Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support different container registry to push and pull #1904

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Support different container registry to push and pull #1904

wants to merge 10 commits into from
+122 −55

Conversation

rgaiacs
Copy link
Contributor

@rgaiacs rgaiacs commented Jan 6, 2025

This covers #1903.

@rgaiacs rgaiacs self-assigned this Jan 6, 2025
@rgaiacs rgaiacs changed the title WIP: Support different container registry to push and pull Support different container registry to push and pull Jan 14, 2025
@rgaiacs
Copy link
Contributor Author

rgaiacs commented Jan 14, 2025

When I run locally and request a launch for https://github.com/binder-examples/requirements, the output was

Waiting for build to start...
Picked Git content provider.
Cloning into '/tmp/repo2dockersul_16w8'...
HEAD is now at 50533eb Merge pull request #21 from minrk/default-branch
Building conda environment for python=3.10
Using PythonBuildPack builder
Step 1/50 : FROM docker.io/library/buildpack-deps:jammy
 ---> 9c6387be7092
...
Step 50/50 : CMD ["jupyter", "notebook", "--ip", "0.0.0.0"]
 ---> Running in ee6ff4f7fcc2
 ---> Removed intermediate container ee6ff4f7fcc2
 ---> 6a38d51aece6
{"aux": {"ID": "sha256:6a38d51aece6f13a0a23116b2b4050ddd094a00a87eea438317bc298af4d5800"}}Successfully built 6a38d51aece6
Successfully tagged gesiscss/binder-binder-2dexamples-2drequirements-55ab5c:50533eb470ee6c24e872043d30b2fee463d6943f
Exception ignored in: <function Application.__del__ at 0x7fad6b188900>
Traceback (most recent call last):
  File "/opt/venv/lib/python3.11/site-packages/traitlets/config/application.py", line 1065, in __del__
  File "/opt/venv/lib/python3.11/site-packages/traitlets/config/application.py", line 1054, in close_handlers
  File "/opt/venv/lib/python3.11/site-packages/traitlets/traitlets.py", line 687, in __get__
  File "/opt/venv/lib/python3.11/site-packages/traitlets/traitlets.py", line 666, in get
TypeError: 'NoneType' object is not callable
Built image, launching...
Launching server...
Launch attempt 1 failed, retrying...
Launch attempt 2 failed, retrying...
Launch attempt 3 failed, retrying...
Failed to create temporary user for gesiscss/binder-binder-2dexamples-2drequirements-55ab5c:50533eb470ee6c24e872043d30b2fee463d6943f

There are a minor error related with traitlets. We should catch it during code review.

The launch attempt fail because I was not running Jupyter Hub locally.

@rgaiacs rgaiacs requested review from minrk and manics January 14, 2025 14:23
manics
manics reviewed Jan 14, 2025
View reviewed changes
Copy link
Member

@manics manics left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My initial thoughts are that most BinderHubs will use the same prefix for push and pull, so how about just have image_prefix as the default property as at present, and maybe add just one new property, image_prefix_pull?

I think it's fine to keep using the *_push and *_pull variables in builder.py if you want though, for clarity.

binderhub/app.py Outdated
@@ -443,6 +443,42 @@ def _pod_quota_deprecated(self, change):
config=True,
)

image_prefix_push = Unicode(
help="""
Prefix for built docker images push to container registry.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Prefix for built docker images push to container registry.
Prefix for built docker images being pushed to the container registry.

binderhub/app.py Outdated

image_prefix_pull = Unicode(
help="""
Prefix for built docker images pull from container registry.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Prefix for built docker images pull from container registry.
Prefix for built docker images being pulled from container registry.

@rgaiacs
Copy link
Contributor Author

rgaiacs commented Jan 15, 2025

My initial thoughts are that most BinderHubs will use the same prefix for push and pull

You are absolutely right. I think that 99% of BinderHubs will use a single registry. But there will be the 1% like GESIS that want to push to Docker Hub or GitHub Packages Registry and pull from a local Harbor that operates as proxy cache.

so how about just have image_prefix as the default property as at present, and maybe add just one new property, image_prefix_pull?

image_prefix is use as the default property, see https://github.com/rgaiacs/binderhub/blob/c322eabfdd78574e6b2ea03863f04ad4593060d7/binderhub/app.py#L460-L462 and https://github.com/rgaiacs/binderhub/blob/c322eabfdd78574e6b2ea03863f04ad4593060d7/binderhub/app.py#L478-L480. No change required to existing deployments.

@rgaiacs
Copy link
Contributor Author

rgaiacs commented Jan 17, 2025

I forgot that the credentials to the registries might be different and must also be provided.

@manics @minrk @yuvipanda can I get a bit of help on how the registry credentials are handle? Thanks!

@rgaiacs rgaiacs force-pushed the 1903-container-registry-push-pull branch from c322eab to 8cd2bcb Compare January 27, 2025 14:34
@rgaiacs
Copy link
Contributor Author

rgaiacs commented Jan 28, 2025

I tested this PR.

2025-01-28.10-07-48.mp4

The launch log shows

{"aux": {"ID": "sha256:2d912e494879159e4f8696e38f0b01e042824f3b0e65f9c4c2bfe001b3e93a04"}}Successfully built 2d912e494879
Successfully tagged harbor.notebooks-test.gesis.org/gesiscss/binder-rgaiacs-2dbinderhubtest-f4c866:2be6db473d1d6c8e8bb111d8728548e1f5beb718
Successfully pushed harbor.notebooks-test.gesis.org/gesiscss/binder-rgaiacs-2dbinderhubtest-f4c866:2be6db473d1d6c8e8bb111d8728548e1f5beb718Exception ignored in: <function Application.__del__ at 0x7f0c10c807c0>
Traceback (most recent call last):
  File "/opt/venv/lib/python3.11/site-packages/traitlets/config/application.py", line 1065, in __del__
  File "/opt/venv/lib/python3.11/site-packages/traitlets/config/application.py", line 1054, in close_handlers
  File "/opt/venv/lib/python3.11/site-packages/traitlets/traitlets.py", line 687, in __get__
  File "/opt/venv/lib/python3.11/site-packages/traitlets/traitlets.py", line 666, in get
TypeError: 'NoneType' object is not callable
Built image, launching...
Launching server...
Server requested
2025-01-28T09:11:04.551221Z [Normal] Successfully assigned binderhub-test/jupyter-rgaiacs-binderhubtest-bojlrpvl to docker-desktop
2025-01-28T09:11:06Z [Normal] Container image "quay.io/jupyterhub/k8s-network-tools:4.0.0" already present on machine
2025-01-28T09:11:08Z [Normal] Created container block-cloud-metadata
2025-01-28T09:11:08Z [Normal] Started container block-cloud-metadata
2025-01-28T09:11:10Z [Normal] Pulling image "nexus.notebooks-test.gesis.org/gesiscss/binder-rgaiacs-2dbinderhubtest-f4c866:2be6db473d1d6c8e8bb111d8728548e1f5beb718"
2025-01-28T09:11:11Z [Normal] Successfully pulled image "nexus.notebooks-test.gesis.org/gesiscss/binder-rgaiacs-2dbinderhubtest-f4c866:2be6db473d1d6c8e8bb111d8728548e1f5beb718" in 531ms (531ms including waiting). Image size: 545867993 bytes.
2025-01-28T09:11:11Z [Normal] Created container notebook
2025-01-28T09:11:11Z [Normal] Started container notebook

The container image was pushed to harbor.notebooks-test.gesis.org and pulled from nexus.notebooks-test.gesis.org. nexus.notebooks-test.gesis.org is configured to operate as a cache proxy to harbor.notebooks-test.gesis.org.

The Helm deployment was configured with the following values

config:
  BinderHub:
    use_registry: true
    image_prefix_push: harbor.notebooks-test.gesis.org/gesiscss/binder-
    image_prefix_pull: nexus.notebooks-test.gesis.org/gesiscss/binder-
    hub_url: http://jupyterhub.binbderhub.10.6.46.141.nip.io

service:
  type: ClusterIP

ingress:
  enabled: true
  annotations:
    # use the shared ingress-nginx
    kubernetes.io/ingress.class: "nginx"
  https:
      # This is unsafe! Only se for local development
      enabled: false
  hosts:
    - binderhub.10.6.46.141.nip.io

jupyterhub:
  proxy:
    service:
     type: ClusterIP
  ingress:
    enabled: true
    annotations:
      # use the shared ingress-nginx
      kubernetes.io/ingress.class: "nginx"
    hosts:
      - jupyterhub.binbderhub.10.6.46.141.nip.io

The secrets were

# https://binderhub.readthedocs.io/en/latest/zero-to-binderhub/setup-binderhub.html#if-you-are-using-azure-container-registry
registry:
  url: https://harbor.notebooks-test.gesis.org
  username: methodshub
  password: REDACTED

# https://z2jh.jupyter.org/en/stable/resources/reference.html#imagepullsecrets
jupyterhub:
  imagePullSecrets:
    # Created using
    # 
    # kubectl \
    # create \
    # secret \
    # docker-registry \
    # nexus.notebooks-test.gesis.org \
    # --docker-server=<your-registry-server> \
    # --docker-username=<your-name> \
    # --docker-password=<your-pword> \
    # --docker-email=<your-email> \
    # --namespace='binderhub-test'
    # 
    # Source: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line
    - "nexus.notebooks-test.gesis.org"

On a second launch, BinderHub is not checking if the container image exists in the registry but starts a new build. I will try to fix this. If you can share the location in the code where BinderHub decides to do a build, I will appreciate.

@rgaiacs
Copy link
Contributor Author

rgaiacs commented Jan 28, 2025

@manics @minrk @yuvipanda my understanding is that in

binderhub/binderhub/builder.py

Lines 408 to 421 in 2ac9124

if self.settings["use_registry"]:
for _ in range(3):
try:
image_manifest = await self.registry.get_image_manifest(
image_without_tag, image_tag
)
image_found = bool(image_manifest)
break
except HTTPClientError:
app_log.exception(
"Failed to get image manifest for %s",
image_name,
)
image_found = False
BinderHub will contact the registry to check if the image exists. For a private registry, BinderHub will use the credentials available for the Docker client configured at

binderhub/binderhub/registry.py

Lines 139 to 146 in 2ac9124

username = Unicode(
help="""
Username for authenticating with docker registry
Default: retrieved from docker config.json.
""",
config=True,
)
and

binderhub/binderhub/registry.py

Lines 164 to 171 in 2ac9124

password = Unicode(
help="""
Password for authenticating with docker registry
Default: retrieved from docker config.json.
""",
config=True,
)

For this PR to move forward, the user will need to pass two credentials. One for the registry to push and another for the registry to pull. For this, backward compatibility will be broken. Can you advise me what is your preferable way to move this forward? Duplicate the credentials as done for the image name? Or use another format? Thanks!

@rgaiacs
Copy link
Contributor Author

rgaiacs commented Jan 28, 2025

09051c4 has a backward compatibility change in the Helm chart. registry changed to be a list.

@rgaiacs
Copy link
Contributor Author

rgaiacs commented Jan 28, 2025

BinderHub is missing the existing image in the container registry because the DockerRegistry class is implemented to support only one registry as mentioned in

binderhub/binderhub/registry.py

Line 42 in 2ac9124

# default to first entry in docker config.json auths
And the Helm chart implementation of .docker/config.json in 09051c4 does not preserve the order from the Helm value.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@manics manics manics left review comments

@minrk minrk Awaiting requested review from minrk

Assignees

@rgaiacs rgaiacs

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rgaiacs @manics