-
Notifications
You must be signed in to change notification settings - Fork 482
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Default image output in buildx v0.10 cannot be pushed to Yandex Cloud Container Registry #1513
Comments
Since you've redacted the I assume it's a self-hosted/internal registry? What registry software is it using? |
After GitHub Actions updated Ubuntu image (actions/runner-images/pull/6942, buildx was upped to If I lock buildx version to I use |
@langovoi i use same cloud and get same error, but after your response i finally fix that problem, thanks |
Issue doesn't seem to be limited to Yandex alone, I'm having the same issue with GCR. @langovoi 's solution fixed it for me |
@pimvandenbroek do you have log messages from the push to GCR? We've been successfully pushing the new provenance attestations to GCR without too much of a problem 👀 |
The initial error we received was: "registry cache exporter requires ref". I unfortunately don't have any other logs anymore. |
@pimvandenbroek I think this is unrelated to this issue, looks like moby/buildkit@c5242ba is the source of the error message that was introduced in the newest BuildKit. I think this is related to a generic caching issue, instead of a GCR-specific issue; could you open a separate issue/discussion or share on #buildkit in the community slack? |
Sure, I will check that out. |
@pimvandenbroek Doesn't just setting |
@crazy-max Not sure, I will have to test.
|
@pimvandenbroek This is a build option so in build-push-action: -
name: Build and push
uses: docker/build-push-action@v3
with:
push: true
provenance: false
tags: user/app:latest Or if you invoke buildx directly then
Please that would help thx! |
Clear. |
@crazy-max I tested It works. |
@crazy-max tested it, however apparently, the environment where the buildx command is generated is using an older version of buildkit and we received the following error: |
Interesting, if you could add |
Signed-off-by: Adam Warner <[email protected]>
Same Issue here: Error shown in Nexus is:
buildx 0.10.0 seems to break the manifest generation.
The Suggestion disabling the provenance via Edit: @crazy-max here is the log output as requested. I will try to get a nexus oss update to version 3.40.0+ as mentioned in the ticket you have linked. |
@violen Can you post the logs of the build command please? If you can also enable debug logs and post BuildKit logs that would be handy:
It seems Nexus support OCI format since Looks also related to this issue using Best guess is Nexus does not fully support OCI spec (Index spec in particular). Edit: Yes can confirm Nexus does not fully support the OCI spec
|
Workaround to opt-out of unsupported manifest until it's supported. Fix is from: docker/buildx#1509 (comment) Watchtower autoupdater should work again: containrrr/watchtower#1529
Context: docker/buildx#1513 (comment)
@crazy-max Finally had the time to do a bit of a deepdive, and got the following result.
Buildx / Buildkit:
We've added --provenance false to the buildx build command like so: However, unfortunately we are currently getting: Maybe it is really obvious, but I'm unable to find the solution |
@pimvandenbroek I don't think this error is related to the image being pushed but the cache. Does it work if you remove
|
@crazy-max Yes, without |
Does this mean that --cache-to isn't working in this version? Or do you perhaps know of a workaround so we can still use it? |
Looks related to issues with Quay moby/buildkit#1440 and Harbor moby/buildkit#2479 (comment) If you could post the BuildKit logs too that would be handy but best guess is Yandex does not properly support OCI mediatypes. Can you try with:
|
@crazy-max Unfortunately, that didn't work either:
|
@pimvandenbroek Can you create another BuildKit container with |
|
Looks to be an issue with Yandex registry 😟 |
@crazy-max I'm not using Yandex, I'm using GCR |
Ah I'm confused, thought it was same issue as OP 😣 Maybe related to moby/buildkit#1143 (comment) in your case. Also switching to GAR is recommended: https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr |
That's odd, as the issues began when 0.10.0 was pushed. For now I think we'll disabled caching, or maybe revert to 0.9.1 untill we have the time to migrate to GAR. Thanks for your help untill now. If you do have any ideas to solve this (without migrating to GAR), I'm all ears :) |
As a data point: also repro'ing this issue running a
We noted a new line in the output from buildx v0.10.0 while exporting the image: Looking at the docs for the --provenance option, there didn't appear anyway to turn it off. So we reverted to buildx version v0.9.1, which fixed our issue. Returning to buildx v0.10.0 and using the undocumented It appears OCI support came to Artifactory 7.11.1. We're upgrading in a few weeks but until then can't confirm/deny if Artifactory fully complies with the index spec. I've attached the buildkit log. One discrepancy I noted is the logs mention |
😱 oops, yup, that's an oversight, I've PRed some docs in.
Version mismatch is because buildkit and buildx releases do not necessarily line up. It's slightly unfortunate they're so close to each other, since it means it's easy to mistake one for the other - but this is expected, those are both part of the latest release series for their respective projects. |
@pimvandenbroek Hello, you can configure an environment variable to solve this problem, it's same like export BUILDX_NO_DEFAULT_ATTESTATIONS=1 |
Hello I have a similar issue on gitea :
unfortunatly Using the following pipeline (My server needs a client certificate) :
|
@sleeperss have you tried a more recent version ? The latest is 3.0.0. We had similar problems back when 0.10 came out and since we upgraded past 1.1.0 (IIRC) we did not have these problems anymore. |
@vfiset I tried v1 v2 v3 and master, unfortunatly, each of them leads to the same results :( |
Is it possible that the gitea_url does not support HEAD requests ? Try to do a similar HEAD request on the same endpoint. Then a GET. |
Do you have a curl example that I can try to run ? |
It is definitly linked to the client certificat, If I disable ssl_verify_client on my reverse proxy, evrything works correctly. |
Below are the steps:
The text was updated successfully, but these errors were encountered: