From 2188d8f7ada15caddd8b721745a0a4b6f61ce111 Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Wed, 12 Sep 2018 16:44:58 -0700 Subject: libpod/image/pull: Return image-pulling errors from doPullImage We were already writing these to our debug logs. But collecting them and including them in the error message will make it easier for callers who don't have debugging enabled to figure out what's going wrong. Using multierror gives us both pretty formatting (when we print this for the user) and programmatic access (for any callers that need to inspect the constituent errors). With this commit and a config like: $ cat /etc/containers/registries.conf [registries.search] registries = ['registry.access.redhat.com', 'quay.io', 'docker.io'] pulling an unqualified missing image looks like: $ podman pull does-not/exist Trying to pull registry.access.redhat.com/does-not/exist:latest...Failed Trying to pull quay.io/does-not/exist:latest...Failed Trying to pull docker.io/does-not/exist:latest...Failed error pulling image "does-not/exist": unable to pull does-not/exist: 3 errors occurred: * Error determining manifest MIME type for docker://registry.access.redhat.com/does-not/exist:latest: Error reading manifest latest in registry.access.redhat.com/does-not/exist: unknown: Not Found * Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: Error reading manifest latest in quay.io/does-not/exist: unauthorized: access to the requested resource is not authorized * Error determining manifest MIME type for docker://does-not/exist:latest: Error reading manifest latest in docker.io/does-not/exist: errors: denied: requested access to the resource is denied unauthorized: authentication required A qualified image looks like: $ podman pull quay.io/does-not/exist Trying to pull quay.io/does-not/exist...Failed error pulling image "quay.io/does-not/exist": unable to pull quay.io/does-not/exist: unable to pull image: Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: Error reading manifest latest in quay.io/does-not/exist: unauthorized: access to the requested resource is not authorized If one of the searched repositories was offline, you'd get a more useful routing error for that specific registry. For example: $ cat /etc/hosts 127.0.0.1 quay.io $ podman pull does-not/exist Trying to pull registry.access.redhat.com/does-not/exist:latest...Failed Trying to pull quay.io/does-not/exist:latest...Failed Trying to pull docker.io/does-not/exist:latest...Failed error pulling image "does-not/exist": unable to pull does-not/exist: 3 errors occurred: * Error determining manifest MIME type for docker://registry.access.redhat.com/does-not/exist:latest: Error reading manifest latest in registry.access.redhat.com/does-not/exist: unknown: Not Found * Error determining manifest MIME type for docker://quay.io/does-not/exist:latest: pinging docker registry returned: Get https://quay.io/v2/: dial tcp 127.0.0.1:443: connect: connection refused * Error determining manifest MIME type for docker://does-not/exist:latest: Error reading manifest latest in docker.io/does-not/exist: errors: denied: requested access to the resource is denied unauthorized: authentication required This is our first direct dependency on multierror, but we've been vendoring it for a while now because opencontainers/runtime-tools uses it for config validation. Signed-off-by: W. Trevor King Closes: #1456 Approved by: rhatdan --- libpod/image/pull.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'libpod/image') diff --git a/libpod/image/pull.go b/libpod/image/pull.go index ce3e8e73e..9eac2b988 100644 --- a/libpod/image/pull.go +++ b/libpod/image/pull.go @@ -20,6 +20,7 @@ import ( "github.com/containers/image/types" "github.com/containers/libpod/pkg/registries" "github.com/containers/libpod/pkg/util" + multierror "github.com/hashicorp/go-multierror" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) @@ -234,6 +235,7 @@ func (ir *Runtime) doPullImage(ctx context.Context, sc *types.SystemContext, goa return nil, err } var images []string + var pullErrors *multierror.Error for _, imageInfo := range goal.refPairs { copyOptions := getCopyOptions(sc, writer, dockerOptions, nil, signingOptions, "", nil) if imageInfo.srcRef.Transport().Name() == DockerTransport { @@ -254,6 +256,7 @@ func (ir *Runtime) doPullImage(ctx context.Context, sc *types.SystemContext, goa io.WriteString(writer, fmt.Sprintf("Trying to pull %s...", imageInfo.image)) } if err = cp.Image(ctx, policyContext, imageInfo.dstRef, imageInfo.srcRef, copyOptions); err != nil { + pullErrors = multierror.Append(pullErrors, err) logrus.Debugf("Error pulling image ref %s: %v", imageInfo.srcRef.StringWithinTransport(), err) if writer != nil { io.WriteString(writer, "Failed\n") @@ -273,10 +276,12 @@ func (ir *Runtime) doPullImage(ctx context.Context, sc *types.SystemContext, goa } // If the image passed in was fully-qualified, we will have 1 refpair. Bc the image is fq'd, we dont need to yap about registries. if !goal.usedSearchRegistries { + if pullErrors != nil && len(pullErrors.Errors) > 0 { // this should always be true + return nil, errors.Wrap(pullErrors.Errors[0], "unable to pull image") + } return nil, errors.Errorf("unable to pull image, or you do not have pull access") } - return nil, errors.Errorf("unable to find image on registries defined in %s, or you do not have pull access", registryPath) - + return nil, pullErrors } return images, nil } -- cgit v1.2.3-54-g00ecf