kaniko
kaniko copied to clipboard
GoogleContainerTools
push image (with warmed base image(OCI format)) to Dockerhub got MANIFEST_INVALID error
Actual behavior
When push builded image, with base image(ubuntu:20.04) cached by warmer, will get error:
error pushing image: failed to push to destination luxurine/counter:latest: PUT https://index.docker.io/v2/luxurine/counter/manifests/latest:
MANIFEST_INVALID: manifest invalid; mediaType in manifest should be 'application/vnd.docker.distribution.manifest.v2+json'
not 'application/vnd.oci.image.manifest.v1+json'
(If there is no cache for base image, image push is ok)
Expected behavior Image should be pushed successfully.
Preliminary analysis
It looks like ubuntu:20.04 use "mediaType": "application/vnd.oci.image.manifest.v1+json", but dockerhub expect application/vnd.docker.distribution.manifest.v2+json.
The strange thing is, if build without base image cache, pushing image is just ok, I guess reasons could be:
- if build without base image cache, kaniko will do automatic transformation
- if build with base image cache, as cache dir is readonly in kaniko executor's view, it will build on top of the cache
kaniko can cache images in a local directory that can be volume mounted into the kaniko pod. To do so, the cache must first be populated,
as it is read-only. We provide a kaniko cache warming image at gcr.io/kaniko-project/warmer
Some proposal:
- warmer add flag to control transformation, like OCI --> Docker
- executor support base image cache(assume cache dir is readwrite)(related issue #2257 )
- or, executor copy cached base image and do some transformation before build
To Reproduce Steps to reproduce the behavior:
- prepare manifests
λ tree .
.
├── Dockerfile
├── bin
│ └── counter
└── config.json
2 directories, 5 files
- warm base image
$ docker run -v $(pwd):/workspace gcr.io/kaniko-project/warmer:v1.9.1 --cache-dir=/workspace/cache --image="ubuntu:20.04"
INFO[0000] Retrieving image manifest ubuntu:20.04
INFO[0000] Retrieving image ubuntu:20.04 from registry index.docker.io
- build and push image
$ docker run -ti --rm -v `pwd`:/workspace -v `pwd`/config.json:/kaniko/.docker/config.json:ro gcr.io/kaniko-project/executor:v1.9.1-debug --cache=true --cache-dir=/workspace/cache --dockerfile=Dockerfile --destination=luxurine/counter:latest
INFO[0002] Retrieving image manifest ubuntu:20.04
INFO[0002] Retrieving image ubuntu:20.04 from registry index.docker.io
INFO[0005] Found sha256:3626dff0d616e8ee7065a9ac8c7117e904a4178725385910eeecd7f1872fc12d in local cache
INFO[0005] Found manifest at /workspace/cache/sha256:3626dff0d616e8ee7065a9ac8c7117e904a4178725385910eeecd7f1872fc12d.json
INFO[0005] Built cross stage deps: map[]
INFO[0005] Retrieving image manifest ubuntu:20.04
INFO[0005] Returning cached image manifest
INFO[0005] Found sha256:3626dff0d616e8ee7065a9ac8c7117e904a4178725385910eeecd7f1872fc12d in local cache
INFO[0005] Found manifest at /workspace/cache/sha256:3626dff0d616e8ee7065a9ac8c7117e904a4178725385910eeecd7f1872fc12d.json
INFO[0005] Executing 0 build triggers
INFO[0005] Building stage 'ubuntu:20.04' [idx: '0', base-idx: '-1']
INFO[0005] Unpacking rootfs as cmd COPY bin/ /app requires it.
INFO[0007] COPY bin/ /app
INFO[0007] Taking snapshot of files...
INFO[0007] WORKDIR /app
INFO[0007] Cmd: workdir
INFO[0007] Changed working directory to /app
INFO[0007] No files changed in this command, skipping snapshotting.
INFO[0007] ENTRYPOINT ["/app/counter"]
INFO[0007] No files changed in this command, skipping snapshotting.
