Action started to push manifest indexes instead of images for a single platform #755
Comments
|
the first one works fine though the second one pushes wrong manifest indexes. it seems that buildkit version is culprit? |
|
I solved this by setting driver-opts in setup-buildx-action step - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
version: latest
endpoint: builders
driver-opts: 'image=moby/buildkit:v0.10.5' |
|
See my comment here:
Is there an issue with the single platform being uploaded as an index instead of a manifest? Is there a specific tool you're using that's giving issues? |
|
so in simple terms add |
|
@martadinata666 that's definitely a solution you can try 🎉 But yeah, not ideal - the idea for enabling provenance by default is to enable better introspection of built images, where they come from, how they were built, etc. We want to make it easier by default to understand where an image has come from, to make it easier to decide how and whether to trust random images on the internet. 🤞 Is there a reason that it matters whether buildkit outputs an index instead of an image manifest here? I'm not able to think of a use case where this should matter, except maybe for the known bug with In docker/buildx#1509 (comment), I give some workarounds for the |
tried this and got |
|
@Legomegger you'll need to set |
|
@jedevc thanks a lot for solving this mystery! |
Not now, just wait for #746 to land to use |
|
@jedevc |
|
docker actions wise, i personally set to specific version right now. |
|
@bubenkoff yup, buildx actually can do parallel native builds without needing to do manual manifest manipulation - however, it's definitely not as well presented as it could be. We're tracking that here: docker/buildx#1510. If there's something you think we should cover in relation to the topic, please do mention it in that thread 🎉 |
If it helps, it broke our Google Cloud Run deployments, they don't seem to support this new format under-the-hood (at least in our region it causes an |
This also broke our Cloud Run deployments that are pulling from Artifact Registry. It manifests as Cloud Run saying "Image '' not found". It is fixed by adding |
|
with the update to buildx v0.10.0 it started using manifest v1?! from the Manifest output: and that causes issues later on (during for comparison it used to look like this: @bekriebel's solution restored the previous behavior:
|
|
I've also hit issues with this, however setting EDIT: It looks like I'm also hitting this issue with EDIT2: Note that the |
|
Just adding that this also broke deployments to AWS lambda, which currently does not support multi-architecture containers. We were confronted with the following error: We noticed that the new builds (with buildx 0.10.0 instead of 0.9) added the following flags by default: We were able to solve this by setting IMHO it was not ideal to have this breaking change introduced without e.g. a major version bump. Going forward, should we expect breaking changes like this, i.e. should we rather pin to minor versions? Thanks! |
|
@Vaub @bekriebel @mgmarino I've done some investigation and opened a separate tracking issue for the GCR/Lambda failures: docker/buildx#1533. This is related to those platforms lack of support for multi-platform images - I've also given some other temporary workarounds in that thread. @jakeonfire the update to buildx causes the format of the output to upgrade from docker manifest v2 to oci v1. See the mediatypes:
See https://github.com/opencontainers/image-spec for more info. |
There's lack of support on the runners, but also a seeming lack of support on the container registries. In both Google Artifact Registry and GitHub Container registry, an image pushed without |
|
This also causing ArgoCD Image Updater to fails with Amazon ECR registry. It seems they're not supporting the new format. |
Was posting old v1 manifest verion. provenance: false solved the issue, see docker/build-push-action#755
|
Closing, this is a duplicate of several other issues, and should be resolved by #781 to ensure that v3 does not enable provenance by default. Upgrading to v4 will enable provenance by default. |
see the change here: docker/build-push-action#755 doesn't work well with cevi.tools registry.
- fix metadata parsing & manifest - add aarch64 dockerfile for jetson + rough runner - add debug variable to enable/disable image builds - add login step to push manifest - set provenance: false due to a build-and-push action issue: docker/build-push-action#755 (comment) Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
|
@jedevc it seems like this breaks our tutorial for building two native images and compiling them into a manifest. https://actuated.dev/blog/how-to-run-multi-arch-builds-natively We can tell users to set Or is that no-longer going to be possible going forward if using provenance? |
Updates to docker/build-push-action@v4 whilst also fixing an issue introduced by this new version, referenced on docker/build-push-action#755 (comment) Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
|
@alexellis I'd personally recommend using |
@jedevc I have been using |
Did you get an answer? |
@seebeen As mentioned in the comment here using |
|
That doesnt work. No annotations get applied. It doesn't matter where you add them. |
|
Can you please share the steps you are trying so I can get an idea? Also, in case of annotations if you want to add them to final index then you must use We are using them here and works fine. |
|
Here is the entire workflow file name: Docker builds
on:
release:
types: [published]
permissions:
contents: read
packages: write
env:
REGISTRY_IMAGE: ghcr.io/oblakstudio/woosync
BUILDX_NO_DEFAULT_ATTESTATIONS: 1
jobs:
build:
name: Build image
strategy:
fail-fast: false
matrix:
platform:
- linux/amd64
- linux/arm64
include:
- platform: linux/amd64
runner: amd64-builder
- platform: linux/arm64
runner: arm64-builder
runs-on: ${{ matrix.runner }}
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v5
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}
git_config_global: true
git_user_signingkey: true
git_commit_gpgsign: true
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub
if: github.event_name != 'pull_request'
uses: docker/login-action@v2
with:
registry: ghcr.io
username: oblakbot
password: ${{ secrets.OBLAK_BOT_TOKEN }}
- name: Docker Metadata
id: meta
uses: docker/metadata-action@v4
with:
images: ${{ env.REGISTRY_IMAGE }}
- name: Build Docker Image
id: build
uses: docker/build-push-action@v4
with:
context: ./
platforms: ${{ matrix.platform }}
push: ${{ github.event_name != 'pull_request' }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha,scope=${{ matrix.platform }}
cache-to: type=gha,mode=max,scope=${{ matrix.platform }}
outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true,annotation.org.opencontainers.image.title=WooCommerce Sync Service v2,annotation.org.opencontainers.image.authors=Oblak Studio <support@oblak.studio>,annotation.org.opencontainers.image.source=https://github.com/oblakstudio/wcs,annotation.org.opencontainers.image.description=Docker Optimized WooSync v2,annotation.org.opencontainers.image.licenses=MIT
provenance: false
- name: Export Image Digest
run: |
mkdir -p /tmp/build-digest
digest="${{ steps.build.outputs.digest }}"
digest="${digest#sha256:}"
touch "/tmp/build-digest/$digest"
shell: bash
- name: Upload digest
uses: actions/upload-artifact@v3
with:
name: digests
path: /tmp/build-digest/*
if-no-files-found: error
retention-days: 1
- name: Clear temporary directory
run: |
rm -rf /tmp/build-digest/*
shell: bash
merge:
name: Merge manifest
runs-on: ubuntu-latest
needs:
- build
steps:
- name: Download digests
uses: actions/download-artifact@v3
with:
name: digests
path: /tmp/build-digest
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Docker meta
id: meta
uses: docker/metadata-action@v4
with:
images: ${{ env.REGISTRY_IMAGE }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=sha
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
labels: |
org.opencontainers.image.source="https://github.com/oblakstudio/wcs"
org.opencontainers.image.authors="Oblak Studio <support@oblak.studio>"
org.opencontainers.image.title="WooCommerce Sync Service v2"
org.opencontainers.image.description="Docker Optimized WooSync v2"
org.opencontainers.image.licenses="MIT"
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
registry: ghcr.io
username: oblakbot
password: ${{ secrets.OBLAK_BOT_TOKEN }}
- name: Create manifest list and push
working-directory: /tmp/build-digest
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
- name: Delete artifact
uses: geekyeggo/delete-artifact@v2
with:
name: my-artifact
failOnError: false
``` |
|
The workflow you shared will only add the annotations to the individual (Also, can remove annotations from |
- Add individual dockerfiles. Currently, we support: gcc/g++, rust, go opencv/GPU opencv, tensorflow, torch, and jetson-inference - Add steps to build multi-arch container images, packing them up as manifests holding all archs in a single container image name - Introduce a manifest to drive the build. Add custom arch-specific tags that determine which runner the specific build will run on, as well as the type of runner (large/lite etc.). - Introduce build levels: first build the base image and then reference it on each of the images built on the next level. - Add debug variable to enable/disable image builds - Set provenance: false due to a build-and-push action issue: docker/build-push-action#755 (comment) - Use GH variables to control runtime parameters of the build (multi-arch manifest, success/failure etc.) Signed-off-by: Georgios Koletsos <gkol@nubificus.co.uk> Signed-off-by: Alexandros Karantzoulis <akaran@nubificus.co.uk> Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
- Add individual dockerfiles. Currently, we support: gcc/g++, rust, go opencv/GPU opencv, tensorflow, torch, and jetson-inference - Add steps to build multi-arch container images, packing them up as manifests holding all archs in a single container image name - Introduce a manifest to drive the build. Add custom arch-specific tags that determine which runner the specific build will run on, as well as the type of runner (large/lite etc.). - Introduce build levels: first build the base image and then reference it on each of the images built on the next level. - Add debug variable to enable/disable image builds - Set provenance: false due to a build-and-push action issue: docker/build-push-action#755 (comment) - Use GH variables to control runtime parameters of the build (multi-arch manifest, success/failure etc.) Signed-off-by: Georgios Koletsos <gkol@nubificus.co.uk> Signed-off-by: Alexandros Karantzoulis <akaran@nubificus.co.uk> Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
- Add individual dockerfiles. Currently, we support: gcc/g++, rust, go opencv/GPU opencv, tensorflow, torch, and jetson-inference - Add steps to build multi-arch container images, packing them up as manifests holding all archs in a single container image name - Introduce a manifest to drive the build. Add custom arch-specific tags that determine which runner the specific build will run on, as well as the type of runner (large/lite etc.). - Introduce build levels: first build the base image and then reference it on each of the images built on the next level. - Add debug variable to enable/disable image builds - Set provenance: false due to a build-and-push action issue: docker/build-push-action#755 (comment) - Use GH variables to control runtime parameters of the build (multi-arch manifest, success/failure etc.) Signed-off-by: Georgios Koletsos <gkol@nubificus.co.uk> Signed-off-by: Alexandros Karantzoulis <akaran@nubificus.co.uk> Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
- Add individual dockerfiles. Currently, we support: gcc/g++, rust, go opencv/GPU opencv, tensorflow, torch, and jetson-inference - Add steps to build multi-arch container images, packing them up as manifests holding all archs in a single container image name - Introduce a manifest to drive the build. Add custom arch-specific tags that determine which runner the specific build will run on, as well as the type of runner (large/lite etc.). - Introduce build levels: first build the base image and then reference it on each of the images built on the next level. - Add debug variable to enable/disable image builds - Set provenance: false due to a build-and-push action issue: docker/build-push-action#755 (comment) - Use GH variables to control runtime parameters of the build (multi-arch manifest, success/failure etc.) Signed-off-by: Georgios Koletsos <gkol@nubificus.co.uk> Signed-off-by: Alexandros Karantzoulis <akaran@nubificus.co.uk> Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
- Add individual dockerfiles. Currently, we support: gcc/g++, rust, go opencv/GPU opencv, tensorflow, torch, and jetson-inference - Add steps to build multi-arch container images, packing them up as manifests holding all archs in a single container image name - Introduce a manifest to drive the build. Add custom arch-specific tags that determine which runner the specific build will run on, as well as the type of runner (large/lite etc.). - Introduce build levels: first build the base image and then reference it on each of the images built on the next level. - Add debug variable to enable/disable image builds - Set provenance: false due to a build-and-push action issue: docker/build-push-action#755 (comment) - Use GH variables to control runtime parameters of the build (multi-arch manifest, success/failure etc.) Signed-off-by: Georgios Koletsos <gkol@nubificus.co.uk> Signed-off-by: Alexandros Karantzoulis <akaran@nubificus.co.uk> Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
Troubleshooting
Behaviour
Steps to reproduce this issue
Expected behaviour
Actual behaviour
The text was updated successfully, but these errors were encountered: