-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to load docker desktop containerd managed images to cluster #3795
Comments
That error message is coming from ctr when we ask it to import the image saved from docker. Unfortunately I can't run docker desktop at work, will have to find another way to reproduce this. Can you look at the same image exported the way kind does with docker save,
or provide a tarball from that somewhere? That would speed things up (can replicate the rest with kind load image-archive) this sounds like a containerd/docker bug but we need to confirm how before contacting them. The part kind is doing could be bugged but is pretty straightforward once we decide we need to load the image because it's not already available |
kind
cluster
Could be a small sample image like busybox if you can confirm the bug still applies to that image and share the containerd vs dockerd mode versions that would speed things up. Otherwise it may be difficult to reproduce due to the licensing of the application and/or my employer's policies, I'll have to see if this is something I can replicate in some other way. |
I'm hitting what seems to be the same issue in kuttl's integration tests. Kuttl embeds kind, currently v0.25.0. Interestingly this works on CI (GHA, ubuntu 20.04 runner) but on my desktop this fails with the same message as for @iamvinov-atlassian What I've been able to figure out using
So it seems like from the PoV of I'm running:
|
@BenTheElder you might be able to reproduce this with:
Unfortunately the actual error is hidden as |
We came across similar in our environment, we're not using docker desktop but have configured Docker to use containerd as the image store per these docs. I'm not sure if this is exactly the same as what @porridge reports, as it doesn't involve an attestation blob. However I can simply reproduce this with:
Versions:
Note this does need Docker that has multi-platform support, so I don't see this on Docker 24 on another system. I've not checked all versions but definitely it happens with Docker 27 on the host. For the nginx image this happens because there's a reference to something for platform 386, which in some cases matches amd64 (containerd's platform matching code). Therefore a workaround is:
Obviously that's not ideal, because #2957 wanted So that means |
Do we know why this works? Is it potentially fetching references from a remote (and therefore broken airgapped)? |
@BenTheElder It's not fetching from a remote cc @AkihiroSuda -- could you help decide if this is a containerd bug or a docker issue? i.e. is docker generating a bad OCI image or is containerd mishandling it? In order to reproduce this all that is needed is a Docker instance configured to use containerd (CE edition is fine), then run There are three potential issues here:
(2 is why |
Seems to be a bug of containerd. |
We should circle back to see if it's still a bug after upgrading, I am working on shipping v1.7.24 (current 1.7.x) |
At HEAD the default node image is on Kubernetes 1.32.0 + containerd 1.7.24, there are a lot of changes in containerd and I wonder if any of them fixed the bug. #3768 tracks containerd 2.0, that one is a bigger can of worms for our users and might be a bit, but also AIUI the fix isn't necessarily in 2.0 if not in 1.7, it's just that this particular issue can be avoided by using the transfer service, but we should also report a bug to containerd if it's still present in current releases without using the transfer service. |
@BenTheElder do I need to upgrade anything on my workstation to test whether the issue is fixed in my case? Or should it be enough to bump the version of kind to current HEAD? 🤔 Because just using the current kind snapshot is not helping:
|
It's the node image at HEAD, so if you use the default image then bumping to HEAD would test it, but if you're setting the node image to use then you'd have to change that. Thanks for testing. |
xref #3828 (comment) |
FWIW we will be moving to the transfer API hopefully (since we prefer to use defaults and plan to upgrade to containerd 2.0), pending a fix to We should probably still report a bug with details to containerd. #3795 (comment) I haven't had time to locally reproduce and I'd appreciate if one of you would file with containerd, thanks! |
FTR Unfortunately I don't really understand the pieces involved so I'm not able to formulate a report in containerd terms. And I'm a bit swamped with other work so no time to learn this. |
We're working on upgrading to containerd 2.0.2 (after a 2.x fix related to image import landed), which uses the transfer service by default and I think may fix this. |
In the meantime if anyone hits this: recommend opting out of containerd managed images at least until the containerd 2.x upgrade is available, though you could instead try #3805 (which should be obviated by the 2.x upgrade) |
At HEAD / the latest commit we're using containers 2.x with the default import transport. Can someone with this issue test it? You can checkout the repo and run make build or make install to get a binary. |
What happened:
I am attempting to load Docker images into
kind
cluster:kind load docker-image busybox -n nebulae
but getting the following error:❯ kind load docker-image busybox -n nebulae Image: "busybox" with ID "sha256:5b0f33c83a97f5f7d12698df6732098b0cdb860d377f6307b68efe2c6821296f" not yet present on node "nebulae-control-plane", loading... ERROR: failed to load image: command "docker exec --privileged -i nebulae-control-plane ctr --namespace=k8s.io images import --all-platforms --digests --snapshotter=overlayfs -" failed with error: exit status 1 Command Output: ctr: content digest sha256:83e82a8dd385e27d95f2118c1332d414684aa665552f7f837f86da33674308c4: not found
What you expected to happen:
I expected the image to load successfully. I already have this image pulled locally using
docker pull busybox
. Upon further investigation, it seems to me thatkind
or (containerd
) expects the image for all platforms to be present on the host for theload
command to succeed.How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
From looking at other answers on the internet, it seems generally this error occurs when the image arch doesn't match the host arch. But this is not the case. I did perform
docker images --tree
and made sure the images match my host (M3 MacBook Pro) OS.Environment:
kind v0.25.0 go1.23.3 darwin/arm64
docker info
,podman info
ornerdctl info
):MacOS Sonoma v14.7
kubectl version
):The text was updated successfully, but these errors were encountered: