Unable to use base image in okteto (requires authorization)

I have a base image in the root of my project, which all other images depend on. These images are trying to accept an arg and source that image from the arg.

I get an error in okteto that authorization is required.

example paraphrased okteto.yml

build:
  dev:
    context: .
    dockerfile: ./Dockerfile
    args:
      AM_URL: $AM_URL
      API_URL: $API_URL
      DEBUGGER_OFF: $DEBUGGER-OFF
      REALM_PATH: $REALM_PATH
      JOURNEY_LOGIN: $JOURNEY_LOGIN
      JOURNEY_REGISTER: $JOURNEY_REGISTER
      WEB_OAUTH_CLIENT: $WEB_OAUTH_CLIENT
      REST_OAUTH_CLIENT: $REST_OAUTH_CLIENT
      REST_OAUTH_SECRET: $REST_OAUTH_SECRET

  reactjs-todo:
    context: .
    dockerfile: samples/reactjs-todo/Dockerfile
    depends_on: dev
    args:
      SOURCE_IMAGE: ${OKTETO_BUILD_DEV_IMAGE}

docker-compose.yml paraphrased

services:
  reactjs-todo:
    container_name: reactjs-todo
    build:
      context: ./
      dockerfile: ./samples/reactjs-todo/Dockerfile
      args:
        SOURCE_IMAGE: $SOURCE_IMAGE
        AM_URL: $AM_URL
        DEBUGGER_OFF: $DEBUGGER-OFF
        REALM_PATH: $REALM_PATH
        API_URL: $API_URL
        JOURNEY_LOGIN: $JOURNEY_LOGIN
        JOURNEY_REGISTER: $JOURNEY_REGISTER
        WEB_OAUTH_CLIENT: $WEB_OAUTH_CLIENT
    ports:
      - '8443:80'
    restart: on-failure

example Dockerfile for given service

ARG SOURCE_IMAGE=$SOURCE_IMAGE

FROM $SOURCE_IMAGE as builder
WORKDIR /app/builder

RUN npx nx build reactjs-todo --prod 

FROM nginx:1.19.2
...rest of docker file

This is shortened as there are a few more services here but I think this is all the provided information needed for this. I didn’t want to overload this post.

If there is a better way to ensure that my images are using this base image, I’m happy to change; I just was unable to get it working.

I understand okteto.dev/namespace:tag gets parsed from that to the actual image in the okteto registry, but I figured it was easier to just pass it in from the okteto.yml?

The error I get is:

You are not authorized to push image ...

Hello :wave: I tried to duplicate the setup, only it’s simplified to what I think you’re trying to accomplish. I used a fork of the go-getting-started repo, GitHub - jmacelroy/go-getting-started: Develop Go Apps in Kubernetes with Okteto

I modified it so that there is a sub-directory called test with a Dockerfile that expects the image from the one in the root directory to be the base.

Base Image from root Dockerfile

FROM golang:buster

WORKDIR /app
ADD . .
RUN go build -o /usr/local/bin/hello-world

EXPOSE 8080
CMD ["/usr/local/bin/hello-world"]

The image that is going to use the base image in ./test

ARG SOURCE_IMAGE=$SOURCE_IMAGE

FROM $SOURCE_IMAGE as builder


CMD ["/bin/bash"]

I then run okteto deploy --build and it all works. I’m wondering if you need to force the build and there’s a caching issue?

➜  go-getting-started git:(master) ✗ okteto deploy --build
 i  Using jmacelroy @ okteto.assessment.jdm.okteto.net as context
 i  Building 'Dockerfile' in tcp://buildkit.assessment.jdm.okteto.net:443...
[+] Building 28.9s (9/9) FINISHED
 => [internal] load .dockerignore                                                                                                                                                                                                                                            0.1s
 => => transferring context: 2B                                                                                                                                                                                                                                              0.1s
 => [internal] load build definition from buildkit-1563700302                                                                                                                                                                                                                0.1s
 => => transferring dockerfile: 180B                                                                                                                                                                                                                                         0.1s
 => [internal] load metadata for docker.io/library/golang:buster                                                                                                                                                                                                             0.8s
 => [1/4] FROM docker.io/library/golang:buster@sha256:fc1e0b02674cef154ceca0ba6ca4d3658bd385d5faadecbbd44809727a56329d                                                                                                                                                       0.0s
 => => resolve docker.io/library/golang:buster@sha256:fc1e0b02674cef154ceca0ba6ca4d3658bd385d5faadecbbd44809727a56329d                                                                                                                                                       0.0s
 => [internal] load build context                                                                                                                                                                                                                                            0.2s
 => => transferring context: 3.46kB                                                                                                                                                                                                                                          0.2s
 => CACHED [2/4] WORKDIR /app                                                                                                                                                                                                                                                0.0s
 => [3/4] ADD . .                                                                                                                                                                                                                                                            0.0s
 => [4/4] RUN go build -o /usr/local/bin/hello-world                                                                                                                                                                                                                        12.8s
 => exporting to image                                                                                                                                                                                                                                                      15.0s
 => => exporting layers                                                                                                                                                                                                                                                     13.1s
 => => exporting manifest sha256:c18b6b3056efe92dccb973d42720fb734a0b6ca34395dbd20ed61537fbd3f0fc                                                                                                                                                                            0.0s
 => => exporting config sha256:25232fe2af7737a7fb2af67ce16ef84c42e859769cae407a18d45906cfc2ea08                                                                                                                                                                              0.0s
 => => pushing layers                                                                                                                                                                                                                                                        1.7s
 => => pushing manifest for registry.assessment.jdm.okteto.net/jmacelroy/go-getting-started-dev:okteto@sha256:c18b6b3056efe92dccb973d42720fb734a0b6ca34395dbd20ed61537fbd3f0fc                                                                                               0.2s
 ✓  Image 'registry.assessment.jdm.okteto.net/jmacelroy/go-getting-started-dev:okteto' successfully pushed
 !  Build 'go-getting-started': Dockerfile './test/Dockerfile' is not in a relative path to context './test'
 i  Building './test/Dockerfile' in tcp://buildkit.assessment.jdm.okteto.net:443...
[+] Building 1.6s (5/5) FINISHED
 => [internal] load build definition from buildkit-528025309                                                                                                                                                                                                                 0.1s
 => => transferring dockerfile: 127B                                                                                                                                                                                                                                         0.1s
 => [internal] load .dockerignore                                                                                                                                                                                                                                            0.1s
 => => transferring context: 2B                                                                                                                                                                                                                                              0.1s
 => [internal] load metadata for registry.assessment.jdm.okteto.net/jmacelroy/go-getting-started-dev@sha256:c18b6b3056efe92dccb973d42720fb734a0b6ca34395dbd20ed61537fbd3f0fc                                                                                                 0.2s
 => [1/1] FROM registry.assessment.jdm.okteto.net/jmacelroy/go-getting-started-dev@sha256:c18b6b3056efe92dccb973d42720fb734a0b6ca34395dbd20ed61537fbd3f0fc                                                                                                                   0.0s
 => => resolve registry.assessment.jdm.okteto.net/jmacelroy/go-getting-started-dev@sha256:c18b6b3056efe92dccb973d42720fb734a0b6ca34395dbd20ed61537fbd3f0fc                                                                                                                   0.0s
 => exporting to image                                                                                                                                                                                                                                                       1.2s
 => => exporting layers                                                                                                                                                                                                                                                      0.0s
 => => exporting manifest sha256:54bc58be1cddcafba379a5bc3a582dabcdcdf60c01e790b1c144586943a12c63                                                                                                                                                                            0.0s
 => => exporting config sha256:1d09ef8235cecee9a5cd268e4c1dc5fdf1fc7ea3b43b3da46c4b8784ac32716d                                                                                                                                                                              0.0s
 => => pushing layers                                                                                                                                                                                                                                                        0.9s
 => => pushing manifest for registry.assessment.jdm.okteto.net/jmacelroy/go-getting-started-go-getting-started:okteto@sha256:54bc58be1cddcafba379a5bc3a582dabcdcdf60c01e790b1c144586943a12c63                                                                                0.3s
 ✓  Image 'registry.assessment.jdm.okteto.net/jmacelroy/go-getting-started-go-getting-started:okteto' successfully pushed
 i  Running 'kubectl apply -f k8s.yml'
deployment.apps/hello-world configured
service/hello-world configured
 i  Endpoints available:
  - https://hello-world-jmacelroy.assessment.jdm.okteto.net/
  - https://hello-world-jmacelroy.assessment.jdm.okteto.net/
 ✓  Development environment 'go-getting-started' successfully deployed
 i  Run 'okteto up' to activate your development container

My Okteto manifest is…


name: go-getting-started

build:
  dev:
    context: .
    dockerfile: Dockerfile

  go-getting-started:
    context: ./test
    dockerfile: ./test/Dockerfile
    depends_on: dev
    args:
      SOURCE_IMAGE: ${OKTETO_BUILD_DEV_IMAGE}

# The deploy section defines how to deploy your development environment
# More info: https://www.okteto.com/docs/reference/manifest/#deploy
deploy:
  - kubectl apply -f k8s.yml

Is there something different in our setups? Are you set up with the proper namespaces? What are the image names that it’s saying you can’t access?

The main difference is I am using a compose file and an okteto.yml. Maybe I don’t need both, but it’s how I’ve always had it set up.

Oh, I missed that part in my first reading of your issue. I think it’s possible that may have something to do with it. I don’t believe the compose file should be playing a part, but it seems plausible there’s an issue. Essentially though I think you have build instructions in two places and it may be triggering a defect or just a usability bug. I’m going to share with the team on Monday and will also attempt further to reproduce it a bit.

I wonder if okteto build works in the absence of the compose file? If so, I do think the fastest resolution may be to just have an okteto manifest as I’m not sure the compose file will work in this case if just using it with local compose. I don’t know that it would know how SOURCE_IMAGE would easily get set if just running local compose with that file and it may be a simplification to use just the okteto manifest. It may be worth trying that out to get unblocked while on our side we work on figuring out the issue with the original attempt.

In my case I’d have to write a different deploy script for the okteto.yml.

The key thing here is that I just want to source the base image as the stage for various other services. I was trying to figure out how to get the okteto.dev/image:tag to work but I couldn’t figure out what that was supposed to be in my case.

So I figured the easiest way was to build the base image as a service in my okteto.yml, all other services use a depends_on: dev so that gets built first, and I use the okteto variable as an argument in the image for the stage.

Using the example Jacob created (GitHub - jmacelroy/go-getting-started: Develop Go Apps in Kubernetes with Okteto) and adding a compose I am not able to reproduce your scenario. This is the compose I added.

services:
  go-getting-started:
    container_name: go-getting-started
    build:
      context: ./
      dockerfile: ./test/Dockerfile
      args:
        SOURCE_IMAGE: $SOURCE_IMAGE
        AM_URL: $AM_URL
        DEBUGGER_OFF: $DEBUGGER-OFF
        REALM_PATH: $REALM_PATH
        API_URL: $API_URL
        JOURNEY_LOGIN: $JOURNEY_LOGIN
        JOURNEY_REGISTER: $JOURNEY_REGISTER
        WEB_OAUTH_CLIENT: $WEB_OAUTH_CLIENT
    ports:
      - '8443:80'
    restart: on-failure

If you want to make sure that your images use a base image, in this scenario, just run okteto build. This command will use your okteto.yml by default. On the other hand, I see that your okteto.yml has no deploy section, so if you want to deploy your environment you should run okteto deploy -f docker-compose.yml, having previously built your images with okteto build. It seems that your build using the manifest does not work. Can you check that the repo given as an example + including the compose file fits your scenario?

I shortened all my files for the purposes of sharing here. I do have a deploy section. It is like so:

deploy:
  compose:
    file: docker-compose.yml

(This above seems to be the main difference between the examples). I am not sure if this just outright changes everything, but it’s possible; I’m not very experienced in docker/kubernetes.

When running in okteto, my dev base image builds fine. When building the next service I will get an error like this:

#3 [internal] load metadata for docker.io/library/base:latest
#3 ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
#4 [internal] load metadata for docker.io/library/nginx:1.21.6
#4 CANCELED
------
 > [internal] load metadata for docker.io/library/base:latest:
------
error building service 'angular-todo':
error building image 'registry.cloud.okteto.net/pr-323-ryanbas21/forgerock-javascript-sdk-angular-todo:okteto': 
You are not authorized to push image 'pr-323-ryanbas21/forgerock-javascript-sdk-angular-todo:okteto'
x Error building service 'angular-todo': error building image 'registry.cloud.okteto.net/pr-323-ryanbas21/forgerock-javascript-sdk-angular-todo:okteto': 
You are not authorized to push image 'pr-323-ryanbas21/forgerock-javascript-sdk-angular-todo:okteto'

(Sorry for formatting, tried to make it prettier.)

Basically my interpretation is that I get an authorization error because it’s trying to pull an image that just doesn’t exist, which is probably because the arg variable is blank somehow. I assume this is somehow a missing link between my setup passing the arg in okteto.yml vs docker-compose.yml (which I am also passing it in).

Running my branch locally produces the same outputs

 ~/programming/forgerock-javascript-sdk  on update-docker *23  okteto build                                                                                                   ok
 !  $AM_URL secret is being overridden by a local environment variable by the same name.
 !  $API_URL secret is being overridden by a local environment variable by the same name.
 !  $CENTRAL_LOGIN_CLIENT secret is being overridden by a local environment variable by the same name.
 !  $REST_OAUTH_CLIENT secret is being overridden by a local environment variable by the same name.
 !  $REST_OAUTH_SECRET secret is being overridden by a local environment variable by the same name.
 !  $SCOPE secret is being overridden by a local environment variable by the same name.
 !  $TIMEOUT secret is being overridden by a local environment variable by the same name.
 !  $WEB_OAUTH_CLIENT secret is being overridden by a local environment variable by the same name.
 i  Building 'Dockerfile' in tcp://buildkit.cloud.okteto.net:443...
[+] Building 140.8s (9/9) FINISHED
 => [internal] load .dockerignore                                                                                                                                            0.5s
 => => transferring context: 178B                                                                                                                                            0.3s
 => [internal] load build definition from buildkit-2369565495                                                                                                                0.4s
 => => transferring dockerfile: 1.08kB                                                                                                                                       0.3s
 => [internal] load metadata for docker.io/library/node:16.17.0                                                                                                              0.6s
 => [1/4] FROM docker.io/library/node:16.17.0@sha256:a5d9200d3b8c17f0f3d7717034a9c215015b7aae70cb2a9d5e5dae7ff8aa6ca8                                                        0.1s
 => => resolve docker.io/library/node:16.17.0@sha256:a5d9200d3b8c17f0f3d7717034a9c215015b7aae70cb2a9d5e5dae7ff8aa6ca8                                                        0.1s
 => [internal] load build context                                                                                                                                           10.8s
 => => transferring context: 12.58MB                                                                                                                                        10.7s
 => CACHED [2/4] WORKDIR /app/builder                                                                                                                                        0.0s
 => [3/4] COPY . /app/builder/                                                                                                                                               0.8s
 => [4/4] RUN npm install                                                                                                                                                   82.2s
 => exporting to image                                                                                                                                                      45.2s
 => => exporting layers                                                                                                                                                     36.3s
 => => exporting manifest sha256:cbb4f9bac595412f13947dd7c426aa95df701c15e731cc830de0a936a63bb54a                                                                            0.0s
 => => exporting config sha256:139efbdf75fb617e9760306bc4068d8711de64bc5b52c9b2bc1baf80efb4f669                                                                              0.0s
 => => pushing layers                                                                                                                                                        7.6s
 => => pushing manifest for registry.cloud.okteto.net/ryanbas21/forgerock-javascript-sdk-dev:okteto@sha256:cbb4f9bac595412f13947dd7c426aa95df701c15e731cc830de0a936a63bb54a  1.3s
 ✓  Image 'registry.cloud.okteto.net/ryanbas21/forgerock-javascript-sdk-dev:okteto' successfully pushed
 i  Building 'samples/angular-todo/Dockerfile' in tcp://buildkit.cloud.okteto.net:443...
[+] Building 1.4s (4/4) FINISHED
 => [internal] load build definition from buildkit-1912522520                                                                                                                0.9s
 => => transferring dockerfile: 309B                                                                                                                                         0.2s
 => [internal] load .dockerignore                                                                                                                                            0.8s
 => => transferring context: 178B                                                                                                                                            0.1s
 => ERROR [internal] load metadata for docker.io/library/base:latest                                                                                                         0.2s
 => CANCELED [internal] load metadata for docker.io/library/nginx:1.21.6                                                                                                     0.3s
------
 > [internal] load metadata for docker.io/library/base:latest:
------
 x  Error building service 'angular-todo': error building image 'registry.cloud.okteto.net/ryanbas21/forgerock-javascript-sdk-angular-todo:okteto': You are not authorized to push image 'ryanbas21/forgerock-javascript-sdk-angular-todo:okteto'

I have been able to reproduce a similar behavior if the image that makes use of the base requires a private image for its build. Can you prove that your image that depends on the base image can be built independently?

That dev service is what I want my base image to be, so it’s built.

Here is the okteto.yml for those two services.

# The build section defines how to build the images of your development environment
# More info: https://www.okteto.com/docs/reference/manifest/#build
build:
  dev:
    context: .
    dockerfile: ./Dockerfile
    args:
      AM_URL: $AM_URL
      API_URL: $API_URL
      DEBUGGER_OFF: $DEBUGGER-OFF
      REALM_PATH: $REALM_PATH
      JOURNEY_LOGIN: $JOURNEY_LOGIN
      JOURNEY_REGISTER: $JOURNEY_REGISTER
      WEB_OAUTH_CLIENT: $WEB_OAUTH_CLIENT
      REST_OAUTH_CLIENT: $REST_OAUTH_CLIENT
      REST_OAUTH_SECRET: $REST_OAUTH_SECRET

  # You can use the following env vars to refer to this image in your deploy commands:
  #  - OKTETO_BUILD_ANGULAR-TODO_REGISTRY: image registry
  #  - OKTETO_BUILD_ANGULAR-TODO_REPOSITORY: image repo
  #  - OKTETO_BUILD_ANGULAR-TODO_IMAGE: image name
  #  - OKTETO_BUILD_ANGULAR-TODO_TAG: image tag
  angular-todo:
    context: .
    dockerfile: samples/angular-todo/Dockerfile
    args:
      AM_URL: $AM_URL
      API_URL: $API_URL
      DEBUGGER_OFF: $DEBUGGER-OFF
      REALM_PATH: $REALM_PATH
      JOURNEY_LOGIN: $JOURNEY_LOGIN
      JOURNEY_REGISTER: $JOURNEY_REGISTER
      WEB_OAUTH_CLIENT: $WEB_OAUTH_CLIENT
      REST_OAUTH_CLIENT: $REST_OAUTH_CLIENT
      REST_OAUTH_SECRET: $REST_OAUTH_SECRET

Sorry, maybe I expressed myself wrongly. What I mean is that the service angular-todo seems to have a dependency on an image that you don’t have access to. I don’t mean dev but another one that you later use during its construction. For example, does your secondary image have more FROM... instructions than the one using dev? That is how I was able to reproduce your scenario, at least with the information you have given.

I’m hoping it’s not me doing something dumb.

I think nginx/1.21.6 is no longer accessible, that’s why you have this error.

Just tried with nginx:1.22.1-alpine

 ✓  Image 'registry.cloud.okteto.net/ryanbas21/forgerock-javascript-sdk-dev:okteto' successfully pushed
 i  Building 'samples/angular-todo/Dockerfile' in tcp://buildkit.cloud.okteto.net:443...
[+] Building 1.0s (4/4) FINISHED
 => [internal] load build definition from buildkit-86541082                                                                                                                  0.4s
 => => transferring dockerfile: 314B                                                                                                                                         0.3s
 => [internal] load .dockerignore                                                                                                                                            0.5s
 => => transferring context: 178B                                                                                                                                            0.3s
 => ERROR [internal] load metadata for docker.io/library/base:latest                                                                                                         0.5s
 => CANCELED [internal] load metadata for docker.io/library/nginx:1.22.1-alpine                                                                                              0.5s
------
 > [internal] load metadata for docker.io/library/base:latest:
------
 x  Error building service 'angular-todo': error building image 'registry.cloud.okteto.net/ryanbas21/forgerock-javascript-sdk-angular-todo:okteto': You are not authorized to push image 'ryanbas21/forgerock-javascript-sdk-angular-todo:okteto'

I’m trying some of the newer nginx images, although it feels weird that even that release would not be available.

Ok, you were correct. I was able to get it working with the most recent images.

Thanks, and I’m sorry for taking you down this road, I assumed it was me with the image variable! So so sorry.

Great! We are here to help :slight_smile:

I lied, I thought it was working but even on nginx:latest it’s failing.

Is this an nginx thing or an okteto thing?

 => => pushing manifest for registry.cloud.okteto.net/ryanbas21/forgerock-javascript-sdk-dev:okteto@sha256:3f0765473818e66d48fb8f09839d175028ed3787e38cf6b61ddbcface7014e1c  0.7s
 ✓  Image 'registry.cloud.okteto.net/ryanbas21/forgerock-javascript-sdk-dev:okteto' successfully pushed
 i  Building 'samples/reactjs-todo/Dockerfile' in tcp://buildkit.cloud.okteto.net:443...
[+] Building 0.8s (4/4) FINISHED
 => [internal] load build definition from buildkit-857666209                                                                                                                 0.2s
 => => transferring dockerfile: 358B                                                                                                                                         0.1s
 => [internal] load .dockerignore                                                                                                                                            0.2s
 => => transferring context: 178B                                                                                                                                            0.1s
 => ERROR [internal] load metadata for docker.io/library/base:latest                                                                                                         0.4s
 => CANCELED [internal] load metadata for docker.io/library/nginx:latest                                                                                                     0.4s
------
 > [internal] load metadata for docker.io/library/base:latest:
------
 x  Error building service 'reactjs-todo': error building image 'registry.cloud.okteto.net/ryanbas21/forgerock-javascript-sdk-reactjs-todo:okteto': You are not authorized to push image 'ryanbas21/forgerock-javascript-sdk-reactjs-todo:okteto'

If it’s not an okteto thing I can keep debugging.

OK, can you share the output of running okteto build --progress=plain?

#9 DONE 0.7s
✓ Image ‘registry.cloud.okteto.net/ryanbas21/forgerock-javascript-sdk-dev:okteto’ successfully pushed
i Building ‘samples/angular-todo/Dockerfile’ in tcp://buildkit.cloud.okteto.net:443…
#2 [internal] load build definition from buildkit-3769105386
#2 DONE 0.0s

#1 [internal] load .dockerignore
#1 DONE 0.0s

#1 [internal] load .dockerignore
#1 transferring context: 178B 0.1s done
#1 DONE 0.3s

#2 [internal] load build definition from buildkit-3769105386
#2 transferring dockerfile: 309B 0.1s done
#2 DONE 0.2s

#4 [internal] load metadata for Docker
#4 CANCELED

#3 [internal] load metadata for Docker
#3 ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

[internal] load metadata for Docker


x Error building service ‘angular-todo’: error building image ‘registry.cloud.okteto.net/ryanbas21/forgerock-javascript-sdk-angular-todo:okteto’: You are not authorized to push image ‘ryanbas21/forgerock-javascript-sdk-angular-todo:okteto’

Looking at the Dockerfile you shared before, could it be that the --from=base ... is wrong? Shouldn’t it be --from=builder ...?
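The failure mode raised in the last reply can be checked mechanically. The following is an added example, not part of the original thread or of Okteto's tooling: it scans a Dockerfile for `COPY --from=<name>` values that match no earlier stage and reports the registry image the builder would try to pull instead. The function names are hypothetical, and the `COPY` line in the sample is constructed, since the thread only mentions `--from=base` without showing the line.

```python
import re

# Constructed sample: the first lines match the Dockerfile posted in the thread;
# the COPY line is an assumption based on the "--from=base" mentioned in the last reply.
SAMPLE_DOCKERFILE = """\
ARG SOURCE_IMAGE=$SOURCE_IMAGE
FROM $SOURCE_IMAGE as builder
WORKDIR /app/builder
RUN npx nx build reactjs-todo --prod

FROM nginx:1.19.2
COPY --from=base /app/builder/dist /usr/share/nginx/html
"""

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
COPY_FROM_RE = re.compile(r"^COPY\s+(?:--\S+\s+)*?--from=(\S+)", re.IGNORECASE)


def logical_lines(text):
    """Yield (line_number, instruction) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None


def normalize_image(ref):
    """Expand a short image reference the way Docker resolves it by default."""
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
        if "/" not in path:
            path = "library/" + path
    if "@" not in path and ":" not in path.rsplit("/", 1)[-1]:
        path += ":latest"
    return f"{registry}/{path}"


def undeclared_copy_sources(dockerfile_text):
    """Return COPY --from references that are not an earlier build stage.

    Such a reference is not rejected by the builder: it is treated as an
    image name and pulled from a registry, which is what produces
    'load metadata for docker.io/library/base:latest' in the thread's logs.
    """
    stages = []    # stage names (None when unnamed), in declaration order
    findings = []
    for lineno, instr in logical_lines(dockerfile_text):
        m = FROM_RE.match(instr)
        if m:
            stages.append(m.group(2).lower() if m.group(2) else None)
            continue
        m = COPY_FROM_RE.match(instr)
        if not m:
            continue
        src = m.group(1)
        earlier = stages[:-1]  # only stages before the current one can be named
        if src.isdigit() and int(src) < len(earlier):
            continue           # numeric index of an earlier stage
        if src.lower() in earlier:
            continue           # declared stage name (case-insensitive)
        findings.append({
            "line": lineno,
            "source": src,
            "resolves_to": normalize_image(src),
            "declared_stages": [s for s in earlier if s],
        })
    return findings


if __name__ == "__main__":
    for f in undeclared_copy_sources(SAMPLE_DOCKERFILE):
        print(f"line {f['line']}: --from={f['source']} is not a stage "
              f"(declared: {f['declared_stages']}); builder will pull {f['resolves_to']}")
```

A legitimate `COPY --from=<external image>` is reported as well, so the output is a list to review rather than a list of errors; `RUN --mount=...,from=` references are not covered.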