Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failed to pull image, content digest sha256 not found #142

Open
pizzapim opened this issue Jun 30, 2024 · 5 comments
Open

Failed to pull image, content digest sha256 not found #142

pizzapim opened this issue Jun 30, 2024 · 5 comments

Comments

@pizzapim
Copy link

Hello! First I would like to thank you for this awesome project! I have come across an issue while using it.

Context: I am running a k3s cluster on top of NixOS. I have already deployed nix-snapshotter successfully on my nodes. I can confirm my setup works as I was able to pull and run a Redis image from the Nix store.

However, I am now encountering a problem with a particular Docker image, mpepping/cyberchef. More specifically, I am using the image created by:

pkgs.dockerTools.pullImage {
  finalImageName = "mpepping/cyberchef";
  finalImageTag = "latest";
  imageDigest = "sha256:5044c72dd8070fb6e0595e720fc4440bf6168493b2433db06a1c966406398ba2";
  imageName = "mpepping/cyberchef";
  sha256 = "177yjfbz0ijc8lfqfr50fhqqmjk72373c0igyrxv3wwg0pyrgpv4";
}

When I use the Nix store path to this image, I receive the following events on the Kubernetes pod:

  Normal   Scheduled  19s   default-scheduler  Successfully assigned default/cyberchef-65769f8c78-7cmxv to lewis
  Normal   Pulling    19s   kubelet            Pulling image "nix:0/nix/store/frpcl21jwz0zhr2whmi21affqbfn9dqw-docker-image-mpepping-cyberchef-latest.tar"
  Warning  Failed     12s   kubelet            Failed to pull image "nix:0/nix/store/frpcl21jwz0zhr2whmi21affqbfn9dqw-docker-image-mpepping-cyberchef-latest.tar": content digest sha256:1ca8358066425ba22dd40a3bb562a1be846e7a721255ddfedcfb8468b028308f: not found
  Warning  Failed     12s   kubelet            Error: ErrImagePull
  Normal   BackOff    11s   kubelet            Back-off pulling image "nix:0/nix/store/frpcl21jwz0zhr2whmi21affqbfn9dqw-docker-image-mpepping-cyberchef-latest.tar"

The logs of nix-snapshotter show no problem:

msg="[image-service] Loading nix image archive"
msg="Importing image" ref="docker.io/mpepping/cyberchef:latest"
msg="Creating image" ref="docker.io/mpepping/cyberchef:latest"
msg="Created image" ref="docker.io/mpepping/cyberchef:latest"

It does look like this is an upstream containerd issue: containerd/containerd#9873
Do you have any ideas how to avoid this issue?
@elpdt852
Copy link
Collaborator

So pkgs.dockerTools.pullImage produces a regular image, and nix-snapshotter is able to run those, but doesn't know how to pull them. I don't think it's possible to use nix-snapshotter as an image service (i.e. using nix:0/nix/store/...) to resolve those, so you will need to specify the reference in your kubernetes deployment to point to docker.io/mpepping/cyberchef:latest directly, or build the image using pkgs.nix-snapshotter.buildImage.

@elpdt852
Copy link
Collaborator

That said, nix-snapshotter image service could be potentially extended to pull regular images via the nix:0 path, but not currently supported.

@pizzapim
Copy link
Author

Thanks for your response! I see, the images pulled using pkgs.dockerTools.pullImage are indeed not OCI compliant. I've found a partial workaround by passing the pulled Docker image to nix-snapshotter.buildImage in the fromImage attribute. E.g.:

  pkgs.nix-snapshotter.buildImage {
    name = "cyberchef";
    resolvedByNix = true;
    fromImage = dockerImage;
  };

While that copies the files of the image, it does not copy the configuration of it. There is probably a smarter way, but I created a small function to get the configuration of a Docker image:

  getDockerImageConfig = dockerImage:
    let
      configJson = pkgs.runCommand "config.json"
        {
          nativeBuildInputs = [ pkgs.skopeo pkgs.jq ];
        }
        ''
          skopeo --tmpdir $TMPDIR --insecure-policy inspect docker-archive:${dockerImage} --config | jq '.config' > $out
        '';
    in
    builtins.fromJSON (builtins.readFile configJson);

And I just pass it like this to the bulidImage function:

  pkgs.nix-snapshotter.buildImage {
    name = "cyberchef";
    resolvedByNix = true;
    fromImage = dockerImage;
    config = getDockerImageConfig dockerImage;
  };

This seems to work at least for the docker.io/mpepping/cyberchef:latest image!

@bglgwyng
Copy link
Contributor

That said, nix-snapshotter image service could be potentially extended to pull regular images via the nix:0 path, but not currently supported.

Would you happen to have any idea how to do it? Could you please share the outline?
I think pulling it from that machine is possible when the derivation is already built in some other machine.
However, when it's not found in any other machine, how can we trigger a new build from the current nix:0 path?

@elpdt852
Copy link
Collaborator

Hi @bglgwyng I answered more in the new issue you opened here: #147 (comment)

To be clear, nix-snapshotter does not build derivations on-demand and works with pre-built Nix store paths. These could be substituted on-demand but they operate at the Nix store path level, not Nix derivations (or Nix expressions).

That said, you can evaluate, build and deploy a nix:0 image to Kubernetes as demonstrated in the demo VMs because its fully declarative, but the "build on-demand" (and evaluation) is a feature of Nix, and nix-snapshotter itself doesn't understand derivations or Nix expressions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bglgwyng @pizzapim @elpdt852