Provenance flag is not handled correctly for boolean passed

Open Shubhranshu153 opened this issue 6 months ago • 5 comments

Description

sudo nerdctl build . --provenance=false -t test:0.1

creates an unknown/unknown image tag

[shubhum@lima-finch Test]$ sudo nerdctl image ls
REPOSITORY                                                   TAG                 IMAGE ID        CREATED          PLATFORM           SIZE       BLOB SIZE
test                                                         0.1                 3e7b5c47d20a    7 seconds ago    linux/amd64        8.978MB    3.798MB
test                                                         0.1                 3e7b5c47d20a    7 seconds ago    unknown/unknown    0B         3.099kB

Steps to reproduce the issue

  1. sudo nerdctl build . --provenance=false -t test:0.1

[shubhum@lima-finch Test]$ sudo nerdctl image ls
REPOSITORY                                                   TAG                 IMAGE ID        CREATED          PLATFORM           SIZE       BLOB SIZE
test                                                         0.1                 3e7b5c47d20a    7 seconds ago    linux/amd64        8.978MB    3.798MB
test                                                         0.1                 3e7b5c47d20a    7 seconds ago    unknown/unknown    0B         3.099kB

Describe the results you received and expected

It should not create an image with platform unknown/unknown

What version of nerdctl are you using?

nerdctl 2.1.2

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

No response

Shubhranshu153 avatar Jun 19 '25 18:06 Shubhranshu153

Hi @Shubhranshu153

I wasn't able to reproduce this issue with the following environment:

nerdctl version
Client:
 Version:       v2.1.2-53-g4bde79d5
 OS/Arch:       linux/amd64
 Git commit:    4bde79d58aa6e67ad4bcd86598ea0a25fc9d4338
 buildctl:
  Version:      v0.18.1
  GitCommit:    eb68885955169461d72dc2b7e6d084100fcaba86

Server:
 containerd:
  Version:      v2.0.0
  GitCommit:    207ad711eabd375a01713109a8a197d197ff6542
 runc:
  Version:      1.2.2
  GitCommit:    v1.2.2-0-g7cb36325

The output is:

nerdctl image ls |grep test
test                                   0.1                cba336ff2032    5 minutes ago    linux/amd64      4.407MB    2.146MB

I think I might have missed something, but I'm not sure what it is.

yankay avatar Jun 20 '25 03:06 yankay

The change is coming from the new buildctl version, I think v0.21.1

shubhum@147ddaa42911 BATSHelloWorldDockerImageTransform % finch version
Client:
 Version:	v1.8.3
 GitCommit:	f392d597b321535ea9d46896ad7000d84a6ebe73
 OS/Arch:	linux/amd64
 nerdctl:
  Version:	v2.1.2
  GitCommit:	2a2834dd1c926528aa141726a9a9132eb1665568
 buildctl:
  Version:	v0.21.1
  GitCommit:	66735c67040bc80e6ed104f451683e094030a4e1

Server:
 containerd:
  Version:	v2.1.1
  GitCommit:	cb1076646aa3740577fafbf3d914198b7fe8e3f7
 runc:
  Version:	1.3.0
  GitCommit:	v1.3.0-0-g4ca628d
shubhum@147ddaa42911 BATSHelloWorld

Shubhranshu153 avatar Jun 20 '25 04:06 Shubhranshu153

@yankay are you on arm or x86?

Shubhranshu153 avatar Jun 20 '25 15:06 Shubhranshu153

I went back to some of the older versions and am still seeing it when provenance is set.

[root@lima-finch Test]# nerdctl version
Client:
 Version:	v2.0.4
 OS/Arch:	linux/amd64
 Git commit:	39058fbce68e29feecc9cec992ade74b272817d8
 buildctl:
  Version:	v0.18.1.m
  GitCommit:	eb68885955169461d72dc2b7e6d084100fcaba86.m

Server:
 containerd:
  Version:	v2.0.0-rc.1-716-g207ad711e
  GitCommit:	207ad711eabd375a01713109a8a197d197ff6542
 runc:
  Version:	1.3.0
  GitCommit:	v1.3.0-0-g4ca628d

Based on the image config, it makes sense that it would show up; I'm just not able to pinpoint how it got introduced. Will do some further digging.

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:eca6b9d7be4965b84ccb1bcc9182388f1b49f0f9736240e5dbfe10e2ad8698f8",
      "size": 480,
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:43f1245025dc90ef771367ec4c9a4c1cd738d851147f1d78cc0b73d61894755d",
      "size": 566,
      "annotations": {
        "vnd.docker.reference.digest": "sha256:eca6b9d7be4965b84ccb1bcc9182388f1b49f0f9736240e5dbfe10e2ad8698f8",
        "vnd.docker.reference.type": "attestation-manifest"
      },
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    }
  ]
}

Shubhranshu153 avatar Jun 20 '25 15:06 Shubhranshu153

It looks like when we pass --provenance=false to nerdctl, it passes the flag --opt=attest:provenance=disabled=true to buildctl. And buildctl does not seem to recognize the disabled option. As per the docs, an empty attestation flag like --opt attest:provenance= is considered as attestation enabled in buildctl, which is why we see a generated attestation artifact even when we pass --provenance=false to nerdctl.

@Shubhranshu153 Looking at the image config you provided, do you think that nerdctl should not list the second manifest when we run nerdctl image ls because the manifest clearly says that it is an attestation manifest and not an image manifest, which probably also explains why we see unknown for arch/os:

"annotations": {
    "vnd.docker.reference.digest": "sha256:eca6b9d7be4965b84ccb1bcc9182388f1b49f0f9736240e5dbfe10e2ad8698f8",
    "vnd.docker.reference.type": "attestation-manifest"
},

Swapnanil-Gupta avatar Jul 21 '25 16:07 Swapnanil-Gupta
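
The distinction raised in the last comment, as an added example that is not part of the thread and not nerdctl's own code: it parses an image index shaped like the one posted above and separates runnable image manifests from entries annotated as attestation manifests. `SplitIndex` and the placeholder digests are hypothetical names constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// descriptor is the subset of an index entry that the thread discusses.
type descriptor struct {
	Digest      string            `json:"digest"`
	Annotations map[string]string `json:"annotations"`
	Platform    struct {
		Architecture string `json:"architecture"`
		OS           string `json:"os"`
	} `json:"platform"`
}

// Constructed sample modeled on the index in the thread; digests are placeholders.
const sampleIndex = `{"manifests":[
 {"digest":"sha256:IMAGE_PLACEHOLDER","platform":{"architecture":"amd64","os":"linux"}},
 {"digest":"sha256:ATTESTATION_PLACEHOLDER",
  "annotations":{"vnd.docker.reference.digest":"sha256:IMAGE_PLACEHOLDER",
                 "vnd.docker.reference.type":"attestation-manifest"},
  "platform":{"architecture":"unknown","os":"unknown"}}]}`

// SplitIndex (hypothetical helper) returns the os/arch of each image manifest
// and a map from attestation manifest digest to the image digest it refers to.
func SplitIndex(raw []byte) (images []string, attestations map[string]string, err error) {
	var idx struct {
		Manifests []descriptor `json:"manifests"`
	}
	if err = json.Unmarshal(raw, &idx); err != nil {
		return nil, nil, err
	}
	attestations = map[string]string{}
	for _, d := range idx.Manifests {
		if d.Annotations["vnd.docker.reference.type"] == "attestation-manifest" {
			attestations[d.Digest] = d.Annotations["vnd.docker.reference.digest"]
			continue // not a runnable image, so it gets no platform row
		}
		images = append(images, d.Platform.OS+"/"+d.Platform.Architecture)
	}
	return images, attestations, nil
}

func main() {
	images, atts, err := SplitIndex([]byte(sampleIndex))
	fmt.Println(images, atts, err)
}
```

On the sample index this yields a single `linux/amd64` image and one attestation entry pointing at it, instead of a second `unknown/unknown` row.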