Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

when using --cache=true, kaniko fail to push cache layer and (sometimes) fail to push image #1459

Open
stavalfi opened this issue Oct 17, 2020 · 4 comments
Open

when using --cache=true, kaniko fail to push cache layer and (sometimes) fail to push image #1459

stavalfi opened this issue Oct 17, 2020 · 4 comments
Labels
area/caching For all bugs related to cache issues area/cli bugs related to kaniko CLI area/errorhandling For all bugs having to do with handling problems during kaniko execution kind/bug Something isn't working priority/p2 High impact feature/bug. Will get a lot of users happy

Comments

@stavalfi
Copy link

stavalfi commented Oct 17, 2020
edited
Loading

Actual behavior

when using --cache=true, kaniko fail to push cache layer.

  • in other repo, it failed to push the image it self because of the error.

error uploading layer to cache: failed to push to destination index.docker.io/stavalfi/kaniko-bug-reproduce/cache:64aaab8ce6f9a13b378fce81d74c2dd80d337417b4d0be39e0b879cf994c2e3d: HEAD https://index.docker.io/v2/stavalfi/kaniko-bug-reproduce/cache/blobs/sha256:79d3ac01f6735e269ed8804ee46cb0d5616826e6eaf4538f4e07f2b1c5c53835: unsupported status code 401

Expected behavior
there shouldn't be any failures

To Reproduce
Steps to reproduce the behavior:

I created a repo to reproduce the bug: https://github.com/stavalfi/kaniko-bug-reproduce
the secret was created using the instruction of kaniko "getting started": https://github.com/GoogleContainerTools/kaniko/blob/master/docs/tutorial.md

Additional Information

  • Dockerfile
FROM ubuntu
RUN echo "this line should not be printed in the log of the second build"
ENTRYPOINT ["/bin/bash", "-c", "echo hello"]
  • pod.yaml:
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  containers:
    - name: kaniko
      image: gcr.io/kaniko-project/executor:debug-v1.2.0
      args: [
        '--cache=true',
        '--dockerfile=./dockerfile',
       '--context=git://github.com/stavalfi/kaniko-bug-reproduce.git#refs/heads/master',
        '--destination=stavalfi/kaniko-bug-reproduce:1.0.0'
        ]
      volumeMounts:
        - name: kaniko-secret
          mountPath: /kaniko/.docker
  restartPolicy: Never
  volumes:
    - name: kaniko-secret
      secret:
        secretName: regcred
        items:
          - key: .dockerconfigjson
            path: config.json
    - name: dockerfile-storage
      persistentVolumeClaim:
        claimName: dockerfile-claim
  • Kaniko Image (fully qualified with digest)

gcr.io/kaniko-project/executor debug-v1.2.0 c91ffaa6289b
(im not sure how to give more info)

Description Yes/No
Please check if this a new feature you are proposing
Please check if the build works in docker but not in kaniko
Please check if this error is seen when you use --cache flag
Please check if your dockerfile is a multistage dockerfile
@stavalfi
Copy link
Author

after investigation, a workaround is:

specifying --cache-repo that is different compared to --destination=stavalfi/kaniko-bug-reproduce:1.0.0 solved it:

'--cache-repo=stavalfi/kaniko-bug-cache',

I would expect from kaniko to have an error about it (if thats the desired behavior)

@bitsofinfo
Copy link

experiencing the same issue, seems random

@gaplo917
Copy link

gaplo917 commented Nov 30, 2020
edited
Loading

experiencing the same issue. Added --cache=true will not able to push

INFO[0262] Pushing layer asia.gcr.io/xxxx/xxxx:3d99e9f12e13a0741b105f976920493168d520fc1b8d2a2566d4600b2410155f to cache now 

WARN[0263] error uploading layer to cache: failed to push to destination asia.gcr.io/xxxx/xxxx:yyyyyyy: GET https://asia.gcr.io/v2/token?scope=repository%xxxx%2Fxxxx%3Apush%2Cpull&service=asia.gcr.io: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

Removing --cache=true is able to push

Seems using --cache=true --cache-repo=xxx is not work with GOOGLE_APPLICATION_CREDENTIALS

In GitLab CI,

variables:
  GOOGLE_APPLICATION_CREDENTIALS: $CI_PROJECT_DIR/google_auth.json
  IMAGE_URL: asia.gcr.io/xxx/$CI_PROJECT_NAME

publish:
  tags:
    - microk8s
  image: gcr.io/kaniko-project/executor:debug-v1.3.0
  stage: publish
  script:
    - cp $gcr_key $CI_PROJECT_DIR/google_auth.json
    - >
      /kaniko/executor
      --cache=true 
      --cache-repo=$IMAGE_URL
      --log-timestamp=true
      --snapshotMode=redo
      --context $CI_PROJECT_DIR
      --dockerfile $CI_PROJECT_DIR/Dockerfile
      --destination $IMAGE_URL:$TAG
      --build-arg=DEPLOY_VERSION=${TAG}

@michael-burt
Copy link

I am experiencing something similar. When I specify both --no-push and also --cache-repo in a single Kaniko build step, the Kaniko executor is unable to push to the cache registry. In the same cloubuild.yaml configuration file, subsequent build steps are able to push the their respective registries.

My use case is building a base image which shares a common cache repository with downstream stages to reduce build time.

@aaron-prindle aaron-prindle added area/caching For all bugs related to cache issues area/errorhandling For all bugs having to do with handling problems during kaniko execution area/cli bugs related to kaniko CLI priority/p2 High impact feature/bug. Will get a lot of users happy kind/bug Something isn't working labels May 29, 2023
patchew-importer pushed a commit to patchew-project/qemu that referenced this issue May 16, 2024
@spotlesstofu
gitlab-ci: Replace Docker with Kaniko
ff1f9ca 
Enables caching from the qemu-project repository.

Uses a dedicated "$NAME-cache" tag for caching, to address limitations.
See issue "when using --cache=true, kaniko fail to push cache layer [...]":
GoogleContainerTools/kaniko#1459

Does not specify a context since no Dockerfile is using COPY or ADD instructions.

Does not enable reproducible builds as
that results in builds failing with an out of memory error.
See issue "Using --reproducible loads entire image into memory":
GoogleContainerTools/kaniko#862

Previous attempts, for the records:
  - Alex Bennée: https://lore.kernel.org/qemu-devel/[email protected]/
  - Camilla Conte (me): https://lore.kernel.org/qemu-devel/[email protected]/

Signed-off-by: Camilla Conte <[email protected]>
Message-Id: <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/caching For all bugs related to cache issues area/cli bugs related to kaniko CLI area/errorhandling For all bugs having to do with handling problems during kaniko execution kind/bug Something isn't working priority/p2 High impact feature/bug. Will get a lot of users happy
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@bitsofinfo @aaron-prindle @gaplo917 @stavalfi @michael-burt