After updating to latest build (not sure if that triggered the issue), I am getting this: #39
Comments
|
Hello @johnnyggalt! The problem is most likely that you have private images pulled from Docker Hub and you haven't configured authentication for Cup. Please also read the docs for the configuration. Images which couldn't be checked are labelled as |
|
Thanks for your response, @sergi0g. Sorry, I really didn't provide enough context. I am using this script to periodically check for updates: #!/bin/bash
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ${PWD}/cup.json:/config/cup.json -t ghcr.io/sergi0g/cup -c /config/cup.json check -iHere is my {
"insecure_registries": ["myregistry:5000"]
}I have been running this for a while without issue, but then cup itself was listed as having an update, so I pulled latest. After that I started getting token failures in the output for all Docker Hub images, which means they display as "unknown" in the results. But the thing is, none of the Docker Hub images are private. And they were all checking just fine before I updated cup. |
|
Thanks for clarifying! In this case, it would be helpful if you could give me a list of images labelled as unknown in the output and the token from the logs (don't worry, this isn't dangerous). |
|
OK, I just ran it again and checked the contents of the JWT once I saw the errors pop up (the process hadn't even finished yet). The token had already expired because it's taking significantly longer than 5 minutes to check the images, so perhaps the issue is that the token is assumed to be valid indefinitely, rather than requesting another token once it has expired? I don't know if that explains why it worked for me previously because I would always just start it running and then come back to it later, paying no attention to how long it was taking to execute. So perhaps it was executing faster in the previous version so as not to trigger this problem. In any case, here is the relevant info... OutputToken |
Thanks for debugging! Maybe handling timeouts would be a good idea, but the real issue here is the time it took. Cup should be finishing in seconds, not minutes! I'd suggest investigating both the network and the hardware (maybe it's too overloaded?). If you're getting errors like Finally, you can try checking with the old image ( |
|
I see, thanks. Running on my local machine is indeed very fast, though I do have different containers running. The problem occurs when running on my Synology server. It is not under-powered or overworked. Other network traffic is super fast (including torrents, for example). I do have network traffic routed through VPN, but I just tried disabling that and the problem persists. I tried running with I then tried going through each Docker Hub image individually and running a check against only that image. All such checks completed in under 2 seconds. Here's one example: sudo docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -t ghcr.io/sergi0g/cup check nginx:1.25.4
✓ Done!
nginx:1.25.4 Up to date
INFO ✨ Checked 1 images in 1955msHowever, things got interesting when I tried the same against one of the images hosted in my own registry: sudo docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ${PWD}/cup.json:/config/cup.json -t ghcr.io/sergi0g/cup -c /config/cup.json check myregistry:5000/keycloak:latest
⠇ Checking...
WARN Connection to registry myregistry:5000 failed.
⠇ Checking...
WARN Connection to registry failed.
✓ Done!
myregistry:5000/keycloak:latest Unknown
INFO ✨ Checked 1 images in 1024777msI don't quite understand why such a long check time against the private registry would impact Docker Hub checks unless the auth token is obtained first, then the private registry is checked, then Docker Hub images are checked. However, it's the only thing I can find that makes some kind of sense. Unfortunately, it's not easy for me to remove those containers from my setup to try running cups without them in the picture, nor can I find a way to configure cups to straight-up ignore them. Is there a way to run cups with verbose output, so I can more easily see what's happening? Or anything else you'd suggest to move forward? |
This is exactly what's happening. It's necessary for all images to be checked concurrently, but I never thought about timeouts, since all registries I've tried are very fast. If I revert the code, Cup will be slower overall, so I'd suggest investigating why your local registry is taking so long. What I could do is implement a config option to ignore specific images. What do you think? |
|
Believe it or not, this came down to the difference between checking
I think this could well be useful. To be honest, I think the most useful thing would have been some form of verbose output though. |
|
Hey! I've never seen an issue like this before! Cup requests the image in the exact same way Docker does, so if a delay is being caused, it's either a weird network bug or an issue in one of the libraries Cup uses. I'll have to try to reproduce this and I'll let you know as soon as I can. |
|
After going to the trouble of switching my self-hosted images over to being tagged with And when I tried updating another part of my code stack, I got an error message that really drove it home: That caused me to do a quick google and find that, indeed, Docker requires the repository be all lowercase! So I feel a bit stuck here, though I don't think it's a cup problem. On the one hand, I am forced to tag with lowercase, but on the other my actual server name is capitalized, which causes something of a mismatch somewhere in the cup/Docker stack. At this point it feels like my only recourse is to either rename my server, or use DNS (I guess - I have no idea where resolution is actually going awry) so that it still resolves to my server. Pretty crazy! |
|
I'm getting the same messages: Using a Read-Only token, similar token works with Portainer |
|
@johnnyggalt I'm terribly sorry, I haven't had any time to reproduce your issue! Please don't change your server configuration or anything until I've done that.
