Clarification: --provenance false fails on Buildx 0.10.0, but works with 0.10.2? #1608

Closed
polarathene opened this issue Feb 8, 2023 · 2 comments


polarathene commented Feb 8, 2023

I looked at the release notes for buildx but there didn't seem to be any mention that would explain this.

Recently updated a GitHub CI action where it was required to opt out of attestations via provenance: false. When running buildx, our CI was inconsistent with versions used. 0.10.0 failed as shown below, while 0.10.2 was successful. There does not appear to be any difference in the logs beyond buildx version. Associated issue raised for GitHub Action build-push-action.

Docker Engine: 20.10.22
Buildx: 0.10.0

/usr/bin/docker buildx build --cache-from type=local,src=/tmp/.buildx-cache --iidfile /tmp/docker-build-push-AubJbU/iidfile --platform linux/amd64 --provenance false --tag mailserver-testing:ci --load --metadata-file /tmp/docker-build-push-AubJbU/metadata-file .

ERROR: attestations are not supported by the current buildkitd
Error: buildx failed with: ERROR: attestations are not supported by the current buildkitd

Docker Engine: 20.10.22
Buildx: 0.10.2

/usr/bin/docker buildx build --cache-from type=local,src=/tmp/.buildx-cache --iidfile /tmp/docker-build-push-ykKorz/iidfile --platform linux/amd64 --provenance false --tag mailserver-testing:ci --load --metadata-file /tmp/docker-build-push-ykKorz/metadata-file .

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 12.34kB done
#1 DONE 0.0s

Presumably this is a temporary issue, and buildx 0.10.2 will be more commonly used in future CI runs (several re-runs were done but the version on failed runners did not get bumped yet).

Any hints in the meantime as to why --provenance false is causing the error above? Is the option not properly handled in 0.10.0?

Failed attempt to resolve

I noticed this PR regarding --load, that was added to 0.10.1:

Detect invalid attestation configuration #1545

Perhaps we built with attestations previously as we were using the 3.3 version of docker/build-push-action where it seems it was enabled by default. That PR suggests the feature is not compatible with buildx --load? So 0.10.0 failed, and new releases of buildx handled it properly?

If that is it, clearing our CI image cache will probably resolve the issue 👍

UPDATE: Cleared entire CI cache and performed a full workflow re-run. No difference, still getting the same failure.


polarathene commented Feb 8, 2023

Related issues (same error cited):


I have observed prior to upgrading docker/build-push-action from v3.3 to v4 (and our addition of provenance: false), the same Docker Engine and buildx versions worked fine. Just the omission of --provenance false. We can probably remove that opt-out and the CI will not encounter the error.

Next week GitHub should be upgrading Docker Engine to v23 which will bring a newer BuildKit version. Perhaps by then buildx 0.10.2 will be more common in runs too and this issue will be technically resolved 🤷‍♂️


Forgot to mention that the CI has a build workflow that uses buildx with the docker-container driver, exports the build cache to pull down in a dependent workflow, which uses buildx with the plain docker driver, hence lower BuildKit version.

We only need to --load the image into the local Docker daemon for running a container to perform testing. I assume the BuildKit version isn't too relevant at this point due to the full image cache being available, but perhaps that change in driver and BuildKit support is relevant? (but newer buildx releases are smarter / relaxed to avoid failing with that error?)

@polarathene

I am fairly certain I understand it now 👍

  • Affected workflow used docker driver instead of docker-container.
  • CI Docker Engine bundles BuildKit release from 2 years ago (soon to be resolved with v23 update).
  • docker/build-push-action appends --provenance option to buildx command if explicitly configured in the workflow (or compatible BuildKit version detected).
  • buildx 0.10.0 would fail early on attestation support with old BuildKit, before acknowledging opt-out with --provenance false. 0.10.1 or 0.10.2 presumably fixed that mishap to only fail when --provenance true (default, but presumably only when the BuildKit version supported it, hence no failure prior).

So, the only thing that changed was explicitly opting out with provenance: false in the action, which added an explicit --provenance false option to buildx, mixed with bad timing of GitHub dependencies and the one workflow not using docker-container driver for newer BuildKit version 😅 (all while about to become a non-issue with GitHub as the CI in about a week)

Closing as I'm fairly confident in the troubleshooting and resolution 😎
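
The conclusion above expressed as a pre-build check, added here as an illustration; it is not part of the original thread, buildx, or docker/build-push-action. The function names and sample inputs are hypothetical, and the 0.10.0 rule encodes the thread's own diagnosis (opt-out rejected with the docker driver, omission of the flag worked) rather than documented buildx behaviour.

```shell
#!/bin/sh
# Added example: decide whether to pass the provenance opt-out to buildx.
# Inputs are strings, so nothing here runs docker; the samples are constructed.

# "github.com/docker/buildx v0.10.2 <commit>" -> "0.10.2"
buildx_semver() {
    printf '%s\n' "$1" |
        sed -n 's/.* v\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# First "Driver:" line of `docker buildx inspect` output -> driver name
buildx_driver() {
    printf '%s\n' "$1" | awk '$1 == "Driver:" { print $2; exit }'
}

# Print the arguments to append to `docker buildx build` for the opt-out.
provenance_args() {
    ver=$1; driver=$2
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    major=${1:-}; minor=${2:-}; patch=${3:-}
    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$patch" ]; then
        echo "unparsable buildx version: $ver" >&2
        return 1
    fi
    # Before 0.10.0 buildx has no --provenance flag, so there is nothing to pass.
    if [ "$major" -eq 0 ] && [ "$minor" -lt 10 ]; then
        return 0
    fi
    # Thread's diagnosis: 0.10.0 with the docker driver (old embedded BuildKit)
    # rejects even the opt-out, while omitting the flag built fine.
    if [ "$major" -eq 0 ] && [ "$minor" -eq 10 ] && [ "$patch" -eq 0 ] &&
        [ "$driver" = "docker" ]; then
        return 0
    fi
    echo "--provenance false"
}

# Constructed sample inputs (the commit id is a placeholder).
sample_version='github.com/docker/buildx v0.10.0 abc1234'
sample_inspect='Name:   default
Driver: docker'
v=$(buildx_semver "$sample_version")
d=$(buildx_driver "$sample_inspect")
echo "buildx $v, driver $d -> args: [$(provenance_args "$v" "$d")]"
```

In a workflow the two inputs would come from `docker buildx version` and `docker buildx inspect`. With provenance disabled the image carries no build attestation, so any downstream verification that expects one needs to know which builds skipped it.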
