bazel-contrib / rules_oci Goto Github PK

View Code? Open in Web Editor NEW

228.0 228.0 113.0 665 KB

Bazel rules for building OCI containers

License: Apache License 2.0

Starlark 83.81% jq 0.26% Shell 13.76% Smarty 1.15% Go 0.88% Rust 0.02% Dockerfile 0.12%

rules_oci's People

Contributors

Stargazers

Watchers

Forkers

alexeagle kormide sijin-dm tetsuok psalaberria002 mmogylenko bcmyers gregmagolan mgred smocherla-brex kriswuollett lavatoaster thesayyn vucong2409 josephglanville attilathefun aryeh-looker steeve rahul-theorem eikemeier bobcallaway wyverald jhchabran tstromberg realtimetodie cackalacky-cafe aignas echochamber uhlajs louislu9911 sfc-gh-ptabor brenosantanabruno anguslees sovietaced jamiees2 smndtrl rbielak archen snowflake-labs deevolution ewhauser prestonvanloon connyay mboulton-fathom tokongs timonwong nikron illicitonion simontoens hdya aiuto kotlaja sobotklp ajaypbrt aaliddell avdv hunshcn reillybrogan reltuk tx-chen sfc-gh-dszot gergelyfabian traveltime-dev johnamican bookingcom liningpan gzm0 leriel mattyclarkson siddharthab malt3 prounckk liamd-canva brianduff cameronraysmith jchorl apoxy-dev riking rchincha katre ar3s3ru jmhodges consumingchaos sitaktif spencerc aw185176 cristifalcas ticketmaster bu3 ankit-agarwal1999 iorlandoni jacktigerzhang boleynsu mrmeku jamesreprise nobu-k ptxmac rygx gasblaster jtszalay

rules_oci's Issues

Reproducibility and assertion via CI

One of the important goals of rules_container is to be reproducible. the final image should be canonical as long as the compilation target is the same. we should assert this with our CI pipeline.

A few examples of this would be

host darwin/arm64 cross-compiling to linux/arm64
host darwin/amd64 cross-compiling to linux/arm64
host linux/armel cross-compiling to linux/arm64
host linux/arm64 compiling to linux/arm64
host windows/amd64 cross-compiling to linux/arm64

with all of the cases above, the resulting image should be canonical and have the same digest. this is a realistic goal as long as the upstream *_binary rules are deterministic and spit the same runfiles regardless of the host platform.

there are a few things to be careful about in order to ensure reproducibility.

stamping
history property in image config
--mtime embedded in tar layers.
--sort=name file ordering in tar layers.
--owner=0 --group=0 --numeric-owner in tar layers.
strip PAX headers from tar layers.

FR: implement oci_image rule

Features

supports base attribute to have base images
supports empty base image
supports env entrypoint cmd

An example build file looks like;

oci_image(
    name = "node_14",
    base = ":debian11",
    entrypoint = ["/nodejs/bin/node"],
    layers = [
        "@nodejs14_amd64//:tar"
    ]
)

remove undeclared dependency on shasum

Currently, oci_image_index depends on wc and shasum installed on host machine. These dependencies are undeclared and may lead oci_image_index to fail if any of these tools are absent on the host.

Alternatives considered;

https://github.com/jonelo/jacksum - requires dependency on java_binary.
https://github.com/bazelbuild/bazel/blob/master/tools/build_defs/hash/hash.bzl - requires dependency on py_binary

Support stamping

I should be able to push a specific tag with something like bazel run --stamp --embed_label=1.2.3 //path/to:my_oci_push

Will use https://github.com/aspect-build/bazel-lib/blob/main/docs/stamping.md

oci_pull: handle OCI-format images

We should be able to pull an image that's published in OCI format, for example crane manifest quay.io/buildah/stable

Also it means we should handle more Media Types:

application/vnd.oci.image.index.v1+json
application/vnd.oci.image.manifest.v1+json

Document how to migrate from rules_docker language-specific rules

We don't want to write our own rules/macros for these in our public API, but we do need to show users what to do.
Answer might be:

"statically compiled single file didn't need a language rule to begin with" - e.g. go_binary
"paste this small macro into your repo"
"a rule/macro is available in rules_X" (we'd do this for rules_js for example, maybe rules_python)
"we don't support this language" (e.g. d_image, rules_d seems like it should archive)

Here is the list from https://github.com/bazelbuild/rules_docker#language-rules

FR: Build Dockerfiles with incremental cache support

Feature request:
Allow Bazel to build Dockerfile images in a way that takes advantage of incremental build caching. The dockerfile_image rule in rules_docker contrib allows building such images, but it's incredibly slow because of the lack of build cache.

oci_image should support adding labels

oci_push --repository and --repotags flags should accept file paths

Useful for stamping, for example

ENV order not preserved in manifest file

Order of ENV variables are not preserved, and looks like random between builds.

Example of the build from the same source:
{"architecture":"amd64","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:8a3362647f3af2336d5643ebd5f185e33578636e60848c9f20bdb951cb7c2026","sha256:6b4258ba2cef84355e5d89d3a4873286edee1bee7df4ae126c72e35ef8d7e127","sha256:fb227ea45821540bd6c3e0bb2314c46fedf4baa3943a3eb9d899d750be3b2a6f","sha256:556ed1bd80e38109ce7017c0270e2cffcda68e6f707eb2977ba33e25f2de8f17","sha256:035a874c9ef9c89003c65b79569337e8c1edc1b44801776d57cd60f65e6b68cb","sha256:168960c54027796006fcf594a7ddba1904d51be842b10f051d64ddb880e6bedc"]},"config":{"Entrypoint":["/app/node/node","--unhandled-rejections=strict","/app/index.js","-c","/app/configs-runtime/current.json"],"Env":["NODE_PATH=/node_modules","LD_LIBRARY_PATH=/app/lib"]}}

{"architecture":"amd64","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:8a3362647f3af2336d5643ebd5f185e33578636e60848c9f20bdb951cb7c2026","sha256:6b4258ba2cef84355e5d89d3a4873286edee1bee7df4ae126c72e35ef8d7e127","sha256:fb227ea45821540bd6c3e0bb2314c46fedf4baa3943a3eb9d899d750be3b2a6f","sha256:556ed1bd80e38109ce7017c0270e2cffcda68e6f707eb2977ba33e25f2de8f17","sha256:035a874c9ef9c89003c65b79569337e8c1edc1b44801776d57cd60f65e6b68cb","sha256:168960c54027796006fcf594a7ddba1904d51be842b10f051d64ddb880e6bedc"]},"config":{"Entrypoint":["/app/node/node","--unhandled-rejections=strict","/app/index.js","-c","/app/configs-runtime/current.json"],"Env":["LD_LIBRARY_PATH=/app/lib","NODE_PATH=/node_modules"]}}

All files and layers the same, but the final image digest is different, this makes build non-hermetic from the digest point of view.

Rules version 0.2.0
Bazel version 5.4.0

Design doc

e.g. Document tradeoffs between crane/umoji vs skopeo

Figure out where to place our bets based on:

how hard for users to setup WORKSPACE
how much work for us to ship someone else's binary and deal with dynamic linking, glibc versions etc
who is investing in fixing their bugs and is a reliable dependency to take
make sure we cover the use cases we think we need (eg. translating docker <-> OCI format)

Fill in to https://docs.google.com/document/d/1xhOOENrjmHacitifcUsZu8vhHc3akXeV6M-bEAgFTYg/edit?usp=sharing

Issues pulling from docker.io

When using the WORKSPACE file documented below I get an unexpected error when running bazel query @node_image//...

oci_demo % bazel query @node_image//...
DEBUG: /private/var/tmp/_bazel_user/ba478bafcfc1207449b383e8560b89d0/external/contrib_rules_oci/oci/pull.bzl:71:14:
WARNING: fetching from https://docker.io/v2/library/node/manifests/18 without an integrity hash. The result will not be cached.
INFO: Repository node_image instantiated at:
  /Users/oci_demo/WORKSPACE.bazel:19:9: in <toplevel>
  /private/var/tmp/_bazel_user/ba478bafcfc1207449b383e8560b89d0/external/contrib_rules_oci/oci/pull.bzl:398:22: in oci_pull
Repository rule oci_pull_rule defined at:
  /private/var/tmp/_bazel_user/ba478bafcfc1207449b383e8560b89d0/external/contrib_rules_oci/oci/pull.bzl:220:32: in <toplevel>
ERROR: An error occurred during the fetch of repository 'node_image':
   Traceback (most recent call last):
	File "/private/var/tmp/_bazel_user/ba478bafcfc1207449b383e8560b89d0/external/contrib_rules_oci/oci/pull.bzl", line 149, column 27, in _oci_pull_impl
		mf, mf_len = _download(rctx, rctx.attr.identifier, mf_file, resource = "manifests")
	File "/private/var/tmp/_bazel_user/ba478bafcfc1207449b383e8560b89d0/external/contrib_rules_oci/oci/pull.bzl", line 80, column 27, in _download
		return json.decode(bytes), len(bytes)
Error in decode: at offset 0, unexpected character "<"
ERROR: /Users/oci_demo/WORKSPACE.bazel:19:9: fetching oci_pull_rule rule //external:node_image: Traceback (most recent call last):
	File "/private/var/tmp/_bazel_user/ba478bafcfc1207449b383e8560b89d0/external/contrib_rules_oci/oci/pull.bzl", line 149, column 27, in _oci_pull_impl
		mf, mf_len = _download(rctx, rctx.attr.identifier, mf_file, resource = "manifests")
	File "/private/var/tmp/_bazel_user/ba478bafcfc1207449b383e8560b89d0/external/contrib_rules_oci/oci/pull.bzl", line 80, column 27, in _download
		return json.decode(bytes), len(bytes)
Error in decode: at offset 0, unexpected character "<"
ERROR: Target parsing failed due to unexpected exception: at offset 0, unexpected character "<"
Loading: 0 packages loaded

`WORKSPACE.bazel`

workspace(name = "oci_demo")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "contrib_rules_oci",
    sha256 = "929da1362e27dc38206a116783d2b3efb95bcb165bdbc62a8190013e612a9b51",
    strip_prefix = "rules_oci-0.3.1",
    url = "https://github.com/bazel-contrib/rules_oci/releases/download/v0.3.1/rules_oci-v0.3.1.tar.gz",
)

load("@contrib_rules_oci//oci:dependencies.bzl", "rules_oci_dependencies")

rules_oci_dependencies()

load("@contrib_rules_oci//oci:pull.bzl", "oci_pull")

# A single-arch base image
oci_pull(
    name = "node_image",
    image = "docker.io/library/node",
    # Unpinning is undesired but is used to figure out how to initially pin.
    reproducible = False,
    tag = "18",
)

Document what users should do instead of containerized build actions

We intend to never support using a container runtime as an input to a Bazel action, because

it's so difficult to be hermetic (e.g. remote execution with a container runtime)
also difficult to be deterministic (avoiding timestamps in the output, etc).
hard to get the container runtime for the exec platform (we'd need to bulid a Bazel toolchain to supply the container runtime for the right platform) and also ensure the container is built for that architecture.

Possibilities for users migrating from run_and_commit_layer and related rules:

When the run_and_commit_layer is just to build a base image with 3p tools, recommend hosting their own base image, or use rules from distroless-tools
User could wire up their own thing to use emulation
User can still write their own rule to spawn an action that does work in a container (e.g. run_binary rule) - we just don't want to commit to supporting that use case.

Remove umoci from toolchains

rename: container -> oci_image

Fix BCR presubmit on windows

See https://github.com/bazelbuild/bazel-central-registry/pull/513/files#diff-f32762d4a16f5f26043de312cfaa0b017b1f36ed0b02b52727a810e5daffd76dR4-R8

introduce manifest-tool as a toolchain

In order to build multi-platform images, https://github.com/estesp/manifest-tool needs to be introduced as a toolchain.

[Help] Problem with running an image created by `rules_oci`

Hey,

I try to create a simple image that includes althttpd web server and some static files to be served. So far everything works as expected, but when I load and run the tarball (created with oci_tarball) with e.g. docker, it tells me

exec /bin/althttpd: no such file or directory

To inspect, what's inside each layer I use dive and that tool clearly shows, that all files are includes correctly:

To understand my problem I put together a reproducible example. There is a small script run.sh that builds the image, loads and runs it.

I know that this is not a problem with rules_oci but can somebody help me understand what I'm missing here?

Thanks for any help or feedback

Investigate supporting Windows Containers

Should be possible as long as we don't hard-code dependency on bash.

https://learn.microsoft.com/en-us/virtualization/windowscontainers/about/

Broken at head: use crane from github releases

Support hash algos other than sha256

In the oci_pull PR #67 I'm leaving some TODOs for this.

nonhermeticity in oci_pull rule

I don't know why this is happening but two of the tests are failing due to changes in the upstream images

Question: is it possible to run a container as an executable in an sh_binary or sh_test?

I was wondering if it possible to run a container_image (using the Bazel configured toolchain) inside of an sh_binary or sh_test? This would be a powerful feature, for example to test code that only works inside of a particular container.

If it is possible, is there an example of this?

Introduce the toolchains for umoci and skopeo

We need to introduce toolchains that provide umoci and skopeo. Right now users have to vendor these tools.

For more context see: containers/skopeo#1545 and opencontainers/umoci#332

Required platforms

darwin arm64 amd64
linux arm64 amd64, optionally other archs

Optional platforms that can be supported.

not sure about this, it might take a while but there is nothing that stops us from landing the support for it.

windows amd64
freebsd amd64 arm64

FR: bring in a container runtime to run commandTests

Candidate runtimes

runc https://github.com/opencontainers/runc
runsc https://github.com/google/gvisor
podman https://podman.io/

refactor registry toolchain to have generic over registry binary and it's arguments

Currently, we register multiple registry toolchains with a common boilerplate.

this can be optimized in terms of

be generic over registry binary. take different bits of configuration for the binary
eliminate the need for select statements
add support for more than one registry toolchain to coexist and be used interchangeably with transitions.

Bazel warns the genrule `//example:base` which outputs a directory

When I build //example:base and other targets that depend on it, Bazel warns the output of //example:base is a directory as follows:

$ bazel build //example:base
...
WARNING: /Volumes/work/github/rules_oci/example/BUILD.bazel:25:8: output 'example/layout' of //example:base is a directory; dependency checking of directories is unsound

Build itself succeeds, but it would be nice to fix the warning or work around the underlying issue.

I see the similar warning when I ran bazel build //src:image in e2e/js_image_oci of rules_js (Probably, the root cause of the warning is same):

WARNING: /private/var/tmp/_bazel_t/ce0e746d0a64bfce50fc270eb1254184/external/debian_amd64/BUILD.bazel:2:8: output 'external/debian_amd64/layout' of @debian_amd64//:image is a directory; dependency checking of directories is unsound

bzlmod - how to use oci_pull?

I don't see any examples for how to use oci_pull with bzlmod. Is this not supported?

Typically it's an extension function (e.g. with rules_jvm_external there's a "maven" function with a maven.install method), but I couldn't see that being supported in rules_oci.

Make examples have their WORKSPACE files

Also, update js example to use latest version of rules_js and js_image_layer

FR: implement oci_index to support multi arch images

An example build file looks like below

# this image will have 4 layers in total
oci_image(
    name = "debian10",
    layers = [
        ":debian10_fs",
        ":debian10_passwd",
        ":libs"
    ]
)

platforms = {
    # 1:2+ transitions
    "@platforms//linux": [
        "@platforms//cpu:x86_64",    
        "@platforms//cpu:arm64",
        "@platforms//cpu:armel",
        "@platforms//cpu:ppc",
    ]
}

# will yield multi-platform image
oci_index(
    name = "debian_multi",
    image = ":debian10",
    platforms = platforms
)

Publish to Bazel Central Registry (bzlmod)

Extract container image hash for use during later build steps

I would like to be able to create container image locally and then use the container image hash during a later build step (to embed the container image hash in a binary).
Is this already supported or do you have a pointer to how I could contribute this functionality?
Kind regards

FR: implement oci_push

Features

Can be run bazel run //image:push -- --registry index.docker.io --tag latest --tag 1.x.x.
Supports push of the image with multiple tags

[FR]: oci_pull rule

Right now, users can implement one, like in https://github.com/aspect-build/rules_js/blob/main/e2e/js_image_oci/pull.bzl
But it would be better to have something upstream.

introduce Zot as the local OCI registry

Our initial intent was to add serve command to crane but we've got an even better option here.

Introducing https://github.com/project-zot/zot as the registry. also uses go-containerregistry under the hood. https://github.com/project-zot/zot/blob/0c70ae8a4ef77e3cc45a80b82f8c135abe6989cb/go.mod#L24

FR: implement oci_sign

In order to do this cosign needs to be introduced as a toolchain/

Features

signs images recursively with -r option (for multi-platform images)
Support attaching files to signed images via attachments attribute (mostly needed for sbom)

rules_oci depends on newer rules_pkg than protobuf, causing issues

Hello,

I've wanted to set up rules_oci for my companys repo, and I see that it's just launched on BCR now, which is great!

So I tried to add it, and it seems to cause a conflict with the protobuf package:

Error computing the main repository mapping: [email protected] depends on [email protected] with compatibility level 1, but [email protected] depends on [email protected] with compatibility level 0 which is different

Wasn't this one of the things bzlmod was gonna solve for Bazel? Incompatibilities between dependencies for different rule projects.

I use bzlmod for almost all of my rules, I don't have rules_kotlin in bzlmod yet, nor rules_jvm_contrib , those are the two that are missing.

My MODULE.bazel contains:

bazel_dep(name = "rules_java", version = "5.4.1")
bazel_dep(name = "rules_jvm_external", version = "5.1")
bazel_dep(name = "rules_python", version = "0.19.0")
bazel_dep(name = "rules_go", version = "0.38.1", repo_name="io_bazel_rules_go")
bazel_dep(name = "gazelle", version = "0.29.0", repo_name="bazel_gazelle")
bazel_dep(name = "aspect_bazel_lib", version = "1.28.0")
bazel_dep(name = "rules_oci", version = "0.3.5")

I've for now just added rules_oci as a local_path_override and changed the rules_pkg version down to 0.7.0 and that has enabled me to continue. Don't know yet what possible issues I'll encounter though.

FR: implement flatten_tars macro

Needed to flatten multiple layers into one;

Features

takes multiple tar files and spits out a single flattened layer

Unwind Sahin's fork of crane

FR: implement to_oci rule to enable consumption of Docker V2 images

Docker V2 images are slightly different than their OCI counterparts. Major differences are mediaType and properties that their Configs can have. Converting an Docker V2 image to OCI is fairly simple using newly added append --empty-base-oci command of crane. However, this causes image digests to change breaking the provenance.

Setup comprehensive CI

We need to make sure that images built with rules_oci work with common runtimes out there. This will give us confidence that our rules such as oci_tarball oci_image can built artifacts that are loadable and usable.

We should have a CI set up for

~~darwin/arm64 with multipass~~
darwin/arm64 with podman
linux/amd64 with docker
linux/amd64 with podman

Move structure_test to distroless-tools

FR: implement structure_test

It's a test runner asserting the layout of the image.
need to bring a container runtime #20
Features

takes oci_image and runs tests against it
supports fileExistenceTests commandTests fileContentTests

oci_tarball: handle OCI-format images

Similar in nature to #74, but when using rules_oci-v0.3.7, oci_tarball does not seem to work with oci_image_index even though that and the oci_image rules both say they produce an image. The tarball.sh.tpl script fails because there is no .config.digest member in the manifest generated from a oci_image_index rule. Just wasn't implemented yet? Or is my issue user error? See hello_world_linux_image_tar target vs the individual hello_world_{}_image_tar ones that work in the example below. I did not see an option to have oci_image_index use a Docker Manfiest List format.

generated JSON manifest

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "size": 1080,
      "digest": "sha256:b82d8a82f2b419203fd22883acd9cd64423596746381a662e40554063b1ac194",
      "platform": {
        "os": "linux",
        "architecture": "amd64"
      }
    },
    {
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "size": 1080,
      "digest": "sha256:0355d5bbc1c6d6392d796ccc240811ad4656bf04b54021641a692069b5ee250a",
      "platform": {
        "os": "linux",
        "architecture": "amd64"
      }
    }
  ]
}

WORKSPACE

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")

http_archive(
    name = "rules_license",
    sha256 = "6157e1e68378532d0241ecd15d3c45f6e5cfd98fc10846045509fb2a7cc9e381",
    urls = [
        "https://github.com/bazelbuild/rules_license/releases/download/0.0.4/rules_license-0.0.4.tar.gz",
        "https://mirror.bazel.build/github.com/bazelbuild/rules_license/releases/download/0.0.4/rules_license-0.0.4.tar.gz",
    ],
)

http_archive(
    name = "platforms",
    sha256 = "5308fc1d8865406a49427ba24a9ab53087f17f5266a7aabbfc28823f3916e1ca",
    urls = [
        "https://mirror.bazel.build/github.com/bazelbuild/platforms/releases/download/0.0.6/platforms-0.0.6.tar.gz",
        "https://github.com/bazelbuild/platforms/releases/download/0.0.6/platforms-0.0.6.tar.gz",
    ],
)

http_archive(
    name = "bazel_skylib",
    sha256 = "b8a1527901774180afc798aeb28c4634bdccf19c4d98e7bdd1ce79d1fe9aaad7",
    urls = [
        "https://mirror.bazel.build/github.com/bazelbuild/bazel-skylib/releases/download/1.4.1/bazel-skylib-1.4.1.tar.gz",
        "https://github.com/bazelbuild/bazel-skylib/releases/download/1.4.1/bazel-skylib-1.4.1.tar.gz",
    ],
)

load("@bazel_skylib//:workspace.bzl", "bazel_skylib_workspace")

bazel_skylib_workspace()

http_archive(
    name = "aspect_bazel_lib",
    sha256 = "ee95bbc80f9ca219b93a8cc49fa19a2d4aa8649ddc9024f46abcdd33935753ca",
    strip_prefix = "bazel-lib-1.29.2",
    url = "https://github.com/aspect-build/bazel-lib/releases/download/v1.29.2/bazel-lib-v1.29.2.tar.gz",
)

load("@aspect_bazel_lib//lib:repositories.bzl", "aspect_bazel_lib_dependencies", "register_jq_toolchains", "register_yq_toolchains")

aspect_bazel_lib_dependencies()

register_jq_toolchains()

register_yq_toolchains()

http_archive(
    name = "rules_cc",
    sha256 = "3d9e271e2876ba42e114c9b9bc51454e379cbf0ec9ef9d40e2ae4cec61a31b40",
    strip_prefix = "rules_cc-0.0.6",
    urls = ["https://github.com/bazelbuild/rules_cc/releases/download/0.0.6/rules_cc-0.0.6.tar.gz"],
)

http_archive(
    name = "rules_pkg",
    sha256 = "8c20f74bca25d2d442b327ae26768c02cf3c99e93fad0381f32be9aab1967675",
    urls = [
        "https://mirror.bazel.build/github.com/bazelbuild/rules_pkg/releases/download/0.8.1/rules_pkg-0.8.1.tar.gz",
        "https://github.com/bazelbuild/rules_pkg/releases/download/0.8.1/rules_pkg-0.8.1.tar.gz",
    ],
)

load("@rules_pkg//:deps.bzl", "rules_pkg_dependencies")

rules_pkg_dependencies()

git_repository(
    name = "aspect_gcc_toolchain",
    commit = "4bd1f94536ee92b7c49673931773038d923ee86e",
    remote = "https://github.com/aspect-build/gcc-toolchain",
)

load("@aspect_gcc_toolchain//toolchain:repositories.bzl", "gcc_toolchain_dependencies")

gcc_toolchain_dependencies()

load("@aspect_gcc_toolchain//toolchain:defs.bzl", "ARCHS", "gcc_register_toolchain")

gcc_register_toolchain(
    name = "gcc_toolchain_aarch64",
    target_arch = ARCHS.aarch64,
)

gcc_register_toolchain(
    name = "gcc_toolchain_armv7",
    target_arch = ARCHS.armv7,
)

gcc_register_toolchain(
    name = "gcc_toolchain_x86_64",
    sysroot_variant = "x86_64-X11",
    target_arch = ARCHS.x86_64,
)

http_archive(
    name = "rules_oci",
    sha256 = "48642588e91e992772b94de06234da6601854fda0ee32a91ce8ef303cf5e5837",
    strip_prefix = "rules_oci-0.3.7",
    url = "https://github.com/bazel-contrib/rules_oci/releases/download/v0.3.7/rules_oci-v0.3.7.tar.gz",
)

load("@rules_oci//oci:dependencies.bzl", "rules_oci_dependencies")

rules_oci_dependencies()

load("@rules_oci//oci:repositories.bzl", "LATEST_CRANE_VERSION", "oci_register_toolchains")

oci_register_toolchains(
    name = "oci",
    crane_version = LATEST_CRANE_VERSION,
)

load("@rules_oci//oci:pull.bzl", "oci_pull")

oci_pull(
    name = "distroless_static",
    digest = "sha256:c3c3d0230d487c0ad3a0d87ad03ee02ea2ff0b3dcce91ca06a1019e07de05f12",
    image = "gcr.io/distroless/static",
    platforms = [
        "linux/amd64",
        "linux/arm64",
    ],
)

oci_pull(
    name = "distroless_cc",
    digest = "sha256:f252d3ca44b7f2c718c67c2020feee7b7fd4ee6bff8a192dfea6e599b7d820ad",
    # TODO(https://github.com/bazel-contrib/rules_oci/issues/74) Use latest images
    # digest = "sha256:fb402c45f3ef485ccd56ca2af2a58615fc47c4978bb3004e8663a83456791f48",
    image = "gcr.io/distroless/cc",
    platforms = [
        "linux/amd64",
        "linux/arm64",
    ],
)

BUILD.bazel

load("@aspect_bazel_lib//lib:transitions.bzl", "platform_transition_filegroup")
load("@rules_pkg//pkg:tar.bzl", "pkg_tar")
load("@rules_oci//oci:defs.bzl", "oci_image", "oci_image_index", "oci_tarball")

cc_library(
    name = "greeting",
    srcs = ["greeting.cc"],
    hdrs = ["greeting.h"],
)

cc_binary(
    name = "hello_world",
    srcs = ["hello_world.cpp"],
    features = ["static_libstdcxx"],
    deps = [
        ":greeting",
    ],
)

ARCHS = [
    "linux_x86_64",
    "linux_aarch64",
]

[platform_transition_filegroup(
    name = "hello_world_{}".format(platform),
    srcs = [":hello_world"],
    target_platform = "//platforms:{}".format(platform),
) for platform in ARCHS]

[pkg_tar(
    name = "hello_world_{}_tar".format(platform),
    srcs = [":hello_world_{}".format(platform)],
    include_runfiles = True,
    strip_prefix = "/",
) for platform in ARCHS]

[oci_image(
    name = "hello_world_{}_image".format(platform),
    base = "@distroless_cc",
    entrypoint = ["/examples/cpp/hello_world/hello_world"],
    tars = [
        ":hello_world_{}_tar".format(platform),
    ],
) for platform in ARCHS]

[oci_tarball(
    name = "hello_world_{}_image_tar".format(platform),
    image = ":hello_world_{}_image".format(platform),
    repotags = ["examples/cpp/hello_world_{}:latest".format(platform)],
) for platform in ARCHS]

oci_image_index(
    name = "hello_world_linux_image",
    images = [
        ":hello_world_{}_image".format(platform)
        for platform in ARCHS
    ],
)

oci_tarball(
    name = "hello_world_linux_image_tar",
    image = ":hello_world_linux_image",
    repotags = ["examples/cpp/hello_world_linux:latest"],
)

Platform-specific (works)

vscode ➜ /workspaces/mycode (main ✗) $ bazel build //examples/cpp/hello_world:hello_world_linux_x86_64_image_tar
INFO: Analyzed target //examples/cpp/hello_world:hello_world_linux_x86_64_image_tar (0 packages loaded, 0 targets configured).
INFO: Found 1 target...
Target //examples/cpp/hello_world:hello_world_linux_x86_64_image_tar up-to-date:
  bazel-bin/examples/cpp/hello_world/hello_world_linux_x86_64_image_tar/tarball.tar
INFO: Elapsed time: 0.196s, Critical Path: 0.00s
INFO: 1 process: 1 internal.
INFO: Build completed successfully, 1 total action
vscode ➜ /workspaces/mycode (main ✗) $ docker load <bazel-bin/examples/cpp/hello_world/hello_world_linux_x86_64_image_tar/tarball.tar
Loaded image: examples/cpp/hello_world_linux_x86_64:latest
vscode ➜ /workspaces/mycode (main ✗) $ docker run --rm examples/cpp/hello_world_linux_x86_64:latest
Hello, world!

Multi-arch (doesn't work)

vscode ➜ /workspaces/mycode (main ✗) $ bazel build //examples/cpp/hello_world:hello_world_linux_image_tar
INFO: Analyzed target //examples/cpp/hello_world:hello_world_linux_image_tar (3 packages loaded, 6183 targets configured).
INFO: Found 1 target...
ERROR: /workspaces/mycode/examples/cpp/hello_world/BUILD.bazel:61:12: OCI Tarball //examples/cpp/hello_world:hello_world_linux_image_tar failed: (Exit 1): tarball.sh failed: error executing command (from target //examples/cpp/hello_world:hello_world_linux_image_tar) bazel-out/k8-fastbuild/bin/examples/cpp/hello_world/hello_world_linux_image_tar/tarball.sh

Use --sandbox_debug to see verbose messages from the sandbox and retain the sandbox build root for debugging
Error: cannot substitute with !!null, can only substitute strings. Hint: Most often you'll want to use '|=' over '=' for this operation
Target //examples/cpp/hello_world:hello_world_linux_image_tar failed to build
Use --verbose_failures to see the command lines of failed build steps.
INFO: Elapsed time: 0.803s, Critical Path: 0.08s
INFO: 3 processes: 3 internal.
FAILED: Build did NOT complete successfully

Error pulling

I'm testing rules_oci with rules_js (and specifically js_image).

The build currently fails with:

[4,897 / 4,899] [Prepa] JsImageLayer //:layers
[4,897 / 4,899] JsImageLayer //:layers; 11s linux-sandbox, remote-cache
ERROR: /home/runner/work/noderosso/noderosso/BUILD.bazel:38:10: OCI Image //:server failed: (Exit 1): image_server.sh failed: error executing command bazel-out/k8-fastbuild/bin/image_server.sh mutate oci:layout/bazel-out/k8-fastbuild/bin/external/nodejs_base_image/layout --tag oci:registry/server '--append=bazel-out/k8-fastbuild/bin/layers_app.tar.gz' ... (remaining 6 arguments skipped)

Use --sandbox_debug to see verbose messages from the sandbox and retain the sandbox build root for debugging
HTTP port 0
{"level":"info","params":{"distSpecVersion":"1.0.1-dev","GoVersion":"go1.19.1","Commit":"v1.4.3-rc3-0-gfd87a22","ReleaseTag":"v1.4.3-rc3","BinaryType":"-sync-search-scrub-metrics-lint","AccessControl":null,"Storage":{"Dedupe":true,"GC":true,"Commit":false,"GCDelay":3600000000000,"GCInterval":0,"RootDirectory":"bazel-out/k8-fastbuild/bin//storage_server","StorageDriver":null,"SubPaths":null},"HTTP":{"Address":"127.0.0.1","Port":"0","AllowOrigin":"","TLS":null,"Auth":{"FailDelay":0,"HTPasswd":{"Path":""},"LDAP":null,"Bearer":null},"RawAccessControl":null,"Realm":"","Ratelimit":null},"Log":{"Level":"info","Output":"","Audit":""},"Extensions":null},"goroutine":1,"caller":"zotregistry.io/zot/pkg/api/controller.go:116","time":"2023-03-02T11:53:30.758333746Z","message":"configuration settings"}
{"level":"info","cpus":2,"max. open files":65536,"listen backlog":"4096","max. inotify watches":"2147483647","goroutine":1,"caller":"zotregistry.io/zot/pkg/api/controller.go:107","time":"2023-03-02T11:53:30.758474147Z","message":"runtime params"}
{"level":"warn","goroutine":1,"caller":"zotregistry.io/zot/pkg/debug/swagger/swagger_disabled.go:21","time":"2023-03-02T11:53:30.789056104Z","message":"skipping enabling swagger because given zot binarydoesn't include this feature, please build a binary that does so"}
{"level":"info","port":36345,"address":"127.0.0.1","goroutine":1,"caller":"zotregistry.io/zot/pkg/api/controller.go:193","time":"2023-03-02T11:53:30.789251407Z","message":"port is unspecified, listening on kernel chosen port"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57384","method":"GET","path":"/v2/","statusCode":200,"latency":"13.1µs","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":37,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.799068421Z","message":"HTTP API"}
{"level":"error","error":"stat bazel-out/k8-fastbuild/bin/storage_server/oci/layout/blobs/sha256/aa2b1da47449b03ef99af1db40df44102754f419d4f72581df468ffcd360bc70: no such file or directory","blob":"bazel-out/k8-fastbuild/bin/storage_server/oci/layout/blobs/sha256/aa2b1da47449b03ef99af1db40df44102754f419d4f72581df468ffcd360bc70","goroutine":37,"caller":"zotregistry.io/zot/pkg/storage/local/local.go:1070","time":"2023-03-02T11:53:30.799758829Z","caller":"zotregistry.io/zot/pkg/storage/local/local.go:1070","message":"failed to stat blob"}
{"level":"error","error":"cache: miss","digest":"sha256:aa2b1da47449b03ef99af1db40df44102754f419d4f72581df468ffcd360bc70","goroutine":37,"caller":"zotregistry.io/zot/pkg/storage/local/local.go:1075","time":"2023-03-02T11:53:30.79981543Z","caller":"zotregistry.io/zot/pkg/storage/local/local.go:1075","message":"cache: not found"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57384","method":"HEAD","path":"/v2/oci/layout/blobs/sha256:aa2b1da47449b03ef99af1db40df44102754f419d4f72581df468ffcd360bc70","statusCode":404,"latency":"367.005µs","bodySize":407,"headers":{"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":37,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.800063033Z","message":"HTTP API"}
{"level":"error","error":"stat bazel-out/k8-fastbuild/bin/storage_server/oci/layout/blobs/sha256/7dcffaf987694bb0a0863ae2c3b582125b1c20d3148f0412f901b918b9a8e22d: no such file or directory","blob":"bazel-out/k8-fastbuild/bin/storage_server/oci/layout/blobs/sha256/7dcffaf987694bb0a0863ae2c3b582125b1c20d3148f0412f901b918b9a8e22d","goroutine":42,"caller":"zotregistry.io/zot/pkg/storage/local/local.go:1070","time":"2023-03-02T11:53:30.800282636Z","caller":"zotregistry.io/zot/pkg/storage/local/local.go:1070","message":"failed to stat blob"}
{"level":"error","error":"cache: miss","digest":"sha256:7dcffaf987694bb0a0863ae2c3b582125b1c20d3148f0412f901b918b9a8e22d","goroutine":42,"caller":"zotregistry.io/zot/pkg/storage/local/local.go:1075","time":"2023-03-02T11:53:30.800323536Z","caller":"zotregistry.io/zot/pkg/storage/local/local.go:1075","message":"cache: not found"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57420","method":"HEAD","path":"/v2/oci/layout/blobs/sha256:7dcffaf987694bb0a0863ae2c3b582125b1c20d3148f0412f901b918b9a8e22d","statusCode":404,"latency":"122.401µs","bodySize":407,"headers":{"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":42,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.800383337Z","message":"HTTP API"}
{"level":"error","error":"stat bazel-out/k8-fastbuild/bin/storage_server/oci/layout/blobs/sha256/8fa73d8e9b247843c662dbf1f1e26a211ca0f8121d4fd858868ed10adc921b1e: no such file or directory","blob":"bazel-out/k8-fastbuild/bin/storage_server/oci/layout/blobs/sha256/8fa73d8e9b247843c662dbf1f1e26a211ca0f8121d4fd858868ed10adc921b1e","goroutine":39,"caller":"zotregistry.io/zot/pkg/storage/local/local.go:1070","time":"2023-03-02T11:53:30.800542039Z","caller":"zotregistry.io/zot/pkg/storage/local/local.go:1070","message":"failed to stat blob"}
{"level":"error","error":"cache: miss","digest":"sha256:8fa73d8e9b247843c662dbf1f1e26a211ca0f8121d4fd858868ed10adc921b1e","goroutine":39,"caller":"zotregistry.io/zot/pkg/storage/local/local.go:1075","time":"2023-03-02T11:53:30.800581239Z","caller":"zotregistry.io/zot/pkg/storage/local/local.go:1075","message":"cache: not found"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57400","method":"HEAD","path":"/v2/oci/layout/blobs/sha256:8fa73d8e9b247843c662dbf1f1e26a211ca0f8121d4fd858868ed10adc921b1e","statusCode":404,"latency":"106.201µs","bodySize":407,"headers":{"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":39,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.80062624Z","message":"HTTP API"}
{"level":"error","error":"stat bazel-out/k8-fastbuild/bin/storage_server/oci/layout/blobs/sha256/383e1c5dd0c1830143b1230e90292ebd4219911e0512b70d250c8907c4899110: no such file or directory","blob":"bazel-out/k8-fastbuild/bin/storage_server/oci/layout/blobs/sha256/383e1c5dd0c1830143b1230e90292ebd4219911e0512b70d250c8907c4899110","goroutine":40,"caller":"zotregistry.io/zot/pkg/storage/local/local.go:1070","time":"2023-03-02T11:53:30.800749741Z","caller":"zotregistry.io/zot/pkg/storage/local/local.go:1070","message":"failed to stat blob"}
{"level":"error","error":"cache: miss","digest":"sha256:383e1c5dd0c1830143b1230e90292ebd4219911e0512b70d250c8907c4899110","goroutine":40,"caller":"zotregistry.io/zot/pkg/storage/local/local.go:1075","time":"2023-03-02T11:53:30.800786141Z","caller":"zotregistry.io/zot/pkg/storage/local/local.go:1075","message":"cache: not found"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57404","method":"HEAD","path":"/v2/oci/layout/blobs/sha256:383e1c5dd0c1830143b1230e90292ebd4219911e0512b70d250c8907c4899110","statusCode":404,"latency":"93.701µs","bodySize":407,"headers":{"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":40,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.800827142Z","message":"HTTP API"}
{"level":"error","error":"stat bazel-out/k8-fastbuild/bin/storage_server/oci/layout/blobs/sha256/c59673e9fae3f9d588110a25acdf7240f3a5d97c40fb86ccc71c23bf7abbea53: no such file or directory","blob":"bazel-out/k8-fastbuild/bin/storage_server/oci/layout/blobs/sha256/c59673e9fae3f9d588110a25acdf7240f3a5d97c40fb86ccc71c23bf7abbea53","goroutine":41,"caller":"zotregistry.io/zot/pkg/storage/local/local.go:1070","time":"2023-03-02T11:53:30.800945043Z","caller":"zotregistry.io/zot/pkg/storage/local/local.go:1070","message":"failed to stat blob"}