INFO[0007] Pushing image to luxurine/counter:latest
error pushing image: failed to push to destination luxurine/counter:latest: PUT https://index.docker.io/v2/luxurine/counter/manifests/latest: MANIFEST_INVALID: manifest invalid; mediaType in manifest should be 'application/vnd.docker.distribution.manifest.v2+json' not 'application/vnd.oci.image.manifest.v1+json'
Additional Information
- Dockerfile
FROM ubuntu:20.04
COPY bin/ /app
WORKDIR /app
ENTRYPOINT ["/app/counter"]
- Kaniko Image: gcr.io/kaniko-project/executor:v1.9.1-debug
ref:
- https://docs.docker.com/registry/spec/manifest-v2-2/
- https://github.com/opencontainers/image-spec/blob/main/manifest.md
- https://github.com/moby/moby/issues/44898
I've just experienced a similar issue building a local development image and pushing it to our own GitLab Registry instance (albeit without the useful error message - I just got MANIFEST_INVALID: manifest invalid; map[]
I'm not sure how you worked around this @luxurine, but my solution was to build the Ubuntu base image myself:
# Based on: https://git.launchpad.net/cloud-images/+oci/ubuntu-base/tree/?h=focal-20.04
FROM scratch
ADD source/ubuntu-focal-oci-amd64-root.tar.gz /
I think this is related to https://github.com/GoogleContainerTools/kaniko/issues/1836
I believe this is a dupe of #1836 which was recently fixed and in the latest kaniko release (v1.15.0). Closing, feel free to re-open if there is more to address here
I've just tried kaniko-project/executor:v1.17.0 again, still the same problem. Could you please reopen this issue? @aaron-prindle
manifest
# Dockfile
FROM ubuntu:20.04 # with OCI format
WORKDIR /app
step
- warmup image
$ docker run -v $(pwd):/workspace gcr.io/kaniko-project/warmer:v1.17.0 --cache-dir=/workspace/cache --image=ubuntu:20.04
# output
INFO[0000] Retrieving image manifest ubuntu:20.04
INFO[0000] Retrieving image ubuntu:20.04 from registry index.docker.io
- build and push
$ docker run -ti --rm -v `pwd`:/workspace -v `pwd`/config.json:/kaniko/.docker/config.json:ro gcr.io/kaniko-project/executor:v1.17.0-debug --cache=true --cache-dir=/workspace/cache --dockerfile=Dockerfile --destination=luxurine/demo:latest --verbosity=debug
# output
INFO[0002] Retrieving image manifest ubuntu:20.04
INFO[0002] Retrieving image ubuntu:20.04 from registry index.docker.io
INFO[0006] Found sha256:218bb51abbd1864df8be26166f847547b3851a89999ca7bfceb85ca9b5d2e95d in local cache
INFO[0006] Found manifest at /workspace/cache/sha256:218bb51abbd1864df8be26166f847547b3851a89999ca7bfceb85ca9b5d2e95d.json
INFO[0006] Built cross stage deps: map[]
INFO[0006] Retrieving image manifest ubuntu:20.04
INFO[0006] Returning cached image manifest
INFO[0006] Found sha256:218bb51abbd1864df8be26166f847547b3851a89999ca7bfceb85ca9b5d2e95d in local cache
INFO[0006] Found manifest at /workspace/cache/sha256:218bb51abbd1864df8be26166f847547b3851a89999ca7bfceb85ca9b5d2e95d.json
INFO[0006] Executing 0 build triggers
...
INFO[0006] Pushing image to luxurine/demo:latest
error pushing image: failed to push to destination luxurine/demo:latest: PUT https://index.docker.io/v2/luxurine/demo/manifests/latest: MANIFEST_INVALID: manifest invalid; mediaType in manifest should be 'application/vnd.docker.distribution.manifest.v2+json' not 'application/vnd.oci.image.manifest.v1+json'
I've also seen this with 1.18.0 and 1.19.0. Seems possibly related to newer issue #2883. We're using GitLab Container Registry and not AWS ECR.
Ran into this issue on executor-v1.23.2 and recent warmer-latest (doesn't report a version) to a gitlab v16.11.5 container registry.
Ran into this issue on executor-v1.23.2 and recent warmer-latest (doesn't report a version) to a gitlab v16.11.5 container registry.
@mhio here is a temporary fix you can try:
- fork kaniko repo
- update func
func (c *cachedImage) Manifest() (*v1.Manifest, error)in pkg/cache/cache.go and return tabball's manifest by default. - build image
[!WARNING]
target image is always indockerformat
func (c *cachedImage) Manifest() (*v1.Manifest, error) {
if c.mfst == nil {
return c.Image.Manifest()
}
return c.mfst, nil
}
->
func (c *cachedImage) Manifest() (*v1.Manifest, error) {
mfst, err := c.Image.Manifest()
if mfst != nil {
return mfst, err
}
return c.mfst, nil
}
Thanks @luxurine we'll give that a try, disabling the warmed cache was the quick workaround.