containers / skopeo

Work with remote images registries - retrieving information, images, signing content
Apache License 2.0

Unable to skopeo copy from multi platform oci-archive to registry. #2463

Open kaovilai opened 5 days ago

kaovilai commented 5 days ago

Came from https://github.com/paketo-buildpacks/builder-jammy-tiny/issues/425

❯ skopeo copy --insecure-policy -a oci-archive:/Users/tiger/git/jammy-tiny-stack/build/run.oci docker://ttl.sh/tiny-jammy:1h
FATA[0000] initializing source oci-archive:/Users/tiger/git/jammy-tiny-stack/build/run.oci:: more than one image in oci, choose an image 

dunno way out here.. the archive is multi-platform IIUC.

Originally posted by @kaovilai in #1136

mtrmac commented 4 days ago

Thanks for reaching out.

Can you paste the full contents of the index.json file at the root of the archive, maybe formatted with python3 -mjson.tool, please?

The oci-archive:/oci: transports only support some shapes of indices / manifests — as a guess, a multi-platform image directly stored in the OCI format as a top-level index is not supported; it needs to be an index which contains a nested multi-platform image index.

kaovilai commented 4 days ago

index.json from build/run.oci generated from ./scripts/create.sh in above repo

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.oci.image.index.v1+json",
   "manifests": [
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 755,
         "digest": "sha256:7e3d4631e9c027d3eb5083b1d261a40235caf7470565d08a741e4072e048fa85",
         "platform": {
            "architecture": "amd64",
            "os": "linux"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 755,
         "digest": "sha256:4c58342e4e45fe40e4a51112d497b92fc5af9853af0af2fd4457fbb59d263938",
         "platform": {
            "architecture": "arm64",
            "os": "linux"
         }
      }
   ]
}

kaovilai commented 4 days ago

> is not supported

not working yet, but never will, or not now but maybe?

kaovilai commented 4 days ago

If I am presented with an oci archive from a build, do you have any suggestions on how to get it running on macOS?

tl;dr: my root issue is I am unable to run this oci archive with docker run or podman run on macos https://github.com/containers/podman/issues/24634

And one way is to skopeo copy to remote registry in a way that will allow podman run to work.

mtrmac commented 4 days ago

“not now but maybe”.

How was that OCI archive created? Is that some widely-available software?


In general I’d strongly recommend using registries over plain-file archives: using registries means that the redundant/unchanged layers, incl. all of the base image, can be reused instead of copied every single time.

mtrmac commented 4 days ago

> as a guess, a multi-platform image directly stored in the OCI format as a top-level index is not supported

For the record, yes, this is the case here.
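
The two index shapes distinguished in this thread, as an added example (not from the thread and not skopeo's code): this Python code classifies a top-level index.json and builds the nested form described above, using the index.json posted in the issue as sample input. Assumptions: the function names and shape labels are hypothetical, the layout has already been extracted from the archive, and whether skopeo accepts the rewritten layout is not verified here.

```python
import hashlib
import json

OCI_INDEX = "application/vnd.oci.image.index.v1+json"
DOCKER_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
DOCKER_V2 = "application/vnd.docker.distribution.manifest.v2+json"

# index.json as posted in this thread (top-level index listing platform manifests directly).
SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": OCI_INDEX,
    "manifests": [
        {"mediaType": DOCKER_V2, "size": 755,
         "digest": "sha256:7e3d4631e9c027d3eb5083b1d261a40235caf7470565d08a741e4072e048fa85",
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": DOCKER_V2, "size": 755,
         "digest": "sha256:4c58342e4e45fe40e4a51112d497b92fc5af9853af0af2fd4457fbb59d263938",
         "platform": {"architecture": "arm64", "os": "linux"}},
    ],
}


def classify(index):
    """Name the shape of a top-level index.json (hypothetical labels)."""
    entries = index.get("manifests", [])
    if not entries:
        return "empty"
    if len(entries) == 1:
        nested = entries[0].get("mediaType") in (OCI_INDEX, DOCKER_LIST)
        return "nested-index" if nested else "single-image"
    # Several entries that each carry a platform: one multi-platform image
    # stored flat, the shape reported above as "more than one image in oci".
    if all("platform" in e for e in entries):
        return "flat-multi-platform"
    return "multiple-images"


def nest(index):
    """Wrap the flat entries in one nested index; return (top_index, digest, blob)."""
    inner = {"schemaVersion": 2, "mediaType": OCI_INDEX,
             "manifests": index["manifests"]}
    blob = json.dumps(inner, separators=(",", ":")).encode()
    hexdigest = hashlib.sha256(blob).hexdigest()
    # In an OCI layout the blob bytes belong at blobs/sha256/<hexdigest>.
    top = {"schemaVersion": 2, "mediaType": OCI_INDEX,
           "manifests": [{"mediaType": OCI_INDEX, "size": len(blob),
                          "digest": "sha256:" + hexdigest}]}
    return top, "sha256:" + hexdigest, blob
```

The descriptor's digest and size are computed over the exact bytes returned as `blob`, so those bytes must be written unchanged; re-serializing the nested index would invalidate the reference.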

kaovilai commented 4 days ago

> How was that OCI archive created?

from ./scripts/create.sh in https://github.com/containers/skopeo/issues/2463#issue-2679812617 repo

This dockerfile essentially. https://github.com/paketo-buildpacks/jammy-tiny-stack/blob/main/stack/run/run.Dockerfile

Paketo Buildpacks

Paketo are Modular Buildpacks written in Go that leverage and contribute to the Cloud Native Buildpacks framework. They provide different packaging flavors for different kind of systems, written using different programming languages, for different purposes.

A customized CNCF Buildpacks essentially.

blogpost about paketo buildpacks

I would not claim to know the details of how buildpacks work.. but I am trying to fix false positive CVE and testing if the scanners no longer report false positive.

kaovilai commented 4 days ago

> I’d strongly recommend using registries over plain-file archives

not my choice, it's not meant to be used this way tho. these archives would eventually push to https://hub.docker.com/r/paketobuildpacks/run

kaovilai commented 4 days ago

Seems like oci archive is required by jam CLI, which they used in the script. I think it's not going to be an easy suggestion to purely rely on registries.

kaovilai commented 4 days ago

paketobuildpacks are part of the linux foundation with over 10M docker pulls on the run image alone.

https://hub.docker.com/search?q=paketobuildpacks shows other more popular buildpacks one of which has over 50M pulls

So I hope that it's considered widely-available software

kaovilai commented 3 days ago

Looks like docker import command works.. and I was able to supposedly push something to ttl.sh