awslabs/soci-snapshotter

[Bug] SOCI snapshotter not working insecure container registry

amalthundiyil opened this issue · 2 comments

amalthundiyil commented

Description

When using SOCI with an insecure container registry, SOCI fails to pull the container image. SOCI error logs are below:

{"error":"skipping mounting layer sha256:a99509a323905a80628005e4f3bc26ac15ebaf3ffdb08a9646a7f2d110ab38f9 as FUSE mount: no ztoc for layer","key":"default/33/extract-128831236-kfhG sha256:781d5934416a582cf712c35212a8f92940c0223da02c1360d9ebb834d0f2c873","level":"warning","msg":"failed to prepare remote snapshot","parent":"sha256:9bb22d850b6e163c76b5cee00494067210e96c4cf585e2cd9d68898e31f43f69","remote-snapshot-prepared":"false","time":"2024-06-13T14:49:30.132049905Z"}
...
...
{"error":"cannot unpack the layer: cannot fetch layer: unable to fetch descriptor (sha256:a99509a323905a80628005e4f3bc26ac15ebaf3ffdb08a9646a7f2d110ab38f9) from remote store: Get \"https://localhost:5000/v2/python/blobs/sha256:a99509a323905a80628005e4f3bc26ac15ebaf3ffdb08a9646a7f2d110ab38f9\": context canceled","key":"default/33/extract-128831236-kfhG sha256:781d5934416a582cf712c35212a8f92940c0223da02c1360d9ebb834d0f2c873","level":"warning","msg":"failed to prepare snapshot; deferring to container runtime","parent":"sha256:9bb22d850b6e163c76b5cee00494067210e96c4cf585e2cd9d68898e31f43f69","time":"2024-06-13T14:49:30.363771421Z"}
...
...
{"error":"cannot unpack the layer: cannot fetch layer: unable to fetch descriptor (sha256:a99509a323905a80628005e4f3bc26ac15ebaf3ffdb08a9646a7f2d110ab38f9) from remote store: Get \"https://localhost:5000/v2/python/blobs/sha256:a99509a323905a80628005e4f3bc26ac15ebaf3ffdb08a9646a7f2d110ab38f9\": unknown \"unknown\": giving up request after 9 attempt(s): Get \"https://localhost:5000/v2/python/blobs/sha256:a99509a323905a80628005e4f3bc26ac15ebaf3ffdb08a9646a7f2d110ab38f9\": http: server gave HTTP response to HTTPS client","key":"default/34/extract-776892714-Ki3b sha256:781d5934416a582cf712c35212a8f92940c0223da02c1360d9ebb834d0f2c873","level":"warning","msg":"failed to prepare snapshot; deferring to container runtime","parent":"sha256:9bb22d850b6e163c76b5cee00494067210e96c4cf585e2cd9d68898e31f43f69","time":"2024-06-13T14:49:44.089475833Z"}

This is the configuration I'm using for the containerd client.

# /etc/containerd/config.toml

version = 2
[plugins."io.containerd.grpc.v1.cri".containerd]
    disable_snapshot_annotations = false
[proxy_plugins]
    [proxy_plugins.soci]
        type = "snapshot"
        address = "/run/soci-snapshotter-grpc/soci-snapshotter-grpc.sock"

Steps to reproduce the bug

  1. nerdctl run -d -p 5000:5000 --restart=always --name registry registry:2.7
  2. nerdctl pull registry.hub.docker.com/library/python:3.9
  3. nerdctl image tag registry.hub.docker.com/library/python:3.9 localhost:5000/python:3.9
  4. nerdctl --insecure-registry push --snapshotter soci localhost:5000/python:3.9
  5. nerdctl rmi localhost:5000/python:3.9
  6. nerdctl --insecure-registry pull --snapshotter soci localhost:5000/python:3.9
  7. journalctl -u soci-snapshotter

Describe the results you expected

I expect the SOCI to work with the insecure registry like other snapshotters (eg: stargz).

Host information

  1. OS: Ubuntu 20.04.3 LTS
  2. Snapshotter Version: v0.6.1
  3. Containerd Version: v1.7.16

Any additional context or information about the bug

No response

Kern-- commented

Related to #276.

This should allow plain http for localhost, but it doesn't seem to be working.

soci-snapshotter/fs/fs.go

Line 211 in 145a438

return docker.ConfigureDefaultRegistries(docker.WithPlainHTTP(docker.MatchLocalhost))(imgRefSpec.Hostname())

amalthundiyil commented

Great! Thank you @Kern--!