[ECR] [request]: support cache manifest #876
Comments
|
BuildKit 0.8 will default to using an OCI media type for its caches (see moby/buildkit#1746) which I assume should make this work, but I haven't tested it myself. |
|
It still doesn't work with recently released buildkit 0.8.0 |
|
I am seeing the same error on buildkit 0.8.0 even when setting oci-mediatypes explicitly to true: Deamon logs: |
|
Also seeing this for private repos, although it doesn't seem to be an issue with public ECR repos.. |
|
Is there a timeframe for this feature request available? This could help to tremendously speed up CI builds. |
|
We have been experimenting with this buildkit feature for some time now and it works wonders. |
|
Any indication as to if/when this will ever be available? Using buildkit would really improve our CI build times |
|
One year passed and still nothing 😔 |
|
We'd really like to see support of this with ECR private repos 🙏 As of today, it still does not work: |
|
Yes please! |
|
Can we get any kind of communications on this? |
|
Is there any workaround available? |
|
For the teams using Github but wishing to keep images in ECR, it is possible to leverage the cache manifest support from Github Container Registry (GHCR) and push the image to ECR at the same time. When pushing to ECR, only new layers get pushed. Github Actions workflow example: jobs:
docker_build:
strategy:
matrix:
name:
- my-image
include:
- name: my-image
registry_ecr: my-aws-account-id.dkr.ecr.us-east-1.amazonaws.com
registry_ghcr: ghcr.io/my-github-org-name
dockerfile: ./path/to/Dockerfile
context: .
extra_args: ''
steps:
- uses: actions/checkout@v2
- name: Install Buildkit
uses: docker/setup-buildx-action@v1
id: buildx
with:
install: true
- name: Login to GitHub Container Registry
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
role-skip-session-tagging: true
role-duration-seconds: 1800
role-session-name: GithubActionsBuildDockerImages
- name: Login to Amazon ECR
uses: aws-actions/amazon-ecr-login@v1
- name: Build & Push (ECR)
# - https://docs.docker.com/engine/reference/commandline/buildx_build/
# - https://github.com/moby/buildkit#export-cache
run: |
docker buildx build \
--cache-from=type=registry,ref=${{ matrix.registry_ghcr }}/${{ matrix.name }}:cache \
--cache-to=type=registry,ref=${{ matrix.registry_ghcr }}/${{ matrix.name }}:cache,mode=max \
--push \
${{ matrix.extra_args }} \
-f ${{ matrix.dockerfile }} \
-t ${{ matrix.registry_ecr }}/${{ matrix.name }}:${{ github.sha }} \
${{ matrix.context }} |
|
@ynouri Just be careful of your storage costs in GHCR. It's oddly expensive. I found https://github.com/snok/container-retention-policy to help solve that use case for me. |
|
ECR still not supporting this is unbelievably amateurish, it doesn't suit AWS... |
Use another Docker registry. Dockerhub, or perhaps your own tiny EC2 with some fat storage. |
|
This seems to have started working unannounced, at least when using docker 20.10.11 to build |
I'm still seeing |
is this confirmed? |
I'm wondering the same thing. Could you share some more info @poldridge ? |
|
I've just faced the same issue with Docker version 20.10.12, build e91ed57. Would appreciate any hints or workarounds. |
Did not work for me using |
|
Can we get any kind of communication on this? Being able to use remote cache is a major benefit to all our build pipelines. |
If your subsequent build is 2minutes to export the cache, unscientifically that could suggest that half of your cache is invalid/has new data build-over-build: I would double-check if your dockerfile is ordering instructions in a well-optimized way: https://docs.docker.com/build/cache/#how-can-i-use-the-cache-efficiently . Failing that, earthly's docs has a great passage on the types of image where remote caches (or caches in general) may not help you:
|
|
hey @robg-eb : sorry for the delayed response, I was looking into a colleague experiencing the same issue; their problem was related to the type of image they were pushing, which was an image without intermediate layers in their dockerfile. I would double check that the image you're pushing has more than two lines in its dockerfile (beyond a FROM and an ENTRYPOINT line). If that's not the problem, we probably need to surface up the actual error message ECR gives back to docker when the push fails. To be more exact, docker, when using buildkit, depends on containerd to push images/layers/cache/cache blobs out to remote registries. I believe I have identified a problem with containerd swallowing ours and other OCI-compliant registries error messages, which I've raised here: containerd/containerd#8969 |