I haven't made any code changes since your last comment. It just happened that the async tasks were scheduled in a particular order that worked. Update: I just noticed that in a previous comment you posted your config file and the hostname isn't capitalized there. Could that be the issue?
|
Hi @parasiteoflife! Your issue is unrelated to this one. It seems that Cup is trying to use a token that is null which will obviously not work. Please open a new issue that also includes your config file with sensitive info redacted (if you have one) and any additional info that could help with troubleshooting. Thanks! |
Ah, I see, luck of the draw.
Correct, it wasn't capitalized there because the image's registry name wasn't, which I had initially done without too much thought and presumably because something pushed me in that direction. In any case, it doesn't make a difference how I specify it in {
"insecure_registries": ["myregistry:5000","Myregistry:5000"]
}
No problem. OK, so to summarize from my perspective:
I will wait for your investigation. If it came down to it, being able to ignore those images (or that registry altogether) would be a decent workaround for me. Since they're self-hosted images, I'm probably not going to forget to pull and apply updates that I've just pushed to my registry. Probably 🙂 |
|
Hi @johnnyggalt! I've set up 2 VMs on the same network and they are discoverable through mDNS (I'm guessing that's your setup). One runs a registry to which I've pushed a test image and the other is for running Cup and trying to connect to it. They both have capitalized hostnames ( I've configured the local registry as insecure for both Docker and Cup and I've pulled the image. When running Cup, I get an error that the connection failed (which shouldn't happen), but the time taken is completely normal. The connection times out in less than 10 seconds. My next steps from here are debugging why the connection fails. I can't understand why there is such a huge delay on your end. I wish I had access to your system, but that can't happen. If this was my server, I would have installed Rust in a VM, created a development build of Cup and then tried to reproduce the issue. If it did occur, I'd run with samply and then analyze the output to see where the delay is caused. Of course, I completely understand that you may want to keep your server installation minimal and that you may not have the technical expertise to do this. I will try to debug this on my own, but your help would be valuable. |
|
I finally found why the local domain isn't resolving. Musl libc (with which Cup is compiled) doesn't support resolving local domains with mDNS and needs a sort of bridge to be running. Even if we compile with glibc, an mDNS service still needs to be running in the container for local domain resolution to work. To be honest, I don't really think implementing local domain resolution in a container is a good investment of time. It will probably increase the container size and complexity significantly. My conclusion is that whether your hostname is capitalized or not plays no role in whether Cup will be able to connect to it. If you're running a local DNS server, I'd suggest pointing an A record at your registry's IP and using that domain name. I think the best solution is to just filter out domain names that rely on mDNS. |
|
@sergi0g Thanks for looking into it. Would it be possible to add a config option to ignore certain registries? |
|
Sure! I'll try to add this in version 3 (hopefully coming soon). |
After updating to latest build (not sure if that triggered the issue), I am getting this:
Is there a way to remove the cached token? Might be nice to include that in the message.
Originally posted by @johnnyggalt in #18 (comment)
The text was updated successfully, but these errors were encountered: