-
Notifications
You must be signed in to change notification settings - Fork 795
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support namespaced logins for quay.io #1104
Conversation
@barthy1 PTAL, is this acceptable? And don't feel bad, this is an unfortunate quirk of quay which just occurred to me while trying to add |
09424c2
to
02f737f
Compare
Hi @cevich, well, still my bad :( I tested the code with my own quay.io org, and obviously didn't have to use 2 accounts, so missed this problem :( Thank you so much for your help here! Regarding the proposed code, I tried to do small test with sample Makefile on s390x and amd64 archs
and when I ran it I got an error
When I replace |
Nope, this is super-duper easy to overlook...and not at all obvious, even from the docs, until you actually go to create the account and see it forces a user/org. prefix.
Assuming you used a valid username/password...yeah that's a problem, thanks for testing. I now have access to create the real robot accounts, so I'll use those with a fix... |
...oh, I see the problem. I mixed up the username and password parameters in |
02f737f
to
955c43a
Compare
Fixed, and I added the necessary env. vars. for the two new robot accounts. |
@barthy1 After fixing my u/p mixup, I tried similar test w/ both accounts, using actual robot account values and get:
|
@rhatdan @TomSweeneyRedHat PTAL, I think this is ready. Once it merges, I'll activate a travis cron job to run master...say, weely? (Daily, Monthly are also options) |
955c43a
to
f9d0d48
Compare
LGTM |
@cevich I'd not do it weely, weekly maybe. |
I'm assuming you mean "monthly" |
No, I'd prefer "Weekly". |
Service accounts (a.k.a. robots) in `quay.io` are forcably namespaced to the user or orginization under which they are created. Therefore, it is impossible to use a common login/password to push images for both `skopeo` and `containers` namespaces. Worse, because the authentication is recorded against `quay.io`, multiple login sessions are required. Fix this by adding a function definition which verifies non-empty username/password arguments, before logging in. Call this function as needed from relevant targets, prior to pushing images. Signed-off-by: Chris Evich <[email protected]>
a8111e2
to
958c361
Compare
Oh okay, no problem. For ref., it's simply a drop-down box in the Travis settings (bottom of the page). |
Just had a look at first successful multi-arch build and push https://travis-ci.org/github/containers/skopeo/builds/744183408 🎆 🎆 🎆 Thank you @cevich for quick fix! |
@barthy1 You're the driver on this one and a big thank you back to you and to @cevich too for the follow up assist. @barthy1, any chance I could ask you to write a blog post and/or an addition to https://github.com/containers/skopeo/tree/master/contrib/skopeoimage? |
Can we get this to happen in podman and buildah images? |
I can work on podman and buildah next month, when I get back access to Travis, as this month I spent already all free resources for my account and cannot run any jobs there :( Or would be happy just see, that somebody from the team will do it :) @TomSweeneyRedHat you are absolutely right, documentation also should be updated! I will prepare update to https://github.com/containers/skopeo/blob/master/contrib/skopeoimage/README.md, mentioning about multi-arch images availability. If you have a good place to post a blog, I can also do that. Or feel free to do it on your own (however I guess better to cover podman, buildah and skopeo together in the future) |
@barthy1 Probably the best place to point the log at would be enable sysadmin. Basically, a post introducing the new images and then a bit on how to use them. I think you're right, probably best to do the post after Buildah and Podman are done too. I'm more than happy to help with the blog and to get you in contact with the folks at that site. |
@TomSweeneyRedHat sorry for touching this old PR, but here we discussed buildah/podman multi-arch builds, similar to what was done for skopeo. Is it still something you are still interested in? I have some time and can prepare the code to use Github actions for multi-arch buildah/podman builds pretty fast (I hope). |
This is definitely something we would want. |
ok, great, then I will work on it. |
@barthy1 I just checked, and don't see any non-x86 hardware supported by Github Actions...IIRC, that's specifically why Travis is used here, no? If host architecture doesn't matter, whatever can be done in Github Actions, can be done in Cirrus-CI but with a greater choice of VMs & distro. versions. For the sake of simplicity and ease of future maintenance, would you consider working with me to put this into Cirrus-CI instead? Unless of course I'm mistaken, and you have some magic way to access non-x86 VMs in github-actions...then please ignore me 😄 |
@cevich Github actions has predefined code to use QEMU emulation(via docker buildx) to run multi-arch builds on x86 architecture - https://github.com/docker/build-push-action#multi-platform-image . It's very easy and short way to get multi-arch builds. |
First-off, thanks for the detailed explanations and effort to understand my position. It makes life easier for everybody.
I understand, and yes, there is no built-in magic-sauce similar to "actions", within cirrus (it's more general-purpose). Though it seems easily possible to pull this off, it would be wheel-re-implementation. At the same time, I (and probably the containers community) would look negatively on relying on Docker long-term. So we may end up implementing this in Cirrus anyway....but that's up to the future.
Interesting...since it sounds like the reasons are unknown, would it make sense to take a similar approach as skopeo (Makefile driven) and just use Travis? This also brings the benefit of native architectures and a more flexible design based on commonly-understood tooling. All that said, I'm okay now with you doing this in github actions + buildx. It sounds like you've already done some work here, and I understand that CI system well enough to offer reviews/feedback. It also sounds like it would bring these images to the community sooner, rather than later. Again, thanks for taking the time to explain your reasoning, I appreciate it. Please let me know what secure variables you need set (e.g. for quay.io push access), I'm happy to create them for you. |
@cevich yeah Travis was the best CI tool in the past for real multi-architecture support. And it would be easy to move the same code from skopeo to other repos. Also I truly believe that github actions is the best tool in your case for multi-arch builds in terms of simplicity and usability. To sum up :) I can use Travis, if you prefer it, or Github Actions. Cirrus-CI is interesting option to learn for me, but I suspect it will take much more time and effort, so not brave enough here :( |
If this is being done via emulation, we could theoretically also do this in cirrus with buildah. Which would seem to be better. buildah bud --arch arm64 .... Should work as long as you have qemu-user-static installed. If one of you wants to try this out. Latest podman should also support this. The issue I have with it is doing this on Fedora, since the dnf -y update takes a huge amount of time in emulation mode. |
I tried Tried to run the build via container with I guess my env has some problems. If you have instructions how to setup working env from scratch I can try one more time |
Created separate issue in buildah repo, just to have proper place for this discussion containers/buildah#2958 |
Service accounts (a.k.a. robots) in
quay.io
are forcably namespacedto the user or orginization under which they are created. Therefore,
it is impossible to use a common login/password to push images for
both
skopeo
andcontainers
namespaces. Worse, because theauthentication is recorded against
quay.io
, multiple login sessionsare required.
Fix this by adding a function definition which verifies non-empty
username/password arguments, before logging in. Call this function
as needed from relevant targets, prior to pushing images.
Signed-off-by: Chris Evich [email protected]