|
@kattmang - Sure enough, adding another line to my |
|
hey @robg-eb to put my customer hat on (I was one not too long ago), I wouldn't want to have to own a separate buildkit dependency myself in my CI/CD platform and rather have docker and docker engine own its own dependency tree in production. That's why we're waiting to release any guidance until docker 25.0 which packages buildkit 0.12 as a direct/indirect dependency. This appears to be launching soon here. I've talked to some project folks there, and they don't have a definite timeline. We do like folks trying out buildkit 0.12.x already though! |
|
@kattmang I've reached out on twitter. @rafavallina unfortunately I can't DM you bc I'm not verified. |
|
Hi @BwL1289 I followed you on Twitter. You can follow me back in case you need to also DM me :) |
|
@rafavallina done! DMed you |
i'm using a sidecar in k8s cluster that run builtkit rootless image, i'm using the same parameters that you provided but the push of the cache image is still failing the command: the output: |
|
@Slevy35 you are missing the |
|
Hello All, Im using docker compose with And i invoke the compose with the following command: How to resolve the first error? |
|
The Any possibly solution for this cornercase? |
|
It's worth checking what's actually being pushed in the no-layer case, as it's possible that BuildKit is generating a non-SHOULD-compliant image cache in this case, and could be fairly-simply fixed to not do so. Per the OCI Image spec guidelines for Artifacts.
Of course, BuildKit may already be following this guidance, I haven't checked.
Edit: I briefly checked, and it does not appear to ensure that the layers array is not empty, called from here, called from here. Someone in the situation to actually check that my analysis of the BuildKit code is correct (i.e. dump the OCI-spec cache config for the breaking case and check that Late passing thought: If you trivially create an image with no layers, does ECR reject that image too? In theory, it should have the same issue as the empty caches causing 405's here. (ECR might well be what motivated the "SHOULD" in the image-spec) FROM scratch
ARG CI_PIPELINE_ID=not_set
ENV BUILD_BY_CI_PIPELINE_ID=$CI_PIPELINE_ID
CMD echo $CI_PIPELINE_IDI went ahead and put up a draft PR to see what the BuildKit team thinks. moby/buildkit#4331 It'd be great to find a way to validate if that allows these almost-trivial Dockerfile images to push a cache to ECR. Late edit: Discussing on the BuildKit issue suggests that as a simple solution, simply not trying to push a cache that contains no layers would be clearer, i.e. the equivalent of not using |
|
Thanks @TBBle . I agree with your latest edit here, FWIW. We should go this route :) |
|
Okay, that change has merged, so when BuildKit 0.13 is shipped, and various downstreams like buildx and Docker pick it up, the "450 error for cache with no layers" should no longer occur, as the push will not be attempted. I don't have a specific timeline on that happening though. |
AWS ECR needs image-manifest=true for cache images to be pushed. See aws/containers-roadmap#876 for more info.
AWS ECR needs image-manifest=true for cache images to be pushed. See aws/containers-roadmap#876 for more info.
|
Ok, while we wait for Docker 25 to come out, we have published a blog post that explains how AWS supports cache manifest and the implementation: https://aws.amazon.com/blogs/containers/announcing-remote-cache-support-in-amazon-ecr-for-buildkit-clients/ I'm going to keep this issue open as the conversation is valuable and we can gather more feedback on it for the time being |
|
Docker 25 is out! We're closing this issue at this point. Thanks all for the input and feedback! |
and others
Would be great if ECR could support cache-manifest (see: https://medium.com/titansoft-engineering/docker-build-cache-sharing-on-multi-hosts-with-buildkit-and-buildx-eb8f7005918e)
NOTE FROM AWS: We shipped this on BuildKit 0.12, see here for details - https://aws.amazon.com/blogs/containers/announcing-remote-cache-support-in-amazon-ecr-for-buildkit-clients/. We are keeping this issue open for the time being to allow the community to discuss and gather further feedback
The text was updated successfully, but these errors were encountered: