Closed kapilt closed 3 months ago
Hey @kapilt, thanks for bringing this to our attention. I tried to reproduce locally but was able to get both images to build (attached my terminal log). There could be a difference in our build environments though, so I'd like to check a few things.
Could you confirm the digest for the docker hub image matches the digest for the cgr image? The crane command makes it easy
/private/tmp/wolfi-repro via 🐳 desktop-linux took 11s
➜ crane digest cgr.dev/chainguard/wolfi-base
sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92
/private/tmp/wolfi-repro via 🐳 desktop-linux
➜ crane digest chainguard/wolfi-base
sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92
confirmed on image hash matches (output below).. so a bit baffled. on an arm64 re mac, I started going down this road due to our only wolfi based image which uses public docker hub registry (vs commercial chain guard registry) started timing out on cross compile from GitHub actions over the last few weeks on our one image that was using wolfi-base vs ubuntu and was trying to debug locally when I and ran into this.
❯ crane digest cgr.dev/chainguard/wolfi-base
sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92
❯ crane digest chainguard/wolfi-base
sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92
also re wolfi based image having weird timeouts, this is an oss project, so here's the timeline on the build starting to fail, its all timeout based. either 14m for cross arch docker image build to be good or fail on the one wolfi image (c7n-left) after 6 hrs, at a slightly different step of doing poetry install.
,
https://github.com/cloud-custodian/cloud-custodian/actions/workflows/docker.yml
anyways.. I can still reproduce the originally reported error if you want any more info.
In the logs from latest cloud-custodian build, I noticed the use of docker buildx build
:
/usr/bin/docker buildx build --build-arg POETRY_VERSION=1.5.1
...
It seems somewhat likely to be related 🤷
Interesting, good to know. I cloned the cloud-custodian project and still built the c7n-left
image successfully with
docker build --no-cache -t c7n-left -f docker/c7n-left .
I don't see a reference to the image sha in your local build command, all I see is
...
=> [stage-1 1/7] FROM docker.io/chainguard/wolfi-base:latest
...
Can you double check you are building with the latest wolfi-base image locally? I can see CI uses the 3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92
sha but as you said, it's timing out rather than throwing an SSL error like you see locally
➜ docker images --digests | grep chainguard/wolfi-base
chainguard/wolfi-base latest sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92 91668ee15d7f 4 days ago 13.4MB
➜ docker pull chainguard/wolfi-base
Using default tag: latest
latest: Pulling from chainguard/wolfi-base
Digest: sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92
Status: Image is up to date for chainguard/wolfi-base:latest
docker.io/chainguard/wolfi-base:latest
doh, that was it stale local image, aka user error :/ sorry about the noise. closing this.
the ci issue is indeed separate, its a bit unclear to me why it only exhibits on our wolfi based image, but I'll get back to debugging that.
❯ docker images --digests | grep chainguard/wolfi-base
cgr.dev/chainguard/wolfi-base latest sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92 91668ee15d7f 4 days ago 13.4MB
chainguard/wolfi-base latest sha256:07d99e3cca939979cbfaa458b702a8910e55f0b6e6a68a2a8ec5ae41f2d9e639 b91dd14cdbfa 2 months ago 31.2MB
Which image/versions are related to this issue/feature request?
wolfi-base:latest
Issue/Feature description
Given a simple docker file below, using wolfi-base from docker hub appears to be broken, while using it from chain guard registry works...
building against chain guard registry, no issues, but building against docker hub registry
what gives?