search

chainguard-dev / apko

Build OCI images from APK packages directly without Dockerfile
https://apko.dev
Apache License 2.0
1.21k stars 125 forks source link

bug: --cache-dir broken after in 0.19.3+ #1378

Closed isometry closed 2 weeks ago

isometry commented 3 weeks ago

Following the release of v0.19.3 (and including v0.19.6), explicitly setting a --cache-dir to either of the build or publish verbs breaks image builds referencing the wolfi-os keyring:

$ ./apko_0.19.3 build --cache-dir apks/cache images/trivial.yaml trivial:latest trivial.tar
2024/10/30 10:52:38 INFO Building images for 2 architectures: [arm64 amd64]
2024/10/30 10:52:39 INFO setting apk repositories: [https://packages.wolfi.dev/os]
Error: initializing apk: failed to initialize apk keyring: failed to fetch apk key: Get "https://packages.wolfi.dev/os/wolfi-signing.rsa.pub": unsafe etag value: "efbc77397d26fd228849b6a4b7763ec4"
2024/10/30 10:52:39 INFO error during command execution: initializing apk: failed to initialize apk keyring: failed to fetch apk key: Get "https://packages.wolfi.dev/os/wolfi-signing.rsa.pub": unsafe etag value: "efbc77397d26fd228849b6a4b7763ec4"

This worked without issue in v0.19.2.

Disabling the local cache is sufficient to workaround the issue, but is suboptimal:

$ ./apko_0.19.3 build images/trivial.yaml trivial:latest trivial.tar            
2024/10/30 10:58:11 INFO Building images for 2 architectures: [arm64 amd64]
2024/10/30 10:58:11 INFO setting apk repositories: [https://packages.wolfi.dev/os]
2024/10/30 10:58:12 INFO setting apk repositories: [https://packages.wolfi.dev/os]
2024/10/30 10:58:12 INFO installing ca-certificates-bundle (20241010-r1)
2024/10/30 10:58:12 INFO installing ca-certificates-bundle (20241010-r1)
2024/10/30 10:58:12 INFO installing wolfi-baselayout (20230201-r15)
2024/10/30 10:58:12 INFO installing wolfi-baselayout (20230201-r15)
2024/10/30 10:58:12 INFO setting apk repositories: [https://packages.wolfi.dev/os]
2024/10/30 10:58:12 INFO setting apk repositories: [https://packages.wolfi.dev/os]
2024/10/30 10:58:12 INFO built image layer tarball as /var/folders/sz/y9t0qm6x3t7c8g8rx7_pdsf80000gp/T/apko-temp-2327447651/apko-aarch64.tar.gz
2024/10/30 10:58:12 INFO built image layer tarball as /var/folders/sz/y9t0qm6x3t7c8g8rx7_pdsf80000gp/T/apko-temp-2327447651/apko-x86_64.tar.gz
2024/10/30 10:58:12 INFO OCI layer digest: sha256:3f98793a360c5519d0d9d9aafd724e6215fad6c2960ec855ca085dec9f0c76dd arch=aarch64
2024/10/30 10:58:12 INFO OCI layer diffID: sha256:71285fb5eea9414cd2b639552c8454806743428d116ebd9ac2a00782f64d3250 arch=aarch64
2024/10/30 10:58:12 INFO OCI layer digest: sha256:e03ba8713b9a7984feceaaf69f3742a1f57820a32cfe98489b1523d6de456754 arch=x86_64
2024/10/30 10:58:12 INFO OCI layer diffID: sha256:27f500f97ffb19fe20107d6d4c1fd98d66ed71551a1da17b9beb1bf90e170f76 arch=x86_64
2024/10/30 10:58:12 INFO built index file as /var/folders/sz/y9t0qm6x3t7c8g8rx7_pdsf80000gp/T/apko-temp-2327447651/index.json

It seems likely that this regression was introduced in #1327 ?

cc. @jonjohnsonjr

lyoung-confluent commented 3 weeks ago

@jonjohnsonjr I tracked down the root-cause of the error and it was introduced in #1327, specifically the following check is failing: https://github.com/chainguard-dev/apko/blob/c8b52a03eb1b6bb4285380c7b885ee660cb10349/pkg/apk/apk/cache.go#L320

This happens because cacheDir is not an absolute path when provided via the CLI. A fix could be to resolve cacheDir to an absolute path when initializing the cache transport.

@isometry as a work-around if you provide an absolute path via --cache-dir $PWD/apks/cache you won't hit this.