index annotations not supported for single platform export

[meriouma]

Contributing guidelines

• I've read the contributing guidelines and wholeheartedly agree

I've found a bug and checked that ...

• ... the documentation does not mention anything about my problem
• ... there are no open or closed issues that are related to my problem

Description

We just updated to buildx 0.16 and we are now getting the error index annotations not supported for single platform export when using the GitHub action docker/build-push-action with a single platform.

Expected behaviour

Annotations on a single platform works as before. The OCI Image Index specification specifies that annotations are supported on the image index, and :

The image index is a higher-level manifest which points to specific image manifests, ideal for one or more platforms

Actual behaviour

The build fails with

#37 exporting to image
#37 exporting layers
#37 exporting layers 7.2s done
#37 ERROR: index annotations not supported for single platform export

Buildx version

github.com/docker/buildx v0.16.0 10c9ff9

Docker info

No response

Builders list

Output from inspect step

        "buildkitd-flags": "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host",
        "buildkit": "v0.14.1",
        "platforms": "linux/amd64,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4,linux/386",

### Configuration

Any

### Build logs

_No response_

### Additional info

_No response_

[tonistiigi]

@treuherz

[tonistiigi]

Can you post an example build and what export options do you use. Was your (single-platform) build result image index before?

[treuherz]

This error is returned by buildkit here. #2546 should only have affected the inputs to imagetools.Combine. That could mean this was instead caused by #2522, and buildx just wasn't sending index annotations at all before. Given where that error comes from, it seems like buildkit would not have produced an index for this call anyway which is a different issue.

[meriouma]

This is the command line ran by the GitHub action :

/usr/local/bin/docker buildx build --annotation index-descriptor,manifest-descriptor,index,manifest:org.opencontainers.image.version=1.6.0 \
	--annotation index-descriptor,manifest-descriptor,index,manifest:org.opencontainers.image.created=2024-06-10T22:31:11.110Z \
	--build-arg APPLICATION_VERSION=1.6.0 \
	--file ./exporter/build/docker/native-main/DockerfileNative \
	--iidfile /home/runner/work/_temp/docker-actions-toolkit-KLYlwZ/build-iidfile-aa87b6a9fa.txt \
	--label org.opencontainers.image.version=1.6.0 \
	--label org.opencontainers.image.created=2024-06-10T22:31:11.110Z \
	--platform linux/amd64 \
	--attest type=provenance,disabled=true \
	--metadata-file /home/runner/work/_temp/docker-actions-toolkit-KLYlwZ/build-metadata-7d42865065.json \
	--push ./exporter/build/docker/native-main

Not sure if that's what you're asking, but running docker buildx imagetools inspect --raw on an older image returns this

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "digest": "sha256:6488ec27eff3b8bd1d467466083560aabb258a4ecbed5545a6ee5938a110ff0c",
    "size": 3519
  },
  "annotations": {
    "index-descriptor,manifest-descriptor,index,manifest:org.opencontainers.image.created": "2024-06-10T22:31:11.110Z",
    "index-descriptor,manifest-descriptor,index,manifest:org.opencontainers.image.version": "1.6.0"
  }
}

[treuherz]

Thank you for providing that. This looks like my hunch is right. You're using the --annotation index-descriptor,manifest-descriptor,... trick, but two things have been going wrong.

1. Until Make multi-type annotation settings match docs #2522 (released in v0.16.0), this didn't work properly. As you can see in your pasted output, your annotation keys are e.g. index-descriptor,manifest-descriptor,index,manifest:org.opencontainers.image.created rather than applying the org.opencontainers.image.created annotation to all four of those resource types
2. This output you've been getting is not an index, it's a manifest as you can see from the mediaType. Docker seems to only export an index for single-platform images. Now that the index annotation you specified is passed to buildkit, you're getting an error message where before it was just silently giving you a manifest.

In the short term, the easiest fix would be for you to remove all but the manifest type from your annotation keys. This should get your builds succeeding, and they'll have the annotations you asked for. The exported artifact will still be a manifest not an index, but it seems like that's worked for you up till now even if it wasn't what you expected.

For whether this should produce an index I need to defer to @tonistiigi

[tonistiigi]

For whether this should produce an index I need to defer to

Looks correct that there is no index for that build. Normally, we now have index now for adding attestations but in this build default provenance is explicitly disabled. Another way to opt-in to index in this case should be --build-arg BUILDKIT_MULTI_PLATFORM=1.

[meriouma]

Thanks! BUILDKIT_MULTI_PLATFORM=1 seems to do the trick.

[thompson-shaun]

OK to close this once docker/docs#20419 is merged in? @dvdksn @meriouma