": "**",
                        "destination": "/rancher"
                    }]
                }
            ]
        }

@rchincha
Copy link
Contributor

rchincha commented May 2, 2023
edited
Loading

Pls see (for configuring docker as an upstream)
https://github.com/project-zot/zot/blob/main/examples/config-sync.json#LL66C34-L66C34

Try your sync URLs as docker.io/library and docker.io/library/rancher

@bfreidank
Copy link
Author

bfreidank commented May 2, 2023
edited
Loading

@rchincha

Thank you for notifying of the changes needed in the sync registries section for docker as an upstream.

When tested, I noted that the sync failed when the sync URLs were set to docker.io/library and docker.io/library/rancher.

I adjusted the registries section to the following:

        "sync": {
            "enable": true,
            "registries": [
                {
                    "urls": [
                        "https://registry.k8s.io"
                    ],
                    "onDemand": true,
                    "tlsVerify": true,
                    "content":[{
                        "prefix": "**",
                        "destination": "/k8s"
                    }]
                },
                {
                    "urls": [
                        "https://docker.io"
                    ],
                    "onDemand": true,
                    "tlsVerify": true,
                    "maxRetries": 3,
                    "retryDelay": "5m"
                }
            ]
        }

Tested podman pull for rancher-agent:v2.7.2 using the following command fails:

sudo podman pull server-fqdn:5000/rancher/rancher-agent:v2.7.2

Output of podman pull
Trying to pull server-fqdn:5000/rancher/rancher-agent:v2.7.2...
Error: initializing source docker://server-fqdn:5000/rancher/rancher-agent:v2.7.2: reading manifest v2.7.2 in server-fqdn:5000/rancher/rancher-agent: manifest unknown: manifest unknown

Tested podman pull for ubuntu:latest using the following command completes:

sudo podman pull server-fqdn:5000/ubuntu:latest

Output of podman pull
Trying to pull server-fqdn:5000/ubuntu:latest...
Getting image source signatures
Copying blob 2ab09b027e7f done
Copying config 08d22c0ceb done
Writing manifest to image destination
Storing signatures
08d22c0ceb150ddeb2237c5fa3129c0183f3cc6f5eeb2e7aa4016da3ad02140a

Tested podman pull for grafana/grafana:latest using the following command completes:

sudo podman pull server-fqdn:5000/grafana/grafana:latest

Output of podman pull
Trying to pull server-fqdn:5000/grafana/grafana:latest...
Getting image source signatures
Copying blob f56be85fc22e done
Copying blob 1b5ffa41f0e9 done
Copying blob b17497c45dda done
Copying blob 248e15d7d195 done
Copying blob 4e597c5c043e done
Copying blob 17d73df52784 done
Copying blob 1dc4a8958453 done
Copying blob 6e256c8b8ffc done
Copying blob 51afe8b92c30 done
Copying config f22d965afa done
Writing manifest to image destination
Storing signatures
f22d965afab6c64d9484b2fce38cc27007560e9469c8f698a6476d1bb322e22b

Comments:
It appears that there is still something with the manifest for rancher/rancher-agent:v2.7.2 and rancher/fleet-agent:v0.6.0 out of the rancher images/tags that zot cannot handle.

@eusebiu-constantin-petu-dbk
Copy link
Collaborator

Hello,
@bfreidank @rchincha
the error was from sync itself when it tried to copy non distributable layers.

I made a PR fixing this: #1421

@rchincha
Copy link
Contributor

rchincha commented May 4, 2023

@bfreidank we will cut another RC release shortly, but if you want to try this fix sooner, feel free to build/deploy zot (from top of main)

@bfreidank
Copy link
Author

Hello,
@peusebiu @rchincha pulled the changes, rebuilt the binary and was able to successfully pull the rancher image using the following:

sudo podman pull server-fqdn:5000/rancher/rancher-agent:v2.7.2

I then built a new rancher cluster and set the registries section to point to the zot server and successfully deployed while pointed to the zot server.

Thank you for working through this and getting it squared away!

@bfreidank
Copy link
Author

Closing issue. Fix currently merged into main branch. Changes expected to be implemented on next RC.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@eusebiu-constantin-petu-dbk eusebiu-constantin-petu-dbk

Labels
awaiting-answers bug Something isn't working rm-external Roadmap item submitted by non-maintainers
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: non-distributable layers may not exist rchincha/zot
3 participants
@eusebiu-constantin-petu-dbk @rchincha @bfreidank