stocky-helmet-22655
03/20/2023, 6:13 PMdocker_environment
? I have a private docker registry and thus setup docker.env_vars
in pants.toml - using docker_image
can pull from there just fine. When I try to use docker_environment
though I get a 500 “no basic auth credentials”. I don’t see anything in the docs about this, or about how to point a docker_environment
to a local docker_image
as a workaround.witty-crayon-22786
03/20/2023, 6:19 PM2.15.x
: sorry about that. will get out new release later today.witty-crayon-22786
03/20/2023, 6:20 PM2.15.x
branch with PANTS_SHA=a40b6fa8020aa4d33b8ab959ce493515531aee2c
though (see)stocky-helmet-22655
03/20/2023, 6:24 PMstocky-helmet-22655
03/20/2023, 6:34 PM14:32:49.67 [INFO] Completed: Pulling Docker image `<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest|dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest>` because the image is missing locally.
but then still fails on the same 500 “no basic auth credentials”witty-crayon-22786
03/20/2023, 6:37 PMstocky-helmet-22655
03/20/2023, 6:39 PM$ ./pants test ::
14:32:49.67 [INFO] Completed: Pulling Docker image `<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest|dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest>` because the image is missing locally.
14:32:49.67 [ERROR] 1 Exception encountered:
Engine traceback:
in `test` goal
in Run Pytest - (test/test_foobar.py:MyResolve, environment:manylinux)
Exception: Failed to pull image `<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest|dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest>`: Failed to pull Docker image `<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest|dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest>`: DockerResponseServerError { status_code: 500, message: "Head \"https://<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com/v2/public/quay.io/pypa/manylinux_2_24_x86_64/manifests/latest\|dkr.ecr.us-east-1.amazonaws.com/v2/public/quay.io/pypa/manylinux_2_24_x86_64/manifests/latest\>": no basic auth credentials" }
stocky-helmet-22655
03/20/2023, 6:39 PMwitty-crayon-22786
03/20/2023, 6:40 PMwitty-crayon-22786
03/20/2023, 6:41 PMwitty-crayon-22786
03/20/2023, 6:44 PMwitty-crayon-22786
03/20/2023, 6:46 PMstocky-helmet-22655
03/20/2023, 6:46 PM[docker]
as described in the pants docs and ./pants package ::
says it packages the docker image fine, but the error comes up when I try to use a docker_environment
with the same image in testswitty-crayon-22786
03/20/2023, 6:46 PMstocky-helmet-22655
03/20/2023, 6:47 PM[docker]
env_vars = ["DOCKER_CONFIG=%(homedir)s/.docker"]
tools = [
"docker-credential-desktop",
"docker-credential-ecr-login",
"docker-credential-osxkeychain",
"dirname",
"readlink",
"python3",
"cut",
"sed",
"bash"
]
stocky-helmet-22655
03/20/2023, 6:47 PMwitty-crayon-22786
03/20/2023, 6:50 PMAWS_PROFILE
isn’t being passed there).
@curved-television-6568: do you have any ideas about this one? there aren’t any additional environment variables being propagated to the docker plugin backend by default, are there?stocky-helmet-22655
03/20/2023, 6:52 PM[test]
extra_env_vars.add = [
'EXTRA_ARGS',
'CODEARTIFACT_AUTH_TOKEN',
'AWS_ACCESS_KEY_ID',
'AWS_SECRET_ACCESS_KEY',
'EC2_REGION',
'EC2_ACCOUNT',
'AWS_DEFAULT_REGION',
'AWS_AVAILABILITY_ZONE',
'AWS_TOKEN',
'PYTHONPATH',
'PYTHONDONTWRITEBYTECODE',
]
Not sure if that affects anything to do with docker though, being in the [test]
blockrefined-addition-53644
03/20/2023, 7:09 PMrefined-addition-53644
03/20/2023, 7:11 PM[docker].env_vars
'AWS_ACCESS_KEY_ID',
'AWS_SECRET_ACCESS_KEY',
witty-crayon-22786
03/20/2023, 7:13 PMstocky-helmet-22655
03/20/2023, 7:15 PMdocker_image
works using auth through docker-credential-ecr-login
and ~/.docker/config.json
, without setting AWS_ACCESS_KEY_ID
or AWS_SECRET_ACCESS_KEY
. Are you saying this cannot be done with docker_environment
?refined-addition-53644
03/20/2023, 7:16 PMdocker_environment
. Locally they arecurved-television-6568
03/20/2023, 7:17 PMwitty-crayon-22786
03/20/2023, 10:41 PMecr
login uses a credential helper process: https://docs.docker.com/engine/reference/commandline/login/#credential-helper-protocol … and AFAICT, the crate that we’re using does not currently support interacting with them.
