5:19 a.m.
I forgot. It's also really confusing to me that now after using latest buildah on the
CI-Pipeline and on my local machine that using --format docker yields different results.
Using podman build on my local machine with --format docker yields an image with mediaType
application/vnd.docker.distribution.manifest.v2+json while in CI it's
application/vnd.docker.distribution.manifest.v1+prettyjws. Without --format docker on my
fedora workstation its the oci format and on the centos7 build host it's
application/vnd.docker.distribution.manifest.v1+prettyjws. I suppose this is a topic
better suited in the buildah mailing list / repo, but wanted to share that bit of
experience from the last two days with you.
Together with the fact that quay.io seems to only support docker format, not oci it really
get's unintuitive here. Especially if you take into consideration that the first push
of the "unsupported" manifest to quay.io works, but subsequent don't. A
topic I already raised at quay.io. Waiting for response there.
Best regards,
Alex
Alexander Wellbrock <a.wellbrock(a)mailbox.org> hat am 17.11.2020
12:09 geschrieben:
Finally, I eventually got it to work. Still there are some points I want to raise /
remark.
So first things first thanks a lot to Nalin and Laurent. Your inputs were just the
missing bits I needed. Thanks Nalin for that really good summary validating my approach in
general. I especially missed the API change at first of the podman manifest create/add
command.
Laurent, I don't require --variant 7 to push my images / manifests to quay.io or
docker.io. However I added the "--format v2s2" flag to the push command as well
as "--all" as suggested by Nalin.
I also opened a bug report at quay.io and got the response that my manifest was
unsupported by quay.io. One of the two images had an implicit "--format oci"
which is apparently not officially supported by quay.io. Only "--format docker"
is. Changing this alone however did not work. I don't know why. I couldn't get it
to work yesterday on my notebook. There the two images had different mediaTypes. One had
application/vnd.docker.distribution.manifest.v1+prettyjws the other
application/vnd.docker.distribution.manifest.v1+json. Today after updating the CI
pipelines both images have "mediaType:
application/vnd.docker.distribution.manifest.v1+prettyjws" and it works.
The confusing part here is why the buildah command without any --format tag resulted in
different mediatypes and especially why one of them as +prettyjws and the other as +json
although both build processes ran in the same container (also multi-arch). They run on
different CentOS host systems. So maybe because of this. I also updated my buildah image
in the process today (was around 3 months old) which might also have fixed this from
buildah. Unfortunately I can't tell.
In total I'm now doing this:
- build the images with "--format docker" on different archs
- push arch specific tags
- create a manifest containing both images (with "correct" mediaTypes) using
first manifest create and then manifest add
- push the manifest with "--all" and "--format v2s2"
This way I'm able to push and maintain the multiarch images on both docker.io and
quay.io.
> Laurent Meunier <laurent(a)deltalima.net> hat am 17.11.2020 06:56 geschrieben:
>
>
> On 16/11/2020 23:23, Nalin Dahyabhai wrote:
> > On Wed, Nov 11, 2020 at 10:27:49AM +0100, Alexander Wellbrock via Podman
wrote:
> >> Hey there, since buildx is not a thing yet to build multi-arch images on
one host I'd like to make use of the multi-arch feature of registries like docker.io
and quay.io.
> >>
> >> I'm using the podman manifest command for this purpose but struggle to
get it to work properly. I hope someone can point me in the right direction.
> >>
> >> I've get it to work (kind-of) by building two images on two different
hosts architecture wise and then used podman manifest create to create a multi-arch
manifest of both images. I then used podman manifest push to get it onto quay.io. This
works and I'm able to use it, but unfortunately there is a catch right now.
> >>
> >> If I'm doing this multiple times, it complains that since a manifest
for example-image:latest is already present. So it only work if the manifest does not
already exist. I can't update it with newer images. Only if I remove the manifest
:latest manually beforehand it obviously works again, but I'd like to avoid that.
Apart from that it makes sense I suppose, because I'd rather like to update the
manifest with new images then to override the old manifest, right?
> >>
> >> I then tried to use podman manifest add, remove etc. Podman then complains
about manifest version not supported. E.g. I tried to update the actual images per
architecture and then add the new ones to the manifest which I couldn't get to work.
I'm highly confused about the podman manifest command man page.
> >
> > Someone asked a similar question on IRC a few days ago, and I didn't
> > have a good answer then, so had to poke at it a bit.
> >
> > Anyway, the sequence of steps for creating a list using images that have
> > previously been pushed to a registry looks something like this:
> >
> > on a box of each $arch: podman build -t docker://registry/repo:$arch-tag
> > on one box: podman manifest create $listname
> > repeat for each $arch on that one box: podman manifest add $listname
docker://registry/repo:$arch-tag
> > finally, on that one box: podman manifest push [--all] $listname
docker://registry/repo:$single-tag
> >
> > Now, if you build a new image and want to replace it in the list, you
> > should be able to start with the list you already have, or you can do
> > this to start to build a new, updated version of the list:
> >
> > podman manifest create updated-list
> > podman manifest add --all updated-list docker://registry/repo:$single-tag
> >
> > Note: "podman manifest add" (and "buildah manifest add")
looks like it
> > just looks at a locally-stored image if it finds one with the same name
> > as the reference being passed on the command line. That locally-stored
> > image isn't going to include all of the other entries in the copy of the
> > list that the registry has, and that can cause some problems. I think
> > we'll need to fix that.
> >
> > If it works as intended (or you started with the list you already had),
> > you should have a copy of the list that's up at the registry, and
> > "podman manifest inspect" should show you several entries in that
list.
> >
> > The spec doesn't say anything about what to do when there are multiple
> > entries in a list for the same platform, so we'll want to remove the
> > entry that the list has for the current machine before we try to add our
> > newly-built image to the list as its replacement.
> >
> > arch=$(go env GOARCH)
> > instance=$(podman manifest inspect updated-list | jq -r \
> >
'.manifests|map(select(.platform.architecture=="'$arch'"))[].digest')
> > podman manifest remove updated-list $instance
> >
> > Now you can go ahead and add your new image to the list and push the
> > updated list to the registry.
> >
> > If the new image has already been pushed to the registry:
> >
> > podman manifest add updated-list docker://registry/repo:$arch-tag
> > podman manifest push updated-list docker://registry/repo:$single-tag
> >
> > If not:
> >
> > podman manifest add updated-list local-$arch-image
> > podman manifest push --all updated-list docker://registry/repo:$single-tag
> >
> > The main difference between these two cases is that the --all flag tells
> > podman to push the images that the list references, in addition to the
> > list itself. That can take a while, since for every image, even though
> > the pushing logic checks if a part of an image has already been uploaded
> > to the registry before trying to upload it, it's still a lot of parts,
> > and that can require a lot of round trips to the registry. But if the
> > image wasn't pushed first, the registry will probably reject the new
> > list because it references things that the registry doesn't have, so
> > it's required.
> >
> > I've got a couple of ideas of things we can do to help simplify this
> > process, so that it requires less typing at the CLI, but none of that's
> > implemented yet.
> >
> > If you run into trouble, please follow up with the specific errors
> > you're getting, and we'll see where they point us.
> >
> > Cheers,
> >
> > Nalin
>
> Hello,
>
> I'm also building multi-arch images with buildah and podman, and I just
> would like to add a few remarks.
>
> I use "buildah manifest" instead of "podman manifest". Is there
some
> behavior differences between these two commands?
>
> If you build your image on an ARM architecture, you may need to add the
> --variant option to the "podman manifest add" command:
>
> # example for ARMv7 (like the Raspberry Pi 3)
> buildah manifest add --variant 7 image_name:$single-tag
> docker.io/$USERNAME/image_name:$arch-tag
>
> When pushing the manifest to Docker Hub, I had to add the "--format
> v2s2" to my "buildah manifest push" command. It seems that Docker
Hub
> does not support the OCI format and I need to use the v2s2 format (not
> 100% sure of this):
>
> buildah manifest push --all --format v2s2 image_name:$single-tag
> docker://docker.io/$USERNAME/image_name:$single-tag
>
> I globally use the same steps as Alexander to push multi-arch images to
> a registry:
> - build the image on each architecture (amd64 and armv7 in my case)
> - push each image on docker hub with an architecture specific tag
> - create and push a manifest as described above
>
> Here is a link to the detailed steps I use to push multi-arch images to
> Docker Hub:
> https://github.com/lmeunier/oci-image-ejabberd#login-to-the-docker-hub-re...
>
> Best regards,
> Laurent
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io