c8d: Use the roundtripper during build by rumpl · Pull Request #49178 · moby/moby

rumpl · 2024-12-30T22:40:16Z

- What I did
Added the roundtripper to the containerd worker source manager.

The roundtripper is responsible for giving back the build context when it comes from a tar directly. So we add it to the source manager of the containerd worker.

fixes #47717

- How I did it

- How to verify it

With the sample reproducer from #47717

You can also try this terraform:

terraform {
  required_providers {
    docker = {
      source  = "kreuzwerker/docker"
      version = "~> 3.0.2"
    }
  }
}

provider "docker" {
  host = "unix:///tmp/docker.sock"
}

resource "docker_image" "my-image" {
  name = "my-image:latest"

  build {
    context = "${path.cwd}"
  }
}

Output of the apply:

➜ terraform apply
docker_image.my-image: Refreshing state... [id=sha256:09fe4d17ab2ba82f9e3edb4355216f312a36d58ecf2510271bb225faee0b6329my-image:latest]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # docker_image.my-image will be created
  + resource "docker_image" "my-image" {
      + id          = (known after apply)
      + image_id    = (known after apply)
      + name        = "my-image:latest"
      + repo_digest = (known after apply)

      + build {
          + cache_from     = []
          + context        = "/home/rumpl/tftest"
          + dockerfile     = "Dockerfile"
          + extra_hosts    = []
          + remove         = true
          + security_opt   = []
          + tag            = []
            # (11 unchanged attributes hidden)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

docker_image.my-image: Creating...
docker_image.my-image: Creation complete after 3s [id=sha256:76c0301c79d56873b8aebf2442bd93e78f53fb9b95700448497ef68b20136fdcmy-image:latest]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
➜ docker -c local images
REPOSITORY   TAG       IMAGE ID       CREATED          SIZE
my-image     latest    76c0301c79d5   11 seconds ago   6.57MB

- Description for the changelog

containerd image store: Fix passing a build context via tarball to the `/build` endpoint.

- A picture of a cute animal (not mandatory but encouraged)

The roundtripper is responsible for giving back the build context when it comes from a tar directly. So we add it to the source manager of the containerd worker. Signed-off-by: Djordje Lukic <[email protected]>

rumpl · 2024-12-31T09:46:38Z

builder/builder-next/worker/containerdworker.go

+		CacheAccessor: bw.CacheManager(),
+		Transport:     rt,
+	})
+	if err == nil {


Note: I'm not returning an error here the same way the graph driver worker doesn't return an error

moby/builder/builder-next/worker/worker.go

Lines 121 to 129 in f5af46d

hs, err := http.NewSource(http.Opt{

CacheAccessor: cm,

Transport: opt.Transport,

})

if err == nil {

sm.Register(hs)

} else {

log.G(context.TODO()).Warnf("Could not register builder http source: %s", err)

}

Perhaps that's worth a comment in the code for future reference?

Looks like that "don't fail / don't return error" was added in ca3e3fc

Don't fail to start daemon if builder source is not available #37280

to fix Dockerd no longer starts if git is not installed after buildkit merge #37278

I guess it somewhat makes sense to not prevent the daemon from starting, but haven't tried what it looks like when trying to build something that needs git and/or if BuildKit has some entitlement to indicate whether a builder can support git (or not).

So, it looks like that fix was intended for git, but now wondering if it was much too broad in scope as it also did the same for other type of sources which (I THINK) don't depend on any external dependency to be installed? 🤔

Thanks for digging in! Ok yeah that fix added the warning for the http source for some reason too... I can change c8d and GD cases and return an error for the http source

I'd be fine with keeping them the same for now, then (in a follow-up) fix it for both. Or at least; I haven't looked yet if there's possible reasons for this to fail (and if we're considering including this in 27.x, perhaps it's safer to "fail soft" for now, and to look more in depth if we can safely fail loud 😅

Curious though; should those other sources also be registered? (git.NewSource, local.NewSource) ?

The "funny" part is that http.NewSource never returns an error :D

Curious though; should those other sources also be registered? (git.NewSource, local.NewSource) ?

All of these are already added by the call to base.NewWorker a couple lines above. We only need to change the http one for the roundtripper to do its thing

The "funny" part is that http.NewSource never returns an error :D

LOL, yeah, in that case; hard failure would be good for sure! And possibly we should change that signature to not even pretend there may be an error.

All of these are already added by the call to base.NewWorker a couple lines above. We only need to change the http one for the roundtripper to do its thing

Ah, thanks!

thaJeztah · 2024-12-31T10:53:48Z

Trying this with the reproducer script from #47717

Against docker 27.5.0-rc.1:

docker run -it --rm -v ./testbuilder/:/testbuilder -w /testbuilder -v /var/run/docker.sock:/var/run/docker.sock ubuntu

ls -l
total 9412
-rw-r--r-- 1 root root     431 Dec 31 10:19 context.tar
-rwxr-xr-x 1 root root 9629289 Dec 31 10:22 testbuilder
-rw-r--r-- 1 root root     686 Dec 31 10:21 testbuilder.go

DOCKER_API_VERSION=1.46 ./testbuilder
{"id":"moby.buildkit.trace","aux":"Cm8KR3NoYTI1NjpiNWE1NTg3ZDcxODg3ZDRlZjM3NGFhODIzMDNkYzEzODZlOTQzMDIwYmNmZWE1NWQ5OWNkYTRjMzI2MzViMTU3GiRbaW50ZXJuYWxdIGxvYWQgcmVtb3RlIGJ1aWxkIGNvbnRleHQ="}
{"id":"moby.buildkit.trace","aux":"Cn0KR3NoYTI1NjpiNWE1NTg3ZDcxODg3ZDRlZjM3NGFhODIzMDNkYzEzODZlOTQzMDIwYmNmZWE1NWQ5OWNkYTRjMzI2MzViMTU3GiRbaW50ZXJuYWxdIGxvYWQgcmVtb3RlIGJ1aWxkIGNvbnRleHQqDAiXlc+7BhCFnb+NAw=="}
{"id":"moby.buildkit.trace","aux":"CqcBCkdzaGEyNTY6YjVhNTU4N2Q3MTg4N2Q0ZWYzNzRhYTgyMzAzZGMxMzg2ZTk0MzAyMGJjZmVhNTVkOTljZGE0YzMyNjM1YjE1NxokW2ludGVybmFsXSBsb2FkIHJlbW90ZSBidWlsZCBjb250ZXh0KgwIl5XPuwYQhZ2/jQMyCwiYlc+7BhCumo4OOhtpbnZhbGlkIHJlc3BvbnNlIHN0YXR1cyA0MDM="}
{"errorDetail":{"message":"failed to read downloaded context: failed to load cache key: invalid response status 403"},"error":"failed to read downloaded context: failed to load cache key: invalid response status 403"}

Against a daemon built with this PR (running inside the dev-container), we're getting slightly further, but it's failing to pull the image, which may very well be the test-code here;

cd testbuilder
DOCKER_API_VERSION=1.46 ./testbuilder
{"id":"moby.buildkit.trace","aux":"Cm8KR3NoYTI1Njo0MjRmZmJmYTBiOTRhNjllYWYwYTdjNDA0MDBhYjZjMmQ2MjA0ODA3OTQ4NTcxYjBhY2UxMWI4NTIxYzE5YmNlGiRbaW50ZXJuYWxdIGxvYWQgcmVtb3RlIGJ1aWxkIGNvbnRleHQ="}
{"id":"moby.buildkit.trace","aux":"CnwKR3NoYTI1Njo0MjRmZmJmYTBiOTRhNjllYWYwYTdjNDA0MDBhYjZjMmQ2MjA0ODA3OTQ4NTcxYjBhY2UxMWI4NTIxYzE5YmNlGiRbaW50ZXJuYWxdIGxvYWQgcmVtb3RlIGJ1aWxkIGNvbnRleHQqCwiEl8+7BhDftMRa"}
{"id":"moby.buildkit.trace","aux":"CokBCkdzaGEyNTY6NDI0ZmZiZmEwYjk0YTY5ZWFmMGE3YzQwNDAwYWI2YzJkNjIwNDgwNzk0ODU3MWIwYWNlMTFiODUyMWMxOWJjZRokW2ludGVybmFsXSBsb2FkIHJlbW90ZSBidWlsZCBjb250ZXh0KgsIhJfPuwYQ37TEWjILCISXz7sGEKiH0mE="}
{"id":"moby.buildkit.trace","aux":"CokBCkdzaGEyNTY6NDI0ZmZiZmEwYjk0YTY5ZWFmMGE3YzQwNDAwYWI2YzJkNjIwNDgwNzk0ODU3MWIwYWNlMTFiODUyMWMxOWJjZRokW2ludGVybmFsXSBsb2FkIHJlbW90ZSBidWlsZCBjb250ZXh0KgsIhJfPuwYQ7dHgYTILCISXz7sGEOD242E="}
{"id":"moby.buildkit.trace","aux":"CqMBCkdzaGEyNTY6ZjI3MzVkOGFiZWIzMzg1NGY1NWE2ODc5NzZhMDZlOGM3N2ZhOWRjZTE3MjA5YzBjNDc5NGM0YzNmODdkZTg2YRJHc2hhMjU2OjQyNGZmYmZhMGI5NGE2OWVhZjBhN2M0MDQwMGFiNmMyZDYyMDQ4MDc5NDg1NzFiMGFjZTExYjg1MjFjMTliY2UaD2NvcHkgL2NvbnRleHQgLw=="}
{"id":"moby.buildkit.trace","aux":"CrABCkdzaGEyNTY6ZjI3MzVkOGFiZWIzMzg1NGY1NWE2ODc5NzZhMDZlOGM3N2ZhOWRjZTE3MjA5YzBjNDc5NGM0YzNmODdkZTg2YRJHc2hhMjU2OjQyNGZmYmZhMGI5NGE2OWVhZjBhN2M0MDQwMGFiNmMyZDYyMDQ4MDc5NDg1NzFiMGFjZTExYjg1MjFjMTliY2UaD2NvcHkgL2NvbnRleHQgLyoLCISXz7sGEO+mwGQ="}
{"id":"moby.buildkit.trace","aux":"Cr0BCkdzaGEyNTY6ZjI3MzVkOGFiZWIzMzg1NGY1NWE2ODc5NzZhMDZlOGM3N2ZhOWRjZTE3MjA5YzBjNDc5NGM0YzNmODdkZTg2YRJHc2hhMjU2OjQyNGZmYmZhMGI5NGE2OWVhZjBhN2M0MDQwMGFiNmMyZDYyMDQ4MDc5NDg1NzFiMGFjZTExYjg1MjFjMTliY2UaD2NvcHkgL2NvbnRleHQgLyoLCISXz7sGEO+mwGQyCwiEl8+7BhDZkNVo"}
{"id":"moby.buildkit.trace","aux":"CpQBCkdzaGEyNTY6NzBiNzQxNDZlMzE1ZWY2ODlmZjIxMzZlOWY4MjFiZmM1NTdiYzJiN2RkZmM3Njg1NTgwZjRhMGVlMWU3YTk3MBo8W2ludGVybmFsXSBsb2FkIG1ldGFkYXRhIGZvciBkb2NrZXIuaW8vbGlicmFyeS9hbHBpbmU6bGF0ZXN0KgsIhJfPuwYQlpaPag=="}
{"id":"moby.buildkit.trace","aux":"CrYBCkdzaGEyNTY6NzBiNzQxNDZlMzE1ZWY2ODlmZjIxMzZlOWY4MjFiZmM1NTdiYzJiN2RkZmM3Njg1NTgwZjRhMGVlMWU3YTk3MBo8W2ludGVybmFsXSBsb2FkIG1ldGFkYXRhIGZvciBkb2NrZXIuaW8vbGlicmFyeS9hbHBpbmU6bGF0ZXN0KgsIhJfPuwYQlpaPajIMCISXz7sGEOK4hocDOhJubyBhY3RpdmUgc2Vzc2lvbnM="}
{"errorDetail":{"message":"alpine: failed to resolve source metadata for docker.io/library/alpine:latest: no active sessions"},"error":"alpine: failed to resolve source metadata for docker.io/library/alpine:latest: no active sessions"}

