Not finding local images that do exist, trying to pull instead

[jeffparsons]

Description

When BuildKit is enabled, if you tag an image with --tag and then refer to it when building another image, Docker will not find it and instead tries to pull it from Docker Hub.

Disabling BuildKit makes the problem go away.

Steps to reproduce the issue:

Make these files:

Dockerfile.parent:

FROM rockylinux/rockylinux:8.4@sha256:8122f31fbdd5c1368c6b7d5b9ae99fec2eb5966a5c967339d71e95c4a3ab7846

RUN echo "Installing common stuff"

CMD echo "Everything is good"

Dockerfile.child:

FROM local/foo-parent

RUN echo "Installing special stuff"

The run these commands:

docker build -f Dockerfile.parent -t local/foo-parent .
docker build -f Dockerfile.child -t local/foo-child .

Describe the results you received:

On building the parent image, the last line says:

 => => naming to docker.io/local/foo-parent                                                     0.0s

On building the child image, it fails to find the local image and instead tries to pull from Docker Hub:

 => ERROR [internal] load metadata for docker.io/local/foo-parent:latest                        2.9s

Describe the results you expected:

The tag I specified already had a / in it, so Docker shouldn't have automatically prefixed it with docker.io/. I guess that's at least part of the problem?

However, docker inspect still finds the image just fine by either name, so I'm not sure why building the child image fails to find it.

jeff@tank docker-local-image-woes % docker inspect docker.io/local/foo-parent:latest
[
    {
        "Id": "sha256:358eed8be7a681d6b130631dab99dfe0b46635116be03d1691dfc8a04c0301a3",
        "RepoTags": [
            "local/foo-parent:latest"
        ],

jeff@tank docker-local-image-woes % docker inspect local/foo-parent                 
[
    {
        "Id": "sha256:358eed8be7a681d6b130631dab99dfe0b46635116be03d1691dfc8a04c0301a3",
        "RepoTags": [
            "local/foo-parent:latest"
        ],

Additional information you deem important (e.g. issue happens only occasionally):

I'm running Docker Desktop on an M1 MacBook.

Output of docker version:

Docker version 20.10.8, build 3967b7d

Output of docker info:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Build with BuildKit (Docker Inc., v0.6.1-docker)
  compose: Docker Compose (Docker Inc., v2.0.0-rc.3)
  scan: Docker Scan (Docker Inc., v0.8.0)

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 9
 Server Version: 20.10.8
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: e25210fe30a0a703442421b0f60afac609f950a3
 runc version: v1.0.1-0-g4144b63
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.10.47-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 2.922GiB
 Name: docker-desktop
 ID: GJTR:EIL2:CYN3:JRV6:5JXM:VS3U:HRAU:2VA6:WUBG:MDN7:VXF6:24AO
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

Physical MacBook with Apple Silicon (M1), default settings, relatively fresh install of everything including Docker. (This is my first time trying to get an existing project working on the new Macs.)

This is all pure ARM -- no x86_64 virtualisation or anything complicating it as far as I can tell:

jeff@tank docker-local-image-woes % docker inspect rockylinux/rockylinux:8.4@sha256:8122f31fbdd5c1368c6b7d5b9ae99fec2eb5966a5c967339d71e95c4a3ab7846 | grep Architecture
        "Architecture": "arm64",
jeff@tank docker-local-image-woes % docker inspect local/foo-parent | grep Architecture
        "Architecture": "arm64",

[thaJeztah]

@crazy-max @tonistiigi PTAL

The tag I specified already had a / in it, so Docker shouldn't have automatically prefixed it with docker.io/. I guess that's at least part of the problem?

I don't think that should be a problem; docker uses docker.io as default registry (if the tag doesn't contain a registry hostname), so tagging an image foobar makes it implicitly docker.io/library/foobar:latest, and myname/myimage makes it docker.io/myname/myimage:latest.

I'm trying to reproduce the issue, but so far haven't been able to (running on docker desktop for mac, but not on m1)

@jeffparsons do you know if you're using buildx (have you used docker buildx install to install buildx to be used as default builder) or the built-in BuildKit client (DOCKER_BUILDKIT=1 / DOCKER_BUILDKIT=0 to disable)? If you're using buildx, what does docker builder ls show?

[jeffparsons]

I don't think that should be a problem; docker uses docker.io as default registry (if the tag doesn't contain a registry hostname), so tagging an image foobar makes it implicitly docker.io/library/foobar:latest, and myname/myimage makes it docker.io/myname/myimage:latest.

Ah, neato. That's reassuring.

@jeffparsons do you know if you're using buildx (have you used docker buildx install to install buildx to be used as default builder) or the built-in BuildKit client (DOCKER_BUILDKIT=1 / DOCKER_BUILDKIT=0 to disable)? If you're using buildx, what does docker builder ls show?

I don't think I have buildx. When I run docker builder ls I just get the usage message, so I assume it's not present.

jeff@tank docker-local-image-woes % docker builder ls

Usage:  docker builder COMMAND

Manage builds

Commands:
  build       Build an image from a Dockerfile
  prune       Remove build cache

Run 'docker builder COMMAND --help' for more information on a command.

I do have DOCKER_BUILDKIT=1 set in my "ambient environment" because we've been using it for all builds for a long time now:

jeff@tank docker-local-image-woes % echo $DOCKER_BUILDKIT
1

I'll install buildx and see if the outcome changes.

[jeffparsons]

After installing buildx and unsetting DOCKER_BUILDKIT:

jeff@tank docker-local-image-woes % echo $DOCKER_BUILDKIT

jeff@tank docker-local-image-woes % docker build -f Dockerfile.parent -t local/foo-parent .
[+] Building 0.1s (6/6) FINISHED                                                                                                                                
 => [internal] load build definition from Dockerfile.parent                                                                                                0.0s
 => => transferring dockerfile: 216B                                                                                                                       0.0s
 => [internal] load .dockerignore                                                                                                                          0.0s
 => => transferring context: 2B                                                                                                                            0.0s
 => [internal] load metadata for docker.io/rockylinux/rockylinux:8.4@sha256:8122f31fbdd5c1368c6b7d5b9ae99fec2eb5966a5c967339d71e95c4a3ab7846               0.0s
 => [1/2] FROM docker.io/rockylinux/rockylinux:8.4@sha256:8122f31fbdd5c1368c6b7d5b9ae99fec2eb5966a5c967339d71e95c4a3ab7846                                 0.0s
 => CACHED [2/2] RUN echo "Installing common stuff"                                                                                                        0.0s
 => exporting to image                                                                                                                                     0.0s
 => => exporting layers                                                                                                                                    0.0s
 => => writing image sha256:358eed8be7a681d6b130631dab99dfe0b46635116be03d1691dfc8a04c0301a3                                                               0.0s
 => => naming to docker.io/local/foo-parent                                                                                                                0.0s

Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them
jeff@tank docker-local-image-woes % docker build -f Dockerfile.child -t local/foo-child .
[+] Building 3.1s (4/4) FINISHED                                                                                                                                
 => [internal] load build definition from Dockerfile.child                                                                                                 0.0s
 => => transferring dockerfile: 102B                                                                                                                       0.0s
 => [internal] load .dockerignore                                                                                                                          0.0s
 => => transferring context: 2B                                                                                                                            0.0s
 => ERROR [internal] load metadata for docker.io/local/foo-parent:latest                                                                                   3.0s
 => [auth] local/foo-parent:pull token for registry-1.docker.io                                                                                            0.0s
------
 > [internal] load metadata for docker.io/local/foo-parent:latest:
------
error: failed to solve: failed to solve with frontend dockerfile.v0: failed to create LLB definition: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
jeff@tank docker-local-image-woes % docker builder ls
NAME/NODE       DRIVER/ENDPOINT STATUS  PLATFORMS
desktop-linux   docker                  
  desktop-linux desktop-linux   running linux/arm64, linux/amd64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, linux/arm/v6
default *       docker                  
  default       default         running linux/arm64, linux/amd64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, linux/arm/v6

[thaJeztah]

Thanks! My reason for asking if you were using buildx, is that buildx allows you to create multiple "builders". Those builders can use the "container" driver, in which case they're running isolated in a container (which doesn't share the local image cache of the docker daemon). If you would have been using that, it could (e.g.) have been a case where the first image was built in a builder container, but not loaded back into the docker daemon (and because of that not found during the second build).

The error is emitted in the Dockerfile "front-end"; https://github.com/moby/buildkit/blob/v0.8.3/frontend/dockerfile/dockerfile2llb/convert.go#L247-L251

dgst, dt, err := metaResolver.ResolveImageConfig(ctx, d.stage.BaseName, llb.ResolveImageConfigOpt{
    Platform:    platform,
    ResolveMode: opt.ImageResolveMode.String(),
    LogName:     fmt.Sprintf("%s load metadata for %s", prefix, d.stage.BaseName),
})

I'm wondering if the cause of this could be related to inconsistencies in how arm architectures are normalised. Arm architectures are "complicated" (various variants can be "compatible", but there's also multiple notations for the same architecture). e.g. see containerd/containerd#4932. It's possible that some code normalises the architecture, and other code tries to match the architecture (with different normalizing), therefore doesn't find a match, so tries to pull the "missing" architecture from the registry (docker hub) instead.

Unfortunately the error message doesn't include what architecture it tried to match (and what it found), or what it is trying to pull.

I was looking here at the difference between linux/arm64 and inux/arm64/v8

docker buildx imagetools inspect rockylinux/rockylinux:8.4@sha256:8122f31fbdd5c1368c6b7d5b9ae99fec2eb5966a5c967339d71e95c4a3ab7846

Name:      docker.io/rockylinux/rockylinux:8.4@sha256:8122f31fbdd5c1368c6b7d5b9ae99fec2eb5966a5c967339d71e95c4a3ab7846
MediaType: application/vnd.docker.distribution.manifest.list.v2+json
Digest:    sha256:8122f31fbdd5c1368c6b7d5b9ae99fec2eb5966a5c967339d71e95c4a3ab7846

Manifests:
  Name:      docker.io/rockylinux/rockylinux:8.4@sha256:e98dd481db7973d701f8695df7be1b2393261cf273aa68a89d873b7b134588df
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm64/v8

  Name:      docker.io/rockylinux/rockylinux:8.4@sha256:f0d7460b97156f6c8ea2ae73152bc11fe410d272387d60ddff36dfcea22ef689
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/amd64

But looking at (e.g.) the ubuntu:20.04 image, that shows the same, so if that would be the discrepancy, I'd expected this issue to be a lot more widespread.

docker buildx imagetools inspect ubuntu:20.04
Name:      docker.io/library/ubuntu:20.04
MediaType: application/vnd.docker.distribution.manifest.list.v2+json
Digest:    sha256:9d6a8699fb5c9c39cf08a0871bd6219f0400981c570894cd8cbea30d3424a31f

Manifests:
  (...)
  Name:      docker.io/library/ubuntu:20.04@sha256:30fc21bbbbaab3e05531686ef0b725e1f9e7e08df5d6dd64240d094217f0c7cf
  MediaType: application/vnd.docker.distribution.manifest.v2+json
  Platform:  linux/arm64/v8
  (...)

I'd have to double-check if the architectures printed there are the raw ones, or if there's possibly some normalizing happening when presenting them though.

[thaJeztah]

A colleague of mine who has an m1 machine was able to confirm your issue (saw the same failure), so it looks to be specific to the platform (which could confirm my suspicion there's something wrong in platform normalisation / matching)

[jeffparsons]

That sounds promising. 😃

Please do let me know if there's anything else I can do from this side to help narrow it down. (I'm not familiar with the Docker codebase though so I probably wouldn't be much help at actually trying to fix the bug.)

[byronbowerman]

I just ran into this issue on my M1 MacBook Pro.

Even with --pull=false the build fails.

Is there any reason not to disable buildkit as a workaround?

[jeffparsons]

Is there any reason not to disable buildkit as a workaround?

@byronbowerman It depends on whether or not you're intentionally using its features. BuildKit brings some nice stuff for general use (like garbage collection of builder stages) but overall Docker works just fine without it.

In our case, though, we're increasingly relying on features that BuildKite brings to the table, and plan to do so more in future. E.g. Docker's legacy handling of build context is a bit painful in large repositories. E.g., if I have a "common" directory and a "backend" directory, and I want an image to have access to both, then I might want to make my build context the root of the repository. But legacy Docker will then tar up the entire repository for every build, which may range from slow to pretty much impracticable. Workarounds include dynamically generating a ".dockerignore" file before each build, copying parts of the tree around in a "pre-build" step (we do this one), or making the build context yourself with a script and then sending that to Docker explicitly (very tempting).

BuildKit, on the other hand, only tries to read the files you've actually chosen to ADD/COPY into your image, so if you have, e.g., a monorepo, then it's safe to use the root of your repo as the build context sometimes.

It puts us in a slightly awkward position when things like this pop up, because the answer to problems with the legacy builder appears to be "just use BuildKit, that's where all development effort is focused now", and the answer to problems with BuildKit is "BuildKit's not stable yet, just use the default builder". 😅

[thaJeztah]

Just to be sure (as the code I linked to is part of the Dockerfile front-end)l; could one of you try if the latest Dockerfile front-end (syntax) possibly resolves the issue?

If you add this to the top of your dockerfiles:

# syntax=docker/dockerfile:1

(which should pull the latest Dockerfile syntax/front-end from Docker Hub during build).

[thaJeztah]

Also: @tonistiigi @crazy-max PTAL

[vemek]

@thaJeztah I added the syntax specification to both the parent and child dockerfiles and rebuilt as per previous example. The second build still can't find the parent image:

❯ docker build -t testimage .
[+] Building 2.2s (7/7) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                              0.0s
 => => transferring dockerfile: 124B                                                                                                                              0.0s
 => [internal] load .dockerignore                                                                                                                                 0.0s
 => => transferring context: 2B                                                                                                                                   0.0s
 => resolve image config for docker.io/docker/dockerfile:1                                                                                                        0.6s
 => CACHED docker-image://docker.io/docker/dockerfile:1@sha256:9e2c9eca7367393aecc68795c671f93466818395a2693498debe831fd67f5e89                                   0.0s
 => [internal] load build definition from Dockerfile                                                                                                              0.0s
 => [internal] load .dockerignore 
 => ERROR [internal] load metadata for docker.io/library/testbaseimage:latest                                                                                     1.4s
------
 > [internal] load metadata for docker.io/library/testbaseimage:latest:
------
failed to solve with frontend dockerfile.v0: failed to solve with frontend gateway.v0: rpc error: code = Unknown desc = pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

Let me know if there's anything else I can test to help resolve this :)

[thaJeztah]

Thanks! Was hoping that could be a workaround, but alas. I just got a message from @crazy-max that he received his m1 machine (which allows him to do some debugging)

[crazy-max]

Ok so I made some tests on some hosts to be sure of reproducibility:

WSL2 (Ubuntu 20.04.3 LTS x86_64)

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Build with BuildKit (Docker Inc., v0.6.3)
  compose: Docker Compose (Docker Inc., v2.0.0-rc.3)
  scan: Docker Scan (Docker Inc., v0.8.0)

Server:
 Containers: 5
  Running: 2
  Paused: 0
  Stopped: 3
 Images: 16
 Server Version: 20.10.8
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: e25210fe30a0a703442421b0f60afac609f950a3
 runc version: v1.0.1-0-g4144b63
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.10.60.1-microsoft-standard-WSL2
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 11.69GiB
 Name: docker-desktop
 ID: XPCS:4HC3:WTES:EY2N:LAFK:O5T4:MCRD:C6DU:TFFD:553P:B644:D6PK
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: crazymax
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support

Was not able to repro on x86:

#1 [internal] load build definition from Dockerfile.child
#1 sha256:85e795698e4acef44c25b5cc8a172fcda7018152210aa7d8aef64a6dc46ae0b9
#1 transferring dockerfile: 108B 0.0s done
#1 DONE 0.1s

#2 [internal] load .dockerignore
#2 sha256:2147874e5a2a2be0360c68939e95ec4f2655a6ab6b3f19d01c994da742943239
#2 transferring context: 2B done
#2 DONE 0.0s

#3 [internal] load metadata for docker.io/local/foo-parent:latest
#3 sha256:4e97bdf03eee8b6808c530816826929b1dbb551ef762b5e3789bc5a69e426680
#3 DONE 0.0s

#4 [1/2] FROM docker.io/local/foo-parent
#4 sha256:19b6fa47446021805595529a6935bc7318074932b05d6bad1a734cdb39a7045c
#4 DONE 0.1s

#5 [2/2] RUN echo "Installing special stuff"
#5 sha256:6b3ba4c7107140cf8ae60e3d28c27b1a0208ddb08abc2c93db815f8d418ee097
#5 0.409 Installing special stuff
#5 DONE 0.4s

#6 exporting to image
#6 sha256:e8c613e07b0b7ff33893b694f7759a10d42e180f2b4dc349fb57dc6b71dcab00
#6 exporting layers 0.0s done
#6 writing image sha256:4cc8a8dbbce7981fe1d3f8bc6d54509a9c55951cd263adb46a45afdd25f395fd
#6 writing image sha256:4cc8a8dbbce7981fe1d3f8bc6d54509a9c55951cd263adb46a45afdd25f395fd done
#6 naming to docker.io/local/foo-child done
#6 DONE 0.1s

Mac Mini M1

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Build with BuildKit (Docker Inc., v0.6.3)
  compose: Docker Compose (Docker Inc., v2.0.0)
  scan: Docker Scan (Docker Inc., v0.8.0)

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 20.10.8
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: e25210fe30a0a703442421b0f60afac609f950a3
 runc version: v1.0.1-0-g4144b63
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.10.47-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 6
 Total Memory: 11.68GiB
 Name: docker-desktop
 ID: BR3D:PMLU:EVNQ:LOKH:54SC:V5NE:WA3C:PUIJ:76NS:34ZD:TV2G:5KQT
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Was able to repro on M1 too like @jeffjohnston:

[+] Building 2.0s (7/7) FINISHED                                                                                                                                                                      
 => [internal] load build definition from Dockerfile.child                                                                                                                                       0.0s
 => => transferring dockerfile: 132B                                                                                                                                                             0.0s
 => [internal] load .dockerignore                                                                                                                                                                0.0s
 => => transferring context: 2B                                                                                                                                                                  0.0s
 => resolve image config for docker.io/docker/dockerfile:1.3                                                                                                                                     1.0s
 => CACHED docker-image://docker.io/docker/dockerfile:1.3@sha256:9e2c9eca7367393aecc68795c671f93466818395a2693498debe831fd67f5e89                                                                0.0s
 => [internal] load .dockerignore                                                                                                                                                                0.0s
 => [internal] load build definition from Dockerfile.child                                                                                                                                       0.0s
 => ERROR [internal] load metadata for docker.io/local/foo-parent:latest                                                                                                                         0.6s
------
 > [internal] load metadata for docker.io/local/foo-parent:latest:
------
failed to solve with frontend dockerfile.v0: failed to solve with frontend gateway.v0: rpc error: code = Unknown desc = pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

Raspberry 4 (Ubuntu 20.04.2 LTS aarch64)

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
  compose: Docker Compose (Docker Inc., 2.0.0-beta.4)

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 11
 Server Version: 20.10.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc version: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.4.0-1042-raspi
 Operating System: Ubuntu 20.04.2 LTS
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 908.2MiB
 Name: rasp3
 ID: IPZY:66X4:GDX6:ZY66:6PBK:CV7D:34DY:CBJK:VGXP:LN57:2YFJ:Z3SZ
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No kernel memory TCP limit support
WARNING: No oom kill disable support

Also repro on this platform:

[+] Building 1.9s (3/3) FINISHED                                                                                                                                                                      
 => [internal] load build definition from Dockerfile.child                                                                                                                                       0.1s
 => => transferring dockerfile: 102B                                                                                                                                                             0.0s
 => [internal] load .dockerignore                                                                                                                                                                0.1s
 => => transferring context: 2B                                                                                                                                                                  0.0s
 => ERROR [internal] load metadata for docker.io/local/foo-parent:latest                                                                                                                         1.3s
------
 > [internal] load metadata for docker.io/local/foo-parent:latest:
------
error: failed to solve: rpc error: code = Unknown desc = failed to solve with frontend dockerfile.v0: failed to create LLB definition: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

Raspberry 3 (Raspbian GNU/Linux 10 armv7l)

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)

Server:
 Containers: 4
  Running: 4
  Paused: 0
  Stopped: 0
 Images: 17
 Server Version: 20.10.6
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2 io.containerd.runtime.v1.linux
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc version: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.10.17-v7l+
 Operating System: Raspbian GNU/Linux 10 (buster)
 OSType: linux
 Architecture: armv7l
 CPUs: 4
 Total Memory: 3.738GiB
 Name: dns2
 ID: GSXF:RFUU:NYHU:WS2Q:XLEN:ZVOI:HEXD:UV2F:AGGU:7MHG:BWCW:IQI2
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No kernel memory TCP limit support
WARNING: No oom kill disable support

No repro for this one:

[+] Building 1.6s (6/6) FINISHED                                                                                                                                                                      
 => [internal] load build definition from Dockerfile.child                                                                                                                                       0.1s
 => => transferring dockerfile: 102B                                                                                                                                                             0.0s
 => [internal] load .dockerignore                                                                                                                                                                0.0s
 => => transferring context: 2B                                                                                                                                                                  0.0s
 => [internal] load metadata for docker.io/local/foo-parent:latest                                                                                                                               0.0s
 => [1/2] FROM docker.io/local/foo-parent                                                                                                                                                        0.1s
 => [2/2] RUN echo "Installing special stuff"                                                                                                                                                    1.0s
 => exporting to image                                                                                                                                                                           0.1s
 => => exporting layers                                                                                                                                                                          0.1s
 => => writing image sha256:b29f05e825284bed7b62a828ec339fc2a25ea7ade622e8828e2891de9397a817                                                                                                     0.0s
 => => naming to docker.io/local/foo-child

SiFive HiFive Unmatched (Ubuntu 21.04 riscv64)

Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 1
  Running: 0
  Paused: 0
  Stopped: 1
 Images: 4
 Server Version: dev
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 
 runc version: 
 init version: de40ad0
 Security Options:
  apparmor
 Kernel Version: 5.11.0-1018-generic
 Operating System: Ubuntu 21.04
 OSType: linux
 Architecture: riscv64
 CPUs: 4
 Total Memory: 15.62GiB
 Name: sifive
 ID: GJYH:5G5K:GKGF:LXTR:NR7J:OQAM:B4BW:V5GM:5IYH:HX57:YWGN:GUXN
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 26
  Goroutines: 35
  System Time: 2021-10-14T16:31:03.931874328+02:00
  EventsListeners: 0
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Default Address Pools:
   Base: 172.16.0.0/16, Size: 24

I use busybox as base image for Dockerfile.parent and can't repro:

[+] Building 1.6s (6/6) FINISHED                                                                                                                                                                      
 => [internal] load build definition from Dockerfile.child                                                                                                                                       0.0s
 => => transferring dockerfile: 101B                                                                                                                                                             0.0s
 => [internal] load .dockerignore                                                                                                                                                                0.0s
 => => transferring context: 2B                                                                                                                                                                  0.0s
 => [internal] load metadata for docker.io/local/foo-parent:latest                                                                                                                               0.0s
 => [1/2] FROM docker.io/local/foo-parent                                                                                                                                                        0.0s
 => [2/2] RUN echo "Installing special stuff"                                                                                                                                                    1.1s
 => exporting to image                                                                                                                                                                           0.1s
 => => exporting layers                                                                                                                                                                          0.1s
 => => writing image sha256:7ac6b944c3c9a1cb2f69f0fb5da7d5eec6c635c526245bc3ec54b8585a14ac8a                                                                                                     0.0s
 => => naming to docker.io/local/foo-child

Conclusion

So my guess is a misinterpretation of variants in the meta resolver with arm64 and arm64/v8 that is not picked up right. Is it familiar to you @tonistiigi?

[crazy-max]

Wonder if this is not linked to #40790 or at least something that needs to be changed in this method:

moby/builder/builder-next/adapters/containerimage/pull.go

Lines 855 to 863 in 1430d84

	func platformMatches(img *image.Image, p *ocispec.Platform) bool {
	if img.Architecture != p.Architecture {
	return false
	}
	if img.Variant != "" && img.Variant != p.Variant {
	return false
	}
	return img.OS == p.OS
	}

[crazy-max]

@jeffjohnston As a workaround it should work with:

docker build --platform linux/arm64 -f Dockerfile.parent -t local/foo-parent .
docker build -f Dockerfile.child -t local/foo-child .

Edit:

[jeffparsons]

@crazy-max That workaround works just fine for me. 👍 I could've sworn I'd tried that already, but I guess I must have only tried the other way around (i.e. specifying platform explicitly when building the child image)!

Thanks for that. I'll hopefully have a chance to integrate this into our build system in the coming days/weeks and report on whether I run into any other M1-specific issues.

[byronbowerman]

@crazy-max --platform local didn't work for me (I got a manifest error building the parent image) but --platform linux/arm64 seems to work.

Thanks :)

[crazy-max]

@byronbowerman

--platform local didn't work for me

Yes sorry I was not on the right host when I've done that test.

[anapsix]

Greetings @thaJeztah, et al.

Thanks! My reason for asking if you were using buildx, is that buildx allows you to create multiple "builders". Those builders can use the "container" driver, in which case they're running isolated in a container (which doesn't share the local image cache of the docker daemon). If you would have been using that, it could (e.g.) have been a case where the first image was built in a builder container, but not loaded back into the docker daemon (and because of that not found during the second build).

I'm seeing an issue similar to the one described in this issue on the latest and greatest Docker Desktop v4.12.0 (85629) on Apple silicon Macbook, but I'm building parent and child images with docker buildx build. The "isolated builder" explanation makes sense, I suppose. But I'd expect the buildx builders to have access to the images they built, and to the images loaded into Docker daemon context. Or am I misleading myself, and hitting an expected behavior?

The builder is created with the following command:

docker buildx create \
  --use \
  --platform linux/arm64,linux/amd64 \
  --name multiarch \
  --bootstrap \
  --buildkitd-flags '--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host'

These are example Dockerfiles I'm using:

# Dockerfile.parent
FROM alpine:3.16
RUN echo "this is a parent" | tee > /parent

# Dockerfile.child
FROM parent
RUN rm -f /parent; echo "this is a child" | tee > /child

And here is my build test

❯ docker buildx build --builder multiarch --platform linux/arm64 -t parent -f Dockerfile.parent --load --quiet .
sha256:2a1763b00999fbe328422a88ff34ce5b8c07afe3a3cf3b596068658f37b72d95

❯ docker images --filter reference=*parent*
REPOSITORY   TAG       IMAGE ID       CREATED          SIZE
parent       latest    e626a0dd5800   19 seconds ago   5.29MB

❯ docker buildx build --builder multiarch --platform linux/arm64 -t child -f Dockerfile.child --load --quiet .
Dockerfile.child:1
--------------------
   1 | >>> FROM parent
   2 |     RUN echo "this is a child" | tee > /child
   3 |
--------------------
ERROR: failed to solve: parent: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

❯ docker buildx imagetools inspect parent
ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

[thaJeztah]

Yes, that's the expected behavior. Contrary to the BuildKit builder embedded in the "Docker Engine" (which is more targeted at local development), BuildKit (containerized) builders are designed to be sandboxed builder nodes that don't depend on prior state. Those build nodes may contain some amount of caching data to speed up builds, but don't store images (or other persistent data). This design allows builders to be part of a distributed system, where builds can be distributed over the cluster.

