Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

issue pushing image: BLOB_UNKNOWN: Manifest references unknown blob(s) #385

Open
bpmct opened this issue Oct 14, 2024 · 9 comments · May be fixed by #410
Open

issue pushing image: BLOB_UNKNOWN: Manifest references unknown blob(s) #385

bpmct opened this issue Oct 14, 2024 · 9 comments · May be fixed by #410
Assignees
@mafredri

Comments

@bpmct
Copy link
Member

bpmct commented Oct 14, 2024
edited
Loading

envbuilder image: v1.0.3

I'm using Envbuilder and just saw this error when attempting to push an image with this template. This is the first time I tried it. Any ideas?

#2: ENTRYPOINT ["/.envbuilder/bin/envbuilder"]
#2: Taking snapshot of files...
#2: Pushing layer us-central1-docker.pkg.dev/coder-dogfood-v2/envbuilder-cache/coder-dogfood:54caa3ffffdf4ccf8167b88fb35d86690df3c33b209f38144d0c1a568e129d69 to cache now
#2: Pushing image to us-central1-docker.pkg.dev/coder-dogfood-v2/envbuilder-cache/coder-dogfood:54caa3ffffdf4ccf8167b88fb35d86690df3c33b209f38144d0c1a568e129d69
#2: Pushed us-central1-docker.pkg.dev/coder-dogfood-v2/envbuilder-cache/coder-dogfood@sha256:38521b4520703bca0f790759b278cf7897e4b855d910c5fc537a5831fbcaac4b
#2: Pushed us-central1-docker.pkg.dev/coder-dogfood-v2/envbuilder-cache/coder-dogfood@sha256:21095fa572a3c6de7369ceeb83c9a4ee8481a95652af28c5e008e83608510204
#2: 🏗️ Built image! [1m57.651985166s]
#3: 🏗️ Pushing image...
#3: Pushing image to us-central1-docker.pkg.dev/coder-dogfood-v2/envbuilder-cache/coder-dogfood
restore mount /usr/src/linux-headers-5.15.0-97-generic
restore mount /usr/src/linux-hwe-5.15-headers-5.15.0-97
restore mount /lib/modules/5.15.0-97-generic
Restored DOCKER_CONFIG to 
error: do push: failed to push to destination us-central1-docker.pkg.dev/coder-dogfood-v2/envbuilder-cache/coder-dogfood: PUT https://us-central1-docker.pkg.dev/v2/coder-dogfood-v2/envbuilder-cache/coder-dogfood/manifests/latest: BLOB_UNKNOWN: Manifest references unknown blob(s): sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
@coder-labeler coder-labeler bot added the bug label Oct 14, 2024
@bpmct bpmct mentioned this issue Oct 14, 2024
Open
@johnstcn
Copy link
Member

cc @mafredri

@johnstcn
Copy link
Member

I wonder if one of the blobs we previously pushed has been deleted due to age? Need to figure out how to reliably reproduce.

@johnstcn johnstcn changed the title issue pushing image issue pushing image: BLOB_UNKNOWN: Manifest references unknown blob(s) Oct 14, 2024
@bpmct
Copy link
Member Author

bpmct commented Oct 15, 2024

related: i'm not sure if a failed push should prevent the user from entering their workspace. can this fail gracefully while also alerting devs/admins of the problem?

@johnstcn
Copy link
Member

johnstcn commented Oct 15, 2024
edited
Loading

related: i'm not sure if a failed push should prevent the user from entering their workspace

It definitely shouldn't!

EDIT: Actually, there may situations where it's warranted. If you plan to run envbuilder in a CI/CD workflow, then you would want to know that pushing the image failed. We would need to be able to differentiate if pushing the image is a requirement or if pushing the image is a nice side-effect.

@matifali matifali removed the bug label Oct 15, 2024
@johnstcn johnstcn mentioned this issue Oct 15, 2024
Merged
@MartinLoeper
Copy link

I am also experiencing a similar issue: error: do push: failed to push to destination harbor.harbor.svc.cluster.local/envbuilder-cache/test-repo2: PUT https://harbor.harbor.svc.cluster.local/v2/envbuilder-cache/test-repo2/manifests/latest: MANIFEST_BLOB_UNKNOWN: blob unknown to registry; sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1

I wonder why this is happening with harbor. There is definitely no GC going on in my default harbor setup. Has any of you an idea what might be going on here?

@johnstcn
Copy link
Member

johnstcn commented Oct 18, 2024
edited
Loading

I can reproduce this locally as well with registry:2 as the registry with the same Docker image as Ben above (mcr.microsoft.com/vscode/devcontainers/universal:focal).

I can also reproduce this issue with codercom/code-server:latest.

Strangely enough, I can see the blob on the registry filesystem before pushing, and it's just an empty file:

sudo zcat .registry-cache/docker/registry/v2/blobs/sha256/4f/4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1/data | hexdump -C
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400

@johnstcn
Copy link
Member

Querying the registry v2 HTTP API locally, I can see that it is indeed missing despite the layers being on disk:

curl -I http://localhost:5000/v2/cache/blobs/sha256%3A4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1

would return a HTTP 404 Not Found response.

After manually uploading the blob via cURL:

curl -v -XPOST http://localhost:5000/v2/cache/blobs/uploads/ 2>&1 | grep Location:
curl -v -XPUT 'http://localhost:5000/v2/cache/blobs/uploads/<uuid from above>?_state=<state from above>&digest=sha256%3A4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1' --upload-file .registry-cache/docker/registry/v2/blobs/sha256/4f/4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1/data

the previous HEAD request returned a 200 OK response.

Based on the above, it looks like we're just failing to upload that particular blob. Looking further.

@johnstcn johnstcn self-assigned this Oct 18, 2024
@johnstcn johnstcn assigned mafredri and unassigned johnstcn Nov 1, 2024
johnstcn added a commit that referenced this issue Nov 5, 2024
@johnstcn
fix: do not error if failed to push image (#390)
b18cd0e 
Relates to #385

This commit adds an option ENVBUILDER_EXIT_ON_PUSH_FAILURE that controls the previous behaviour of exiting with an error if ENVBUILDER_PUSH_IMAGE was set to a truthy value and we failed to push the image.

- Before, Envbuilder would always exit with an error on a failed push.
- Now, Envbuilder will only exit with an error if ENVBUILDER_EXIT_ON_PUSH_FAILURE is set to a truthy value.
- Otherwise, Envbuilder will continue building the image and executing ENVBUILDER_INIT_SCRIPT even if push fails.
@johnstcn johnstcn pinned this issue Nov 5, 2024
@johnstcn johnstcn unpinned this issue Nov 5, 2024
mafredri added a commit to coder/kaniko that referenced this issue Nov 7, 2024
@mafredri
fix: allow empty run layers to be pushed without force build meta
8aeb946 
Images of type application/vnd.docker.image.rootfs.diff.tar.gzip seem to
break when you try to push metadata-only layers and the layers all share
the same hash. This doesn't seem to be a problem with OCI images.

Ref: coder/envbuilder#385
@mafredri mafredri mentioned this issue Nov 7, 2024
Draft
mafredri added a commit that referenced this issue Nov 7, 2024
@mafredri
fix: avoid BLOB_UNKNOWN by not enabling ForceBuildMetadata
ac450a6 
Ref: #385
Ref: coder/kaniko#34
@mafredri mafredri linked a pull request Nov 7, 2024 that will close this issue
Draft
@MartinLoeper
Copy link

Hey guys, I am waiting for this PR because I could not make caching work in envbuilder test setup for coder. What is the current state of this issue? Is it a known bug with a solution in the making or are there only workarounds like the force flag?

@mafredri
Copy link
Member

mafredri commented Nov 15, 2024
edited
Loading

Hey @MartinLoeper, sorry you're running into this issue. Are you looking to cache the built image (can be used via docker run ...) or are you only looking to produce and use build cache?

If it's the latter, you can simply use ENVBUILDER_PUSH_IMAGE=0. If it's the former, we are still investigating the root cause and are aiming to resolve it next week. The issue seems to be related to us enabling force push metadata in order to do cache probing, however, Kaniko skips over certain layers not necessary for the build so they're never downloaded and can't be pushed. But even when we force Kaniko to download all layers, you'll still run into this issue -- that's the part we're still figuring out.

In the meantime, I think I have a jank workaround for you. It'd be nice if you could try it out and confirm whether or not it works.

Given the following:

  • Registry: ENVBUILDER_CACHE_REPO=localhost:5000/cache
  • Dockerfile: 
    FROM codercom/code-server:latest

USER root
RUN echo hello > /world

The workaround is the following:

docker pull codercom/code-server:latest
docker tag codercom/code-server:latest localhost:5000/cache:latest
docker push localhost:5000/cache:latest

This will populate the missing blobs in the registry and allow the envbuilder build to succeed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mafredri mafredri

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: avoid BLOB_UNKNOWN by not enabling ForceBuildMetadata coder/envbuilder
5 participants
@mafredri @johnstcn @MartinLoeper @matifali @bpmct