Deploying to Fly via GitHub Action failing

kentcdodds · January 19, 2023, 8:59pm

I kicked off my deploy action again and got the same result: fix login issues when out of primary region · kentcdodds/kentcdodds.com@f49314a · GitHub

I was able to get a needed deploy out using --local-only as @nick-brevity suggested so that’s good Back to the slopes God speed!

Charlie_Blackstock · January 19, 2023, 9:27pm

Just tried again, and still getting the same issue. Not able to find the image from the fly registry.

madsbuch · January 19, 2023, 11:40pm

For me it really appears like the image is not published after being uploaded.

It appears like the image is correctly being pushed.

Screenshot 2023-01-19 at 23.39.30

But it can not be resolver thereafter.

I did my best to compare names, tags, and IDs, and everything looked to be correctly written out.

kurt · January 19, 2023, 11:46pm

We’re still working on this. One thing we’re investigating is whether the “current” Ubuntu runner generates images differently. We’ve managed to replicate some of the errors with different buildkit/oci flags, so it’s possible a default changed.

madsbuch · January 19, 2023, 11:57pm

We are using the GitHub runners to build and push the image. Ie. the image should to fully addressable from it’s URL regardless of fly runners.

michael · January 20, 2023, 12:53am

We may have found the issue and a workaround. It looks like sometime earlier today GitHub updated the ubuntu runner which bumped the version of BuildKit from 0.9.1 to 0.10.0. Images built with this version of BuildKit are returning a 404 when our backend attempts to fetch the image manifest from the target registry before a deployment. This is happening for both registry.fly.io and Docker Hub.

Now, I don’t see anything in the BuildKit 0.10.0 release notes that looks related, but something changed and we need to investigate further to figure out and fix our registry client. Until then, reverting to BuildKit 0.9.1 solves the problem.

Workaround

You can either disable BuildKit or specify a working version to get back on track.

Either comment this out:

    steps:
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

or change docker/setup-buildx-action@v2 to pass a version like this:

      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          version: v0.9.1

We’ll keep ya posted.

kentcdodds · January 20, 2023, 1:01am

~~I can confirm this workaround worked for me.~~

Thanks for the investigation! Will stay tuned for when we can remove the workaround

EDIT: Unfortunately I don’t think it did work. So I was able to start the deploy, but the logs of the actual deploy gave me:

2023-01-20T01:00:49Z runner[bb5a374b] den [info]Pull failed, retrying (attempt #1)
2023-01-20T01:00:50Z runner[bb5a374b] den [info]Pull failed, retrying (attempt #2)
2023-01-20T01:00:50Z runner[bb5a374b] den [info]Pulling image failed

This resulted in a rollback.

michael · January 20, 2023, 1:08am

Oh now that’s interesting. I was testing that our registry client could actually see the images. And I was able to confirm that dockerd could pull them down. We run containerd on workers which might be having a problem. Thanks for letting us know!

DAlperin · January 20, 2023, 1:40am

Could you give it another go? We aren’t 100% sure that error isn’t a one-off.

kentcdodds · January 20, 2023, 1:56am

I re-ran the last workflow and wasn’t watching the logs so I’m not sure exactly what happened, but it got a rollback: use workaround for github actions on fly · kentcdodds/kentcdodds.com@90b9d4c · GitHub

mikeglazer · January 20, 2023, 1:59am

That change to specifying the buildkit version worked great for me. Thanks @michael

The only change that might look suspicious in the buildkit changes was this one:

github.com/docker/buildx

Add git provenance labels

docker:master ← cdupuis:git-revision

opened 02:28PM - 29 Aug 22 UTC

cdupuis

+225 -0

As discussed in #1290, this PR adds opt-in labels for Git provenance. The fol…lowing labels will be added when `BUILDX_GIT_LABELS=full` is set: ```json "Labels": { "com.docker.image.source.entrypoint": "Dockerfile", "org.opencontainers.image.revision": "5734329c6af43c2ae295010778cd308866b95d9b", "org.opencontainers.image.source": "git@github.com:atomisthq/kipz-docker-test.git" } ``` With only `BUILDX_GIT_LABELS =1` the repository label will not be included: ```json "Labels": { "com.docker.image.source.entrypoint": "Dockerfile", "org.opencontainers.image.revision": "5734329c6af43c2ae295010778cd308866b95d9b" } ``` If the cloned source is not clean, the `revision` label value will get a `-dirty` suffix: ```json "Labels": { "com.docker.image.source.entrypoint": "Dockerfile", "org.opencontainers.image.revision": "5734329c6af43c2ae295010778cd308866b95d9b-dirty" } ``` fixes #1290

Which adds labels to the published docker image, would that affect Fly in any way?

michael · January 20, 2023, 2:05am

The deploy eventually went through, but it looks like it took longer than expected in one region (maa) which is why the deploy was marked as failed. The maa VM did start eventually though. That’s a separate issue, but at least the image pull worked. Thanks for checking for us!

michael · January 20, 2023, 2:06am

Great to hear. And thanks for the pointer, we’re looking into it.

gyowanny · January 20, 2023, 3:03pm

Hi I can confirm it worked for me by specifying the version! Thanks a lot for your investigation.

dragid10 · January 21, 2023, 12:04pm

michael:

or change docker/setup-buildx-action@v2 to pass a version like this:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          version: v0.9.1

Also confirming that this worked for me!

austinatchley · January 23, 2023, 3:43am

The fix also worked for me. Should this be added to the Remix Stacks now to prevent others from running into the same issue @michael @kentcdodds ?

closedloop · January 23, 2023, 6:36pm

Also works for me - just deployed 5 minutes ago

jeyj0 · January 27, 2023, 10:24am

My own investigation led me to the same change that @mikeglazer identified. For me, adding provenance: false under with: did the trick and allowed me to continue using the newest version of the action.

fubhy · January 27, 2023, 11:55pm

This fix stopped working for us (it worked before) today with:

Download and install buildx
  Error: Cannot find buildx v0.9.1 release

Which is weird because it definitely wasn’t unpublished.

ixn-id · January 28, 2023, 12:15am

Had the same problem today, I was following @jeyj0’s hint and stumbled on this thread

github.com/docker/setup-buildx-action

buildx 0.10.0 seems to have changed something which leads to a different kind of manifests (at least for GCP)

opened 08:16AM - 20 Jan 23 UTC

closed 10:36AM - 20 Jan 23 UTC

Lawouach

### Behaviour #### Steps to reproduce this issue 1. Create a build with bu…ildx v0.9.1 and push it to GCP container registry (or even their new artefact registry) 2. Use said image from Cloud Run => it works 3. Do the same with v0.10.0 and it now fails to be deployed by Cloud Run #### Expected behaviour Either version should work. #### Actual behaviour What I could notice is that, with v0.9.1 we get a single image with a single manifest. With the newer version, it looks like we have three images and a different manifest,. Two of the images are actually empty. with v0.9.1 ```json { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "schemaVersion": 2, "config": { "mediaType": "application/vnd.docker.container.image.v1+json", "digest": "sha256:02dc4c100ef625d2dc5b40499b076a86648d58b05968214a228868966c04cd47", "size": 4445 }, "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:3f701d9643d37eca8cb445ba978c767bc1e07bf958e94504db0298999bfe58c1", "size": 27478988 }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:5359441c5fbe3749694e1aa16b863c2f51af7b2860919abfc226754102cdabfd", "size": 15815598 }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:75c4a9d4d7ef0593255452f2ec0a848a59c17d60b2fe862e0d57e748e8cec377", "size": 1677 }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:b67de70bba634431f53729f10b75ac2385b21c9d970c0a48734ff9a2798ee171", "size": 26863764 }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1", "size": 32 }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:aa1b41bbbf18f17dd7bc8b55ba7048e96d3c855d70c3d928f2d62f5ea4959171", "size": 229 } ] } ``` with v0.10.0 ```json { "mediaType": "application/vnd.oci.image.index.v1+json", "schemaVersion": 2, "manifests": [ { "mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:640eb44cbf9bc53054086d68131f4345138085b0b37d061a812c07c922dbf76c", "size": 1432, "platform": { "architecture": "amd64", "os": "linux" } }, { "mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:752970a0a4550a28f85a0a49530c38e787394f2f10884712816814e3932fc71e", "size": 566, "annotations": { "vnd.docker.reference.digest": "sha256:640eb44cbf9bc53054086d68131f4345138085b0b37d061a812c07c922dbf76c", "vnd.docker.reference.type": "attestation-manifest" }, "platform": { "architecture": "unknown", "os": "unknown" } } ] } ``` My guess is that there is no actual bug with buildx or your action, but GCP cannot handle the different kind of manifest. But I wondered if your action should/could expose a flag that allows using the newer version but keep the old manifest?

What I changed is build-push-action’s config by adding provenance: false

- name: 🐳 Docker build
  uses: docker/build-push-action@v3
  with:
    ...
    provenance: false

I don’t really understand the details, but at least I’m unblocked now.