singularity icon indicating copy to clipboard operation
singularity copied to clipboard

Published 20 hours ago verified publisher icon sylabs

Adding Remote Endpoint - passed parameter "--insecure" is ignored

Open j-danek opened this issue 2 years ago • 1 comments

Version of Singularity Running SingularityCE 3.10.2-jammy

Describe the bug I want to pull docker images from a private registry and encounter error x509: certificate signed by unknown authority. So I want to add Remote Endpoint with --insecure option, so I do not have to bother with this issue in the future. But after adding the Endpoint, the parameters do not seem to be accepted by singularity.

To Reproduce starting with $ sudo singularity remote add --global --insecure TEST http://registry.test.com $ sudo singularity remote use TEST and seeing that /etc/singularity/remote.yaml contains the proper entry:

Active: SylabsCloud Remotes: TEST: URI: registry.test.com System: true Exclusive: false Insecure: true SylabsCloud: URI: cloud.sylabs.io System: true Exclusive: false

but command $ sudo singularity remote list yields following results:

NAME URI ACTIVE GLOBAL EXCLUSIVE INSECURE TEST registry.test.com YES YES NO NO SylabsCloud cloud.sylabs.io NO YES NO NO

Expected behavior I would expect that the command singularity remote list lists the INSECURE option as YES for TEST endpoint and that I do not have to use option --no-https anymore when pulling from that endpoint.

OS / Linux Distribution On Ubuntu 22.04.1

Installation Method I downloaded the deb package _ singularity-ce_3.10.2-jammy_amd64.deb _ and installed it with apt.

Additional context

j-danek avatar Sep 29 '22 10:09 j-danek

Hi @j-danek

The singularity remote add http://xxxxx command won't actually do anything for docker:// sources. Adding a remote like that is for the Sylabs Cloud Library, a Singularity Enterprise installation, or other projects that provide the library:// protocol.

Remotes shown at the top of singularity remote list are for library://, the remote builder, and keystore. Docker / OCI registry configuration is listed separately, below.

You can add authentication information for a Docker / OCI registry and set an insecure flag at the same time with singularity remote login e.g. docker run -d -p 5000:5000 --restart=always --name registry registry:2

However, at present this is not useful for non-authenticated pulls. A workaround is to use the fact that Singularity pulls OCI / Docker images with a library that reads registries.conf

See - https://www.redhat.com/sysadmin/manage-container-registries which shows how to add an entry to set a registry as insecure.

We're aware that all of this is confusing, and that the difference between a 'remote' (i.e. library://, remote builder, keystore) and a configure docker / OCI registry is confusing. We aim to completely overhaul the CLI in future, as tracked in #78. Prior to that I'll try to update the documentation, and look for any short-term improvements we can make without breaking the CLI. We can't change it in a non-backward compatible way until Singularity 4.0.

dtrudg avatar Sep 30 '22 09:09 dtrudg

Hopefully this is cleared up by the split from remote -> keyserver / registry commands in 4.0.0

dtrudg avatar Sep 20 '23 10:09 dtrudg