Default image output from buildx v0.10 cannot run on Google Cloud Run or AWS Lambda #1533
Comments
Builds were failing with the error: > OCI index found, but Accept header does not support OCI indexes The suggested fix is to temporarily disable provenance until better support for OCI indexes arrives. docker/buildx#1533
Builds were failing with the error: > OCI index found, but Accept header does not support OCI indexes The suggested fix is to temporarily disable provenance until better support for OCI indexes arrives. docker/buildx#1533
Builds were failing with the error: > OCI index found, but Accept header does not support OCI indexes The suggested fix is to temporarily disable provenance until better support for OCI indexes arrives. docker/buildx#1533
Builds were failing with the error: > OCI index found, but Accept header does not support OCI indexes The suggested fix is to temporarily disable provenance until better support for OCI indexes arrives. docker/buildx#1533
Builds were failing with the error: > OCI index found, but Accept header does not support OCI indexes The suggested fix is to temporarily disable provenance until better support for OCI indexes arrives. docker/buildx#1533
Builds were failing with the error: > OCI index found, but Accept header does not support OCI indexes The suggested fix is to temporarily disable provenance until better support for OCI indexes arrives. docker/buildx#1533
|
Cloud Run PM here, we received many reports about this. At the moment, Cloud Run doesn't support multi architecture images. We were tracking this work item, but we do not have an delivery date to communicate yet. |
You gotta be kidding me. See: docker/buildx#1533
You gotta be kidding me. See: docker/buildx#1533
You gotta be kidding me. See: docker/buildx#1533
|
@steren If you are Cloud Run PM then I have a request that can help save few hours of debugging for everyone. Would be nice to return proper error message when we try to use multi-platform images with cloud run instead of returning It clearly exist in artifact registry since I choose it from select list when creating cloud run service. Message like: Would probably reduce debug time to 15 min instead of 6h. Thanks |
|
@steren and buildx team, Cloud Run supports SLSA Build level 3 through provenance, see https://cloud.google.com/software-supply-chain-security/docs/sds/deploy-run-view-security-insights#build |
compatibility issues with google cloud and provenance. docker/buildx#1533
|
Cloud Run was supporting the old Docker "fat manifest" manifest lists It just doesn't support the new OCI format |
|
I would also note that the Docker documentation seemingly isn't up to date on covering this change: https://docs.docker.com/registry/spec/manifest-v2-2/ |
ghcr/quay have been giving unknown/unknown images since I released 0.12.0 docker/build-push-action#900 (comment)
ghcr/quay have been giving unknown/unknown images since I released 0.12.0 docker/build-push-action#900 (comment)
support attestations to build AWS/Lambda "compatible" images * https://stackoverflow.com/a/76323686/1559300 * docker/buildx#1533 * https://repost.aws/questions/QUIZjd2sL_TtCuoqtg5Q30LA/does-lambda-not-support-multi-architecture-container-images-manifests * https://docs.docker.com/build/bake/reference/#targetattest * https://docs.docker.com/build/attestations/slsa-provenance/ change-type: patch
- bump buildx to latest - support attestations to build AWS/Lambda "compatible" images * https://stackoverflow.com/a/76323686/1559300 * docker/buildx#1533 * https://repost.aws/questions/QUIZjd2sL_TtCuoqtg5Q30LA/does-lambda-not-support-multi-architecture-container-images-manifests * https://docs.docker.com/build/bake/reference/#targetattest * https://docs.docker.com/build/attestations/slsa-provenance/ change-type: patch
There is currently a potential incompatibility with the default behavior of the version of buildx being used. A default image generated is built with provenance, which is something we would like to have, but these default images can run on neither Google Cloud Run nor AWS Lambda. Please see docker/buildx#1533 for mroe information. Since we want to retain support for creating AWS Lambda images we add a commented out disabling of this functionality that can be enabled in a downstream repository if needed.
|
Is there any way to use newer version of setup-buildx-action but changing mediaType to "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json" ? |
|
@majidakbaridh you can use |
docker/buildx#1533 our ecr repository has multiple shards of different images and it's hard to tell when vulnerability scans are accurate or not when the images are in multiple pieces like they are now. also bumps other action versions to more current versions
Artifact Registry may support this. See: docker/buildx#1533 (comment) This reverts commit 216249d.
docker/buildx#1533 Signed-off-by: Hajime Tazaki <thehajime@gmail.com>
As of Buildx 0.10, images are built with provenance -- this behavior is opt-out, and can be disabled with
--provenance=falseif using the buildx build cli, orprovenance: falseif using docker/build-push-action.Images built with these default attestations that use the attestation storage from buildkit cannot be run on Google Cloud Run or AWS Lambda. While both Cloud Run and Lambda support the OCI format, they do not support multi-platform images.
From Google Cloud Run docs (emphasis mine):
From Lambda docs (emphasis mine):
Ideally, GCR and Lambda should support multi-platform images, and detect the current platform from the Docker manifest list / OCI index.
As a temporary workaround (in order of preference):
--provenance=falseon buildx build, or setprovenance: falseon docker/build-push-actionThe text was updated successfully, but these errors were encountered: