Pants fails to parse Docker Image ID for BuildKit builds with attestations disabled #21729

davidparsson · 2024-12-06T10:30:04Z

Describe the bug
Pants fails to parse Docker Image ID for BuildKit builds with provenance attestations disabled, since exporting manifest list is not present in Docker's build log.

This is an example build log using BuildKit v0.18 with containerd-snapshotter output, but without provenance attestations:

#15 exporting to image
#15 exporting layers done
#15 preparing layers for inline cache 0.0s done
#15 exporting manifest sha256:0bc80e5cd7fde8722d6d3349bea82c4c4f2ac5a0ec1e02cd46e3557bf3ccf68a done
#15 exporting config sha256:1ce45471d2d286c01b80d7fd1d1d3b991e938495dda695a48027e3ed2fa0af32 done
#15 naming to my-image:latest done
#15 DONE 0.0s

The current parser looks for exporting manifest list, which is not present in my log.

Pants version
2.21.2, but the issue currently remains on the main branch.

OS
MacOS (ARM64)

Additional info
Docker BuildKit v0.11+ by default adds provenance attestations to built images, but AWS Lambda does not yet support them.

When using an ARM64 Mac to build Docker images that are to be used in AWS Lambdas, provenance attestations must be disabled. This can be achieved by setting the following environment variable: BUILDX_NO_DEFAULT_ATTESTATIONS=1. This alters Docker's build log which makes pants unable to detect the Docker Image ID.

Pants outputs Docker image ID: <unknown>

The text was updated successfully, but these errors were encountered:

Related reading as to why attestations can be disabled by users: aws/aws-cdk#30258, https://stackoverflow.com/questions/77207485/why-are-there-extra-untagged-images-in-amazon-ecr-after-doing-docker-push In short, upstream tooling is not really ready for buildx + docker desktop default outputs, and when disabling these we get a stdout which current pants parsing code was not ready for. Fixes #21729

…ry-pick of #21735) (#21738) Related reading as to why attestations can be disabled by users: aws/aws-cdk#30258, https://stackoverflow.com/questions/77207485/why-are-there-extra-untagged-images-in-amazon-ecr-after-doing-docker-push In short, upstream tooling is not really ready for buildx + docker desktop default outputs, and when disabling these we get a stdout which current pants parsing code was not ready for. Fixes #21729 Co-authored-by: Tobias Nilsson <[email protected]>

…ry-pick of #21735) (#21737) Related reading as to why attestations can be disabled by users: aws/aws-cdk#30258, https://stackoverflow.com/questions/77207485/why-are-there-extra-untagged-images-in-amazon-ecr-after-doing-docker-push In short, upstream tooling is not really ready for buildx + docker desktop default outputs, and when disabling these we get a stdout which current pants parsing code was not ready for. Fixes #21729 Co-authored-by: Tobias Nilsson <[email protected]>

davidparsson added the bug label Dec 6, 2024

tobni self-assigned this Dec 8, 2024

tobni mentioned this issue Dec 8, 2024

fix: Handle buildx output with BUILDX_NO_DEFAULT_ATTESTATIONS=1 #21735

Merged

tobni closed this as completed in #21735 Dec 9, 2024

This was referenced Dec 9, 2024

fix: Handle buildx output with BUILDX_NO_DEFAULT_ATTESTATIONS=1 (Cherry-pick of #21735) #21737

Merged

fix: Handle buildx output with BUILDX_NO_DEFAULT_ATTESTATIONS=1 (Cherry-pick of #21735) #21738

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pants fails to parse Docker Image ID for BuildKit builds with attestations disabled #21729

Pants fails to parse Docker Image ID for BuildKit builds with attestations disabled #21729

davidparsson commented Dec 6, 2024

Pants fails to parse Docker Image ID for BuildKit builds with attestations disabled #21729

Pants fails to parse Docker Image ID for BuildKit builds with attestations disabled #21729

Comments

davidparsson commented Dec 6, 2024