feat: add support to SUSE and openSUSE distros with Zypper
This PR adds support for patching SUSE-related images based on SLES (SUSE Linux Enterprise Server), BCI (container images) and openSUSE (LEAP and Tumbleweed). It uses Zypper as the package manager and does the patching using a tooling image, because we consider that all patches are done against distroless images that don't have Zypper inside.
Disclosure: I work at SUSE and we are investigating copa to help bump packages in some of our images.
Codecov Report
:x: Patch coverage is 74.72527% with 23 lines in your changes missing coverage. Please review.
:white_check_mark: Project coverage is 40.02%. Comparing base (a28f98b) to head (e21849d).
:warning: Report is 26 commits behind head on main.
| Files with missing lines | Patch % | Lines |
|---|---|---|
| pkg/pkgmgr/rpm.go | 68.05% | 20 Missing and 3 partials :warning: |
Additional details and impacted files
@@ Coverage Diff @@
## main #1294 +/- ##
==========================================
- Coverage 48.83% 40.02% -8.81%
==========================================
Files 38 42 +4
Lines 5316 5956 +640
==========================================
- Hits 2596 2384 -212
- Misses 2550 3373 +823
- Partials 170 199 +29
A comment for the maintainers and reviewers: this PR is currently lacking tests (I already have some locally and I'm adding more), because first I would like to get feedback and validate if the overall approach that I took is acceptable or not. I took the route of splitting the logic between an rpm file and a zypper file to avoid adding more complexity and increasing the size of the former. All of the implemented RPM logic is reused in Zypper, with the exception of the chroot install logic done for Zypper. Once the approach is confirmed to be fine, I'll add the tests and update the docs. Thanks!
@macedogm thanks for the contribution! Can we also add logic for updating all outdated packages in the case updates is nil? Also, is it necessary to use zypper inside the tooling image if rpm also exists? It could be simpler to combine the logic with the existing rpm package manager and add a case for the zypper tooling image
> @macedogm thanks for the contribution!
@ashnamehrotra thanks for providing feedback!
> Can we also add logic for updating all outdated packages in the case updates is nil?
Yes, I'll add it.
> Also, is it necessary to use `zypper` inside the tooling image if `rpm` also exists? It could be simpler to combine the logic with the existing rpm package manager and add a case for the zypper tooling image
I thought about this, but rpm alone doesn't provide dependency resolution that might be needed when updating a package, which is handled natively by zypper. I believe that relying only on rpm would work for most of the cases that the package to be updated doesn't need any other dependencies to be updated too, but it would fail for the other case (and especially when doing a full update).
> It could be simpler to combine the logic with the existing rpm package manager and add a case for the zypper tooling image
@ashnamehrotra I can combine the zypper file inside the rpm.go, but it will make it bigger (and I was concerned with this and the extra complexity). I can combine them just for comparison purposes inside the PR if you want and then we can choose which route to take. WDYT?
@macedogm that makes sense! We can try combining as you suggested - I think that would allow us to reuse a lot of the existing rpm functionality and just section out the relevant zypper calls
@ashnamehrotra sorry for the delay. I believe that the PR is now in better shape, with tests included for the zypper function. Please let me know what you think.
Hey @ashnamehrotra. I rebased the PR to get the latest changes. There is a failing test which is unrelated to the PR, it's probably flaky, but I can't restart it.
@sozercan thanks for adding this to the v0.13.0 milestone. I'll avoid constant rebases in the meantime. Please let me know when you think it's the appropriate time to do the final rebase. Thanks!
@macedogm thanks for the updates! It looks good to me for the update all approach. When testing this with Trivy reports, it was unable to detect the osType:
./copa patch -i registry.suse.com/bci/bci-base:15.7-5.8.29 --debug -r reports --debug
DEBU[0000] Using report directory: reports
DEBU[0000] Handling platform specific errors with ignore-errors=false
DEBU[0000] Discovered platforms from manifest platforms="[linux/amd64 linux/arm64 linux/ppc64le linux/s390x]"
DEBU[0000] Discovered platforms from report platforms="[]"
DEBU[0000] No report found for platform linux/amd64, preserving original
DEBU[0000] No report found for platform linux/arm64, preserving original
DEBU[0000] No report found for platform linux/ppc64le, preserving original
DEBU[0000] No report found for platform linux/s390x, preserving original
INFO[0000] Platform linux/s390x marked for preservation, preserving original in manifest
INFO[0000] Platform linux/arm64 marked for preservation, preserving original in manifest
INFO[0000] Platform linux/amd64 marked for preservation, preserving original in manifest
INFO[0000] Platform linux/ppc64le marked for preservation, preserving original in manifest
Error: no images were processed, check the logs for errors
I think we need to add "suse linux enterprise server" in addition to "opensuse-..." for supported osTypes.
@ashnamehrotra I'll review your comment and update the PR accordingly. Thanks for the feedback.
Hey @ashnamehrotra. I tested the PR branch against the x86_64 arch image of registry.suse.com/bci/bci-base:15.7-5.8.29 and it worked. I pasted the full logs below. In your test, were you trying to patch all archs of the image?
The OS type is sles - https://github.com/project-copacetic/copacetic/pull/1294/files#diff-6d133c3c71ba5072c34c343d7f897d81c2800c5a6fd52f0271935420cdeaf23dR20:
"Metadata": {
"Size": 124994048,
"OS": {
"Family": "sles",
"Name": "15.7"
},
See full log
# /home/user/fork-copacetic/copacetic patch -i registry.suse.com/bci/bci-base:15.7-5.8.29 -r scan.json --debug
DEBU[0000] Using report file: scan.json
INFO[0000] Patched image name: registry.suse.com/bci/bci-base:15.7-5.8.29-patched
DEBU[0000] Filtering out library updates based on pkg-types: [os]
DEBU[0000] Filtered updates to apply: OS=10, Lang=0
DEBU[0000] updates to apply: &{{{sles 15.7} {amd64 }} [{curl 8.6.0-150600.4.21.1 8.14.1-150600.4.28.1 SUSE-SU-2025:03198-1 sles os-pkgs} {krb5 1.20.1-150600.11.11.2 1.20.1-150600.11.14.1 SUSE-SU-2025:3699-1 sles os-pkgs} {libbrotlicommon1 1.0.7-3.3.1 1.0.7-150200.3.5.1 SUSE-SU-2025:03268-1 sles os-pkgs} {libbrotlidec1 1.0.7-3.3.1 1.0.7-150200.3.5.1 SUSE-SU-2025:03268-1 sles os-pkgs} {libcurl4 8.6.0-150600.4.21.1 8.14.1-150600.4.28.1 SUSE-SU-2025:03198-1 sles os-pkgs} {libopenssl-3-fips-provider 3.2.3-150700.5.18.1 3.2.3-150700.5.21.1 SUSE-SU-2025:03546-1 sles os-pkgs} {libopenssl3 3.2.3-150700.5.18.1 3.2.3-150700.5.21.1 SUSE-SU-2025:03546-1 sles os-pkgs} {libssh-config 0.9.8-150600.11.3.1 0.9.8-150600.11.6.1 SUSE-SU-2025:03369-1 sles os-pkgs} {libssh4 0.9.8-150600.11.3.1 0.9.8-150600.11.6.1 SUSE-SU-2025:03369-1 sles os-pkgs} {openssl-3 3.2.3-150700.5.18.1 3.2.3-150700.5.21.1 SUSE-SU-2025:03546-1 sles os-pkgs}] []}
DEBU[0000] Trying docker driver
DEBU[0000] serving grpc connection
DEBU[0000] stopping session
DEBU[0000] Image name has tag or digest, using registry.suse.com/bci/bci-base:15.7-5.8.29 as tag
DEBU[0000] local media type not found for registry.suse.com/bci/bci-base:15.7-5.8.29 using : Error response from daemon: No such image: registry.suse.com/bci/bci-base:15.7-5.8.29
DEBU[0002] remote media type found for registry.suse.com/bci/bci-base:15.7-5.8.29: application/vnd.docker.distribution.manifest.list.v2+json
WARN[0002] resolved media type is Docker
DEBU[0002] serving grpc connection
#1 resolve image config for docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29
DEBU[0002] Loading image stream using Docker API client
#1 DONE 3.6s
DEBU[0005] latest unique RPMs: [{curl 8.14.1-150600.4.28.1 } {krb5 1.20.1-150600.11.14.1 } {libbrotlicommon1 1.0.7-150200.3.5.1 } {libbrotlidec1 1.0.7-150200.3.5.1 } {libcurl4 8.14.1-150600.4.28.1 } {libopenssl-3-fips-provider 3.2.3-150700.5.21.1 } {libopenssl3 3.2.3-150700.5.21.1 } {libssh-config 0.9.8-150600.11.6.1 } {libssh4 0.9.8-150600.11.6.1 } {openssl-3 3.2.3-150700.5.21.1 }]
DEBU[0005] Using bci/bci-base:15.7 as basis for tooling image
#2 docker-image://ghcr.io/project-copacetic/copacetic/bci/bci-base:15.7
#2 resolve ghcr.io/project-copacetic/copacetic/bci/bci-base:15.7
#2 resolve ghcr.io/project-copacetic/copacetic/bci/bci-base:15.7 0.5s done
#2 ERROR: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://ghcr.io/token?scope=repository%3Aproject-copacetic%2Fcopacetic%2Fbci%2Fbci-base%3Apull&service=ghcr.io: 403 Forbidden
DEBU[0006] Using bci/bci-base:15.7 as basis for tooling image
#3 docker-image://registry.suse.com/bci/bci-base:15.7
#3 resolve registry.suse.com/bci/bci-base:15.7
#3 resolve registry.suse.com/bci/bci-base:15.7 1.6s done
#3 DONE 1.6s
#3 docker-image://registry.suse.com/bci/bci-base:15.7
#3 DONE 1.6s
#1 resolve image config for docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29
#1 DONE 4.0s
#4 docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29
#4 resolve registry.suse.com/bci/bci-base:15.7-5.8.29
#4 resolve registry.suse.com/bci/bci-base:15.7-5.8.29 0.5s done
#4 sha256:6214587832424e698c39451d71a5bdfffecbd8e26180f7eeb75ed53c1f1afe24 0B / 47.32MB 0.2s
#4 sha256:6214587832424e698c39451d71a5bdfffecbd8e26180f7eeb75ed53c1f1afe24 4.19MB / 47.32MB 1.1s
#4 sha256:6214587832424e698c39451d71a5bdfffecbd8e26180f7eeb75ed53c1f1afe24 9.44MB / 47.32MB 1.4s
#4 sha256:6214587832424e698c39451d71a5bdfffecbd8e26180f7eeb75ed53c1f1afe24 12.58MB / 47.32MB 1.5s
#4 sha256:6214587832424e698c39451d71a5bdfffecbd8e26180f7eeb75ed53c1f1afe24 17.83MB / 47.32MB 1.8s
#4 sha256:6214587832424e698c39451d71a5bdfffecbd8e26180f7eeb75ed53c1f1afe24 20.97MB / 47.32MB 2.0s
#4 sha256:6214587832424e698c39451d71a5bdfffecbd8e26180f7eeb75ed53c1f1afe24 25.17MB / 47.32MB 2.1s
#4 sha256:6214587832424e698c39451d71a5bdfffecbd8e26180f7eeb75ed53c1f1afe24 29.36MB / 47.32MB 2.3s
#4 sha256:6214587832424e698c39451d71a5bdfffecbd8e26180f7eeb75ed53c1f1afe24 32.51MB / 47.32MB 2.4s
#4 sha256:6214587832424e698c39451d71a5bdfffecbd8e26180f7eeb75ed53c1f1afe24 36.70MB / 47.32MB 2.7s
#4 sha256:6214587832424e698c39451d71a5bdfffecbd8e26180f7eeb75ed53c1f1afe24 41.94MB / 47.32MB 3.1s
#4 sha256:6214587832424e698c39451d71a5bdfffecbd8e26180f7eeb75ed53c1f1afe24 45.09MB / 47.32MB 3.2s
#4 DONE 4.0s
#3 docker-image://registry.suse.com/bci/bci-base:15.7
#3 sha256:fac9e2e2ef7e07e3cedb5c7a5ab10cab361f7d203ad95ea27b7210dcffe8824c 46.91MB / 46.91MB 2.7s done
#3 extracting sha256:fac9e2e2ef7e07e3cedb5c7a5ab10cab361f7d203ad95ea27b7210dcffe8824c
#3 extracting sha256:fac9e2e2ef7e07e3cedb5c7a5ab10cab361f7d203ad95ea27b7210dcffe8824c 1.6s done
#3 DONE 5.9s
#4 docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29
#4 extracting sha256:6214587832424e698c39451d71a5bdfffecbd8e26180f7eeb75ed53c1f1afe24
#4 extracting sha256:6214587832424e698c39451d71a5bdfffecbd8e26180f7eeb75ed53c1f1afe24 1.3s done
#4 DONE 5.3s
#5 /bin/sh -c
if ! [[ -e "${COPA_RPM_DB_FILE}" ]]; then echo "RPM DB not found"; exit 1; fi
zypper --non-interactive refresh
zypper --non-interactive --installroot "${COPA_CHROOT_DIR}" up --no-recommends curl krb5 libbrotlicommon1 libbrotlidec1 libcurl4 libopenssl-3-fips-provider libopenssl3 libssh-config libssh4 openssl-3
zypper --installroot "${COPA_CHROOT_DIR}" clean --all
rm -rf "${COPA_CHROOT_DIR}"/var/cache/zypp/* "${COPA_CHROOT_DIR}"/var/log/zypp/*
rm -rf "${COPA_CHROOT_DIR}"/var/tmp/* "${COPA_CHROOT_DIR}"/usr/share/doc/packages/*
rpm --dbpath "${COPA_CHROOT_DIR}"/var/lib/rpm -qa --qf="%{NAME}\t%{VERSION}-%{RELEASE}\t%{ARCH}\n" curl krb5 libbrotlicommon1 libbrotlidec1 libcurl4 libopenssl-3-fips-provider libopenssl3 libssh-config libssh4 openssl-3 > "${COPA_MANIFEST_FILE}"
#5 0.295 Refreshing service 'container-suseconnect-zypp'.
#5 0.305 Retrieving repository 'SLE_BCI' metadata [............done]
#5 1.209 Building repository 'SLE_BCI' cache [....done]
#5 1.460 All repositories have been refreshed.
#5 1.566 Refreshing service 'container-suseconnect-zypp'.
#5 1.576 Loading repository data...
#5 1.586 Reading installed packages...
#5 1.605 Resolving package dependencies...
#5 1.623
#5 1.624 The following 10 packages are going to be upgraded:
#5 1.624 curl krb5 libbrotlicommon1 libbrotlidec1 libcurl4 libopenssl-3-fips-provider libopenssl3 libssh-config libssh4 openssl-3
#5 1.624
#5 1.624 The following 10 packages are not supported by their vendor:
#5 1.624 curl krb5 libbrotlicommon1 libbrotlidec1 libcurl4 libopenssl-3-fips-provider libopenssl3 libssh-config libssh4 openssl-3
#5 1.624
#5 1.624 10 packages to upgrade.
#5 1.624
#5 1.624 Package download size: 6.3 MiB
#5 1.624
#5 1.624 Package install size change:
#5 1.624 | 15.9 MiB required by packages that will be installed
#5 1.624 -170.4 KiB | - 16.0 MiB released by packages that will be removed
#5 1.624
#5 1.624 Backend: classic_rpmtrans
#5 1.624 Continue? [y/n/v/...? shows all options] (y): y
#5 1.635
#5 1.635 Checking for file conflicts: [...done]
#5 1.636 Warning: 10 packages had to be excluded from file conflicts check because they are not yet downloaded.
#5 1.636
#5 1.636 Note: Checking for file conflicts requires not installed packages to be downloaded in advance in
#5 1.636 order to access their file lists. See option '--download-in-advance / --dry-run --download-only'
#5 1.636 in the zypper manual page for details.
#5 1.636
#5 1.649 Retrieving: libbrotlicommon1-1.0.7-150200.3.5.1.x86_64 (SLE_BCI) (1/10), 64.7 KiB
#5 1.651 Retrieving: libbrotlicommon1-1.0.7-150200.3.5.1.x86_64.rpm [..done]
#5 1.820 ( 1/10) Installing: libbrotlicommon1-1.0.7-150200.3.5.1.x86_64 [...done]
#5 2.648 Retrieving: libopenssl3-3.2.3-150700.5.21.1.x86_64 (SLE_BCI) (2/10), 2.0 MiB
#5 2.649 Retrieving: libopenssl3-3.2.3-150700.5.21.1.x86_64.rpm [...done (805.9 KiB/s)]
#5 2.929 ( 2/10) Installing: libopenssl3-3.2.3-150700.5.21.1.x86_64 [....done]
#5 3.909 Retrieving: openssl-3-3.2.3-150700.5.21.1.x86_64 (SLE_BCI) (3/10), 1.5 MiB
#5 3.911 Retrieving: openssl-3-3.2.3-150700.5.21.1.x86_64.rpm [..done (531.4 KiB/s)]
#5 4.048 ( 3/10) Installing: openssl-3-3.2.3-150700.5.21.1.x86_64 [.....done]
#5 4.967 Retrieving: libssh-config-0.9.8-150600.11.6.1.x86_64 (SLE_BCI) (4/10), 21.3 KiB
#5 4.968 Retrieving: libssh-config-0.9.8-150600.11.6.1.x86_64.rpm [.done]
#5 5.004 ( 4/10) Installing: libssh-config-0.9.8-150600.11.6.1.x86_64 [..done]
#5 5.040 Retrieving: libbrotlidec1-1.0.7-150200.3.5.1.x86_64 (SLE_BCI) (5/10), 29.8 KiB
#5 5.041 Retrieving: libbrotlidec1-1.0.7-150200.3.5.1.x86_64.rpm [.done]
#5 5.081 ( 5/10) Installing: libbrotlidec1-1.0.7-150200.3.5.1.x86_64 [...done]
#5 5.863 Retrieving: libopenssl-3-fips-provider-3.2.3-150700.5.21.1.x86_64 (SLE_BCI) (6/10), 709.0 KiB
#5 5.864 Retrieving: libopenssl-3-fips-provider-3.2.3-150700.5.21.1.x86_64.rpm [..done (303.7 KiB/s)]
#5 5.973 ( 6/10) Installing: libopenssl-3-fips-provider-3.2.3-150700.5.21.1.x86_64 [..done]
#5 6.037 Retrieving: krb5-1.20.1-150600.11.14.1.x86_64 (SLE_BCI) (7/10), 635.8 KiB
#5 6.038 Retrieving: krb5-1.20.1-150600.11.14.1.x86_64.rpm [.done]
#5 6.129 ( 7/10) Installing: krb5-1.20.1-150600.11.14.1.x86_64 [.....done]
#5 7.025 Retrieving: libssh4-0.9.8-150600.11.6.1.x86_64 (SLE_BCI) (8/10), 191.5 KiB
#5 7.026 Retrieving: libssh4-0.9.8-150600.11.6.1.x86_64.rpm [.done]
#5 7.102 ( 8/10) Installing: libssh4-0.9.8-150600.11.6.1.x86_64 [...done]
#5 7.893 Retrieving: libcurl4-8.14.1-150700.7.2.1.x86_64 (SLE_BCI) (9/10), 600.1 KiB
#5 7.894 Retrieving: libcurl4-8.14.1-150700.7.2.1.x86_64.rpm [..done (512.2 KiB/s)]
#5 7.999 ( 9/10) Installing: libcurl4-8.14.1-150700.7.2.1.x86_64 [...done]
#5 8.815 Retrieving: curl-8.14.1-150700.7.2.1.x86_64 (SLE_BCI) (10/10), 546.6 KiB
#5 8.817 Retrieving: curl-8.14.1-150700.7.2.1.x86_64.rpm [.done]
#5 8.899 (10/10) Installing: curl-8.14.1-150700.7.2.1.x86_64 [..done]
#5 9.029 All repositories have been cleaned up.
#5 DONE 9.6s
DEBU[0023] Required updates: [{curl 8.14.1-150600.4.28.1 } {krb5 1.20.1-150600.11.14.1 } {libbrotlicommon1 1.0.7-150200.3.5.1 } {libbrotlidec1 1.0.7-150200.3.5.1 } {libcurl4 8.14.1-150600.4.28.1 } {libopenssl-3-fips-provider 3.2.3-150700.5.21.1 } {libopenssl3 3.2.3-150700.5.21.1 } {libssh-config 0.9.8-150600.11.6.1 } {libssh4 0.9.8-150600.11.6.1 } {openssl-3 3.2.3-150700.5.21.1 }]
DEBU[0023] Resulting updates: [curl 8.14.1-150700.7.2.1 x86_64 krb5 1.20.1-150600.11.14.1 x86_64 libbrotlicommon1 1.0.7-150200.3.5.1 x86_64 libbrotlidec1 1.0.7-150200.3.5.1 x86_64 libcurl4 8.14.1-150700.7.2.1 x86_64 libopenssl-3-fips-provider 3.2.3-150700.5.21.1 x86_64 libopenssl3 3.2.3-150700.5.21.1 x86_64 libssh-config 0.9.8-150600.11.6.1 x86_64 libssh4 0.9.8-150600.11.6.1 x86_64 openssl-3 3.2.3-150700.5.21.1 x86_64]
INFO[0023] Validated package curl version 8.14.1-150700.7.2.1 meets requested version 8.14.1-150600.4.28.1
INFO[0023] Validated package krb5 version 1.20.1-150600.11.14.1 meets requested version 1.20.1-150600.11.14.1
INFO[0023] Validated package libbrotlicommon1 version 1.0.7-150200.3.5.1 meets requested version 1.0.7-150200.3.5.1
INFO[0023] Validated package libbrotlidec1 version 1.0.7-150200.3.5.1 meets requested version 1.0.7-150200.3.5.1
INFO[0023] Validated package libcurl4 version 8.14.1-150700.7.2.1 meets requested version 8.14.1-150600.4.28.1
INFO[0023] Validated package libopenssl-3-fips-provider version 3.2.3-150700.5.21.1 meets requested version 3.2.3-150700.5.21.1
INFO[0023] Validated package libopenssl3 version 3.2.3-150700.5.21.1 meets requested version 3.2.3-150700.5.21.1
INFO[0023] Validated package libssh-config version 0.9.8-150600.11.6.1 meets requested version 0.9.8-150600.11.6.1
INFO[0023] Validated package libssh4 version 0.9.8-150600.11.6.1 meets requested version 0.9.8-150600.11.6.1
INFO[0023] Validated package openssl-3 version 3.2.3-150700.5.21.1 meets requested version 3.2.3-150700.5.21.1
DEBU[0023] No language-specific updates found in the manifest.
#6 rm /tmp/manifest
#6 DONE 0.1s
#7 diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (rm /tmp/manifest)
#7 DONE 0.1s
#8 diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (merge (diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (rm /tmp/manifest), rm /tmp/manifest))
#8 DONE 0.0s
#9 merge (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29, diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (merge (diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (rm /tmp/manifest), rm /tmp/manifest)))
#9 DONE 0.0s
#10 merge (diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (rm /tmp/manifest), rm /tmp/manifest)
#10 merging
#10 merging 0.5s done
#10 DONE 0.6s
#11 exporting to docker image format
#11 exporting layers
#11 exporting layers 1.6s done
#11 exporting manifest sha256:6e773737dce487c6f4f46f55894b8bef2958ce41a7dac8176f41d406b0b7aac7
#11 exporting manifest sha256:6e773737dce487c6f4f46f55894b8bef2958ce41a7dac8176f41d406b0b7aac7 0.0s done
#11 exporting config sha256:25e6ea952dab0ffc22c1c3919ec4e61e06d654a67b062d2f3bffb6aa53ff6f51 0.1s done
#11 sending tarball
#11 sending tarball 1.9s done
#11 DONE 3.5s
DEBU[0027] stopping session
------
> docker-image://ghcr.io/project-copacetic/copacetic/bci/bci-base:15.7:
------
DEBU[0027] ImageLoad response stream: {"stream":"Loaded image: registry.suse.com/bci/bci-base:15.7-5.8.29-patched\n"}
INFO[0027] image loaded successfully via Docker API
DEBU[0027] Attempting to get local image descriptor for registry.suse.com/bci/bci-base:15.7-5.8.29-patched using runtime docker
INFO[0027] found local image descriptor for registry.suse.com/bci/bci-base:15.7-5.8.29-patched via docker
DEBU[0029] Patched image name: registry.suse.com/bci/bci-base:15.7-5.8.29-patched
WARN[0029] --debug specified, working folder at /tmp/copa-3417719153 needs to be manually cleaned up
INFO[0029] Patched image (linux/amd64): registry.suse.com/bci/bci-base:15.7-5.8.29-patched
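Added example, not part of the PR or of copa's code: the log above reports `curl` as validated because the installed release `150700.7.2.1` is newer than the requested `150600.4.28.1`, which only holds under RPM's segment-wise ordering and not under plain string comparison. The sketch below implements that ordering and checks a manifest in the `NAME\tVERSION-RELEASE\tARCH` format written by the `rpm -qa --qf` call against the required fix versions. The function names are hypothetical, and the `libssh4` manifest row is constructed to show a fix that was not applied.

```go
package main

import (
	"fmt"
	"strings"
)

func isDigit(c byte) bool { return c >= '0' && c <= '9' }
func isAlpha(c byte) bool { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') }
func isSep(c byte) bool   { return !isDigit(c) && !isAlpha(c) && c != '~' && c != '^' }

// span splits s into its longest prefix whose bytes satisfy pred, and the rest.
func span(s string, pred func(byte) bool) (string, string) {
	i := 0
	for i < len(s) && pred(s[i]) {
		i++
	}
	return s[:i], s[i:]
}

// rpmvercmp orders two version (or release) strings the way RPM does:
// -1 if a is older, 0 if equal, 1 if a is newer.
func rpmvercmp(a, b string) int {
	for a != "" || b != "" {
		_, a = span(a, isSep)
		_, b = span(b, isSep)
		ta, tb := strings.HasPrefix(a, "~"), strings.HasPrefix(b, "~")
		if ta || tb { // '~' sorts before everything, even end of string
			if !ta {
				return 1
			}
			if !tb {
				return -1
			}
			a, b = a[1:], b[1:]
			continue
		}
		ca, cb := strings.HasPrefix(a, "^"), strings.HasPrefix(b, "^")
		if ca || cb { // '^' sorts after end of string, before any other segment
			switch {
			case a == "":
				return -1
			case b == "":
				return 1
			case !ca:
				return 1
			case !cb:
				return -1
			}
			a, b = a[1:], b[1:]
			continue
		}
		if a == "" || b == "" {
			break
		}
		numeric, pred := isDigit(a[0]), isAlpha
		if numeric {
			pred = isDigit
		}
		var sa, sb string
		sa, a = span(a, pred)
		sb, b = span(b, pred)
		if sb == "" { // segment types differ: a numeric segment is newer
			if numeric {
				return 1
			}
			return -1
		}
		if numeric { // compare as integers of arbitrary length
			sa, sb = strings.TrimLeft(sa, "0"), strings.TrimLeft(sb, "0")
			if len(sa) != len(sb) {
				if len(sa) > len(sb) {
					return 1
				}
				return -1
			}
		}
		if c := strings.Compare(sa, sb); c != 0 {
			return c
		}
	}
	switch {
	case a == "" && b == "":
		return 0
	case a != "":
		return 1
	}
	return -1
}

// compareVR compares "VERSION-RELEASE" strings (no epoch, as in the manifest).
func compareVR(a, b string) int {
	av, ar, _ := strings.Cut(a, "-")
	bv, br, _ := strings.Cut(b, "-")
	if c := rpmvercmp(av, bv); c != 0 {
		return c
	}
	return rpmvercmp(ar, br)
}

type pkg struct{ name, vr string }

// unmetFixes returns the required packages that are missing from the
// manifest or installed at a version older than the required fix.
func unmetFixes(required []pkg, manifest string) []string {
	installed := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		if f := strings.Split(line, "\t"); len(f) == 3 {
			installed[f[0]] = f[1]
		}
	}
	var unmet []string
	for _, r := range required {
		if got, ok := installed[r.name]; !ok || compareVR(got, r.vr) < 0 {
			unmet = append(unmet, r.name)
		}
	}
	return unmet
}

// Required versions are taken from the log; the libssh4 manifest row is constructed.
var sampleRequired = []pkg{{"curl", "8.14.1-150600.4.28.1"}, {"krb5", "1.20.1-150600.11.14.1"}, {"libssh4", "0.9.8-150600.11.6.1"}}

const sampleManifest = "curl\t8.14.1-150700.7.2.1\tx86_64\nkrb5\t1.20.1-150600.11.14.1\tx86_64\nlibssh4\t0.9.8-150600.11.3.1\tx86_64\n"

func main() {
	fmt.Println("fixes not applied:", unmetFixes(sampleRequired, sampleManifest))
}
```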
@ashnamehrotra I generated one Trivy report for each of the supported archs:
vm:~# tree reports/
reports/
├── scan-amd64.json
├── scan-arm64.json
├── scan-ppc64le.json
└── scan-s390x.json
0 directories, 4 files
And copa was able to find the supported archs:
vm:~# /home/user/fork-copacetic/copacetic patch -i registry.suse.com/bci/bci-base:15.7-5.8.29 --debug -r reports/ --debug
DEBU[0000] Using report directory: reports/
DEBU[0000] Handling platform specific errors with ignore-errors=false
DEBU[0002] Discovered platforms from manifest platforms="[linux/amd64 linux/arm64 linux/ppc64le linux/s390x]"
DEBU[0002] Discovered platforms from report platforms="[linux/amd64 linux/arm64 linux/ppc64le linux/s390x]"
DEBU[0002] Host platform {Architecture:amd64 OS:linux OSVersion: OSFeatures:[] Variant:} does not match target platform linux/s390x
DEBU[0002] Host platform {Architecture:amd64 OS:linux OSVersion: OSFeatures:[] Variant:} matches target platform linux/amd64
INFO[0002] Patched image name: registry.suse.com/bci/bci-base:15.7-5.8.29-patched-amd64
The final build failed for me, because s390x emulation isn't working on my side, but this is another problem.
Can you please confirm if I correctly followed the steps that you took and that failed for you?
@ashnamehrotra locally I cannot build for s390x and ppc64le, but in general the multiarch patch is working for me. I cannot reproduce the error that you mentioned.
Full logs
vm:~# /home/user/fork-copacetic/copacetic patch -i registry.suse.com/bci/bci-base:15.7-5.8.29 --debug -r reports/ --debug
DEBU[0000] Using report directory: reports/
DEBU[0000] Handling platform specific errors with ignore-errors=false
DEBU[0002] Discovered platforms from manifest platforms="[linux/amd64 linux/arm64 linux/ppc64le linux/s390x]"
DEBU[0002] Discovered platforms from report platforms="[linux/amd64 linux/arm64]"
DEBU[0002] No report found for platform linux/ppc64le, preserving original
DEBU[0002] No report found for platform linux/s390x, preserving original
INFO[0002] Platform linux/s390x marked for preservation, preserving original in manifest
DEBU[0003] Host platform {Architecture:amd64 OS:linux OSVersion: OSFeatures:[] Variant:} matches target platform linux/amd64
INFO[0003] Patched image name: registry.suse.com/bci/bci-base:15.7-5.8.29-patched-amd64
DEBU[0003] Filtering out library updates based on pkg-types: [os]
DEBU[0003] Filtered updates to apply: OS=10, Lang=0
DEBU[0003] updates to apply: &{{{sles 15.7} {amd64 }} [{curl 8.6.0-150600.4.21.1 8.14.1-150600.4.28.1 SUSE-SU-2025:03198-1 sles os-pkgs} {krb5 1.20.1-150600.11.11.2 1.20.1-150600.11.14.1 SUSE-SU-2025:3699-1 sles os-pkgs} {libbrotlicommon1 1.0.7-3.3.1 1.0.7-150200.3.5.1 SUSE-SU-2025:03268-1 sles os-pkgs} {libbrotlidec1 1.0.7-3.3.1 1.0.7-150200.3.5.1 SUSE-SU-2025:03268-1 sles os-pkgs} {libcurl4 8.6.0-150600.4.21.1 8.14.1-150600.4.28.1 SUSE-SU-2025:03198-1 sles os-pkgs} {libopenssl-3-fips-provider 3.2.3-150700.5.18.1 3.2.3-150700.5.21.1 SUSE-SU-2025:03546-1 sles os-pkgs} {libopenssl3 3.2.3-150700.5.18.1 3.2.3-150700.5.21.1 SUSE-SU-2025:03546-1 sles os-pkgs} {libssh-config 0.9.8-150600.11.3.1 0.9.8-150600.11.6.1 SUSE-SU-2025:03369-1 sles os-pkgs} {libssh4 0.9.8-150600.11.3.1 0.9.8-150600.11.6.1 SUSE-SU-2025:03369-1 sles os-pkgs} {openssl-3 3.2.3-150700.5.18.1 3.2.3-150700.5.21.1 SUSE-SU-2025:03546-1 sles os-pkgs}] []}
DEBU[0003] Trying docker driver
DEBU[0003] serving grpc connection
DEBU[0003] stopping session
DEBU[0003] Image name has tag or digest, using registry.suse.com/bci/bci-base:15.7-5.8.29 as tag
DEBU[0003] local media type found for registry.suse.com/bci/bci-base:15.7-5.8.29 using : application/vnd.docker.distribution.manifest.list.v2+json
WARN[0003] resolved media type is Docker
DEBU[0003] serving grpc connection
#1 resolve image config for docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29
DEBU[0004] Loading image stream using Docker API client
#1 DONE 1.7s
DEBU[0005] latest unique RPMs: [{curl 8.14.1-150600.4.28.1 } {krb5 1.20.1-150600.11.14.1 } {libbrotlicommon1 1.0.7-150200.3.5.1 } {libbrotlidec1 1.0.7-150200.3.5.1 } {libcurl4 8.14.1-150600.4.28.1 } {libopenssl-3-fips-provider 3.2.3-150700.5.21.1 } {libopenssl3 3.2.3-150700.5.21.1 } {libssh-config 0.9.8-150600.11.6.1 } {libssh4 0.9.8-150600.11.6.1 } {openssl-3 3.2.3-150700.5.21.1 }]
DEBU[0005] Using bci/bci-base:15.7 as basis for tooling image
#2 docker-image://ghcr.io/project-copacetic/copacetic/bci/bci-base:15.7
#2 resolve ghcr.io/project-copacetic/copacetic/bci/bci-base:15.7
#2 resolve ghcr.io/project-copacetic/copacetic/bci/bci-base:15.7 0.4s done
#2 ERROR: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://ghcr.io/token?scope=repository%3Aproject-copacetic%2Fcopacetic%2Fbci%2Fbci-base%3Apull&service=ghcr.io: 403 Forbidden
DEBU[0006] Using bci/bci-base:15.7 as basis for tooling image
#3 docker-image://registry.suse.com/bci/bci-base:15.7
#3 resolve registry.suse.com/bci/bci-base:15.7
#3 resolve registry.suse.com/bci/bci-base:15.7 0.4s done
#3 DONE 0.4s
#3 docker-image://registry.suse.com/bci/bci-base:15.7
#3 CACHED
#1 resolve image config for docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29
#1 DONE 2.2s
DEBU[0007] Required updates: [{curl 8.14.1-150600.4.28.1 } {krb5 1.20.1-150600.11.14.1 } {libbrotlicommon1 1.0.7-150200.3.5.1 } {libbrotlidec1 1.0.7-150200.3.5.1 } {libcurl4 8.14.1-150600.4.28.1 } {libopenssl-3-fips-provider 3.2.3-150700.5.21.1 } {libopenssl3 3.2.3-150700.5.21.1 } {libssh-config 0.9.8-150600.11.6.1 } {libssh4 0.9.8-150600.11.6.1 } {openssl-3 3.2.3-150700.5.21.1 }]
DEBU[0007] Resulting updates: [curl 8.14.1-150700.7.2.1 x86_64 krb5 1.20.1-150600.11.14.1 x86_64 libbrotlicommon1 1.0.7-150200.3.5.1 x86_64 libbrotlidec1 1.0.7-150200.3.5.1 x86_64 libcurl4 8.14.1-150700.7.2.1 x86_64 libopenssl-3-fips-provider 3.2.3-150700.5.21.1 x86_64 libopenssl3 3.2.3-150700.5.21.1 x86_64 libssh-config 0.9.8-150600.11.6.1 x86_64 libssh4 0.9.8-150600.11.6.1 x86_64 openssl-3 3.2.3-150700.5.21.1 x86_64]
INFO[0007] Validated package curl version 8.14.1-150700.7.2.1 meets requested version 8.14.1-150600.4.28.1
INFO[0007] Validated package krb5 version 1.20.1-150600.11.14.1 meets requested version 1.20.1-150600.11.14.1
INFO[0007] Validated package libbrotlicommon1 version 1.0.7-150200.3.5.1 meets requested version 1.0.7-150200.3.5.1
INFO[0007] Validated package libbrotlidec1 version 1.0.7-150200.3.5.1 meets requested version 1.0.7-150200.3.5.1
INFO[0007] Validated package libcurl4 version 8.14.1-150700.7.2.1 meets requested version 8.14.1-150600.4.28.1
INFO[0007] Validated package libopenssl-3-fips-provider version 3.2.3-150700.5.21.1 meets requested version 3.2.3-150700.5.21.1
INFO[0007] Validated package libopenssl3 version 3.2.3-150700.5.21.1 meets requested version 3.2.3-150700.5.21.1
INFO[0007] Validated package libssh-config version 0.9.8-150600.11.6.1 meets requested version 0.9.8-150600.11.6.1
INFO[0007] Validated package libssh4 version 0.9.8-150600.11.6.1 meets requested version 0.9.8-150600.11.6.1
INFO[0007] Validated package openssl-3 version 3.2.3-150700.5.21.1 meets requested version 3.2.3-150700.5.21.1
DEBU[0007] No language-specific updates found in the manifest.
#4 docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29
#4 resolve registry.suse.com/bci/bci-base:15.7-5.8.29 0.0s done
#4 DONE 0.0s
#5 /bin/sh -c
if ! [[ -e "${COPA_RPM_DB_FILE}" ]]; then echo "RPM DB not found"; exit 1; fi
zypper --non-interactive refresh
zypper --non-interactive --installroot "${COPA_CHROOT_DIR}" up --no-recommends curl krb5 libbrotlicommon1 libbrotlidec1 libcurl4 libopenssl-3-fips-provider libopenssl3 libssh-config libssh4 openssl-3
zypper --installroot "${COPA_CHROOT_DIR}" clean --all
rm -rf "${COPA_CHROOT_DIR}"/var/cache/zypp/* "${COPA_CHROOT_DIR}"/var/log/zypp/*
rm -rf "${COPA_CHROOT_DIR}"/var/tmp/* "${COPA_CHROOT_DIR}"/usr/share/doc/packages/*
rpm --dbpath "${COPA_CHROOT_DIR}"/var/lib/rpm -qa --qf="%{NAME}\t%{VERSION}-%{RELEASE}\t%{ARCH}\n" curl krb5 libbrotlicommon1 libbrotlidec1 libcurl4 libopenssl-3-fips-provider libopenssl3 libssh-config libssh4 openssl-3 > "${COPA_MANIFEST_FILE}"
#5 CACHED
#6 rm /tmp/manifest
#6 CACHED
#7 merge (diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (rm /tmp/manifest), rm /tmp/manifest)
#7 CACHED
#8 diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (merge (diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (rm /tmp/manifest), rm /tmp/manifest))
#8 CACHED
#9 diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (rm /tmp/manifest)
#9 CACHED
#10 merge (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29, diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (merge (diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (rm /tmp/manifest), rm /tmp/manifest)))
#10 CACHED
#11 exporting to docker image format
#11 exporting layers done
#11 exporting manifest sha256:9e22a17b607ce573459722762ac9c1119940565876317abc45eac24d18c91f8b 0.0s done
#11 exporting config sha256:25e6ea952dab0ffc22c1c3919ec4e61e06d654a67b062d2f3bffb6aa53ff6f51 done
#11 sending tarball
#11 sending tarball 2.1s done
#11 DONE 2.2s
DEBU[0009] ImageLoad response stream: {"stream":"Loaded image: registry.suse.com/bci/bci-base:15.7-5.8.29-patched-amd64\n"}
INFO[0009] image loaded successfully via Docker API
DEBU[0009] stopping session
------
> docker-image://ghcr.io/project-copacetic/copacetic/bci/bci-base:15.7:
------
DEBU[0009] Attempting to get local image descriptor for registry.suse.com/bci/bci-base:15.7-5.8.29-patched-amd64 using runtime docker
INFO[0009] found local image descriptor for registry.suse.com/bci/bci-base:15.7-5.8.29-patched-amd64 via docker
DEBU[0010] Patched image name: registry.suse.com/bci/bci-base:15.7-5.8.29-patched-amd64
WARN[0010] --debug specified, working folder at /tmp/copa-2553181733 needs to be manually cleaned up
DEBU[0010] Host platform {Architecture:amd64 OS:linux OSVersion: OSFeatures:[] Variant:} does not match target platform linux/arm64
DEBU[0010] Emulation is enabled for platform linux/arm64
INFO[0010] Patched image name: registry.suse.com/bci/bci-base:15.7-5.8.29-patched-arm64
DEBU[0010] Filtering out library updates based on pkg-types: [os]
DEBU[0010] Filtered updates to apply: OS=10, Lang=0
DEBU[0010] updates to apply: &{{{sles 15.7} {arm64 }} [{curl 8.6.0-150600.4.21.1 8.14.1-150600.4.28.1 SUSE-SU-2025:03198-1 sles os-pkgs} {krb5 1.20.1-150600.11.11.2 1.20.1-150600.11.14.1 SUSE-SU-2025:3699-1 sles os-pkgs} {libbrotlicommon1 1.0.7-3.3.1 1.0.7-150200.3.5.1 SUSE-SU-2025:03268-1 sles os-pkgs} {libbrotlidec1 1.0.7-3.3.1 1.0.7-150200.3.5.1 SUSE-SU-2025:03268-1 sles os-pkgs} {libcurl4 8.6.0-150600.4.21.1 8.14.1-150600.4.28.1 SUSE-SU-2025:03198-1 sles os-pkgs} {libopenssl-3-fips-provider 3.2.3-150700.5.18.1 3.2.3-150700.5.21.1 SUSE-SU-2025:03546-1 sles os-pkgs} {libopenssl3 3.2.3-150700.5.18.1 3.2.3-150700.5.21.1 SUSE-SU-2025:03546-1 sles os-pkgs} {libssh-config 0.9.8-150600.11.3.1 0.9.8-150600.11.6.1 SUSE-SU-2025:03369-1 sles os-pkgs} {libssh4 0.9.8-150600.11.3.1 0.9.8-150600.11.6.1 SUSE-SU-2025:03369-1 sles os-pkgs} {openssl-3 3.2.3-150700.5.18.1 3.2.3-150700.5.21.1 SUSE-SU-2025:03546-1 sles os-pkgs}] []}
DEBU[0010] Trying docker driver
DEBU[0010] serving grpc connection
DEBU[0011] stopping session
DEBU[0011] Image name has tag or digest, using registry.suse.com/bci/bci-base:15.7-5.8.29 as tag
DEBU[0011] local media type found for registry.suse.com/bci/bci-base:15.7-5.8.29 using : application/vnd.docker.distribution.manifest.list.v2+json
WARN[0011] resolved media type is Docker
DEBU[0011] serving grpc connection
#1 resolve image config for docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29
DEBU[0011] Loading image stream using Docker API client
#1 DONE 0.5s
DEBU[0011] latest unique RPMs: [{curl 8.14.1-150600.4.28.1 } {krb5 1.20.1-150600.11.14.1 } {libbrotlicommon1 1.0.7-150200.3.5.1 } {libbrotlidec1 1.0.7-150200.3.5.1 } {libcurl4 8.14.1-150600.4.28.1 } {libopenssl-3-fips-provider 3.2.3-150700.5.21.1 } {libopenssl3 3.2.3-150700.5.21.1 } {libssh-config 0.9.8-150600.11.6.1 } {libssh4 0.9.8-150600.11.6.1 } {openssl-3 3.2.3-150700.5.21.1 }]
DEBU[0011] Using bci/bci-base:15.7 as basis for tooling image
#2 docker-image://ghcr.io/project-copacetic/copacetic/bci/bci-base:15.7
#2 resolve ghcr.io/project-copacetic/copacetic/bci/bci-base:15.7
#2 resolve ghcr.io/project-copacetic/copacetic/bci/bci-base:15.7 0.2s done
#2 ERROR: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://ghcr.io/token?scope=repository%3Aproject-copacetic%2Fcopacetic%2Fbci%2Fbci-base%3Apull&service=ghcr.io: 403 Forbidden
DEBU[0011] Using bci/bci-base:15.7 as basis for tooling image
#3 docker-image://registry.suse.com/bci/bci-base:15.7
#3 resolve registry.suse.com/bci/bci-base:15.7
#3 resolve registry.suse.com/bci/bci-base:15.7 0.5s done
#3 DONE 0.6s
#3 docker-image://registry.suse.com/bci/bci-base:15.7
#3 CACHED
#1 resolve image config for docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29
#1 DONE 1.0s
DEBU[0012] Required updates: [{curl 8.14.1-150600.4.28.1 } {krb5 1.20.1-150600.11.14.1 } {libbrotlicommon1 1.0.7-150200.3.5.1 } {libbrotlidec1 1.0.7-150200.3.5.1 } {libcurl4 8.14.1-150600.4.28.1 } {libopenssl-3-fips-provider 3.2.3-150700.5.21.1 } {libopenssl3 3.2.3-150700.5.21.1 } {libssh-config 0.9.8-150600.11.6.1 } {libssh4 0.9.8-150600.11.6.1 } {openssl-3 3.2.3-150700.5.21.1 }]
DEBU[0012] Resulting updates: [curl 8.14.1-150700.7.2.1 aarch64 krb5 1.20.1-150600.11.14.1 aarch64 libbrotlicommon1 1.0.7-150200.3.5.1 aarch64 libbrotlidec1 1.0.7-150200.3.5.1 aarch64 libcurl4 8.14.1-150700.7.2.1 aarch64 libopenssl-3-fips-provider 3.2.3-150700.5.21.1 aarch64 libopenssl3 3.2.3-150700.5.21.1 aarch64 libssh-config 0.9.8-150600.11.6.1 aarch64 libssh4 0.9.8-150600.11.6.1 aarch64 openssl-3 3.2.3-150700.5.21.1 aarch64]
INFO[0012] Validated package curl version 8.14.1-150700.7.2.1 meets requested version 8.14.1-150600.4.28.1
INFO[0012] Validated package krb5 version 1.20.1-150600.11.14.1 meets requested version 1.20.1-150600.11.14.1
INFO[0012] Validated package libbrotlicommon1 version 1.0.7-150200.3.5.1 meets requested version 1.0.7-150200.3.5.1
INFO[0012] Validated package libbrotlidec1 version 1.0.7-150200.3.5.1 meets requested version 1.0.7-150200.3.5.1
INFO[0012] Validated package libcurl4 version 8.14.1-150700.7.2.1 meets requested version 8.14.1-150600.4.28.1
INFO[0012] Validated package libopenssl-3-fips-provider version 3.2.3-150700.5.21.1 meets requested version 3.2.3-150700.5.21.1
INFO[0012] Validated package libopenssl3 version 3.2.3-150700.5.21.1 meets requested version 3.2.3-150700.5.21.1
INFO[0012] Validated package libssh-config version 0.9.8-150600.11.6.1 meets requested version 0.9.8-150600.11.6.1
INFO[0012] Validated package libssh4 version 0.9.8-150600.11.6.1 meets requested version 0.9.8-150600.11.6.1
INFO[0012] Validated package openssl-3 version 3.2.3-150700.5.21.1 meets requested version 3.2.3-150700.5.21.1
DEBU[0012] No language-specific updates found in the manifest.
#4 docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29
#4 resolve registry.suse.com/bci/bci-base:15.7-5.8.29 0.0s done
#4 DONE 0.0s
#5 /bin/sh -c
if ! [[ -e "${COPA_RPM_DB_FILE}" ]]; then echo "RPM DB not found"; exit 1; fi
zypper --non-interactive refresh
zypper --non-interactive --installroot "${COPA_CHROOT_DIR}" up --no-recommends curl krb5 libbrotlicommon1 libbrotlidec1 libcurl4 libopenssl-3-fips-provider libopenssl3 libssh-config libssh4 openssl-3
zypper --installroot "${COPA_CHROOT_DIR}" clean --all
rm -rf "${COPA_CHROOT_DIR}"/var/cache/zypp/* "${COPA_CHROOT_DIR}"/var/log/zypp/*
rm -rf "${COPA_CHROOT_DIR}"/var/tmp/* "${COPA_CHROOT_DIR}"/usr/share/doc/packages/*
rpm --dbpath "${COPA_CHROOT_DIR}"/var/lib/rpm -qa --qf="%{NAME}\t%{VERSION}-%{RELEASE}\t%{ARCH}\n" curl krb5 libbrotlicommon1 libbrotlidec1 libcurl4 libopenssl-3-fips-provider libopenssl3 libssh-config libssh4 openssl-3 > "${COPA_MANIFEST_FILE}"
#5 CACHED
#6 rm /tmp/manifest
#6 CACHED
#7 diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (rm /tmp/manifest)
#7 CACHED
#8 merge (diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (rm /tmp/manifest), rm /tmp/manifest)
#8 CACHED
#9 diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (merge (diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (rm /tmp/manifest), rm /tmp/manifest))
#9 CACHED
#10 merge (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29, diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (merge (diff (docker-image://registry.suse.com/bci/bci-base:15.7-5.8.29) -> (rm /tmp/manifest), rm /tmp/manifest)))
#10 CACHED
#11 exporting to docker image format
#11 exporting layers done
#11 exporting manifest sha256:806c23a6785e4c68479239f4790afce172f6344fe65c5be57440d7ed1bf835b5 0.0s done
#11 exporting config sha256:47361a7d198c6b5b1087a899018f886c929b2953706577064921e6e1fceac84d done
#11 sending tarball
#11 WARN: Requested platform "linux/amd64" does not match result platform "linux/arm64"
#11 sending tarball 2.1s done
#11 DONE 2.1s
DEBU[0015] ImageLoad response stream: {"stream":"Loaded image: registry.suse.com/bci/bci-base:15.7-5.8.29-patched-arm64\n"}
INFO[0015] image loaded successfully via Docker API
DEBU[0015] stopping session
------
> docker-image://ghcr.io/project-copacetic/copacetic/bci/bci-base:15.7:
------
DEBU[0015] Attempting to get local image descriptor for registry.suse.com/bci/bci-base:15.7-5.8.29-patched-arm64 using runtime docker
INFO[0015] found local image descriptor for registry.suse.com/bci/bci-base:15.7-5.8.29-patched-arm64 via docker
DEBU[0016] Patched image name: registry.suse.com/bci/bci-base:15.7-5.8.29-patched-arm64
WARN[0016] --debug specified, working folder at /tmp/copa-2571228213 needs to be manually cleaned up
INFO[0016] Platform linux/ppc64le marked for preservation, preserving original in manifest
INFO[0017] To push the individual architecture images, run:
INFO[0017] docker push registry.suse.com/bci/bci-base:15.7-5.8.29-patched-amd64
INFO[0017] docker push registry.suse.com/bci/bci-base:15.7-5.8.29-patched-arm64
INFO[0017] To create and push the multi-platform manifest, run:
INFO[0017] docker buildx imagetools create --tag registry.suse.com/bci/bci-base:15.7-5.8.29-patched registry.suse.com/bci/bci-base:15.7-5.8.29@sha256:e36d93d166dc1c3eb55779d54a4a8457aa47c6e9f588a0445589a36187624d99 registry.suse.com/bci/bci-base:15.7-5.8.29-patched-amd64 registry.suse.com/bci/bci-base:15.7-5.8.29-patched-arm64 registry.suse.com/bci/bci-base:15.7-5.8.29@sha256:7d35efa185de7f4c4d0c8aca27d0ae8938b296b87bfac3c9a625106f9d64263a
INFO[0017]
Multi-arch patch summary:
PLATFORM STATUS REFERENCE MESSAGE
linux/amd64 Patched registry.suse.com/bci/bci-base:15.7-5.8.29-patched-amd64 Successfully patched image (linux/amd64)
linux/arm64 Patched registry.suse.com/bci/bci-base:15.7-5.8.29-patched-arm64 Successfully patched image (linux/arm64)
linux/ppc64le Not Patched registry.suse.com/bci/bci-base:15.7-5.8.29 (original reference) Preserved original image (No Scan Report provided for platform)
linux/s390x Not Patched registry.suse.com/bci/bci-base:15.7-5.8.29 (original reference) Preserved original image (No Scan Report provided for platform)
@macedogm that command looks correct to me, but I am still seeing the same error when patching with the 2 platforms. Could it be because I am on an arm64 arch? How are you generating the trivy reports?
@ashnamehrotra I generated the Trivy reports for each arch by specifying the proper image digest:
> trivy i -f json -o scan-arm64.json registry.suse.com/bci/bci-base:15.7-5.8.29@sha256:0f8be128a31f25612dc4c03e7856383ec178426ebe87432f35ea3f24717701f9
> trivy i -f json -o scan-amd64.json registry.suse.com/bci/bci-base:15.7-5.8.29@sha256:6d58784f25ab2a6683cd03e5c220cdb204e4d82db4b49ea1b4635dbd52b60a5b
> trivy i -f json -o scan-ppc64le.json registry.suse.com/bci/bci-base:15.7-5.8.29@sha256:7d35efa185de7f4c4d0c8aca27d0ae8938b296b87bfac3c9a625106f9d64263a
> trivy i -f json -o scan-s390x.json registry.suse.com/bci/bci-base:15.7-5.8.29@sha256:e36d93d166dc1c3eb55779d54a4a8457aa47c6e9f588a0445589a36187624d99
How did you generate yours?
I'll test this on an arm64 VM.
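The per-architecture scan step discussed above, as an added example that is not part of the thread or of copa's own code: it derives one digest-pinned `trivy` command per platform from a manifest list, so each report describes exactly the image that will be patched for that architecture. `ScanCommands` and `sampleIndex` are hypothetical names; the JSON is a constructed, trimmed manifest list of the kind `docker buildx imagetools inspect --raw` prints, reusing the digests quoted in the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: trimmed manifest list. Platform digests are the ones quoted
// in the thread; the last entry is a made-up attestation stub that is not scanned.
const sampleIndex = `{"manifests": [
 {"digest": "sha256:6d58784f25ab2a6683cd03e5c220cdb204e4d82db4b49ea1b4635dbd52b60a5b", "platform": {"architecture": "amd64", "os": "linux"}},
 {"digest": "sha256:0f8be128a31f25612dc4c03e7856383ec178426ebe87432f35ea3f24717701f9", "platform": {"architecture": "arm64", "os": "linux"}},
 {"digest": "sha256:7d35efa185de7f4c4d0c8aca27d0ae8938b296b87bfac3c9a625106f9d64263a", "platform": {"architecture": "ppc64le", "os": "linux"}},
 {"digest": "sha256:e36d93d166dc1c3eb55779d54a4a8457aa47c6e9f588a0445589a36187624d99", "platform": {"architecture": "s390x", "os": "linux"}},
 {"digest": "sha256:constructed-placeholder", "platform": {"architecture": "unknown", "os": "unknown"}}]}`

type entry struct {
	Digest   string `json:"digest"`
	Platform struct{ Architecture string `json:"architecture"` } `json:"platform"`
}

// ScanCommands (hypothetical helper) returns one digest-pinned trivy command per architecture.
func ScanCommands(ref string, rawIndex []byte) (map[string]string, error) {
	var idx struct{ Manifests []entry `json:"manifests"` }
	if err := json.Unmarshal(rawIndex, &idx); err != nil {
		return nil, fmt.Errorf("parse manifest list: %w", err)
	}
	cmds := make(map[string]string)
	for _, m := range idx.Manifests {
		arch := m.Platform.Architecture
		if arch == "" || arch == "unknown" {
			continue // attestation or similar entry, not a runnable platform
		}
		if _, dup := cmds[arch]; dup {
			return nil, fmt.Errorf("%s listed twice; refusing to pick a digest", arch)
		}
		cmds[arch] = fmt.Sprintf("trivy i -f json -o scan-%s.json %s@%s", arch, ref, m.Digest)
	}
	return cmds, nil
}

func main() {
	cmds, err := ScanCommands("registry.suse.com/bci/bci-base:15.7-5.8.29", []byte(sampleIndex))
	fmt.Println(len(cmds), "commands, error:", err)
	for _, c := range cmds {
		fmt.Println(c)
	}
}
```

Platforms that get no report are left unpatched, as the `No Scan Report provided for platform` rows in the summary above show for ppc64le and s390x.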