profile
viewpoint

Ask questionsCannot build from local image with buildctl (OCI Worker)

Description

Cannot build from a local image with buildctl which always tries to resolve to docker.io. This applies to a multi-stage setup or simply from a local image in a CI setup. The base image should not be expected to be pushed to any repository (either docker.io or even private). It is only available locally (docker images).

This works with docker build and even DOCKER_BUILDKIT=1 using image names (but not SHA ID in the last case). See also https://github.com/moby/moby/issues/39769.

This looks similar to the problems with local cache described here: https://github.com/moby/moby/issues/39003.

Steps to reproduce the issue:

  1. Demo project available here: https://github.com/virgile-hogman/docker-buildkit
  2. Run ./buildctl-build.sh from bash
  3. See logs, fails to resolve FROM docker.io/library/bk1:latest

Describe the results you received:

+ buildctl build --frontend dockerfile.v0 --progress=plain --local context=src2 --local dockerfile=src2 --output type=docker,name=bk2
+ docker load
#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile: 66B done
#2 DONE 0.1s

#1 [internal] load .dockerignore
#1 transferring context: 2B done
#1 DONE 0.1s

#3 [internal] load metadata for docker.io/library/bk1:latest
#3 ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

#4 [1/2] FROM docker.io/library/bk1:latest
#4 resolve docker.io/library/bk1:latest
#4 resolve docker.io/library/bk1:latest 0.4s done
#4 ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
------
 > [internal] load metadata for docker.io/library/bk1:latest:
------
------
 > [1/2] FROM docker.io/library/bk1:latest:
------
error: failed to solve: rpc error: code = Unknown desc = failed to solve with frontend dockerfile.v0: failed to build LLB: failed to load cache key: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
open /var/lib/docker/tmp/docker-import-259291410/repositories: no such file or directory

Describe the results you expected:

This should work as for docker build when using image names (with or without DOCKER_BUILDKIT=1. Note with SHA-ID it does not work either in the last case as described in https://github.com/moby/moby/issues/39769).

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:           18.09.6
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        481bc77
 Built:             Sat May  4 02:35:57 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Output of docker info:

Native install with Ubuntu 18.04.
More info does not seem relevant for now, can provide if really needed.

Additional environment details (AWS, VirtualBox, physical, etc.):

Connected to a private repository on a different host but this should not have effect here since it works with standard docker build.

moby/buildkit

Answer questions gfrancesco

I'm experiencing the same issue. Looking into the moby/buildkit image (8ce8d3df040f) looks to me that there is no trace of containerd executables.

@tonistiigi since you suggested to start containerd before buildkitd --oci-worker=false --containerd-worker=true, can you please explain the necessary steps? I went through the docs of docker/buildx, moby/buildkit and containerd/containerd with no luck.

I'm also freshly started with docker, but from the official documentation buildx is described as an improved version of build, but I'm a bit puzzled on why it can fail the very simple (and common I think) use case of creating an image starting from a base image already available locally under docker images.

Related questions

php build fails when cache is enabled hot 15
RUN --mount=type=cache causes the whole build context to be loaded in hot 15
ssh agent only forwarded from keys on Windows hot 10
rootless image didn't work on OKD (OpenShift) 3.11 hot 7
`httpProxy` support hot 6
Attempt to mount an overlay layer that is already in-use hot 6
Image id shown as missing with docker history hot 6
Image id shown as missing with docker history hot 6
rootless image didn't work on OKD (OpenShift) 3.11 hot 6
Documentation claims that --mount works with 18.06 hot 6
Evaluate running BuildKit with UML
Documentation claims that --mount works with 18.06 hot 4
Support schema1 push for quay? hot 4
Documentation claims that --mount works with 18.06 hot 4
RUN --mount=type=cache should inherit ownership/permissions from mountpoint hot 4
Github User Rank List