Cannot include an image in a manifest list/index which is already a multi-platform image

[tboerger]

I have tried to push image manifests recently starting with 2.0.6 coming from the old 1.x.x version. The container build process has not changed, I was just getting strange errors from my Github actions where I thought it's finally time to upgrade manifest-tool.

The old 1.x.x version was resulting in messages like this:

time="2023-02-15T09:41:01Z" level=error msg="Error trying v2 registry: unsupported manifest format"

Now with the latest release of manifest-tool I'm getting this:

time="2023-02-15T11:41:04Z" level=fatal msg="Cannot include an image in a manifest list/index which is already a multi-platform image: webhippie/minecraft-vanilla:latest-amd64"

On DockerHub everythin is looking fine, it just says webhippie/minecraft-vanilla:latest-amd64 is simply linux/amd64 like I expect, just with manifest-tool inspect webhippie/minecraft-vanilla:latest-amd64 I'm getting a strange other OS combination with unknown/unknown:

Name:   webhippie/minecraft-vanilla:latest-amd64 (Type: application/vnd.oci.image.index.v1+json)
Digest: sha256:2e898ed47b0cc212956944ca91d1f3b6e17a709a7bb4460024cd9a120de56930
 * Contains 2 manifest references:
[1]     Type: application/vnd.oci.image.manifest.v1+json
[1]   Digest: sha256:15fb09c9dc23386848ba892215dbb3a3d42af8be0926d25f6c4ef3306309aced
[1]   Length: 3149
[1] Platform:
[1]    -      OS: linux
[1]    -    Arch: amd64
[1] # Layers: 15
     layer 01: digest = sha256:846c0b181fff0c667d9444f8378e8fcfa13116da8d308bf21673f7e4bea8d580
     layer 02: digest = sha256:a139e8ec6e08c6ef979ee26c521cde1f30a6d9edf1d1754c7abd3c10b4ef154e
     layer 03: digest = sha256:1536e092ae695fc13a78bf37a2fe6895b7cd7f35c2526a03605a43288036458e
     layer 04: digest = sha256:36288272a8673a0431007b9bf394a43f1a5c780010ed9bf28bf135fa509f2f11
     layer 05: digest = sha256:ed49731d6776c16b5df87520f7825ee137bf8817947107f5c9f7e01bc1fecc4f
     layer 06: digest = sha256:f58c439f78f199fe887d094004c068c78fbc182e20812e34707c860de56293f9
     layer 07: digest = sha256:a2c71924525c3162ffe32e7595836a269da0bb796d36030e8ae2a384fac174e2
     layer 08: digest = sha256:82a54c6f6de248c3e396f8bd8e1d09e041481ade6be194068c008bb7ccc56acf
     layer 09: digest = sha256:e8d7b0e67eb9b6ddef054b74979b744124ad71beb2583fe1cb498005d88cbec6
     layer 10: digest = sha256:16928463d4e72171c6ddb38c55001c504f0449cf1d7c873fbc0498448acd54af
     layer 11: digest = sha256:3f41ade7520bd97dff9e837fd864d7f42e7e43c78c084ca0743827e15bd39f71
     layer 12: digest = sha256:c41d04f278fe2abacac4aa5bf63ecafac40efa5ec570a6b5c63571e32549569f
     layer 13: digest = sha256:6e3efa78361338878199160883cbf8f7016fa73f9a32b90b8a2341919f44e99e
     layer 14: digest = sha256:851a4fb17f322b34d7896dfde56025ce4f2e4965a285b132ce9cbccd5cfd45e2
     layer 15: digest = sha256:3693cde3bca5f2515eb421f02a7f907a726d50f1caf7a1a67def0256d2bff077

[2]     Type: application/vnd.oci.image.manifest.v1+json
[2]   Digest: sha256:14a0dac154de209c8cf55096724295c7d793df2c40813b7c84f19351ddf29e5b
[2]   Length: 567
[2] Platform:
[2]    -      OS: unknown
[2]    -    Arch: unknown
[2] # Layers: 1
     layer 01: digest = sha256:3900c1ac101304a775a3afc9a25ddd240f6e5e8409a1a51919222f3b1adccdd5

Maybe somebody got an idea how to solve that? Have I run into a bug within manifest-tool? Or is this something totally different? You can see the whole workflow at https://github.com/dockhippie/minecraft-vanilla/blob/master/.github/workflows/docker.yml#L225-L332.

[tboerger]

Ok, I have updated the build and push action before which introduced provenance, manifest-tool thinks that this attestation manifest means this is already a multi arch image...

$ docker buildx imagetools inspect  webhippie/minecraft-vanilla:latest-amd64
Name:      docker.io/webhippie/minecraft-vanilla:latest-amd64
MediaType: application/vnd.oci.image.index.v1+json
Digest:    sha256:3b44887ef33025b311ec7232899fd61fbb579fb9527fb807bcf3d9e438c4c156

Manifests:
  Name:      docker.io/webhippie/minecraft-vanilla:latest-amd64@sha256:db2bc91383f5af8bce063769cc487ace4ff3eda8aee230faceb9822f240bbbfb
  MediaType: application/vnd.oci.image.manifest.v1+json
  Platform:  linux/amd64

  Name:      docker.io/webhippie/minecraft-vanilla:latest-amd64@sha256:56b59fb018b092a89be65e663e1b226456a36d34346bb20218c804556697f76f
  MediaType: application/vnd.oci.image.manifest.v1+json
  Platform:  unknown/unknown
    vnd.docker.reference.digest: sha256:db2bc91383f5af8bce063769cc487ace4ff3eda8aee230faceb9822f240bbbfb
    vnd.docker.reference.type:   attestation-manifest

[tboerger]

I have downgraded docker/build-push-action to v3 within my workflows in the meantime to get my images building again.

[estesp]

Hmm, yes, manifest-tool does not yet handle the fact that a very recent version of buildkit now adds attestation records, using the image index format instead of a single image manifest. I will need to make changes to, first, recognize that an index that only has an attestation added as an index entry is still a "single image," and then secondly, preserve the attestation manifest for any/all constituent images in the assembly of the final manifest list/image index for this to work properly.

[snowdream]

https://github.com/snowdreamtech/frp/actions/runs/4191483587/jobs/7265955127

I have got the same error.

time="2023-02-16T06:55:54Z" level=fatal msg="Cannot include an image in a manifest list/index which is already a multi-platform image: ***techamd64/frpc:latest"

[estesp]

Just FYI: #204 contains the easier half of the implementation--manifest-tool inspect will now show attestations properly as distinct from images within an index/manifest list.

Will now work on push to handle indexes.

[waddles]

EDIT: my apologies, I was doing it wrong.