Daemon logs (ignore the "handling POST request" appearing as last log, that's an issue still to fix in master)

INFO[2024-12-31T10:48:25.220117167Z] API listen on /var/run/docker.sock
DEBU[2024-12-31T10:48:39.270768382Z] resolve exporter moby with map[name:docker.io/library/myimage:latest]
DEBU[2024-12-31T10:48:39.275765840Z] prepare snapshot                              key=op7hiqfufswzqcj1f4n8gvdev parent= snapshotter=overlayfs
DEBU[2024-12-31T10:48:39.280346007Z] get snapshot mounts                           key=op7hiqfufswzqcj1f4n8gvdev snapshotter=overlayfs
DEBU[2024-12-31T10:48:39.284275590Z] load cache for [internal] load remote build context with p75gv258gxyzquedv4uhxiix7::adhrf4f0ko2xqodnjp0ad3x8r
DEBU[2024-12-31T10:48:39.284910298Z] get snapshot mounts                           key=pk67roo9vyiuyd8yxug9kulfk snapshotter=overlayfs
DEBU[2024-12-31T10:48:39.286001757Z] load cache for copy /context / with p75gv258gxyzquedv4uhxiix7::scq16otlqd70cokjj35j8a45c
DEBU[2024-12-31T10:48:39.286287215Z] get snapshot mounts                           key=ppjh54gdud8o89ll091wluqmg snapshotter=overlayfs
DEBU[2024-12-31T10:48:39.287407465Z] checked for cached auth handler namespace     cached=false key="docker.io/library/alpine::pull" name=docker.io/library/alpine scope=pull
DEBU[2024-12-31T10:48:39.288671673Z] resolving                                     span="resolving docker.io/library/alpine:latest"
DEBU[2024-12-31T10:48:39.288696048Z] do request                                    request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=buildkit/v0.18 request.method=HEAD span="resolving docker.io/library/alpine:latest"
DEBU[2024-12-31T10:48:39.795193090Z] fetch response received                       response.header.content-length=157 response.header.content-type=application/json response.header.date="Tue, 31 Dec 2024 10:48:39 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.docker-ratelimit-source=94.210.180.92 response.header.strict-transport-security="max-age=31536000" response.header.www-authenticate="Bearer realm=\"https://auth.docker.io/token\",service=\"registry.docker.io\",scope=\"repository:library/alpine:pull\"" response.status="401 Unauthorized" span="resolving docker.io/library/alpine:latest"
DEBU[2024-12-31T10:48:39.795336590Z] Unauthorized                                  header="Bearer realm=\"https://auth.docker.io/token\",service=\"registry.docker.io\",scope=\"repository:library/alpine:pull\"" span="resolving docker.io/library/alpine:latest"
INFO[2024-12-31T10:48:39.795443257Z] trying next host                              error="no active sessions" span="resolving docker.io/library/alpine:latest"
DEBU[2024-12-31T10:48:39.800409549Z] (*service).Write started                      ref=history-ref_797526965-sCR_
DEBU[2024-12-31T10:48:39.810167924Z] (*service).Write started                      ref=history-ref_809416007-sDJg
WARN[2024-12-31T10:48:39.820853174Z] no trace recorder found, skipping             span="create history record"
DEBU[2024-12-31T10:48:39.822420049Z] handling POST request                         method=POST module=api request-url="/v1.46/build?rm=0&t=myimage%3Alatest&version=2" status=200 vars="map[version:1.46]"

