docker / buildx

Docker CLI plugin for extended build capabilities with BuildKit
Apache License 2.0

GHCR build with inline cache attempts to export cache to registry.docker.io #2731

Closed effigies closed 1 month ago

effigies commented 1 month ago

Contributing guidelines

I've found a bug and checked that ...

Description

Configuring a new build on GitHub Actions to push to GHCR. Using --cache-to inline and --push attempts to authenticate against registry.docker.io.

--label tags removed, backslashes inserted for readability:

/usr/bin/docker buildx build \
    --cache-from type=registry,ref=ghcr.io/effigies/buildx-repro:main \
    --cache-to inline \
    --iidfile /tmp/docker-actions-toolkit-OhbN4w/iidfile \
    --tag ghcr.io/effigies/buildx-repro:main \
    --metadata-file /tmp/docker-actions-toolkit-OhbN4w/metadata-file \
    --push \
    .

Expected behaviour

I expect registry.docker.io not to be exported to.

Actual behaviour

The image is pushed to the GHCR registry, but the job is crashing with

ERROR: failed to solve: error writing layer blob: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Alibrary%2Finline%3Apull%2Cpush&service=registry.docker.io: 401 Unauthorized

Buildx version

github.com/docker/buildx v0.17.1 257815a6fbaee88976808020bf04274388275ae8

Docker info

Client: Docker Engine - Community
 Version:    26.1.3
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.17.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.27.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 15
 Server Version: 26.1.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: false
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7f7fdf5fed64eb6a7caf99b3e12efcf9d60e311c
 runc version: v1.1.14-0-g2c9f560
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.0-1025-azure
 Operating System: Ubuntu 22.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.61GiB
 Name: fv-az1780-864
 ID: f45fc31b-ef18-4a5f-be2b-7f841a08fbe4
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: githubactions
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Builders list

NAME/NODE                                          DRIVER/ENDPOINT                  STATUS    BUILDKIT   PLATFORMS
builder-d4eeffb1-11c7-4afe-b581-5b0ac3be6ebf*      docker-container
 \_ builder-d4eeffb1-11c7-4afe-b581-5b0ac3be6ebf0   \_ unix:///var/run/docker.sock  running   v0.16.0    linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
default                                            docker
 \_ default                                         \_ default                      running   v0.13.2    linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386

Configuration

FROM ubuntu:jammy-20240125

RUN echo "Not much"

name: Docker build

on:
  workflow_dispatch:
  push:
    branches: [ "main" ]

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build-container:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v2

      - run: docker buildx ls

      - name: Log into registry ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v4
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=registry,ref=${{ fromJSON(steps.meta.outputs.json).tags[0] }}
          cache-to: inline

Build logs

/usr/bin/docker buildx build --cache-from type=registry,ref=ghcr.io/effigies/buildx-repro:main --cache-to inline --iidfile /tmp/docker-actions-toolkit-OhbN4w/iidfile --label org.opencontainers.image.created=2024-10-10T17:11:00.573Z --label org.opencontainers.image.description=Reproducing a bug for buildx --label org.opencontainers.image.licenses= --label org.opencontainers.image.revision=f230570a860d4b8d929818cc50b18e20b932da8d --label org.opencontainers.image.source=https://github.com/effigies/buildx-repro --label org.opencontainers.image.title=buildx-repro --label org.opencontainers.image.url=https://github.com/effigies/buildx-repro --label org.opencontainers.image.version=main --tag ghcr.io/effigies/buildx-repro:main --metadata-file /tmp/docker-actions-toolkit-OhbN4w/metadata-file --push .
#0 building with "builder-d4eeffb1-11c7-4afe-b581-5b0ac3be6ebf" instance using docker-container driver
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 85B done
#1 DONE 0.0s
#2 [auth] library/ubuntu:pull token for registry-1.docker.io
#2 DONE 0.0s
#3 [internal] load metadata for docker.io/library/ubuntu:jammy-20240125
#3 DONE 0.5s
#4 [internal] load .dockerignore
#4 transferring context: 2B done
#4 DONE 0.0s
#5 [1/2] FROM docker.io/library/ubuntu:jammy-20240125@sha256:e9569c25505f33ff72e88b2990887c9dcf230f23259da296eb814fc2b41af999
#5 resolve docker.io/library/ubuntu:jammy-20240125@sha256:e9569c25505f33ff72e88b2990887c9dcf230f23259da296eb814fc2b41af999 done
#5 DONE 0.0s
#6 [auth] effigies/buildx-repro:pull token for ghcr.io
#6 DONE 0.0s
#7 importing cache manifest from ghcr.io/effigies/buildx-repro:main
#7 ERROR: failed to configure registry cache importer: ghcr.io/effigies/buildx-repro:main: not found
#5 [1/2] FROM docker.io/library/ubuntu:jammy-20240125@sha256:e9569c25505f33ff72e88b2990887c9dcf230f23259da296eb814fc2b41af999
#5 sha256:57c139bbda7eb92a286d974aa8fef81acf1a8cbc742242619252c13b196ab499 3.15MB / 29.55MB 0.2s
#5 sha256:57c139bbda7eb92a286d974aa8fef81acf1a8cbc742242619252c13b196ab499 14.68MB / 29.55MB 0.3s
#5 sha256:57c139bbda7eb92a286d974aa8fef81acf1a8cbc742242619252c13b196ab499 20.97MB / 29.55MB 0.5s
#5 sha256:57c139bbda7eb92a286d974aa8fef81acf1a8cbc742242619252c13b196ab499 29.55MB / 29.55MB 0.6s done
#5 extracting sha256:57c139bbda7eb92a286d974aa8fef81acf1a8cbc742242619252c13b196ab499
#5 extracting sha256:57c139bbda7eb92a286d974aa8fef81acf1a8cbc742242619252c13b196ab499 0.7s done
#5 DONE 1.2s
#8 [2/2] RUN echo "Not much"
#8 0.083 Not much
#8 DONE 0.2s
#9 [auth] effigies/buildx-repro:pull,push token for ghcr.io
#9 DONE 0.0s
#10 exporting to image
#10 exporting layers 0.0s done
#10 exporting manifest sha256:60fa18de7f19531e117be0c63b7b6d9ac449cdd7c9f77d0db848e6db73f1d6f4 done
#10 exporting config sha256:d69b94a9f2ea07318ca00e9f400028b0c546977764f06695cfd13c21206b7197 done
#10 exporting attestation manifest sha256:630b012405067b083156290eff07154620666c4060e2c4bef8c0674283acea2e done
#10 exporting manifest list sha256:ce0a8da03a1f6aa96e05ae0016d80f5c9a69847a4b87e6b467689bd6a56efa1e done
#10 pushing layers
#10 pushing layers 1.1s done
#10 pushing manifest for ghcr.io/effigies/buildx-repro:main@sha256:ce0a8da03a1f6aa96e05ae0016d80f5c9a69847a4b87e6b467689bd6a56efa1e
#10 pushing manifest for ghcr.io/effigies/buildx-repro:main@sha256:ce0a8da03a1f6aa96e05ae0016d80f5c9a69847a4b87e6b467689bd6a56efa1e 1.0s done
#10 DONE 2.1s
#11 exporting cache to registry
#11 preparing build cache for export
#11 ...
#12 [auth] library/inline:pull,push token for registry-1.docker.io
#12 DONE 0.0s
#11 exporting cache to registry
#11 writing layer sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
#11 preparing build cache for export 0.3s done
#11 writing layer sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 0.3s done
#11 ERROR: error writing layer blob: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Alibrary%2Finline%3Apull%2Cpush&service=registry.docker.io: 401 Unauthorized
------
 > importing cache manifest from ghcr.io/effigies/buildx-repro:main:
------
------
 > exporting cache to registry:
------
ERROR: failed to solve: error writing layer blob: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Alibrary%2Finline%3Apull%2Cpush&service=registry.docker.io: 401 Unauthorized

Additional info

Note that I am using docker/build-push-action, but there is not an error I can see in the construction of the buildx command. Apologies if this is mistargeted.

tonistiigi commented 1 month ago

It is --cache-to type=inline. Just "inline" would mean a Docker image at docker.io/library/inline (like "docker run ubuntu" means "docker.io/library/ubuntu").
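
The maintainer's explanation above, turned into a pre-flight check for a CI build command (an added example, not code from buildx or from either commenter): it models a bare --cache-to/--cache-from value as an image name expanded to docker.io/library/<name>, and flags any cache destination outside an expected registry. The function names, the allowed_hosts parameter and the simplified name-expansion rules are assumptions of this example.

```python
import shlex

CACHE_FLAGS = ("--cache-to", "--cache-from")

def normalize_ref(name):
    """Expand a short image name to its fully qualified form (simplified Docker rules)."""
    first, slash, _ = name.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return name                       # first component is already a registry host
    return ("docker.io/" if slash else "docker.io/library/") + name

def interpret_cache_spec(value):
    """Return (cache type, fully qualified ref or None) for one cache flag value."""
    fields = [f.strip() for f in value.split(",") if f.strip()]
    if len(fields) == 1 and "=" not in fields[0]:
        # Bare value: per the maintainer's reply it is read as an image name.
        return "registry", normalize_ref(fields[0])
    attrs = dict(f.split("=", 1) for f in fields if "=" in f)
    ref = attrs.get("ref")
    return attrs.get("type", ""), (normalize_ref(ref) if ref else None)

def cache_flag_values(command):
    """Yield (flag, value) for cache flags in both 'flag value' and 'flag=value' forms."""
    argv = shlex.split(command)
    for i, arg in enumerate(argv):
        flag, eq, val = arg.partition("=")
        if flag in CACHE_FLAGS:
            if eq:
                yield flag, val
            elif i + 1 < len(argv):
                yield flag, argv[i + 1]

def lint_command(command, allowed_hosts):
    """List cache flags that are bare or that point at a registry outside allowed_hosts."""
    findings = []
    for flag, value in cache_flag_values(command):
        _, ref = interpret_cache_spec(value)
        host = ref.split("/", 1)[0] if ref else None
        if "=" not in value or (host and host not in allowed_hosts):
            findings.append((flag, value, ref))
    return findings

# Constructed from the command in the report (labels and temp-file flags dropped).
REPORTED = ("docker buildx build "
            "--cache-from type=registry,ref=ghcr.io/effigies/buildx-repro:main "
            "--cache-to inline --tag ghcr.io/effigies/buildx-repro:main --push .")
FIXED = REPORTED.replace("--cache-to inline", "--cache-to type=inline")

if __name__ == "__main__":
    for cmd in (REPORTED, FIXED):
        print(lint_command(cmd, allowed_hosts={"ghcr.io"}))
```

Running the check against the rendered command before the build step surfaces the unintended docker.io destination without waiting for the 401 at cache export.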