-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Artifactory 406 Error when fetching tags #3078
Comments
I think we may have a compatibility problem with Artifactory. To start with, does your Artifactory Docker registry require any authentication? |
The mirror repository of that artifactory do not need authentication (afaik). As stated before it works like a a charm when the base image in the dockerfile already contains a digest. In such case we already received a merge request to update the digest. |
The only thing that changed between the success case and the failed case is: Failure case: |
I agree with your assessment. Seems like this URL may be the culprit:
Can you try accessing it through a browser or perhaps Postman to see what the response is? Strange thing is the space at the end there unless you added it by accident when search/replacing? |
Also can you confirm what exactly the tags/hashes look like when it works and doesn't work? e.g. |
I replayed the URL with Restlet Client and received the same result.
If I remove the "accept" header I get ERROR 404 with:
|
The tags in the success and failure case look exactly as stated before: Success case: Failure case: In the success case with the hash digest renovate also made an update-merge-request:
|
What if you add an sha256 to the node image and test again? I wonder if this is related to node and not necessarily to digest pinning |
I am going to check it out. The solr image hash digest is in its own branch. The master still contains: When I let run renovate against the master branch it fails in the very same way as the node variant. NOTE: the solr and the node dockerfiles are in different GitLab repositories, but the URL to the docker registry is always the same. |
I double checked that the registry url is always the same. |
Do you get the same error message if you manually pull the tags for the “solr” image rather than “node”? |
you mean |
I was able to pull all images manually without any errors:
Before I pulled them I deleted all images and after each pull I deleted the recently pulled one. |
Further Information! |
@mmkonrad can you explain it to me with example URLs that work/fail? i.e. not "docker" commands but something you'd GET using Restlet |
Or maybe I understand already. Would this explanation be right?
Conclusion: Artifactory doesn't like our tags query. |
correct |
Alright I just tested the assumption again and it looks like that it is correct.
|
Thank you again for help in troubleshooting this. I think the right way to probably to fix this is to use Joyent's docker registry library for retrieving tags. If you don't mind, I'll first send you a test file you can run that will double check that this new approach will successfully retrieve tags from Artifactory? |
Can you tell me more about that library and the script you want to send me? |
Currently we query Docker registries using "hand written" API queries. But it sounds like we're probably not fully compliant with all the way to request tags, because Artifactory is rejecting us. There's an open source client for Docker written by Joyent we could switch to, if it solves the problem. There was a PR by @mikebryant that got most of the work done already that we could resuscitate: https://github.com/renovatebot/renovate/pull/2908/files |
Nice, I guess the easiest way to test this is to provide a docker image available by the official docker registry. Currently we use That would require me to only change a line -> the renovate image in the gitlab-ci |
Actually no, I wanted to test it first before patching Renovate - otherwise it's 50 lines of refactoring that might not even work. I would provide you a repo with:
You'd fun "npm install" and then "node index.js" and see if it errors or prints a list of tags. So if that query worked and returned the list of tags, we'd know it's worth refactoring renovate. If not, then Artifactory has a bigger problem than we thought. Sound ok? |
Okay, I will setup a Node container....so ia have a clean node version and installation. |
node 8 or 10 should be fine |
🎉 This issue has been resolved in version 13.175.13 🎉 The release is available on: Your semantic-release bot 📦🚀 |
@mmkonrad please try testing with this new release and see if it resolves the tags problem. If not, please reopen |
It still nor working for the c/d-repositories: c) node:8.9.4 / solr:7.4 As I said I have to look into the issue of us depending so much on fixed versions and what registries are actually included in the mirror repository. |
@mmkonrad if you update your Dockerfiles to use the The problem is this:
|
Unless you have an exact version of Renovate's image, you may be running a cached version. Your logs will print which version is being run anyway, right near the top of each repository. Anyway, please attach the new logs |
package.json and "node lib/renovate.js" state version 13.180.0 If it is not the latest version: which is it, so that I can add that to the gitlab-ci.yml image descriptor |
Latest release can change every 10 minutes, but that one you ran should have had the changes in it necessary. Can you take a look at the latest logs/failures? |
According to that log, the URL that fails is But earlier you wrote:
And I can't see any difference in URLs. In which case, is it something in our headers? It says:
Are you able to try again using Restlet? By the way, do you know if the Docker Compose instructions for Artifactory Docker setup work as simply as they describe? Are you running Artifactory as Docker-only or for other types of packages on the same server? |
Weird. Now I get 406, too (with restlet) Afaik serves our Artifactory as mirror for Docker registries, npm and maven |
Now I’m at a bit of a loss and wondering if I have the root cause wrong! BTW I knew Artifactory can do many types of packages but wasn’t sure if the same server does everything or you end up running separate ones for each protocol. |
Shall we summarize what we know and what we have to find out? |
we were inspecting this behavior and found out there are two overlaying causes
My Pull-Request fixes both obove and is testet against dockerhub und artifactory. |
Artifactory 406 Error when fetching tags
@TKappatsch thanks. Both of these make logical sense. The implicit "library/" prefix is a historical convention for Docker Hub only so when Artifactory proxies it, you can never be sure. |
🎉 This issue has been resolved in version 14.3.20 🎉 The release is available on: Your semantic-release bot 📦🚀 |
This is a:
Please describe the issue:
Fun Fact upfront: renovate works like a charm as described below when the dockerfiles already contain a
sha256-Digest
.Log of Renovate states:
I saw a similar issue with the same error code that got it solved, but we use renovate not with that command but defined everything in an openshift template like:
What additional information do you need?
Where did I go wrong?
The text was updated successfully, but these errors were encountered: