-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multi-module maven project with parallel builds fail with UNAUTHORIZED. #3733
Comments
@tommyulfsparre Thank you -- great investigation! @chanseokoh What would be the best approach to fixing this in your opinion -- 1) only using the cache if all layers are available, 2) keeping current caching behavior but finding real auth credentials, 3) something else? |
Hmm... it's hard to say what is the best approach unless I review the code holistically, which I don't think I'll do. The problem I think is that Jib assumes a base image is cached as long as there exists a manifest JSON (saved and retrieved via But the direction of 1) doesn't sound bad. It may not be that hard to add a logic to check if all the layer files described in a manifest are present, but I don't really know. 2) is also thinkable, but there'll will be situations where it retrieves credentials only to never use it. Retrieving credentials may cause frictions, and it delays the start of downloading anything from a registry. Another option I can think of is to save the manifest (calling |
Thank you for the thorough explanation @chanseokoh! +1 to both your and @elefeint's suggestions. Option 1 where we add an additional check to verify that all the layer files are present along with checking if the manifest exists sounds like a viable change! For the option to add another async Step, I'm guess this new step will be different from BuildManifestListOrSingleManifestStep? |
Closing via #3767 which implements approach 1 to check for layers presence in cache, which should address the issue for this race condition. Please re-open if needed, and thanks again for the investigation! |
|
Environment:
Description of the issue:
Building a multi-module Maven project with parallelized builds fails with
UNAUTHORIZED
when each container uses the same base image. The build needs to run with an empty cache.Maven command:
mvn clean verify -Djava.util.logging.config.file=logging.properties -T 1C
We enabled jib debug logs and could see that the request to fetch the layer didn’t contain an authorization token for one or more of the concurrent build steps.
We were able to reproduce this issue locally and are fairly certain that this happens when the cache is empty and then gets partially populated (
manifests_configs.json
exists but not all the layers). This led us to this section: https://github.com/GoogleContainerTools/jib/blob/master/jib-core/src/main/java/com/google/cloud/tools/jib/builder/steps/PullBaseImageStep.java#L134-L140 that links to: #2220 which describes the issue we are observing. Removing this branch makes the parallel build pass.We are fairly certain that this is the same issue as seen in: #2007 (comment)
Expected behavior:
Multiple parallel builds should correctly use the same base image (either cached or not) and build the proper tar artifacts.
Steps to reproduce:
mvn clean verify -Djava.util.logging.config.file=logging.properties -DskipTests -T 1C
jib-maven-plugin
Configuration:Log output:
The text was updated successfully, but these errors were encountered: