Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

adding SBOM fails with trying to send message larger than max (25286341 vs. 16777216): unknown #5327

Open
ifalatiksetlog opened this issue Sep 12, 2024 · 10 comments
Open

adding SBOM fails with trying to send message larger than max (25286341 vs. 16777216): unknown #5327

ifalatiksetlog opened this issue Sep 12, 2024 · 10 comments
Labels
kind/bench-candidate Candidate for https://github.com/moby/buildkit-bench

Comments

@ifalatiksetlog
Copy link

I have a quite specific use case:

I'm building a container which has a bunch of tools installed which is supposed to be used for CI runs.

When trying to add a SBOM during building (docker buildx build --sbom=true) the build succeeds but the exporting to image step fails with

------
 > exporting to image:
------
ERROR: failed to solve: error writing data blob sha256:7b5af02ce619d513c5fed786b397d5d2365ce1f3736e4f3379a27058004b0b43: failed to copy: failed to send write: trying to send message larger than max (25286341 vs. 16777216): unknown

My best guess is, that this is happening due to the SBOM being too large.
@tonistiigi
Copy link
Member

Do you have example reproduction steps?

@tonistiigi
Copy link
Member

Also, please post all buildkit version information as something like this was already fixed quite a long time ago.

@ifalatiksetlog
Copy link
Author

I haven't had the chance to build a reproduction Dockerfile, as the image I'm building is quite large, and includes some of our internal tools, I'll have to somehow work around those.
Regarding version I can only give you this:

> docker build ...
level=info msg="starting syft scanner for buildkit v1.4.0"

> docker version
Client:
 Version:           27.2.0
 API version:       1.47
 Go version:        go1.21.13
 Git commit:        3ab4256
 Built:             Tue Aug 27 14:17:17 2024
 OS/Arch:           windows/amd64
 Context:           desktop-linux

Server: Docker Desktop 4.34.1 (166053)
 Engine:
  Version:          27.2.0
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.21.13
  Git commit:       3ab5c7d
  Built:            Tue Aug 27 14:15:15 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.20
  GitCommit:        8fc6bcff51318944179630522a095cc9dbf9f353
 runc:
  Version:          1.1.13
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

If there's a way to get the BuildKit version specifically I'd need you to point me in the right direction there.

@crazy-max crazy-max added the kind/bench-candidate Candidate for https://github.com/moby/buildkit-bench label Sep 13, 2024
@ifalatiksetlog
Copy link
Author

Here's the reproduction:
PowerShell invocation:

& docker buildx build --no-cache -t buildkit-sbom:test --sbom=true -f .\Dockerfile --progress=plain . 2>&1 | Out-File docker-build.log

Dockerfile:

FROM ubuntu@sha256:8a37d68f4f73ebf3d4efafbcf66379bf3728902a8038616808f04e34a9ab63ee
# (24.04)

ENV DEBIAN_FRONTEND=noninteractive

# misc tools
RUN apt-get update && apt-get install -y --no-install-recommends \
    apt-utils \
    openssh-client \
    ca-certificates \
    build-essential libz-dev zlib1g-dev \
    git \
    wget \
    curl \
    nano \
    colorized-logs \
    asciidoctor \
    httpie \
    unzip \
    zip \
    gpg \
    lsb-release \
    xz-utils \
    rsync \
    gettext-base \
    genisoimage \
    jq \
    pip \
    bridge-utils \
    dhcping \
    osslsigncode \
    file\
    iftop \
    iperf3 \
    iproute2 \
    iptables \
    iptraf-ng \
    mtr \
    mysql-client \
    netcat-openbsd \
    nftables \
    ngrep \
    nmap \
    strace \
    tcpdump \
    iputils-ping \
    python-is-python3 \
    libxml2-utils \
    python3-jmespath \
    && apt-get -y autoremove

# python
RUN apt-get update && apt-get install -y --no-install-recommends \
    python3.12 \
    python3-pip \
    python3.12-venv \
    && rm -rf /var/lib/apt/lists/*

# java
RUN mkdir -p /tmp/app && cd /tmp/app
RUN APP_DIR="/usr/local/bin/jdk-8" && \
    APP_URL="https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u412-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u412b08.tar.gz" && \
    echo "b9884a96f78543276a6399c3eb8c2fd8a80e6b432ea50e87d3d12d495d1d2808  app.tar.gz" > SHA256SUMS && \
    wget --progress=bar:force:noscroll "${APP_URL}" -O app.tar.gz && \
    sha256sum -c SHA256SUMS && \
    mkdir -p "${APP_DIR}" && \
    tar -x --strip-components 1 --directory "${APP_DIR}" -f app.tar.gz
RUN APP_DIR="/usr/local/bin/jdk-21" && \
    APP_URL="https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.3%2B9/OpenJDK21U-jdk_x64_linux_hotspot_21.0.3_9.tar.gz" && \
    echo "fffa52c22d797b715a962e6c8d11ec7d79b90dd819b5bc51d62137ea4b22a340  app.tar.gz" > SHA256SUMS && \
    wget --progress=bar:force:noscroll "${APP_URL}" -O app.tar.gz && \
    sha256sum -c SHA256SUMS && \
    mkdir -p "${APP_DIR}" && \
    tar -x --strip-components 1 --directory "${APP_DIR}" -f app.tar.gz
RUN APP_DIR="/usr/local/bin/jdk-graalvm"  && \
    APP_URL="https://github.com/graalvm/graalvm-ce-builds/releases/download/jdk-21.0.2/graalvm-community-jdk-21.0.2_linux-x64_bin.tar.gz" && \
    DIGEST_URL="https://github.com/graalvm/graalvm-ce-builds/releases/download/jdk-21.0.2/graalvm-community-jdk-21.0.2_linux-x64_bin.tar.gz.sha256" && \
    sha256sum -c SHA256SUMS && \
    wget --progress=bar:force:noscroll "${APP_URL}" -O app.tar.gz && \
    wget --progress=bar:force:noscroll "${DIGEST_URL}" -O SHA256SUMS && echo " app.tar.gz" >> SHA256SUMS && \
    sha256sum -c SHA256SUMS && \
    mkdir -p "${APP_DIR}" && \
    tar -x --strip-components 1 --directory "${APP_DIR}" -f app.tar.gz
RUN rm /usr/local/bin/jdk*/src.zip || true && \
    rm /usr/local/bin/jdk*/lib/src.zip || true && \
    rm -r /tmp/app

# go
RUN mkdir -p /tmp/app && cd /tmp/app
RUN APP_DIR="/usr/local/bin/go-1.23.1" && \
    APP_URL="https://go.dev/dl/go1.23.1.linux-amd64.tar.gz" && \
    echo "49bbb517cfa9eee677e1e7897f7cf9cfdbcf49e05f61984a2789136de359f9bd  app.tar.gz" > SHA256SUMS && \
    wget --progress=bar:force:noscroll "${APP_URL}" -O app.tar.gz && \
    sha256sum -c SHA256SUMS && \
    mkdir -p "${APP_DIR}" && \
    tar -x --strip-components 1 --directory "${APP_DIR}" -f app.tar.gz && \
    rm -rf ${APP_DIR}/api && \
    ln -s ${APP_DIR} /usr/local/bin/go-latest && \
    curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /root/go/bin v1.61.0 && \
    export PATH=$PATH:/root/go/bin && \
    golangci-lint --version && \
    rm -r /tmp/app

# node
RUN curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
    NODE_MAJOR=18 && \
    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list && \
    apt-get update && apt-get install --install-recommends -y nodejs

# cleanup
RUN rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
    apt-get clean && \
    apt-get autoremove -y --purge

the full output log: docker-build.log.

@dreamworlds1234
Copy link

I have a quite specific use case:

I'm building a container which has a bunch of tools installed which is supposed to be used for CI runs.

When trying to add a SBOM during building (docker buildx build --sbom=true) the build succeeds but the exporting to image step fails with

------
 > exporting to image:
------
ERROR: failed to solve: error writing data blob sha256:7b5af02ce619d513c5fed786b397d5d2365ce1f3736e4f3379a27058004b0b43: failed to copy: failed to send write: trying to send message larger than max (25286341 vs. 16777216): unknown

My best guess is, that this is happening due to the SBOM being too large.

I am having the same error after I enabling the "--sbom=true -o type=local,dest=out"

@tonistiigi
Copy link
Member

@dreamworlds1234 Are you enabling containerd image store in Docker for --sbom=true to work or creating a builder instance with buildx create ?

I couldn't reproduce on mac, I get some warnings on sbom generation but otherwise seems to work fine:

#20 [linux/arm64] generating sbom using docker.io/docker/buildkit-syft-scanner:stable-1
#20 0.069 time="2024-09-13T22:28:29Z" level=info msg="starting syft scanner for buildkit v1.4.0"
#20 6.074 [0006]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-1423641467/archive-test-badbase.zip): unable to open ZipReadCloser @ "/tmp/syft-archive-contents-1423641467/archive-test-badbase.zip": zip: not a valid zip file location=/usr/local/bin/go-1.23.1/src/archive/zip/testdata/test-badbase.zip
#20 6.074 [0006]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-2888149883/archive-test-baddirsz.zip): unable to open ZipReadCloser @ "/tmp/syft-archive-contents-2888149883/archive-test-baddirsz.zip": zip: not a valid zip file location=/usr/local/bin/go-1.23.1/src/archive/zip/testdata/test-baddirsz.zip
#20 7.433 [0007]  WARN cataloger failed cataloger=linux-kernel-cataloger error=unable to get magic type for file: EOF location=/usr/local/bin/go-1.23.1/src/debug/pe/testdata/vmlinuz-4.15.0-47-generic
#20 8.777 [0008]  WARN unable to process executable "/usr/local/bin/go-1.23.1/src/debug/pe/testdata/vmlinuz-4.15.0-47-generic" error=unable to determine executable kind: unable to read first sector of file: EOF
#20 DONE 11.0s

@ifalatik
Copy link

@tonistiigi yeah those errors occur for me too. So I guess it's environment specific? What could it depend on?

@dreamworlds1234
Copy link

@dreamworlds1234 Are you enabling containerd image store in Docker for --sbom=true to work or creating a builder instance with buildx create ?

I couldn't reproduce on mac, I get some warnings on sbom generation but otherwise seems to work fine:

#20 [linux/arm64] generating sbom using docker.io/docker/buildkit-syft-scanner:stable-1
#20 0.069 time="2024-09-13T22:28:29Z" level=info msg="starting syft scanner for buildkit v1.4.0"
#20 6.074 [0006]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-1423641467/archive-test-badbase.zip): unable to open ZipReadCloser @ "/tmp/syft-archive-contents-1423641467/archive-test-badbase.zip": zip: not a valid zip file location=/usr/local/bin/go-1.23.1/src/archive/zip/testdata/test-badbase.zip
#20 6.074 [0006]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-2888149883/archive-test-baddirsz.zip): unable to open ZipReadCloser @ "/tmp/syft-archive-contents-2888149883/archive-test-baddirsz.zip": zip: not a valid zip file location=/usr/local/bin/go-1.23.1/src/archive/zip/testdata/test-baddirsz.zip
#20 7.433 [0007]  WARN cataloger failed cataloger=linux-kernel-cataloger error=unable to get magic type for file: EOF location=/usr/local/bin/go-1.23.1/src/debug/pe/testdata/vmlinuz-4.15.0-47-generic
#20 8.777 [0008]  WARN unable to process executable "/usr/local/bin/go-1.23.1/src/debug/pe/testdata/vmlinuz-4.15.0-47-generic" error=unable to determine executable kind: unable to read first sector of file: EOF
#20 DONE 11.0s

I created the builder (builderx) for cache purpose, and using it like this:

docker buildx build --sbom=true -o type=local,dest=out -f config/docker/Dockerfile.prod . --tag testbuild --iidfile testbuildiidfile

However, I found the error is related to the "containerd max message size", which can increase in the configuration for send and receive max size.

However, what I don't understand is why sbom needs such large size, is it a bug in the docker/nerdcli?

@tonistiigi
Copy link
Member

However, I found the error is related to the "containerd max message size", which can increase in the configuration for send and receive max size.

We don't have such configuration options in buildkitd config https://github.com/moby/buildkit/blob/master/cmd/buildkitd/config/config.go . If you mean containerd config then don't see how this is related to the buildx builder. You said you created builder instance with buildx create and that instance does not rely on containerd daemon.

I see you are using -o type=local,dest=out. I don't think this can cause the issue but there is a known issue exporting big images with local exporter grpc/grpc-go#4722 that can cause deadlocks. Local exporter is for exporting individual files directly to client (eg. if you are building a release binary in Dockerfile). It does not make sense to export full image rootfs like this as the image would not be runnable anyway (you will not have layers, the ownership of files would be changed to your local user, special files can't be written). If you want to export an image without layers you should use -o type=tar that preserves the file ownerships, or -o type=image/-o type=oci if you want to export image.

@ifalatiksetlog
Copy link
Author

@tonistiigi if it helps I'm using the containerd docker desktop registry.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bench-candidate Candidate for https://github.com/moby/buildkit-bench
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@tonistiigi @crazy-max @dreamworlds1234 @ifalatik @ifalatiksetlog