Skip to content

Fixes for imagetools create cross-registry authentication failures #298

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ianpittwood merged 19 commits into from
Jan 12, 2026
Merged

Fixes for imagetools create cross-registry authentication failures #298

ianpittwood merged 19 commits into from
Jan 12, 2026

Conversation

@ianpittwood
Copy link
Contributor

@ianpittwood ianpittwood commented Jan 7, 2026
edited
Loading

Fixes #294, #289

  • Overhaul the image merge process to bypass the cross-registry authentication issues we encountered in the above issues.
  • Add service for local in-memory registry for temporary image storage.
  • Add custom image inspection utility function to support index artifacts.
  • Surface log level in settings.

@github-actions
Copy link

github-actions bot commented Jan 7, 2026
edited
Loading

Test Results

862 tests   862 ✅  8m 7s ⏱️
  1 suites    0 💤
  1 files      0 ❌

Results for commit 41d27e2.

♻️ This comment has been updated with latest results.

@ianpittwood
Try docker buildkit driver on merge job
2a6b429
@ianpittwood
Merge branch 'main' into imagetools-create-auth-issues
52328f7
@ianpittwood
Try defining the registries in the buildkit config? Idk, I'm grasping…
d422017 
… at straws
@ianpittwood
Implement a local registry container service context manager
be5a4d6
@ianpittwood
Test registry container service
c72eba4
@ianpittwood
Expose log level at a global level for easier integration with third-…
dce2ea2 
…party package logging
@ianpittwood
Use temporary registry to bypass issues related to authentication wit…
12dd037 
…h `imagetools create`
@ianpittwood
Change runs-on arg to `merge-builder
14d9744
@ianpittwood
Raise some messages to info level
7a19a2c
@ianpittwood
Add custom implementation of imagetools inspect to get the index dige…
d6eb3ef 
…st of an image
@ianpittwood
Pull and push intermediary merged image by its hash to guarantee all …
53df4ba 
…platforms are considered

Print the resulting manifest for the image always
@ianpittwood
Merge branch 'main' into imagetools-create-auth-issues
d778059
@ianpittwood
Pull all platforms before pulling index
fa1dd36
@ianpittwood
Document the madness
565adfd
@ianpittwood ianpittwood marked this pull request as ready for review January 8, 2026 22:26
@ianpittwood
Copy link
Contributor Author

ianpittwood commented Jan 8, 2026

This worked in images-package-manager: https://github.com/posit-dev/images-package-manager/actions/runs/20824691296/job/59852468217#step:13:131

I since closed the PR as all changes were made in this PR instead. The failed dev build is from #304 and is unrelated to these changes.

bschwedler
bschwedler approved these changes Jan 12, 2026
View reviewed changes
Copy link
Contributor

@bschwedler bschwedler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The process, although convoluted, makes sense to me.

I am curious how much extra time pulling/pushing all the images locally adds.

posit-bakery/posit_bakery/cli/ci.py
manifest = target.merge(sources=sources, dry_run=dry_run)
if dry_run:
stdout_console.print_json(manifest.model_dump_json(indent=2, exclude_unset=True, exclude_none=True))
stdout_console.print_json(manifest.model_dump_json(indent=2, exclude_unset=True, exclude_none=True))
Copy link
Contributor

@bschwedler bschwedler Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to output this for every operation?

Copy link
Contributor Author

@ianpittwood ianpittwood Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It helps my sanity significantly to see that the result is multipltaform. We could disable it with --quiet or something if we wanted.

posit-bakery/posit_bakery/image/image_metadata.py
Comment on lines +19 to +22
if self.os:
s += self.os + "/"
if self.architecture:
s += self.architecture
Copy link
Contributor

@bschwedler bschwedler Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If architecture is None, this could conceivably end with a trailing slash.

Copy link
Contributor Author

@ianpittwood ianpittwood Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be a much larger problem I think if zero platforms were listed in an inspection, but I added s.rstrip("/") since I agree it's good practice.

posit-bakery/posit_bakery/settings.py
self.app_name = "bakery"
self.application_storage: Path = Path(typer.get_app_dir(app_name=self.app_name)).resolve()
self.temporary_storage: Path = Path(tempfile.gettempdir())
self.log_level: str | int = logging.INFO
Copy link
Contributor

@bschwedler bschwedler Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💜

posit-bakery/posit_bakery/image/image_target.py
Comment on lines +445 to +446
# Return the final manifest for the merged image as a sanity check.
return python_on_whales.docker.buildx.imagetools.inspect(self.tags[0])
Copy link
Contributor

@bschwedler bschwedler Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC this makes the call against the remote repository, which in our case is the image's final destination.

Is there any merit to comparing the results we get from that to manifest from the create call against the temp registry?

Copy link
Contributor Author

@ianpittwood ianpittwood Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is against the remote. I'm not sure if there would be. I suppose you could compare them and output an error if they don't match, but I would also hope that Docker's ops at this sort of level would just work.

@ianpittwood ianpittwood merged commit e1b6b5f into main Jan 12, 2026
14 checks passed
@ianpittwood ianpittwood deleted the imagetools-create-auth-issues branch January 12, 2026 18:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bschwedler bschwedler bschwedler approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Stop bakery clean commands from failing fast on request errors

3 participants

@ianpittwood @bschwedler