Onapsis initial cumulative changes #1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…Tools#6732) * detect-buildx global config option for backward compatibility * cache-tag global config option to customize cache destination * new CacheTo in DockerArtifact in configuration yaml (for docker build --cache-to) * export LoadDockerConfig to read ~/.docker/config.json for buildx detection * fix avoid loading image via buildx if no docker daemon is accessible * fix remote lookup / import missing in buildx workaround * fix image import if no docker daemon is available (under buildx) * adjust cache reference preserving tag and default cacheTo if not given * parse buildx metadata to extract ImageID digest Initially based on ebekebe's GoogleContainerTools#8172 patch ebekebe@1c1fdeb Signed-off-by: [email protected]
Signed-off-by: <[email protected]>
for more info see https://github.com/orgs/community/discussions/45969 tl;dr buildx attestations include additional metadata that confuses registry tools (breaking the integration test) ``` docker buildx imagetools inspect localhost:5000/my-app:v2.11.1-120-g8adcfa106-dirty@sha256:... ``` ``` Name: localhost:5000/my-app:v2.11.1-120-g8adcfa106-dirty@sha256:... MediaType: application/vnd.oci.image.index.v1+json Digest: sha256:... Manifests: Name: localhost:5000/my-app:v2.11.1-120-g8adcfa106-dirty@sha256:... MediaType: application/vnd.oci.image.manifest.v1+json Platform: linux/arm64 Name: localhost:5000/my-app:v2.11.1-120-g8adcfa106-dirty@sha256:... MediaType: application/vnd.oci.image.manifest.v1+json Platform: linux/amd64 Name: localhost:5000/my-app:v2.11.1-120-g8adcfa106-dirty@sha256:... MediaType: application/vnd.oci.image.manifest.v1+json Platform: unknown/unknown Annotations: vnd.docker.reference.digest: sha256:... vnd.docker.reference.type: attestation-manifest Name: localhost:5000/my-app:v2.11.1-120-g8adcfa106-dirty@sha256:... MediaType: application/vnd.oci.image.manifest.v1+json Platform: unknown/unknown Annotations: vnd.docker.reference.digest: sha256:... vnd.docker.reference.type: attestation-manifest ``` Using `BUILDX_NO_DEFAULT_ATTESTATIONS=1` fixes the issue, removing the unknown platforms: ``` Name: localhost:5000/my-app:v2.11.1-120-g8adcfa106-dirty@sha256:... MediaType: application/vnd.docker.distribution.manifest.list.v2+json Digest: sha256:... Manifests: Name: localhost:5000/my-app:v2.11.1-120-g8adcfa106-dirty@sha256:... MediaType: application/vnd.docker.distribution.manifest.v2+json Platform: linux/arm64 Name: localhost:5000/my-app:v2.11.1-120-g8adcfa106-dirty@sha256:... MediaType: application/vnd.docker.distribution.manifest.v2+json Platform: linux/amd64 ```
Personal fork to test "transparent buildx support for remote buildkit" GoogleContainerTools#9648
* build (currently just for linux amd64) & upload artifact + sha256 * create & publish a release (draft or final, depending on git tag/ref)
Release GitHub action (for linux)
Workaround for some registries (AWS ECS/artifactory?) don't fully support non-standard blobs: * https://aws.amazon.com/blogs/containers/announcing-remote-cache-support-in-amazon-ecr-for-buildkit-clients/ * https://jfrog.com/help/r/artifactory-using-docker-buildx-cache-to-and-cache-from-with-artifactory-and-why-max-unique-tags-does-not-apply/artifactory-using-docker-buildx-cache-to-and-cache-from-with-artifactory-and-why-max-unique-tags-does-not-apply
* rewrite cache adjust logic (simplified and removed some magic) * moved out cache ref compute logic * templated env expansion for cacheFrom and cacheTo If no tag is specified in cache source and destination, artifact build tag will be used (if configured cache-tag is not set). This way, the cache tag could be used to override generated tag, useful to direct images to personal or custom dev tag.
New CACHE_TAG env to expand cache from / to references
* allow custom parameters to buildx cache-to * disable cache push if not set (to avoid auth errors) Example: ``` cache-flags: - type=registry - mode=max - image-manifest=true - oci-mediatypes=true ```
Use info log-level to avoid debug verbosity
Buildkit parser seems to return 'image:latest' when a FROM has a variable expansion instead of the real image template, like `$BASE` in the following stanza: ``` ARG BASE FROM $BASE AS base ``` This breaks input digest tagger for images that have a dependency to other skaffold build artifacts, as `parseOnbuild` later fails to pull the incorrect/inexistent image. Note that empty images in the from were being ignored, but no this incorrect value. So, as a workaround, this ondition is extended to include and ignore incorrect 'image:latest' values. Actual digest seems not affected, changes in parent base dockerfiles are still computed for the digest. A more complete fix would be inject the proper resolved image refs in `expandBuildArgs`, but this will need to solve the issue in buildkit parser to return the template. Also, probably it will require having pre-computed the previous image tags dependencies. Full error message: ``` generating tag: evaluating custom template component: parsing ONBUILD instructions: retrieving image \"image:latest\": GET https://index.docker.io/v2/library/image/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/image Type:repository]] ```
If using local clusters with a local registry (eg. localhost:32000 with microk8s), tryImport was failing as localhost is not a valid remote registry. The workaround will use a remote registry (default-repo global config) to override the local registry when pulling the image, and then re-tagging.
* add relative path if missing (dockerfile in different context, probably related to GoogleContainerTools#8226 and PR GoogleContainerTools#9666) * hash filename after content (so it can be compared with md5sum) * trace messages for debugging These changes are handly in cases where the MD5 hash doesn't match. For example, there could be some transformations in remote builders, like git core.autocrlf changing line endings, that were hard to troubleshoot.
Gh buildx buildkit cache improvements & several bugfixes
Do not copy container commands or arguments if not specified in skaffold.yaml If not, original command/argument defined in the job will be overwritten with nil.
fix: avoid verify empty container cmd/args
Workaround to avoid Docker Hub pull rate limits. Skaffold now will parse the name and replace default registry index.docker.io with a configured one. Configuration example: ``` skaffold config set registry-mirror mirror.gcr.io ``` Log with the fix: ``` time="2025-10-01T19:19:41-05:00" level=trace msg="Checking base image python:2.7-alpine for ONBUILD triggers." subtask=-1 task=DevLoop time="2025-10-01T19:19:41-05:00" level=info msg="Using registry-mirror=mirror.gcr.io from config" subtask=-1 task=DevLoop time="2025-10-01T19:19:41-05:00" level=info msg="Using default registry = mirror.gcr.io for reference parsing" subtask=-1 task=DevLoop ... time="2025-10-01T19:20:09-05:00" level=trace msg="--> GET https://mirror.gcr.io/v2/python/manifests/2.7-alpine" ... time="2025-10-01T19:20:09-05:00" level=trace msg="<-- 200 https://mirror.gcr.io/v2/python/manifests/2.7-alpine (215.992197ms)" ``` Previous log broken build (no mirror): ``` getting hash for artifact "...": getting dependencies for "...": parsing ONBUILD instructions: retrieving image "python:2.7-alpine": GET https://index.docker.io/v2/library/python/manifests/2.7-alpine: TOOMANYREQUESTS: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit ``` NOTE: not a full fix as go-containerregistry doesn't support `WithMirror` yet: google/go-containerregistry#1200
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Internal integration PR with several improvements and fixes developed at Onapsis Inc.
Major changes:
Minor changes:
Disclaimer: some test could be broken, will be fixed soon