To build an image that depends on another image, either;

• push the parent image to a registry after building, before building the child image (the builder will then pull the parent image when building the child image)
• or refactor your Dockerfile to be a multi-stage build; in that case both the parent image (stage) and child image are part of the same build;

# Dockerfile.parent
FROM alpine:3.16 AS parent
RUN echo "this is a parent" | tee > /parent

FROM parent AS child
RUN rm -f /parent; echo "this is a child" | tee > /child

More details can be found in this discussion in the BuildKit repository moby/buildkit#2343

[phs]

Is this behavior documented anywhere? I've spent the last hour or two in a similar scenario (trying to use a locally-built parent image in a docker-container builder.)

You might imagine that finding out this obtuse error is expected behavior is somewhat frustrating.

[tech-team-rural-mda]

docker build on OS X (M1) continues to fail to use any local images referenced during the build, but will fallback to the latest docker.io version/hash of that image tag, if available. This has made for some really confusing debugging when trying to re-use tags on local images in builds.

$ docker --version
Docker version 24.0.2, build cb74dfcd85
$ sw_vers -productName
macOS
$ sw_vers -productVersion
13.5.1
$ sw_vers  -buildVersion
22G90

$ docker buildx ls
NAME/NODE       DRIVER/ENDPOINT STATUS  BUILDKIT                              PLATFORMS
default         docker                                                        
  default       default         running v0.11.7-0.20230525183624-798ad6b0ce9f linux/arm64, linux/amd64, linux/amd64/v2, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/mips64le, linux/mips64, linux/arm/v7, linux/arm/v6
desktop-linux * docker                                                        
  desktop-linux desktop-linux   running v0.11.7-0.20230525183624-798ad6b0ce9f linux/arm64, linux/amd64, linux/amd64/v2, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/mips64le, linux/mips64, linux/arm/v7, linux/arm/v6

... setting { "features": { "buildkit": false }} and/or DOCKER_BUILDKIT=0 seems to be the only work around that will make docker build work as expected (i.e., as it does on any other platform/arch). --platform linux/arm64 does not appear to work any more.

Example:

$ docker images | grep amplify-bcat-save
coriverse/shinyapps                                                    amplify-bcat-save          b3a9df10ed19   3 hours ago      10.3GB
$ docker build -f src/Dockerfile --build-arg gh_token=$GITHUB_PAT --platform linux/arm64 --progress=plain --target app -t docker.io/coriverse/shinyapps:amplify-bcat-test src
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 7.32kB done
#1 DONE 0.0s

#2 [internal] load .dockerignore
#2 transferring context: 218B done
#2 DONE 0.0s

#3 [internal] load metadata for docker.io/coriverse/shinyapps:amplify-frontend
#3 ...

#4 [auth] aws:: l2v0f2h3/rocker/shiny-verse:pull token for public.ecr.aws
#4 DONE 0.0s

#5 [auth] coriverse/shinyapps:pull token for registry-1.docker.io
#5 DONE 0.0s

#6 [internal] load metadata for docker.io/coriverse/shinyapps:amplify-bcat-save
#6 ERROR: docker.io/coriverse/shinyapps:amplify-bcat-save: not found

#3 [internal] load metadata for docker.io/coriverse/shinyapps:amplify-frontend
#3 CANCELED

#7 [internal] load metadata for public.ecr.aws/l2v0f2h3/rocker/shiny-verse:4.2.1
#7 CANCELED
------
 > [internal] load metadata for docker.io/coriverse/shinyapps:amplify-bcat-save:
------
Dockerfile:94
--------------------
  92 |     
  93 |     
  94 | >>> FROM coriverse/shinyapps:amplify-bcat-save as base
  95 |     FROM docker.io/coriverse/shinyapps:amplify-frontend as previous
  96 |     
--------------------
ERROR: failed to solve: coriverse/shinyapps:amplify-bcat-save: docker.io/coriverse/shinyapps:amplify-bcat-save: not found

[thaJeztah]

@tech-team-rural-mda please open a new ticket instead with reproducible steps. As to that image; are you sure the image is available as arm64, because if it's a local copy of coriverse/shinyapps:amplify-bcat, that image looks to be amd64 (x86) only; https://hub.docker.com/layers/coriverse/shinyapps/amplify-bcat/images/sha256-bcb7e4d5162959163646099494a13dc657f8975250729bbf33e3e799c5e45e96?context=explore