#Init with python SDK + Custom docker engine

Hi,
I got custom certificates and following the documentation, I create an docker engine from dagger engine like

FROM registry.dagger.io/engine:v0.12.5

COPY custom.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates 

Then I run :

dagger init --sdk=python --source=./dagger

Before, I had a x509 error but now, I have this error :

    ✔ Directory.file(path: "dagger/pyproject.toml"): File! 0.1s
Error: failed to generate code: input: moduleSource.withContextDirectory.withName.withSDK.withSourceSubpath.withInit.asModule resolve: failed to create module: select: failed to update codegen and runtime: failed to generate code: failed to call sdk module codegen: select: call function "Codegen": process "/runtime" did not complete successfully: exit code: 2

Stdout:
marshal: json: error calling MarshalJSON for type *dagger.GeneratedCode: input: container.from resolve: failed to resolve image ghcr.io/astral-sh/uv:0.2.32@sha256:13be45299cae9fd573f553cb65a8c0267c8187ab985c3c9000f5bc1dc9a39fe7: failed to resolve source metadata for ghcr.io/astral-sh/uv:0.2.32@sha256:13be45299cae9fd573f553cb65a8c0267c8187ab985c3c9000f5bc1dc9a39fe7: failed commit on ref "unknown-sha256:13be45299cae9fd573f553cb65a8c0267c8187ab985c3c9000f5bc1dc9a39fe7": unexpected commit digest sha256:7776b85082706e1e4e80718abdd067318cf1cd50d5bd52bea84e87fe7f80749a, expected sha256:13be45299cae9fd573f553cb65a8c0267c8187ab985c3c9000f5bc1dc9a39fe7: failed precondition

This sha256 is the same as in this docker file :
https://github.com/dagger/dagger/blob/fa8f309eaf510e0d375f9e5b1205b00e6f889b9b/sdk/python/runtime/Dockerfile#L3

What could I do ?

Engine version is v0.12.5

👋 if you docker exec in the engine container, can you verify the certificate is currently working?

Hello, sorry @worldly condor . I didn't get any notifications.
Can you clarify what I need to do inside this engine ?

Also this is the full error log. I saw that there is things I cannot explain :

• ETOOBIG (not considered as an error ?)
• failed precondition
• version mismatch ? this line indicates python-sdk engineVersion v0.12.1 : ✔ Directory.withNewFile(contents: "{\n "name": "python-sdk",\n "sdk": "go",\n "source": ".",\n "engineVersion": "v0.12.1"\n}\n", path: "dagger.json", permissions: 420): Directory! 0.4s

I run this command for certificate check :
openssl x509 -in /usr/local/share/ca-certificates/mycertificate.crt -text -noout

👋 where are you running this?

does your "dagger.json" have v0.12.5 as well?

I enter in custom-dagger engine

and launching

I don't have any dagger.json. Isn't this the purpose of dagger init ?

oh, you're running dagger init gotcha

once in the custom dagger engine

can you run curl https://google.com or something?

just to make sure the certficate is working

don't you also need to set a custom proxy server or something?

this command returns the page

Do you mean setup an env variable to a proxy ?

Reading the logs. It was able to download packages (go, then image, etc.) but fails to have a coherent sha256 for astra-uv image

See line 92-95 of the logs

yes, I saw that

does this script work in the engine image?

#!/usr/bin/env bash

# public image's {USER}/{IMAGE}
USER_IMAGE=astral-sh/uv

# get token ('{"token":"***"}' -> '***')
TOKEN="$(
  curl "https://ghcr.io/token?scope=repository:${USER_IMAGE}:pull" |
  awk -F'"' '$0=$4'
)"

_curl(){ curl -H "Authorization: Bearer ${TOKEN}" "$1"; }

# get tags
_curl "https://ghcr.io/v2/${USER_IMAGE}/tags/list"

I have the suspicion that your transparent proxy server might be blocking the ghcr endpoint for some reason 🤔

seems like everything seems to work ok except for the ghcr image pull

curl command return all image from astra-sh/uv

{"name":"astral-sh/uv","tags":["initial","latest","0.1.37","0.1.38","0.1.39","0.1.40","0.1.41","0.1.42","0.1.43","0.1.44","0.1.45","0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.2.7","0.2.8","0.2.9","0.2.10","0.2.11","0.2.12","0.2.13","0.2.14","0.2.15","0.2.16","0.2.17","0.2.18","0.2.19","0.2.20","0.2.21","0.2.22","0.2.23","0.2.24","0.2.25","0.2.26","0.2.27","0.2.28","0.2.29","0.2.30","0.2.31","0.2.32","0.2.33","0.2.34","0.2.35","0.2.36","0.2.37","0.3.0","0.3.1","0.3.2","0.3.3"]}

🤔 could you please restart your custom engine

and share the docker logs output of the engine after calling dagger init?

Here is the log. To understand the init part. It runs this ? github.com/dagger/dagger/tree/main/sdk/python/runtime

@proud viper just to re-validate both your engine and dagger CLI are in v0.12.5, correct?

👍

how are you running your custom engine?

mind sharing the command?

 docker run --rm --privileged -v /var/lib/dagger --name dagger-custom-engine --privileged 
--volume C:/Users/thomas.pedot/Developpements/dagger-hello/engine.toml:/etc/dagger/engine.toml --env GOINSECURE=* dagger-custom-engine

👍 mind doing a docker rm -fv dagger-custom-engine and starting it again?

and see if that helps ? 🙏

I have already done this. this morning.

😦

Is there any bypass ? I feel it is only related to ghcr.io ?

for exemple, if I start from this ? https://github.com/dagger/dagger/tree/ea6489ef18302593539239174d7198829ef5ff90/sdk/python/dev

@proud viper

mind running this script one last time pleasE?

#!/usr/bin/env bash

# public image's {USER}/{IMAGE}
USER_IMAGE=astral-sh/uv

# get token ('{"token":"***"}' -> '***')
TOKEN="$(
  curl -fsS "https://ghcr.io/token?scope=repository:${USER_IMAGE}:pull" |
  awk -F'"' '$0=$4'
)"

_curl(){ curl -fs -H "Authorization: Bearer ${TOKEN}" -H "Accept:application/vnd.oci.image.index.v1+json" "$1"; }

# get tags
#_curl "https://ghcr.io/v2/${USER_IMAGE}/tags/list"

# get manifest of the latest image
MANIFEST=`_curl "https://ghcr.io/v2/${USER_IMAGE}/manifests/0.2.32"`

echo "$MANIFEST"

echo -n "$MANIFEST" | sha256sum

I have this : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

I am testing something..

Okay. I feel a little ashamed. My engine.toml was this :

debug = true
insecure-entitlements = ["security.insecure"]

[registry."ghcr.io"]
  mirrors = ["docker.io"]

I removed [registry."ghcr.io"]

and it works...

I tried this before setting the certificates. But forget to remove it...

😢

But this error doesn't appear in the logs

lol, that was the issue 😄

yes. Can I share some feedbacks ?

this is not the same manifest I was gettiing locally

so somerhing was off. Your image was being pulled from somewher else 😬

the "bad" thing is that buildkit doesn't log anything about this when using registry mirrors. cc @fleet shard this has bitten me in the past also

I'll open an issue in the buildkit repo

My guess is that registry mirror was working. ghcr.io s mirrored by docker

yes

yes, but this is configured the other way around

but the log says it was pulled from the original

@proud viper I don't see the astral-sh/uv image in dockerhub

hum

and your configuraiton seems to be reversed

you generally want "ghcr.io" to be in the mirrors array

okay

I have this sha59 now : 13be45299cae9fd573f553cb65a8c0267c8187ab985c3c9000f5bc1dc9a39fe7

Thanks for your help anyway... I don't know if I can do something.

yes, that's the same SHA I'm getting locally also

I'll open an issue in the buildkit repo as these kind of errors definitely need some better messaging 🙏

I've also come across them in the past

When I had to setup a registry mirror and use crane to copy the image into the registry.

mmm is the idea that we'd want a downloading image to show it had come from a mirror?