Andrew
11/28/2023, 10:21 PM
task submitted to K8s
[ContainersNotReady|ContainerCreating]: containers with unready status: [f787e4fb7001d459f851-n0-0]|
[ContainersNotReady|ErrImagePull]: containers with unready status: [f787e4fb7001d459f851-n0-0]|rpc error: code = Unknown desc = failed to pull and unpack image "<location>-docker.pkg.dev/<project>/<repository>/<image_name>:MHon8F_9TgvC55qoS5mUtw..": failed to resolve reference "<location>-docker.pkg.dev/<project>/<repository>/<image_name>:MHon8F_9TgvC55qoS5mUtw..": failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://<location>-docker.pkg.dev/v2/token?scope=repository%3A<project>%2F<repository>%2F<image_name>%3Apull&service=<location>-docker.pkg.dev: 403 Forbidden
Here are the patch steps I followed:
• Created service account and downloaded the .json key file
• kubectl create secret docker-registry artifact-json-key --docker-server=pkg.dev --docker-username=_json_key --docker-password=(cat artifact_auth.json | string collect) --docker-email=<email>
• kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "artifact-json-key"}]}'
Samhita Alla
Andrew
11/29/2023, 2:28 PM
Samhita Alla
Maybe I’ll have to give that one a try as well.
okay. let me know if it still results in a failure.
Also, do you know if you’d have to manually patch the default service account under each namespace, for “flytesnacks.development”, “flytesnacks.staging” etc. as an example? Or if there’s a way to patch all of them and future ones? I tried manually for now to test the patch but with no luck.
i'm not so sure. @David Espejo (he/him) do you know if this is a possibility?
David Espejo (he/him)
11/29/2023, 4:29 PM
default KSA uses is missing a role. Could you try adding to this list the "artifactregistry.reader" role?
David Espejo (he/him)
11/29/2023, 4:29 PM
Andrew
11/29/2023, 4:43 PM
"artifactregistry.dockerimages.get", not sure if that’s the only one it would need
Andrew
11/29/2023, 4:44 PM
Andrew
11/29/2023, 4:57 PM
"artifactregistry.dockerimages.get",
"artifactregistry.dockerimages.list",
"artifactregistry.files.get",
"artifactregistry.files.list",
"artifactregistry.locations.get",
"artifactregistry.locations.list",
"artifactregistry.mavenartifacts.get",
"artifactregistry.mavenartifacts.list",
"artifactregistry.npmpackages.get",
"artifactregistry.npmpackages.list",
"artifactregistry.packages.get",
"artifactregistry.packages.list",
"artifactregistry.projectsettings.get",
"artifactregistry.pythonpackages.get",
"artifactregistry.pythonpackages.list",
"artifactregistry.repositories.downloadArtifacts",
"artifactregistry.repositories.get",
"artifactregistry.repositories.list",
"artifactregistry.repositories.listEffectiveTags",
"artifactregistry.repositories.listTagBindings",
"artifactregistry.repositories.readViaVirtualRepository",
"artifactregistry.tags.get",
"artifactregistry.tags.list",
"artifactregistry.versions.get",
#"artifactregistry.versions.list ",
For some reason just that last one caused a 400 error, saying it was an invalid permission.. but all of those are listed under that role you mentioned
Andrew
11/29/2023, 4:57 PM
Andrew
11/29/2023, 5:08 PM
David Espejo (he/him)
11/29/2023, 5:58 PM
David Espejo (he/him)
11/30/2023, 10:43 PM
David Espejo (he/him)
11/30/2023, 10:56 PM
flyteworkers GSA (gcloud iam service-accounts keys create gcp-artifact.key --iam-account=flyte-gcp-flyteworkers@<your-project>.iam.gserviceaccount.com)
b. Login to Docker using the GSA (cat gcp-artifact.key | docker login -u _json_key --password-stdin https://<region>-docker.pkg.dev)
c. Complete the rest of the process described here with a couple of nits:
• add `--namespace flytesnacks-development` to the `kubectl create secret...` command
• Patch the default SA on the flytesnacks-development ns
3. Your ImageSpec definition was rendering errors. Here is a description of how to specify the base image. In summary, I just tested it a couple of times using:
from flytekit import ImageSpec

misc_image_spec = ImageSpec(
    name="example-v2",
    base_image="ghcr.io/flyteorg/flytekit:py3.10-1.10.0",  # This is flytekit 1.10.0 and Python 3.10
    packages=["pendulum==2.1.2"],
    # apt_packages=["git"],
    registry="<region>-docker.pkg.dev/<project>/flyte",
)
Considering that you will have a default SA per every project-domain combination, I'm not sure this is the best approach but I'm still getting familiar with the interesting IAM model on GCP
Andrew
11/30/2023, 11:50 PM
project-domain combo, but there may be a way around that later?
David Espejo (he/him)
11/30/2023, 11:56 PM
David Espejo (he/him)
11/30/2023, 11:58 PM
Andrew
12/01/2023, 6:00 AM
Samhita Alla
Andrew
12/01/2023, 2:41 PM
Samhita Alla
Andrew
12/04/2023, 11:51 PM
Andrew
12/05/2023, 4:48 AM
12/5/2023 4:44:58 AM UTC task submitted to K8s
12/5/2023 4:44:58 AM UTC Scheduling
12/5/2023 4:44:58 AM UTC [ContainersNotReady|ContainerCreating]: containers with unready status: [f036bb5e57f094cc3883-n0-0]|
And in the task logs it got this:
"Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "pyflyte-fast-execute": executable file not found in $PATH: unknown"
So it looks like it may have gotten past the 403 error, but I’m not exactly sure how to interpret these errors.
Samhita Alla
Andrew
12/05/2023, 5:34 AM
David Espejo (he/him)
12/05/2023, 10:32 AM
pyflyte outside an active venv
Andrew
12/05/2023, 3:51 PM
David Espejo (he/him)
12/05/2023, 10:10 PM
"${local.name_prefix}-registrywriter" that you or a CI system can use to get a token and do a docker login as described here
• The workers now have the artifactregistry.reader role to be able to pull images
Andrew
12/06/2023, 11:11 PM
David Espejo (he/him)
12/06/2023, 11:26 PM
Andrew
12/06/2023, 11:29 PM
Andrew
12/07/2023, 12:52 AM
David Espejo (he/him)
12/07/2023, 11:07 AM
Andrew
12/07/2023, 2:01 PM