If I pull the image first, it works;

docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
cb8611c9fe51: Pull complete
Digest: sha256:21dc6063fd678b478f57c0e13f47560d0ea4eeba26dfc947b2a4f81f686b9f45
Status: Downloaded newer image for alpine:latest
docker.io/library/alpine:latest

DOCKER_API_VERSION=1.46 ./testbuilder
{"id":"moby.buildkit.trace","aux":"Cm8KR3NoYTI1Njo4ZDk4NzMwYjZkNzNmNDExNzVmNDMwYzA0NDNkNDY1ODcxMWFmMDdkMzNjODBjMzA5MTFlNTMzOTY3ZTZhYWQ3GiRbaW50ZXJuYWxdIGxvYWQgcmVtb3RlIGJ1aWxkIGNvbnRleHQ="}
{"id":"moby.buildkit.trace","aux":"CnwKR3NoYTI1Njo4ZDk4NzMwYjZkNzNmNDExNzVmNDMwYzA0NDNkNDY1ODcxMWFmMDdkMzNjODBjMzA5MTFlNTMzOTY3ZTZhYWQ3GiRbaW50ZXJuYWxdIGxvYWQgcmVtb3RlIGJ1aWxkIGNvbnRleHQqCwilmc+7BhD18PA+"}
{"id":"moby.buildkit.trace","aux":"CokBCkdzaGEyNTY6OGQ5ODczMGI2ZDczZjQxMTc1ZjQzMGMwNDQzZDQ2NTg3MTFhZjA3ZDMzYzgwYzMwOTExZTUzMzk2N2U2YWFkNxokW2ludGVybmFsXSBsb2FkIHJlbW90ZSBidWlsZCBjb250ZXh0KgsIpZnPuwYQ9fDwPjILCKWZz7sGEIGUi0M="}
{"id":"moby.buildkit.trace","aux":"CosBCkdzaGEyNTY6OGQ5ODczMGI2ZDczZjQxMTc1ZjQzMGMwNDQzZDQ2NTg3MTFhZjA3ZDMzYzgwYzMwOTExZTUzMzk2N2U2YWFkNxokW2ludGVybmFsXSBsb2FkIHJlbW90ZSBidWlsZCBjb250ZXh0IAEqCwilmc+7BhD2wJlDMgsIpZnPuwYQ+8abQw=="}
{"id":"moby.buildkit.trace","aux":"CqMBCkdzaGEyNTY6OWZhNWNlNjVjNTJlMTUwM2VlNDVhMWM5YzVlYzkxZWQyZjZkODMzYmFiMmQwYWQyMGIzZjc4YWU4ZThmOTZhZhJHc2hhMjU2OjhkOTg3MzBiNmQ3M2Y0MTE3NWY0MzBjMDQ0M2Q0NjU4NzExYWYwN2QzM2M4MGMzMDkxMWU1MzM5NjdlNmFhZDcaD2NvcHkgL2NvbnRleHQgLw=="}
{"id":"moby.buildkit.trace","aux":"Cr8BCkdzaGEyNTY6OWZhNWNlNjVjNTJlMTUwM2VlNDVhMWM5YzVlYzkxZWQyZjZkODMzYmFiMmQwYWQyMGIzZjc4YWU4ZThmOTZhZhJHc2hhMjU2OjhkOTg3MzBiNmQ3M2Y0MTE3NWY0MzBjMDQ0M2Q0NjU4NzExYWYwN2QzM2M4MGMzMDkxMWU1MzM5NjdlNmFhZDcaD2NvcHkgL2NvbnRleHQgLyABKgsIpZnPuwYQ//DSQzILCKWZz7sGELqE1EM="}
{"id":"moby.buildkit.trace","aux":"CpQBCkdzaGEyNTY6NzBiNzQxNDZlMzE1ZWY2ODlmZjIxMzZlOWY4MjFiZmM1NTdiYzJiN2RkZmM3Njg1NTgwZjRhMGVlMWU3YTk3MBo8W2ludGVybmFsXSBsb2FkIG1ldGFkYXRhIGZvciBkb2NrZXIuaW8vbGlicmFyeS9hbHBpbmU6bGF0ZXN0KgsIpZnPuwYQkpqSRA=="}
{"id":"moby.buildkit.trace","aux":"CqIBCkdzaGEyNTY6NzBiNzQxNDZlMzE1ZWY2ODlmZjIxMzZlOWY4MjFiZmM1NTdiYzJiN2RkZmM3Njg1NTgwZjRhMGVlMWU3YTk3MBo8W2ludGVybmFsXSBsb2FkIG1ldGFkYXRhIGZvciBkb2NrZXIuaW8vbGlicmFyeS9hbHBpbmU6bGF0ZXN0KgsIpZnPuwYQkpqSRDIMCKWZz7sGEJr0mKoC"}
{"id":"moby.buildkit.trace","aux":"CvEBCkdzaGEyNTY6ZGI1YjBhOWFlZTU3M2Q4NWM4NWM0ZDQ5Y2UyN2M5ZjkxNjNjZTJiM2I1N2U2YjJhMzU0NzY0YmEyMzE5ZTUzORJHc2hhMjU2OmYzYzQ1NmU2NzQ2M2ExNmNkYjBlNjE1MjcwZTc3YTM4OTU0NzdkYjE3ZmZkZDFjMTQxNDlmOWJiODRhN2U2ODISR3NoYTI1Njo5ZmE1Y2U2NWM1MmUxNTAzZWU0NWExYzljNWVjOTFlZDJmNmQ4MzNiYWIyZDBhZDIwYjNmNzhhZThlOGY5NmFmGhRbMi8yXSBBREQgZmxhZyAvZmxhZwq9AQpHc2hhMjU2OmYzYzQ1NmU2NzQ2M2ExNmNkYjBlNjE1MjcwZTc3YTM4OTU0NzdkYjE3ZmZkZDFjMTQxNDlmOWJiODRhN2U2ODIaclsxLzJdIEZST00gZG9ja2VyLmlvL2xpYnJhcnkvYWxwaW5lOmxhdGVzdEBzaGEyNTY6MjFkYzYwNjNmZDY3OGI0NzhmNTdjMGUxM2Y0NzU2MGQwZWE0ZWViYTI2ZGZjOTQ3YjJhNGY4MWY2ODZiOWY0NQ=="}
{"id":"moby.buildkit.trace","aux":"CssBCkdzaGEyNTY6ZjNjNDU2ZTY3NDYzYTE2Y2RiMGU2MTUyNzBlNzdhMzg5NTQ3N2RiMTdmZmRkMWMxNDE0OWY5YmI4NGE3ZTY4MhpyWzEvMl0gRlJPTSBkb2NrZXIuaW8vbGlicmFyeS9hbHBpbmU6bGF0ZXN0QHNoYTI1NjoyMWRjNjA2M2ZkNjc4YjQ3OGY1N2MwZTEzZjQ3NTYwZDBlYTRlZWJhMjZkZmM5NDdiMmE0ZjgxZjY4NmI5ZjQ1KgwIpZnPuwYQmuPxqgI="}
{"id":"moby.buildkit.trace","aux":"EtYBCm9yZXNvbHZlIGRvY2tlci5pby9saWJyYXJ5L2FscGluZTpsYXRlc3RAc2hhMjU2OjIxZGM2MDYzZmQ2NzhiNDc4ZjU3YzBlMTNmNDc1NjBkMGVhNGVlYmEyNmRmYzk0N2IyYTRmODFmNjg2YjlmNDUSR3NoYTI1NjpmM2M0NTZlNjc0NjNhMTZjZGIwZTYxNTI3MGU3N2EzODk1NDc3ZGIxN2ZmZGQxYzE0MTQ5ZjliYjg0YTdlNjgyMgwIpZnPuwYQ243jqwI6DAilmc+7BhCah+OrAg=="}
{"id":"moby.buildkit.trace","aux":"CtkBCkdzaGEyNTY6ZjNjNDU2ZTY3NDYzYTE2Y2RiMGU2MTUyNzBlNzdhMzg5NTQ3N2RiMTdmZmRkMWMxNDE0OWY5YmI4NGE3ZTY4MhpyWzEvMl0gRlJPTSBkb2NrZXIuaW8vbGlicmFyeS9hbHBpbmU6bGF0ZXN0QHNoYTI1NjoyMWRjNjA2M2ZkNjc4YjQ3OGY1N2MwZTEzZjQ3NTYwZDBlYTRlZWJhMjZkZmM5NDdiMmE0ZjgxZjY4NmI5ZjQ1KgwIpZnPuwYQmuPxqgIyDAilmc+7BhCh8c+eAxLkAQpvcmVzb2x2ZSBkb2NrZXIuaW8vbGlicmFyeS9hbHBpbmU6bGF0ZXN0QHNoYTI1NjoyMWRjNjA2M2ZkNjc4YjQ3OGY1N2MwZTEzZjQ3NTYwZDBlYTRlZWJhMjZkZmM5NDdiMmE0ZjgxZjY4NmI5ZjQ1EkdzaGEyNTY6ZjNjNDU2ZTY3NDYzYTE2Y2RiMGU2MTUyNzBlNzdhMzg5NTQ3N2RiMTdmZmRkMWMxNDE0OWY5YmI4NGE3ZTY4MjIMCKWZz7sGENitzZ4DOgwIpZnPuwYQmofjqwJCDAilmc+7BhCOqs2eAw=="}
{"id":"moby.buildkit.trace","aux":"CtkBCkdzaGEyNTY6ZjNjNDU2ZTY3NDYzYTE2Y2RiMGU2MTUyNzBlNzdhMzg5NTQ3N2RiMTdmZmRkMWMxNDE0OWY5YmI4NGE3ZTY4MhpyWzEvMl0gRlJPTSBkb2NrZXIuaW8vbGlicmFyeS9hbHBpbmU6bGF0ZXN0QHNoYTI1NjoyMWRjNjA2M2ZkNjc4YjQ3OGY1N2MwZTEzZjQ3NTYwZDBlYTRlZWJhMjZkZmM5NDdiMmE0ZjgxZjY4NmI5ZjQ1KgwIpZnPuwYQvZDVngMyDAilmc+7BhD87NmeAwrLAQpHc2hhMjU2OmYzYzQ1NmU2NzQ2M2ExNmNkYjBlNjE1MjcwZTc3YTM4OTU0NzdkYjE3ZmZkZDFjMTQxNDlmOWJiODRhN2U2ODIaclsxLzJdIEZST00gZG9ja2VyLmlvL2xpYnJhcnkvYWxwaW5lOmxhdGVzdEBzaGEyNTY6MjFkYzYwNjNmZDY3OGI0NzhmNTdjMGUxM2Y0NzU2MGQwZWE0ZWViYTI2ZGZjOTQ3YjJhNGY4MWY2ODZiOWY0NSoMCKWZz7sGENbG3J4D"}
{"id":"moby.buildkit.trace","aux":"CtkBCkdzaGEyNTY6ZjNjNDU2ZTY3NDYzYTE2Y2RiMGU2MTUyNzBlNzdhMzg5NTQ3N2RiMTdmZmRkMWMxNDE0OWY5YmI4NGE3ZTY4MhpyWzEvMl0gRlJPTSBkb2NrZXIuaW8vbGlicmFyeS9hbHBpbmU6bGF0ZXN0QHNoYTI1NjoyMWRjNjA2M2ZkNjc4YjQ3OGY1N2MwZTEzZjQ3NTYwZDBlYTRlZWJhMjZkZmM5NDdiMmE0ZjgxZjY4NmI5ZjQ1KgwIpZnPuwYQ1sbcngMyDAilmc+7BhDsrNChAw=="}
{"id":"moby.buildkit.trace","aux":"Cv8BCkdzaGEyNTY6ZGI1YjBhOWFlZTU3M2Q4NWM4NWM0ZDQ5Y2UyN2M5ZjkxNjNjZTJiM2I1N2U2YjJhMzU0NzY0YmEyMzE5ZTUzORJHc2hhMjU2OmYzYzQ1NmU2NzQ2M2ExNmNkYjBlNjE1MjcwZTc3YTM4OTU0NzdkYjE3ZmZkZDFjMTQxNDlmOWJiODRhN2U2ODISR3NoYTI1Njo5ZmE1Y2U2NWM1MmUxNTAzZWU0NWExYzljNWVjOTFlZDJmNmQ4MzNiYWIyZDBhZDIwYjNmNzhhZThlOGY5NmFmGhRbMi8yXSBBREQgZmxhZyAvZmxhZyoMCKWZz7sGENKp6KID"}
{"id":"moby.buildkit.trace","aux":"Co0CCkdzaGEyNTY6ZGI1YjBhOWFlZTU3M2Q4NWM4NWM0ZDQ5Y2UyN2M5ZjkxNjNjZTJiM2I1N2U2YjJhMzU0NzY0YmEyMzE5ZTUzORJHc2hhMjU2OmYzYzQ1NmU2NzQ2M2ExNmNkYjBlNjE1MjcwZTc3YTM4OTU0NzdkYjE3ZmZkZDFjMTQxNDlmOWJiODRhN2U2ODISR3NoYTI1Njo5ZmE1Y2U2NWM1MmUxNTAzZWU0NWExYzljNWVjOTFlZDJmNmQ4MzNiYWIyZDBhZDIwYjNmNzhhZThlOGY5NmFmGhRbMi8yXSBBREQgZmxhZyAvZmxhZyoMCKWZz7sGENKp6KIDMgwIpZnPuwYQhOP0rQM="}
{"id":"moby.buildkit.trace","aux":"CmsKR3NoYTI1NjpmMWM5ZDIzNTNhOWRlZjgwOTI2OGRmMjhhMjU4YzExNTA2ODcxMWE0ZmFiYzM1MjNkOGJhZDIxOTgyMDc3MjFjGhJleHBvcnRpbmcgdG8gaW1hZ2UqDAilmc+7BhCb1c6uAxJ3ChBleHBvcnRpbmcgbGF5ZXJzEkdzaGEyNTY6ZjFjOWQyMzUzYTlkZWY4MDkyNjhkZjI4YTI1OGMxMTUwNjg3MTFhNGZhYmMzNTIzZDhiYWQyMTk4MjA3NzIxYzIMCKWZz7sGEMuw1a4DOgwIpZnPuwYQ0a7VrgM="}
{"id":"moby.buildkit.trace","aux":"EoUBChBleHBvcnRpbmcgbGF5ZXJzEkdzaGEyNTY6ZjFjOWQyMzUzYTlkZWY4MDkyNjhkZjI4YTI1OGMxMTUwNjg3MTFhNGZhYmMzNTIzZDhiYWQyMTk4MjA3NzIxYzIMCKWZz7sGEJvwm7wDOgwIpZnPuwYQ0a7VrgNCDAilmc+7BhCw6Zu8AxLBAQpaZXhwb3J0aW5nIG1hbmlmZXN0IHNoYTI1Njo5YjdlZGFhNGEzNGZlNjkzMDc4MzY2NGNmZDU2YzQ2NTA3MDhhYTE2OGFiYWU3ZWQ0ZTM4YmM3NGI5OTgzNmQwEkdzaGEyNTY6ZjFjOWQyMzUzYTlkZWY4MDkyNjhkZjI4YTI1OGMxMTUwNjg3MTFhNGZhYmMzNTIzZDhiYWQyMTk4MjA3NzIxYzIMCKWZz7sGENukpLwDOgwIpZnPuwYQ3qOkvAM="}
{"id":"moby.buildkit.trace","aux":"Es8BClpleHBvcnRpbmcgbWFuaWZlc3Qgc2hhMjU2OjliN2VkYWE0YTM0ZmU2OTMwNzgzNjY0Y2ZkNTZjNDY1MDcwOGFhMTY4YWJhZTdlZDRlMzhiYzc0Yjk5ODM2ZDASR3NoYTI1NjpmMWM5ZDIzNTNhOWRlZjgwOTI2OGRmMjhhMjU4YzExNTA2ODcxMWE0ZmFiYzM1MjNkOGJhZDIxOTgyMDc3MjFjMgwIpZnPuwYQ7uX9vQM6DAilmc+7BhDeo6S8A0IMCKWZz7sGEPTj/b0DEr8BClhleHBvcnRpbmcgY29uZmlnIHNoYTI1Njo3NDc2ZTQ1Nzg0MTY4OTM2NGU5YzlkYjY4OWVlZDM4MjY4NjkwNDRkYTU4OThkM2Y0ZmI2MjEwYTk4NDE1YjNlEkdzaGEyNTY6ZjFjOWQyMzUzYTlkZWY4MDkyNjhkZjI4YTI1OGMxMTUwNjg3MTFhNGZhYmMzNTIzZDhiYWQyMTk4MjA3NzIxYzIMCKWZz7sGEMz+/b0DOgwIpZnPuwYQz/39vQM="}
{"id":"moby.buildkit.trace","aux":"Es0BClhleHBvcnRpbmcgY29uZmlnIHNoYTI1Njo3NDc2ZTQ1Nzg0MTY4OTM2NGU5YzlkYjY4OWVlZDM4MjY4NjkwNDRkYTU4OThkM2Y0ZmI2MjEwYTk4NDE1YjNlEkdzaGEyNTY6ZjFjOWQyMzUzYTlkZWY4MDkyNjhkZjI4YTI1OGMxMTUwNjg3MTFhNGZhYmMzNTIzZDhiYWQyMTk4MjA3NzIxYzIMCKWZz7sGEMrEhsADOgwIpZnPuwYQz/39vQNCDAilmc+7BhDQwobAAxKRAQoqbmFtaW5nIHRvIGRvY2tlci5pby9saWJyYXJ5L215aW1hZ2U6bGF0ZXN0EkdzaGEyNTY6ZjFjOWQyMzUzYTlkZWY4MDkyNjhkZjI4YTI1OGMxMTUwNjg3MTFhNGZhYmMzNTIzZDhiYWQyMTk4MjA3NzIxYzIMCKWZz7sGEK7phsADOgwIpZnPuwYQseiGwAM="}
{"id":"moby.buildkit.trace","aux":"Ep8BCipuYW1pbmcgdG8gZG9ja2VyLmlvL2xpYnJhcnkvbXlpbWFnZTpsYXRlc3QSR3NoYTI1NjpmMWM5ZDIzNTNhOWRlZjgwOTI2OGRmMjhhMjU4YzExNTA2ODcxMWE0ZmFiYzM1MjNkOGJhZDIxOTgyMDc3MjFjMgwIpZnPuwYQhvK/wAM6DAilmc+7BhCx6IbAA0IMCKWZz7sGEN/wv8ADEpQBCi11bnBhY2tpbmcgdG8gZG9ja2VyLmlvL2xpYnJhcnkvbXlpbWFnZTpsYXRlc3QSR3NoYTI1NjpmMWM5ZDIzNTNhOWRlZjgwOTI2OGRmMjhhMjU4YzExNTA2ODcxMWE0ZmFiYzM1MjNkOGJhZDIxOTgyMDc3MjFjMgwIpZnPuwYQ7oTBwAM6DAilmc+7BhDHg8HAAw=="}
{"id":"moby.buildkit.trace","aux":"EqIBCi11bnBhY2tpbmcgdG8gZG9ja2VyLmlvL2xpYnJhcnkvbXlpbWFnZTpsYXRlc3QSR3NoYTI1NjpmMWM5ZDIzNTNhOWRlZjgwOTI2OGRmMjhhMjU4YzExNTA2ODcxMWE0ZmFiYzM1MjNkOGJhZDIxOTgyMDc3MjFjMgwIpZnPuwYQoK/ZxAM6DAilmc+7BhDHg8HAA0IMCKWZz7sGEK+q2cQD"}
{"id":"moby.buildkit.trace","aux":"CnkKR3NoYTI1NjpmMWM5ZDIzNTNhOWRlZjgwOTI2OGRmMjhhMjU4YzExNTA2ODcxMWE0ZmFiYzM1MjNkOGJhZDIxOTgyMDc3MjFjGhJleHBvcnRpbmcgdG8gaW1hZ2UqDAilmc+7BhCb1c6uAzIMCKWZz7sGELGLk8YD"}
{"id":"moby.image.id","aux":{"ID":"sha256:9b7edaa4a34fe6930783664cfd56c4650708aa168abae7ed4e38bc74b99836d0"}}