i’m going to open a new issue for this one.witty-crayon-22786
03/20/2023, 10:57 PMstocky-helmet-22655
03/24/2023, 6:17 PMPANTS_SHA=b23df09279ee61b06f8e64b65a97f4be17665231
though and run ./pants test ::
I still get this:
$ ./pants test ::
14:15:57.22 [INFO] Completed: Pulling Docker image `<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest|dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest>` because the image is missing locally.
14:15:57.23 [ERROR] 1 Exception encountered:
Engine traceback:
in `test` goal
IntrinsicError: Failed to pull image `<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest|dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest>`: Failed to pull Docker image `<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest|dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest>`: Failed to retrieve credentials for server `<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com|dkr.ecr.us-east-1.amazonaws.com>`: Credential helper returned non-zero response code
Do your changes require I do anything more to setup docker’s aws auth with pants?witty-crayon-22786
03/24/2023, 6:19 PMstocky-helmet-22655
03/24/2023, 6:21 PMwitty-crayon-22786
03/24/2023, 6:24 PMaws ecr get-login-password
dance to auth recently?witty-crayon-22786
03/24/2023, 6:25 PMaws ecr get-login-password | docker login --username AWS --password-stdin $repository
?stocky-helmet-22655
03/24/2023, 6:26 PMdocker system prune -a --volumes
to clear out the images and docker compose up
without using pants, it authenticates and downloads just finewitty-crayon-22786
03/24/2023, 6:29 PMstocky-helmet-22655
03/24/2023, 6:29 PMwitty-crayon-22786
03/24/2023, 6:38 PMPANTS_SHA=b147c5fe98b8ad39566c31cc51303830901153ed
from https://github.com/pantsbuild/pants/commits/stuhood/debug-docker-auth once the wheels shards go green there (about 30 minutes probably).stocky-helmet-22655
03/24/2023, 7:19 PMstocky-helmet-22655
03/24/2023, 9:39 PM$ ./pants test ::
17:37:39.93 [INFO] Completed: Pulling Docker image `<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest|dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest>` because the image is missing locally.
17:37:39.94 [ERROR] 1 Exception encountered:
Engine traceback:
in `test` goal
IntrinsicError: Failed to pull image `<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest|dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest>`: Failed to pull Docker image `<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest|dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest>`: Failed to retrieve credentials for server `<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com|dkr.ecr.us-east-1.amazonaws.com>`: Credential helper returned non-zero response code:
stdout:
stderr:
Failed to fire hook: while creating logrus local file hook: user: Current requires cgo or $USER set in environment
[2023-03-24T21:37:39.934745000Z][docker-credential-desktop][F] user: Current requires cgo or $USER set in environment
[common/pkg/paths.Home()
[ common/pkg/paths/paths.go:108 +0x6d
[common/pkg/paths.Container()
[ common/pkg/paths/user_darwin.go:30 +0x1d
[common/pkg/paths.Data()
[ common/pkg/paths/paths_darwin.go:27 +0x19
[common/pkg/paths.setCurrentDirectory()
[ common/pkg/paths/paths.go:61 +0x1d
[common/pkg/paths.Init(0x0?)
[ common/pkg/paths/paths.go:45 +0x1e
[main.main()
[ common/cmd/docker-credential-desktop/main.go:50 +0x2e
witty-crayon-22786
03/24/2023, 9:40 PMwitty-crayon-22786
03/24/2023, 9:43 PMPANTS_SHA=cb2e850e3f8bbeb83803b563a9a1b21028b79ede
from the same branch.
while that builds, you might try with --no-pantsd
(which should have all environment variables present)stocky-helmet-22655
03/25/2023, 4:09 AMstocky-helmet-22655
03/25/2023, 4:09 AMwitty-crayon-22786
03/25/2023, 4:10 AMstocky-helmet-22655
05/16/2023, 4:16 PMwitty-crayon-22786
05/16/2023, 4:25 PM2.15.1rc3
) and 2.16.x (2.16.0rc2
) rcs should contain all known fixeswitty-crayon-22786
05/16/2023, 4:25 PMstocky-helmet-22655
05/16/2023, 4:45 PMstocky-helmet-22655
05/16/2023, 4:45 PM2.15.1rc3
is workingwitty-crayon-22786
05/16/2023, 4:45 PMstocky-helmet-22655
05/22/2023, 6:19 PM2.15.1
now (I saw that just got released) and it's working great on Mac. I'm now trying to get setup with CICD though which runs on a Linux box but I'm getting an issue:
[2023-05-22T18:11:51.316Z] Exception: Failed to pull image `<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest|dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest>`: Failed to pull Docker image `<ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest|dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64:latest>`: DockerResponseServerError { status_code: 404, message: "pull access denied for <ACCOUNT_ID>.<http://dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64|dkr.ecr.us-east-1.amazonaws.com/public/quay.io/pypa/manylinux_2_24_x86_64>, repository does not exist or may require 'docker login': denied: User: arn:aws:sts::<ID>:assumed-role/jenkins-2/i-<ID> is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:us-east-1:<ACCOUNT_ID>:repository/public/quay.io/pypa/manylinux_2_24_x86_64 because no resource-based policy allows the ecr:BatchGetImage action" }
The job has been authenticated with docker login
and works fine if I pull a docker image using docker, but Pants isn't able to pull it. I tried your previous hash with the extra logging and didn't get anything additional. I did get it working fine using --no-pantsd
, so my guess is it is a missing environment variable? I haven't been able to figure out which one it might be though. I can use --no-pantsd
going forward if I have to, but that seems like a bad solutionwitty-crayon-22786
05/22/2023, 6:34 PMenv
and determine what isn’t present here that needs to be, that would help: https://github.com/pantsbuild/pants/blob/ae520ccfc86378dac3bbc651e322c41e8cdfaa05/src/python/pants/pantsd/pants_daemon.py#L39-L52stocky-helmet-22655
05/22/2023, 7:14 PMprintenv
on the CI machine and added every variable name in the list to [docker].env_vars.add
but it still failed with the same issue. Is there somewhere else I should whitelist environment variables?witty-crayon-22786
05/22/2023, 7:14 PMstocky-helmet-22655
05/22/2023, 7:17 PMstocky-helmet-22655
05/22/2023, 7:18 PMrefined-addition-53644
05/22/2023, 7:33 PMstocky-helmet-22655
05/22/2023, 7:33 PMstocky-helmet-22655
05/22/2023, 7:33 PM--no-pantsd
is usedrefined-addition-53644
05/22/2023, 7:34 PMstocky-helmet-22655
05/22/2023, 7:36 PMstocky-helmet-22655
05/22/2023, 7:37 PMstocky-helmet-22655
05/22/2023, 9:21 PMAWS_SESSION_TOKEN
PATH
SHELL
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
PATH and SHELL seem obvious (PATH is even in the list you linked me) so the AWS ones seem to be what we wantstocky-helmet-22655
05/22/2023, 9:22 PMwitty-crayon-22786
05/22/2023, 9:24 PMwitty-crayon-22786
05/22/2023, 9:25 PMstocky-helmet-22655
05/22/2023, 9:31 PM