{"level":"error","error":"cache: miss","digest":"sha256:c59673e9fae3f9d588110a25acdf7240f3a5d97c40fb86ccc71c23bf7abbea53","goroutine":41,"caller":"zotregistry.io/zot/pkg/storage/local/local.go:1075","time":"2023-03-02T11:53:30.800981544Z","caller":"zotregistry.io/zot/pkg/storage/local/local.go:1075","message":"cache: not found"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57410","method":"HEAD","path":"/v2/oci/layout/blobs/sha256:c59673e9fae3f9d588110a25acdf7240f3a5d97c40fb86ccc71c23bf7abbea53","statusCode":404,"latency":"103.801µs","bodySize":407,"headers":{"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":41,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.801030444Z","message":"HTTP API"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57384","method":"POST","path":"/v2/oci/layout/blobs/uploads/","statusCode":202,"latency":"281.804µs","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Length":["0"],"Content-Type":["application/json"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":37,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.801444749Z","message":"HTTP API"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57410","method":"POST","path":"/v2/oci/layout/blobs/uploads/","statusCode":202,"latency":"57.7µs","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Length":["0"],"Content-Type":["application/json"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":41,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.801859054Z","message":"HTTP API"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57420","method":"POST","path":"/v2/oci/layout/blobs/uploads/","statusCode":202,"latency":"38.501µs","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Length":["0"],"Content-Type":["application/json"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":42,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.802028756Z","message":"HTTP API"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57400","method":"POST","path":"/v2/oci/layout/blobs/uploads/","statusCode":202,"latency":"34.5µs","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Length":["0"],"Content-Type":["application/json"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":39,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.802168258Z","message":"HTTP API"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57384","method":"PATCH","path":"/v2/oci/layout/blobs/uploads/d433157d-3c5f-404f-9db7-b7095e44ecbf","statusCode":202,"latency":"75.601µs","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Type":["application/octet-stream"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":37,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.802423961Z","message":"HTTP API"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57420","method":"PATCH","path":"/v2/oci/layout/blobs/uploads/a5dc1a29-3a2c-4e69-827b-542b0f0ee9be","statusCode":202,"latency":"928.31µs","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Type":["application/octet-stream"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":42,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.807849924Z","message":"HTTP API"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57404","method":"POST","path":"/v2/oci/layout/blobs/uploads/","statusCode":202,"latency":"101.401µs","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Length":["0"],"Content-Type":["application/json"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":40,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.808785335Z","message":"HTTP API"}
{"level":"info","r.ContentLength":0,"goroutine":42,"caller":"zotregistry.io/zot/pkg/api/routes.go:1143","time":"2023-03-02T11:53:30.80923554Z","message":"DEBUG"}
{"level":"info","r.ContentLength":0,"goroutine":37,"caller":"zotregistry.io/zot/pkg/api/routes.go:1143","time":"2023-03-02T11:53:30.813884094Z","message":"DEBUG"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57420","method":"PUT","path":"/v2/oci/layout/blobs/uploads/a5dc1a29-3a2c-4e69-827b-542b0f0ee9be?digest=sha256%3A7dcffaf987694bb0a0863ae2c3b582125b1c20d3148f0412f901b918b9a8e22d","statusCode":201,"latency":"12.83735ms","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Length":["0"],"Content-Type":["application/octet-stream"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":42,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.822146191Z","message":"HTTP API"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57384","method":"PUT","path":"/v2/oci/layout/blobs/uploads/d433157d-3c5f-404f-9db7-b7095e44ecbf?digest=sha256%3Aaa2b1da47449b03ef99af1db40df44102754f419d4f72581df468ffcd360bc70","statusCode":201,"latency":"12.80045ms","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Length":["0"],"Content-Type":["application/octet-stream"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":37,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.822192792Z","message":"HTTP API"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57404","method":"PATCH","path":"/v2/oci/layout/blobs/uploads/5921f2e1-1125-4e06-93ad-a76f851a97b2","statusCode":202,"latency":"9.034806ms","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Type":["application/octet-stream"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":40,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.82381451Z","message":"HTTP API"}
2023/03/02 11:53:30 pushed blob: sha256:7dcffaf987694bb0a0863ae2c3b582125b1c20d3148f0412f901b918b9a8e22d
{"level":"info","r.ContentLength":0,"goroutine":40,"caller":"zotregistry.io/zot/pkg/api/routes.go:1143","time":"2023-03-02T11:53:30.826243939Z","message":"DEBUG"}
2023/03/02 11:53:30 pushed blob: sha256:aa2b1da47449b03ef99af1db40df44102754f419d4f72581df468ffcd360bc70
{"level":"info","module":"http","clientIP":"127.0.0.1:57410","method":"PATCH","path":"/v2/oci/layout/blobs/uploads/68e7678d-79e2-4715-92d3-eb55a47b2c66","statusCode":202,"latency":"27.284918ms","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Type":["application/octet-stream"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":41,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.829949082Z","message":"HTTP API"}
{"level":"info","r.ContentLength":0,"goroutine":37,"caller":"zotregistry.io/zot/pkg/api/routes.go:1143","time":"2023-03-02T11:53:30.831828904Z","message":"DEBUG"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57404","method":"PUT","path":"/v2/oci/layout/blobs/uploads/5921f2e1-1125-4e06-93ad-a76f851a97b2?digest=sha256%3A383e1c5dd0c1830143b1230e90292ebd4219911e0512b70d250c8907c4899110","statusCode":201,"latency":"12.252043ms","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Length":["0"],"Content-Type":["application/octet-stream"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":40,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.838499082Z","message":"HTTP API"}
2023/03/02 11:53:30 pushed blob: sha256:383e1c5dd0c1830143b1230e90292ebd4219911e0512b70d250c8907c4899110
{"level":"info","module":"http","clientIP":"127.0.0.1:57384","method":"PUT","path":"/v2/oci/layout/blobs/uploads/68e7678d-79e2-4715-92d3-eb55a47b2c66?digest=sha256%3Ac59673e9fae3f9d588110a25acdf7240f3a5d97c40fb86ccc71c23bf7abbea53","statusCode":201,"latency":"31.128664ms","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Length":["0"],"Content-Type":["application/octet-stream"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":37,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.862984668Z","message":"HTTP API"}
2023/03/02 11:53:30 pushed blob: sha256:c59673e9fae3f9d588110a25acdf7240f3a5d97c40fb86ccc71c23bf7abbea53
{"level":"info","module":"http","clientIP":"127.0.0.1:57400","method":"PATCH","path":"/v2/oci/layout/blobs/uploads/e12a21c6-9b9e-43ca-8171-8d39846e6d3a","statusCode":202,"latency":"84.450287ms","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Type":["application/octet-stream"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":39,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:30.892583614Z","message":"HTTP API"}
{"level":"info","r.ContentLength":0,"goroutine":40,"caller":"zotregistry.io/zot/pkg/api/routes.go:1143","time":"2023-03-02T11:53:30.893216921Z","message":"DEBUG"}
{"level":"info","module":"http","clientIP":"127.0.0.1:57404","method":"PUT","path":"/v2/oci/layout/blobs/uploads/e12a21c6-9b9e-43ca-8171-8d39846e6d3a?digest=sha256%3A8fa73d8e9b247843c662dbf1f1e26a211ca0f8121d4fd858868ed10adc921b1e","statusCode":201,"latency":"135.351381ms","bodySize":0,"headers":{"Accept-Encoding":["gzip"],"Content-Length":["0"],"Content-Type":["application/octet-stream"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":40,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:31.028598802Z","message":"HTTP API"}
2023/03/02 11:53:31 pushed blob: sha256:8fa73d8e9b247843c662dbf1f1e26a211ca0f8121d4fd858868ed10adc921b1e
{"level":"info","module":"http","clientIP":"127.0.0.1:57404","method":"PUT","path":"/v2/oci/layout/manifests/latest","statusCode":415,"latency":"39.201µs","bodySize":404,"headers":{"Accept-Encoding":["gzip"],"Content-Length":["918"],"Content-Type":["application/vnd.docker.distribution.manifest.v2+json"],"User-Agent":["crane/0.12.0 go-containerregistry/0.12.0"]},"goroutine":40,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2023-03-02T11:53:31.029201909Z","message":"HTTP API"}
Error: PUT http://127.0.0.1:36345/v2/oci/layout/manifests/latest: MANIFEST_INVALID: manifest invalid; [map[mediaType:application/vnd.docker.distribution.manifest.v2+json]]
Error: pulling : parsing reference "": could not parse reference: 
Target //:upload failed to build
Use --verbose_failures to see the command lines of failed build steps.
INFO: Elapsed time: 103.871s, Critical Path: 50.65s

Workspace

oci_pull(
    name = "nodejs_base_image",
    digest = "sha256:07027462f9f8235d7ef89f79a5f36be8345a17cccf32903fb2bdcb88e879fce9", # sha for tag 'latest-amd64'
    image = "gcr.io/distroless/nodejs18-debian11",
)

BUILD.bazel

js_image_layer(
    name = "layers",
    binary = "//packages/main",
    root = "/app",
    visibility = ["//visibility:__pkg__"],
)

oci_image(
    name = "server",
    architecture = "amd64",
    base = "@nodejs_base_image",
    cmd = ["/app/packages/main/main"],
    entrypoint = ["bash"],
    tars = [
        ":layers",
    ],
)

oci_push(
    name = "upload",
    image = ":server",
    repository = "myregistry.azurecr.io/myimage",
)

I tried to run the action with:

bazel run //:upload -- -tag 1.
I tried to hardcode default_tags = "1" in the oci_push and run bazel run //:upload.

I get the same error. I'm not sure if this is my fault or the issue is the manifest (MANIFEST_INVALID: manifest invalid; [map[mediaType:application/vnd.docker.distribution.manifest.v2+json]])

I use:

Bazel 5.3.2
rules_oci 0.3.0
rules_js 1.20.1

use crane index in oci_index rule

Now that crane has index command, we could use that instead of using our hacky jq implementation. google/go-containerregistry#1561

oci_image should support os.version

See https://github.com/opencontainers/image-spec/blob/main/config.md#properties os.version

Bad error messaging: zot doesn't understand docker format

Trying to build an oci_image target fails with

ERROR: /home/alexeagle/Projects/a/engineering/projects/hello_world/BUILD.bazel:27:10: OCI Image //a/engineering/projects/hello_world:image failed: (Exit 1): image_image.sh failed: error executing command bazel-out/k8-fastbuild/bin/a/engineering/projects/hello_world/image_image.sh mutate oci:layout/bazel-out/k8-fastbuild/bin/external/distroless_static_debian11_amd64/layout --tag ... (remaining 5 arguments skipped)

Use --sandbox_debug to see verbose messages from the sandbox and retain the sandbox build root for debugging
2023/02/14 08:43:07 pushed blob: sha256:e5e2a36b2d933eda4e380755c7ed535a46f1a42233234490c40d49c0c326b0fa
2023/02/14 08:43:07 pushed blob: sha256:fc251a6e798157dc3b46fd265da72f39cd848e3f9f4a0b28587d1713b878deb9
Error: PUT http://127.0.0.1:35905/v2/oci/layout/manifests/latest: MANIFEST_INVALID: manifest invalid; [map[mediaType:application/vnd.docker.distribution.manifest.v2+json]]
Error: pulling : parsing reference "": could not parse reference: 
HTTP":{"Address":"127.0.0.1","Port":"0","AllowOrigin":"","TLS":null,"Auth":{"FailDelay":0,"HTPasswd":{"Path":""},"LDAP":null,"Bearer":null},"RawAccessControl":null,"Realm":"","Ratelimit":null},"Log":{"Level":"info","Output":"","Audit":""},"Extensions":null},"goroutine":1,"caller":"zotregistry.io/zot/pkg/api/controller.go:116","time":"2023-02-14T08:43:07.739974539-08:00","message":"configuration settings"}

We should detect the invalid manifest and give the user some idea what this means and how to repair it.