Build multiarch #31

Merged
merged 5 commits into from
Feb 2, 2023

Zoey2936
Contributor

@Zoey2936 Zoey2936 commented Jan 18, 2023

Signed-off-by: Zoey <zoey@z0ey.de>

Based on: nextcloud/all-in-one#490 (reply in thread)
Should work, but not tested

I don't know, but maybe AIO needs support for the latest-amd64, beta-amd64 etc tags? (Internally)

It first created the ":develop" tag, after the "develop-arm64" tag was built, but the "develop-amd64" tag is available earlier

@szaimen
Collaborator

szaimen commented Jan 18, 2023

Thanks Zoey! However I'd like to keep the current build workflow and only change the promote to beta and promote to latest workflows. Would that be possible? :)

@szaimen
Collaborator

szaimen commented Jan 18, 2023

Also let's not change latest to latest-amd64, etc.

Additionally, we will need to keep the latest-arm64 and beta-arm64 as otherwise current instances will not be able to update anymore...

@Zoey2936
Contributor Author

Zoey2936 commented Jan 18, 2023

Additionally, we will need to keep the latest-arm64 and beta-arm64 as otherwise current instances will not be able to update anymore...
It creates:

  • "channel" - multiarch
  • "channel-arm64" - arm64
  • "channel-amd64" - amd64

all for the channels develop, beta and latest

@szaimen
Collaborator

szaimen commented Jan 18, 2023

  • "channel-amd64" - amd64

I would not introduce this as we don't need it anymore with multiarch...

@Zoey2936
Contributor Author

Thanks Zoey! However I'd like to keep the current build workflow and only change the promote to beta and promote to latest workflows. Would that be possible? :)

no multiarch tag for the develop channel?

@szaimen
Collaborator

szaimen commented Jan 18, 2023

no multiarch tag for the develop channel?

yes, this is the most stable way that I see of doing this.

@szaimen
Collaborator

szaimen commented Jan 18, 2023

  • "channel-arm64" - arm64

yeah, we need to keep this for update reasons

@Zoey2936
Contributor Author

should be done

@szaimen
Collaborator

szaimen commented Jan 18, 2023

Thanks a lot! However in order to support this correctly, we would additionally need to adjust the logic in https://github.com/nextcloud/all-in-one/blob/main/php/src/Docker/DockerHubManager.php to use the link mentioned in nextcloud/all-in-one#490 (comment) and get the digest based on the architecture...

@Zoey2936
Contributor Author

Won't work, we can only bundle develop and develop-arm64 to beta, but not copy beta to latest this way

@szaimen
Collaborator

szaimen commented Jan 18, 2023

Won't work, we can only bundle develop and develop-arm64 to beta, but not copy beta to latest this way

I see, is this why you wanted to introduce amd64?

@Zoey2936
Contributor Author

Got it fixed through this: https://stackoverflow.com/a/73885289

@Zoey2936
Contributor Author

Won't work, we can only bundle develop and develop-arm64 to beta, but not copy beta to latest this way

I see, is this why you wanted to introduce amd64?

The reason was to have a multiarch image inside the develop channel

@Zoey2936
Contributor Author

But a question:
Should the "channel-arm64" image be only arm64 or also multiarch?

@szaimen
Collaborator

szaimen commented Jan 18, 2023

Should the "channel-arm64" image be only arm64

Only arm64 imo

@Zoey2936
Contributor Author

Got it fixed through this: https://stackoverflow.com/a/73885289

This option seems to be very new, since in the past I used regctl to copy multiarch images (since docker pull/docker tag/docker push does not work for multiarch)

@Zoey2936
Contributor Author

Zoey2936 commented Jan 18, 2023

Should the "channel-arm64" image be only arm64

Only arm64 imo

That's good, it would now make (if it works):

  • develop (amd64)
  • develop-arm64 (arm64)
  • beta (multiarch)
  • beta-arm64 (arm64)
  • latest (multiarch)
  • latest-arm64 (multiarch)
  • *-latest (multiarch)
  • *-latest-arm64 (arm64)

@Zoey2936
Contributor Author

Zoey2936 commented Jan 18, 2023

If you need a multiarch image inside the develop channel (for testing), you could try this:

docker manifest create nextcloud/$AIO_NAME\:develop -a nextcloud/$AIO_NAME\:develop -a nextcloud/$AIO_NAME\:develop-arm64
docker manifest push nextcloud/$AIO_NAME\:develop

should I create an additional workflow for this?

@szaimen
Collaborator

szaimen commented Jan 18, 2023

If you need a multiarch image inside the develop channel (for testing), you could try this:

docker manifest create nextcloud/$AIO_NAME\:develop -a nextcloud/$AIO_NAME\:develop -a nextcloud/$AIO_NAME\:develop-arm64
docker manifest push nextcloud/$AIO_NAME\:develop

should I create an additional workflow for this?

Thanks for the offer but I think it is not necessary :)

Edit: ah you mean before pushing to beta... I think it will still be fine...

@szaimen
Collaborator

szaimen commented Jan 18, 2023

That's good, it would now make (if it works):

  • develop (amd64)
  • develop-arm64 (arm64)
  • beta (multiarch)
  • beta-arm64 (arm64)
  • latest (multiarch)
  • latest-arm64 (multiarch)
  • *-latest (multiarch)
  • *-latest-arm64 (arm64)

LGTM :)

@Zoey2936
Contributor Author

Edit: ah you mean before pushing to beta... I think it will still be fine...

So not needed or did I misunderstand this?

@szaimen
Collaborator

szaimen commented Jan 18, 2023

Edit: ah you mean before pushing to beta... I think it will still be fine...

So not needed or did I misunderstand this?

It should not be needed :)

Now with the new endpoint where we get the digest we will likely need to get the correct arch anyway so if it works for single arch it should also work for multiarch

Signed-off-by: Zoey <zoey@z0ey.de>
Co-authored-by: Simon L. <szaimen@e.mail.de>
@Zoey2936
Contributor Author

Zoey2936 commented Feb 1, 2023

@szaimen can you please check these suggestions?

@Zoey2936 Zoey2936 requested a review from szaimen February 1, 2023 22:47
@szaimen
Collaborator

szaimen commented Feb 1, 2023

LGTM! I'll merge this shortly before the next beta release :)

@szaimen szaimen merged commit 8805aa5 into nextcloud-releases:main Feb 2, 2023
@szaimen
Collaborator

szaimen commented Feb 2, 2023

Sorry but I need to revert this as it breaks the update check.

@Zoey2936
Contributor Author

Zoey2936 commented Feb 2, 2023

Sorry but I need to revert this as it breaks the update check.

No problem, but is the update check or the manifest creation the problem?

@szaimen
Collaborator

szaimen commented Feb 2, 2023

root@aio-testing1:~# curl --head  -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/nextcloud/all-in-one/manifests/beta -H 'Accept: application/vnd.docker.distribution.manifest.v2+json'
HTTP/1.1 200 OK
content-length: 7147
content-type: application/vnd.docker.distribution.manifest.v2+json
docker-content-digest: sha256:a3ee61011e97d4b1acdf3c701a2dc876fd95a4768454f4c7ca843a63df983738
docker-distribution-api-version: registry/2.0
etag: "sha256:a3ee61011e97d4b1acdf3c701a2dc876fd95a4768454f4c7ca843a63df983738"
date: Thu, 02 Feb 2023 15:43:51 GMT
strict-transport-security: max-age=31536000
ratelimit-limit: 100;w=21600
ratelimit-remaining: 71;w=21600
docker-ratelimit-source: 65.108.215.1
root@aio-testing1:~# docker pull nextcloud/all-in-one:beta
beta: Pulling from nextcloud/all-in-one
Digest: sha256:bf59f87fedd524d235e5efbef5173f8bc3fe7a9404a563ac9a4e5ab810633712
Status: Image is up to date for nextcloud/all-in-one:beta
root@aio-testing1:~# curl -L https://registry.hub.docker.com/v2/repositories/nextcloud/aio-apache/tags?page_size=12 | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10343    0 10343    0     0  13162      0 --:--:-- --:--:-- --:--:-- 13159

    {
      "creator": 15421996,
      "id": 202800524,
      "images": [
        {
          "architecture": "amd64",
          "features": "",
          "variant": null,
          "digest": "sha256:063b1ea68110e862e88a4a20194c6666e6ad1a7e71435c07360178eb53cfefb9",
          "os": "linux",
          "os_features": "",
          "os_version": null,
          "size": 57077674,
          "status": "active",
          "last_pulled": "2023-02-02T14:35:11.670431Z",
          "last_pushed": "2023-02-02T14:35:11.367247Z"
        },
        {
          "architecture": "arm64",
          "features": "",
          "variant": null,
          "digest": "sha256:8298e1ffdfc945d7c5ec0c6b95e92f17c8b08304e4a764a96d1a2a8fce1e5180",
          "os": "linux",
          "os_features": "",
          "os_version": null,
          "size": 55782853,
          "status": "active",
          "last_pulled": "2023-02-02T14:35:17.882929Z",
          "last_pushed": "2023-02-02T14:35:17.658241Z"
        }
      ],
      "last_updated": "2023-02-02T15:24:50.896102Z",
      "last_updater": 15421996,
      "last_updater_username": "ncsimon",
      "name": "beta",
      "repository": 15915706,
      "full_size": 57077674,
      "v2": true,
      "tag_status": "active",
      "tag_last_pulled": "2023-02-02T14:35:17.882929Z",
      "tag_last_pushed": "2023-02-02T15:24:50.896102Z",
      "media_type": "application/vnd.docker.distribution.manifest.list.v2+json",
      "content_type": "image",
      "digest": "sha256:f83933bef4353a85a6cdcb1eac844097f8c9a6693ae1c23881af154ea9d05e4b"
    },

@szaimen szaimen mentioned this pull request Feb 2, 2023
@szaimen
Collaborator

szaimen commented Feb 2, 2023

So somehow the digests did not match at all...

@Zoey2936
Contributor Author

Zoey2936 commented Feb 2, 2023

I've tested on one of my images:

docker pull zoeyvid/nginx-proxy-manager:latest
latest: Pulling from zoeyvid/nginx-proxy-manager
Digest: sha256:faa8d61aaca78286d346a63e6879924d53f7c286037acc1312495e7c10d9c28f
Status: Image is up to date for zoeyvid/nginx-proxy-manager:latest
docker.io/zoeyvid/nginx-proxy-manager:latest
root@dns:~# curl https://registry-1.docker.io/v2/zoeyvid/nginx-proxy-manager/manifests/latest -H "Authorization: Bearer $(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:zoeyvid/nginx-proxy-manager:pull" | jq -r .token)" -H  "Accept: application/vnd.oci.image.index.v1+json" -I
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4431    0  4431    0     0   2692      0 --:--:--  0:00:01 --:--:--  2693
HTTP/1.1 200 OK
content-length: 1609
content-type: application/vnd.oci.image.index.v1+json
docker-content-digest: sha256:faa8d61aaca78286d346a63e6879924d53f7c286037acc1312495e7c10d9c28f
docker-distribution-api-version: registry/2.0
etag: "sha256:faa8d61aaca78286d346a63e6879924d53f7c286037acc1312495e7c10d9c28f"
date: Thu, 02 Feb 2023 16:15:04 GMT
strict-transport-security: max-age=31536000
ratelimit-limit: 100;w=21600
ratelimit-remaining: 95;w=21600
docker-ratelimit-source: <my-ip>
root@dns:~# curl https://registry-1.docker.io/v2/zoeyvid/nginx-proxy-manager/manifests/latest -H "Authorization: Bearer $(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:zoeyvid/nginx-proxy-manager:pull" | jq -r .token)" -H  "Accept: application/vnd.oci.image.index.v1+json"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4431    0  4431    0     0   3094      0 --:--:--  0:00:01 --:--:--  3096
{
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "schemaVersion": 2,
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:65d7e73b14b7b8c668f8ea5dad7b225b8de6d4d241dbd26d7adc9e578248d238",
      "size": 2007,
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:c64332f196416fec8c936e682fe7953749a8d6a8597004f131781df6187f746b",
      "size": 2007,
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:45aaeebc37d96d6d6d45b5c9a63dd5f96fa735d1b087bd28801236e40853a89f",
      "size": 567,
      "annotations": {
        "vnd.docker.reference.digest": "sha256:65d7e73b14b7b8c668f8ea5dad7b225b8de6d4d241dbd26d7adc9e578248d238",
        "vnd.docker.reference.type": "attestation-manifest"
      },
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:80fd370fcbc4c1fa2df4bb1ceaf4f8e2a00d7ed4039541992b212bade8dde91e",
      "size": 567,
      "annotations": {
        "vnd.docker.reference.digest": "sha256:c64332f196416fec8c936e682fe7953749a8d6a8597004f131781df6187f746b",
        "vnd.docker.reference.type": "attestation-manifest"
      },
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    }
  ]
}

@szaimen
Collaborator

szaimen commented Feb 2, 2023

Yes, so as you can see, the Docker registry somehow does not return the correct digest...

@Zoey2936
Contributor Author

Zoey2936 commented Feb 2, 2023

Yes, so as you can see, the Docker registry somehow does not return the correct digest...

The digest reports: sha256:faa8d61aaca78286d346a63e6879924d53f7c286037acc1312495e7c10d9c28f from docker pull and request to registry-1.docker.io

@szaimen
Collaborator

szaimen commented Feb 2, 2023

Yes but the correct digest is not in the list of https://registry.hub.docker.com/v2/repositories/nextcloud/aio-apache/tags?page_size=12

@szaimen
Collaborator

szaimen commented Feb 2, 2023

or am I misunderstanding something?

@Zoey2936
Contributor Author

Zoey2936 commented Feb 2, 2023

Found a solution:
Docker version 23.0.0 and buildx version v0.10.2
Dockerfile:

FROM alpine

Commands:

docker buildx build -t zoeyvid/alpine:amd64 --push --platform amd64 . --provenance false
docker buildx build -t zoeyvid/alpine:arm64 --push --platform arm64 . --provenance false
docker manifest create zoeyvid/alpine:latest -a zoeyvid/alpine:arm64 -a zoeyvid/alpine:amd64
docker manifest push zoeyvid/alpine:latest
root@dns:~# curl -H "Authorization: Bearer $(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:zoeyvid/alpine:pull" -s | jq -r .token)" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json"  https://registry-1.docker.io/v2/zoeyvid/alpine/manifests/arm64 -Is | grep docker-content-digest
docker-content-digest: sha256:456f196cd6a39d0b3d06ff0026b0d91297ce0ac8e1ff945d8cf40583bb06d15f
root@dns:~# docker pull zoeyvid/alpine:arm64
arm64: Pulling from zoeyvid/alpine
Digest: sha256:456f196cd6a39d0b3d06ff0026b0d91297ce0ac8e1ff945d8cf40583bb06d15f
Status: Image is up to date for zoeyvid/alpine:arm64
docker.io/zoeyvid/alpine:arm64
root@dns:~# curl -H "Authorization: Bearer $(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:zoeyvid/alpine:pull" -s | jq -r .token)" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json"  https://registry-1.docker.io/v2/zoeyvid/alpine/manifests/latest -Is | grep docker-content-digest
docker-content-digest: sha256:41a7beafbb7018eb23b88eecf40cbf9caf04d05591f24fc8e29c32b9ae8cfc9f
root@dns:~# docker pull zoeyvid/alpine:latest
latest: Pulling from zoeyvid/alpine
Digest: sha256:41a7beafbb7018eb23b88eecf40cbf9caf04d05591f24fc8e29c32b9ae8cfc9f
Status: Image is up to date for zoeyvid/alpine:latest
docker.io/zoeyvid/alpine:latest

@Zoey2936
Contributor Author

Zoey2936 commented Feb 2, 2023

This would require the old api implementation

@szaimen
Collaborator

szaimen commented Feb 2, 2023

root@dns:~# curl -H "Authorization: Bearer $(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:zoeyvid/alpine:pull" -s | jq -r .token)" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json" https://registry-1.docker.io/v2/zoeyvid/alpine/manifests/latest -Is | grep docker-content-digest
docker-content-digest: sha256:41a7beafbb7018eb23b88eecf40cbf9caf04d05591f24fc8e29c32b9ae8cfc9f

Okay, but how to get the amd64 digest in that case, or is the Docker API somehow handling this automatically even though we did not provide the arch at all?

@szaimen
Collaborator

szaimen commented Feb 2, 2023

Additional Question: why is https://registry-1.docker.io/v2/zoeyvid/alpine/manifests/arm64 returning the digest for the latest tag plus arm64, is there a way to provide the tag and the arch?

@Zoey2936
Contributor Author

Zoey2936 commented Feb 2, 2023

root@dns:~# curl -H "Authorization: Bearer $(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:zoeyvid/alpine:pull" -s | jq -r .token)" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json" https://registry-1.docker.io/v2/zoeyvid/alpine/manifests/latest -Is | grep docker-content-digest
docker-content-digest: sha256:41a7beafbb7018eb23b88eecf40cbf9caf04d05591f24fc8e29c32b9ae8cfc9f

Okay, but how to get the amd64 digest in that case, or is the Docker API somehow handling this automatically even though we did not provide the arch at all?

The digest is the same on arm64 and amd64:
arm64:

root@dns:~# docker pull zoeyvid/alpine
Using default tag: latest
latest: Pulling from zoeyvid/alpine
Digest: sha256:41a7beafbb7018eb23b88eecf40cbf9caf04d05591f24fc8e29c32b9ae8cfc9f
Status: Image is up to date for zoeyvid/alpine:latest
docker.io/zoeyvid/alpine:latest

root@dns:~# curl -H "Authorization: Bearer $(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:zoeyvid/alpine:pull" -s | jq -r .token)" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json"  https://registry-1.docker.io/v2/zoeyvid/alpine/manifests/latest -Is | grep docker-content-digest
docker-content-digest: sha256:41a7beafbb7018eb23b88eecf40cbf9caf04d05591f24fc8e29c32b9ae8cfc9f

amd64:

root@mx:~# docker pull zoeyvid/alpine
Using default tag: latest
latest: Pulling from zoeyvid/alpine
Digest: sha256:41a7beafbb7018eb23b88eecf40cbf9caf04d05591f24fc8e29c32b9ae8cfc9f
Status: Image is up to date for zoeyvid/alpine:latest
docker.io/zoeyvid/alpine:latest

root@mx:~# curl -H "Authorization: Bearer $(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:zoeyvid/alpine:pull" -s | jq -r .token)" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json"  https://registry-1.docker.io/v2/zoeyvid/alpine/manifests/latest -Is | grep docker-content-digest
docker-content-digest: sha256:41a7beafbb7018eb23b88eecf40cbf9caf04d05591f24fc8e29c32b9ae8cfc9f

@Zoey2936
Contributor Author

Zoey2936 commented Feb 2, 2023

Additional Question: why is https://registry-1.docker.io/v2/zoeyvid/alpine/manifests/arm64 returning the digest for the latest tag plus arm64, is there a way to provide the tag and the arch?

arm64 returns only the digest of arm64, I don't understand the question?

@szaimen
Collaborator

szaimen commented Feb 2, 2023

Ah I see.

So the manifest digest is the same on arm64 and on amd64 for multiarch?

@Zoey2936
Contributor Author

Zoey2936 commented Feb 2, 2023

Ah I see.

So the manifest digest is the same on arm64 and on amd64 for multiarch?

Yes

@szaimen
Collaborator

szaimen commented Feb 2, 2023

Okay, wow wouldn't have thought so. That makes things much easier, indeed!

@Zoey2936
Contributor Author

Zoey2936 commented Feb 2, 2023

Can I create a new PR? I think in the mastercontainer the old implementation should work, when the accept header is set to this: application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json

@Zoey2936
Contributor Author

Zoey2936 commented Feb 2, 2023

Only one question, how does the mastercontainer check the digest of the currently used image?

@szaimen
Collaborator

szaimen commented Feb 2, 2023

Only one question, how does the mastercontainer check the digest of the currently used image?

It checks it the same way as the Docker service.

It checks the repodigest of the image.
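
The digest relationship worked out in this thread, as an added example (not code from this PR or from the Nextcloud AIO project): the tag-level digest is the SHA-256 of the manifest list bytes and is identical on every architecture, while each platform's manifest has its own digest inside that list. The index, the digests, the `example/app` repository name and all function names below are constructed for illustration.

```python
import hashlib
import json

# Constructed sample index, shaped like the one quoted in the thread.
# Digests are placeholders, not real registry values.
AMD64 = "sha256:" + "a" * 64
ARM64 = "sha256:" + "b" * 64
ATTESTATION = "sha256:" + "c" * 64
MANIFEST_TYPE = "application/vnd.oci.image.manifest.v1+json"


def entry(digest, arch, os_name, annotations=None):
    item = {"mediaType": MANIFEST_TYPE, "digest": digest, "size": 2007,
            "platform": {"architecture": arch, "os": os_name}}
    if annotations:
        item["annotations"] = annotations
    return item


INDEX_BYTES = json.dumps({
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "schemaVersion": 2,
    "manifests": [
        entry(AMD64, "amd64", "linux"),
        entry(ARM64, "arm64", "linux"),
        entry(ATTESTATION, "unknown", "unknown", {
            "vnd.docker.reference.digest": AMD64,
            "vnd.docker.reference.type": "attestation-manifest"}),
    ],
}, indent=2).encode()


def content_digest(raw: bytes) -> str:
    """Digest of the exact bytes served; this is the docker-content-digest value."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def platform_digest(raw: bytes, arch: str, os_name: str = "linux"):
    """Digest of the single-platform manifest for arch/os, or None."""
    for item in json.loads(raw).get("manifests", []):
        annotations = item.get("annotations", {})
        if annotations.get("vnd.docker.reference.type") == "attestation-manifest":
            continue  # provenance entries are not runnable images
        platform = item.get("platform", {})
        if platform.get("architecture") == arch and platform.get("os") == os_name:
            return item["digest"]
    return None


def update_available(repo_digests, repo: str, remote_digest: str) -> bool:
    """Compare local RepoDigests ("repo@sha256:...") with a remote digest."""
    local = {d.split("@", 1)[1] for d in repo_digests if d.startswith(repo + "@")}
    return remote_digest not in local


if __name__ == "__main__":
    index_digest = content_digest(INDEX_BYTES)
    local = ["example/app@" + index_digest]  # what a pull by tag records
    print("index digest:", index_digest)
    print("amd64 manifest:", platform_digest(INDEX_BYTES, "amd64"))
    # Same kind of digest on both sides: no false update.
    print("vs index digest:", update_available(local, "example/app", index_digest))
    # Per-platform digest against an index RepoDigest: always reports an update.
    print("vs amd64 digest:", update_available(local, "example/app", AMD64))
```

An update check stays correct only when both sides use the same kind of digest, which is why the `Accept` header has to include the manifest list media type.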
