build: add --provenance=false to fix OCI manifest format #678
Open
shravyavorugallu wants to merge 1 commit into
Closes NVIDIA#676
docker buildx build attaches provenance attestations by default when BuildKit >= 0.11 is in use. This causes the published image manifest to be an OCI image index (application/vnd.oci.image.index.v1+json) instead of a Docker manifest list (application/vnd.docker.distribution.manifest.list.v2+json).
Consumers that rely on the Docker v2 manifest API — such as Renovate, Harbor, and many internal registry scanners used in air-gapped HPC environments — fail to pull or inspect the image when presented with an OCI index.
Fix: pass --provenance=false to docker buildx build in the base DOCKERCMD variable. This suppresses provenance attestation attachment and keeps the published manifest as a standard Docker manifest list.
The local build target overrides DOCKERCMD entirely (to plain 'docker build') and is therefore unaffected by this change.
Precedent: NVIDIA/gpu-operator#2540 applied the same fix.
Signed-off-by: Shravya Vorugallu <shravyavorugallu@gmail.com>
Closes #676
Problem
docker buildx build with BuildKit >=0.11 attaches provenance attestations by default. This causes the published image to be an OCI image index (application/vnd.oci.image.index.v1+json) instead of a Docker manifest list (application/vnd.docker.distribution.manifest.list.v2+json).
Consumers that rely on the Docker registry v2 manifest API break:
docker pull on older Docker Engine versions may fail
Fix
Add --provenance=false to DOCKERCMD. This suppresses provenance attestation attachment and keeps the published manifest as a standard Docker v2 manifest list.
The local build target overrides DOCKERCMD entirely (to plain docker build) and is unaffected.
Precedent
NVIDIA/gpu-operator#2540 applied the identical fix.
Testing
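
The following is an added example, not part of the pull request or the project's code: a Python check that classifies a raw top-level manifest (for instance the output of `docker buildx imagetools inspect --raw <image>`) as an OCI image index or a Docker manifest list and lists any BuildKit attestation entries. The function names, sample manifests and digests are constructed for illustration.

```python
import json

OCI_INDEX = "application/vnd.oci.image.index.v1+json"
DOCKER_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
ATTESTATION = "attestation-manifest"  # value BuildKit sets in vnd.docker.reference.type


def classify_manifest(raw):
    """Return the top-level manifest kind, real platforms, and attestation digests."""
    doc = json.loads(raw)
    entries = doc.get("manifests")
    media_type = doc.get("mediaType")
    if media_type == DOCKER_LIST:
        kind = "docker-manifest-list"
    elif media_type == OCI_INDEX or (media_type is None and isinstance(entries, list)):
        # Assumption: an index that omits mediaType but has "manifests" is an OCI index.
        kind = "oci-index"
    else:
        kind = "single-or-unknown"
    platforms, attestations = [], []
    for entry in entries or []:
        annotations = entry.get("annotations") or {}
        if annotations.get("vnd.docker.reference.type") == ATTESTATION:
            attestations.append(entry["digest"])  # attestation, not a runnable image
            continue
        plat = entry.get("platform") or {}
        platforms.append(f'{plat.get("os", "?")}/{plat.get("architecture", "?")}')
    return {"kind": kind, "platforms": platforms, "attestations": attestations}


def _entry(digest_char, os_name, arch, media_type, annotations=None):
    # Constructed descriptor; digests are placeholders, not real image digests.
    entry = {"mediaType": media_type, "digest": "sha256:" + digest_char * 64,
             "size": 1234, "platform": {"os": os_name, "architecture": arch}}
    if annotations:
        entry["annotations"] = annotations
    return entry


# Constructed sample: OCI index carrying one image and one attestation manifest.
WITH_PROVENANCE = json.dumps({"schemaVersion": 2, "mediaType": OCI_INDEX, "manifests": [
    _entry("a", "linux", "amd64", "application/vnd.oci.image.manifest.v1+json"),
    _entry("b", "unknown", "unknown", "application/vnd.oci.image.manifest.v1+json",
           {"vnd.docker.reference.type": ATTESTATION,
            "vnd.docker.reference.digest": "sha256:" + "a" * 64})]})

# Constructed sample: Docker manifest list with no attestation entries.
WITHOUT_PROVENANCE = json.dumps({"schemaVersion": 2, "mediaType": DOCKER_LIST, "manifests": [
    _entry("c", "linux", "amd64", "application/vnd.docker.distribution.manifest.v2+json"),
    _entry("d", "linux", "arm64", "application/vnd.docker.distribution.manifest.v2+json")]})
```

A registry scanner or CI gate can use the `kind` field to confirm which format was published and the `attestations` list to see whether provenance is attached to the image.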