docker image  ls
REPOSITORY   TAG       IMAGE ID       CREATED          SIZE
myimage      latest    9b7edaa4a34f   6 seconds ago    12.8MB
alpine       latest    21dc6063fd67   3 weeks ago      12.8MB

thaJeztah · 2024-12-31T11:21:51Z

Also tried the terraform example, and with that, pulling looks to be working (so definitely issue with the reproduction go code);

Before:

docker run -it --rm -v ./testbuilder/:/testbuilder -w /testbuilder -v /var/run/docker.sock:/var/run/docker.sock --entrypoint /bin/sh hashicorp/terraform:latest

terraform init
# ....

terraform apply -auto-approve

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # docker_image.my-image will be created
  + resource "docker_image" "my-image" {
      + id          = (known after apply)
      + image_id    = (known after apply)
      + name        = "my-image:latest"
      + repo_digest = (known after apply)

      + build {
          + cache_from     = []
          + context        = "/testbuilder"
          + dockerfile     = "Dockerfile"
          + extra_hosts    = []
          + remove         = true
          + security_opt   = []
          + tag            = []
            # (11 unchanged attributes hidden)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
docker_image.my-image: Creating...
╷
│ Error: failed to read downloaded context: failed to load cache key: invalid response status 403
│
│
│
│   with docker_image.my-image,
│   on main.tf line 14, in resource "docker_image" "my-image":
│   14: resource "docker_image" "my-image" {
│
╵

After:

docker run -it --rm -v ./testbuilder/:/testbuilder -w /testbuilder -v /var/run/docker.sock:/var/run/docker.sock --entrypoint /bin/sh hashicorp/terraform:latest

terraform init
# ....

terraform apply -auto-approve

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

Terraform will perform the following actions:

  # docker_image.my-image will be created
  + resource "docker_image" "my-image" {
      + id          = (known after apply)
      + image_id    = (known after apply)
      + name        = "my-image:latest"
      + repo_digest = (known after apply)

      + build {
          + cache_from     = []
          + context        = "/testbuilder"
          + dockerfile     = "Dockerfile"
          + extra_hosts    = []
          + remove         = true
          + security_opt   = []
          + tag            = []
            # (11 unchanged attributes hidden)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
docker_image.my-image: Creating...
docker_image.my-image: Creation complete after 1s [id=sha256:31c6e14aad4d37002e20cf3a94e1659f081471b7807f5dfa99a4f372914ce407my-image:latest]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

thaJeztah

LGTM

rumpl · 2024-12-31T13:50:28Z

In the terraform example I think it's not using buildkit but the classic builder...

rumpl · 2024-12-31T14:51:08Z

In the terraform example I think it's not using buildkit but the classic builder...

Scratch that, terraform is using buildkit

rumpl · 2024-12-31T14:54:53Z

Okay so yeah, the code provided by @vvoland was missing a piece, when you call /build with Buildkit enabled you have to create a session and pass it, see:

https://github.com/kreuzwerker/terraform-provider-docker/blob/7155ab079c4d95cf21e8cb9946670a2ddf844f73/internal/provider/resource_docker_image_funcs.go#L358-L375

thaJeztah · 2024-12-31T15:12:19Z

Ah, nice! Didn't actually realize that provider was written in Go (didn't go looking as well TBH 😅)

thaJeztah · 2025-01-03T18:16:38Z

Bringing this in; I got an "lgtm" from @tonistiigi on Slack

Use the roundtripper during build

8d5cf1d

The roundtripper is responsible for giving back the build context when it comes from a tar directly. So we add it to the source manager of the containerd worker. Signed-off-by: Djordje Lukic <[email protected]>

rumpl added area/builder Build kind/bugfix PR's that fix bugs containerd-integration Issues and PRs related to containerd integration labels Dec 30, 2024

rumpl requested review from thaJeztah and vvoland December 30, 2024 22:40

rumpl requested a review from tonistiigi as a code owner December 30, 2024 22:40

rumpl mentioned this pull request Dec 30, 2024

Support for Documentation On Disabling containerd To Fix 403 Error On Build kreuzwerker/terraform-provider-docker#660

Closed

rumpl commented Dec 31, 2024

View reviewed changes

thaJeztah added this to the 28.0.0 milestone Dec 31, 2024

thaJeztah added the process/cherry-pick/27.x label Dec 31, 2024

thaJeztah approved these changes Dec 31, 2024

View reviewed changes

thaJeztah mentioned this pull request Dec 31, 2024

failed to read downloaded context: failed to load cache key: invalid response status 403 moby/buildkit#5623

Closed

rumpl mentioned this pull request Jan 2, 2025

[27.x backport] Use the roundtripper during build #49194

Merged

thaJeztah added process/cherry-picked process/cherry-pick/25.0 process/cherry-pick/26.1 and removed process/cherry-pick/27.x labels Jan 2, 2025

thaJeztah merged commit b7ae700 into moby:master Jan 3, 2025
184 checks passed

thaJeztah removed the process/cherry-pick/26.1 label Sep 9, 2025

	hs, err := http.NewSource(http.Opt{
	CacheAccessor: cm,
	Transport: opt.Transport,
	})
	if err == nil {
	sm.Register(hs)
	} else {
	log.G(context.TODO()).Warnf("Could not register builder http source: %s", err)
	}

Comments

Conversation

rumpl commented Dec 30, 2024 • edited by vvoland Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

thaJeztah commented Dec 31, 2024

Uh oh!

thaJeztah commented Dec 31, 2024

Uh oh!

thaJeztah left a comment

Choose a reason for hiding this comment

Uh oh!

rumpl commented Dec 31, 2024

Uh oh!

rumpl commented Dec 31, 2024

Uh oh!

rumpl commented Dec 31, 2024

Uh oh!

thaJeztah commented Dec 31, 2024

Uh oh!

thaJeztah commented Jan 3, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

rumpl commented Dec 30, 2024 •

edited by vvoland

Loading