Develop Reference

Docker pull error: `failed to load cache key: 403`

Running docker-compose up works for my colleagues on this project but not for me.
techn#MacBook-Pro ~/c/o (2022prod) [1]> docker-compose up (base)
[+] Running 0/1
⠿ web Warning 8.1s
[+] Building 29.2s (11/19)
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 32B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 35B 0.0s
=> resolve image config for docker.io/docker/dockerfile:1.1-experimental 27.6s
=> CACHED docker-image://docker.io/docker/dockerfile:1.1-experimental#sha256:de85b2f3a2f7 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 32B 0.0s
=> ERROR [internal] load metadata for ghcr.io/hac/ubuntu-22-od:latest 0.8s
=> [auth] hac/ubuntu-22-od:pull token for ghcr.io 0.0s
=> ERROR importing cache manifest from ghcr.io/hac/od-2022:latest 0.6s
=> ERROR [builder 1/4] FROM ghcr.io/hac/ubuntu-22-od:latest 0.3s
=> => resolve ghcr.io/hac/ubuntu-22-od:latest 0.3s
=> [internal] load build context 0.0s
=> [auth] hac/od-2022:pull token for ghcr.io 0.0s
------
> [internal] load metadata for ghcr.io/hac/ubuntu-22-od:latest:
------
------
> importing cache manifest from ghcr.io/hac/od-2022:latest:
------
------
> [builder 1/4] FROM ghcr.io/hac/ubuntu-22-od:latest:
------
failed to solve: failed to load cache key: unexpected status code [manifests latest]: 403 Forbidden
Doesn't seem to be a network thing:
[68]> ping ghcr.io (base)
PING ghcr.io (140.82.121.34): 56 data bytes
64 bytes from 140.82.121.34: icmp_seq=0 ttl=56 time=21.817 ms
Docker version 20.10.20, build 9fdeb9c
Any ideas?

Is there a way to create multiple tags using the buildx build command in docker?

I am trying to use the docker buildx build command and I would like to be able to create multiple tags in one line. An example of what I have tried
docker buildx build . \
--platform linux/arm64,linux/amd64 \
--no-cache --push \
-t test:latest -t test:${CI_COMMIT_SHORT_SHA}
I have seen this issue, but I haven't been able to get it to work
https://github.com/docker/buildx/issues/396

It works exactly as you've posted with multiple -t args, e.g. -t repo1:tag1 -t repo2:tag2:
$ regctl tag ls sudobmitch/demo
alpine
regcli-test
regctl
ubuntu
$ docker buildx build -f build/Dockerfile.regctl.buildkit -t sudobmitch/demo:regctl1 -t sudobmitch/demo:regctl2 --push .
[+] Building 13.4s (24/24) FINISHED
=> [internal] load build definition from Dockerfile.regctl.buildkit 0.0s
=> => transferring dockerfile: 4.40kB 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 172B 0.0s
=> resolve image config for docker.io/docker/dockerfile:1 0.3s
=> [auth] docker/dockerfile:pull token for registry-1.docker.io 0.0s
=> CACHED docker-image://docker.io/docker/dockerfile:1#sha256:443aab4ca21183e069e7d8b2dc68006594f40bd 0.0s
=> => resolve docker.io/docker/dockerfile:1#sha256:443aab4ca21183e069e7d8b2dc68006594f40bddf1b15bbd83 0.0s
=> [internal] load metadata for docker.io/library/golang:1.17-alpine 0.4s
=> [auth] library/golang:pull token for registry-1.docker.io 0.0s
=> [golang 1/4] FROM docker.io/library/golang:1.17-alpine#sha256:3bdce0a4828648811dc3ac155b8f5155ca6e 0.0s
=> => resolve docker.io/library/golang:1.17-alpine#sha256:3bdce0a4828648811dc3ac155b8f5155ca6e13c5a86 0.0s
=> [internal] load build context 0.2s
=> => transferring context: 8.95MB 0.2s
=> CACHED [golang 2/4] RUN apk add --no-cache ca-certificates git make 0.0s
=> CACHED [golang 3/4] RUN addgroup -g 1000 appuser && adduser -u 1000 -G appuser -D appuser && mkd 0.0s
=> CACHED [golang 4/4] WORKDIR /src 0.0s
=> [dev 1/1] COPY --link . /src/ 0.3s
=> [build 1/1] RUN --mount=type=cache,id=gomod,target=/go/pkg/mod/cache --mount=type=cache,id=gor 1.5s
=> CACHED [release-scratch 1/5] ADD --link build/root.tgz / 0.0s
=> CACHED [release-scratch 2/5] COPY --link --from=build /etc/passwd /etc/group /etc/ 0.0s
=> CACHED [release-scratch 3/5] COPY --link --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/ 0.0s
=> CACHED [release-scratch 4/5] COPY --link --from=build --chown=1000:1000 /home/appuser/ /home/appus 0.0s
=> [release-scratch 5/5] COPY --link --from=build /src/bin/regctl /regctl 0.0s
=> exporting to image 3.7s
=> => exporting layers 0.4s
=> => exporting manifest sha256:ebd28e5f9096008ce106880bea389dfaf164cd298429705ccb922fd72142f83c 0.0s
=> => exporting config sha256:5fc50e1c198eb9061de9f0c1a12cb660753c41b46d1eb73f6117e3e260ba641d 0.0s
=> => pushing layers 0.2s
=> => pushing manifest for docker.io/sudobmitch/demo:regctl1#sha256:ebd28e5f9096008ce106880bea389dfaf 0.2s
=> => pushing manifest for docker.io/sudobmitch/demo:regctl2#sha256:ebd28e5f9096008ce106880bea389dfaf 0.1s
=> [auth] sudobmitch/demo:pull,push token for registry-1.docker.io 0.0s
=> [auth] sudobmitch/demo:pull,push token for registry-1.docker.io 0.0s
=> [auth] sudobmitch/demo:pull,push token for registry-1.docker.io 0.0s
=> [auth] sudobmitch/demo:pull,push token for registry-1.docker.io 0.0s
$ regctl tag ls sudobmitch/demo
alpine
regcli-test
regctl
regctl1
regctl2
ubuntu
This is assuming test was an example in your question. If you actually tried to push to the test repo, that expands to Docker Hub's Library, along side other official images like alpine, busybox, debian, etc. You don't have access to push there, so make sure to point to a repository where you have access to push images and have logged in.

NerdCTL will not use local image when building

I am trying to build a common base image, that many of my other images will use. But Nerdctl/Containerd doesn't seem to check for the image locally first.
Reproduced with the simple example
# Dockerfile.base
FROM python:3
# Dockerfile.child
From mybase:local
OUTPUT:
PS C:\<REDACTED>\local_build_issue> nerdctl build -t mybase:local -f Dockerfile.base .
[+] Building 10.1s (5/5) FINISHED
=> [internal] load build definition from Dockerfile.base 0.1s
=> => transferring dockerfile: 55B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/python:3 0.9s
=> CACHED [1/1] FROM docker.io/library/python:3#sha256:555f5affd32250ca74758b297f262fa8f421eb0102877596b48c0b8b464606ea 0.0s
=> => resolve docker.io/library/python:3#sha256:555f5affd32250ca74758b297f262fa8f421eb0102877596b48c0b8b464606ea 0.0s
=> exporting to oci image format 9.0s
=> => exporting layers 0.0s
=> => exporting manifest sha256:6bfdb5e41f7a1f0faf28f922e48cdd33e95b75cff958709cb7945291d34dffda 0.0s
=> => exporting config sha256:d449529a9f8347e81301101d04645624c6a52d71b0c6b85abfd8da6c65b19e31 0.0s
=> => sending tarball 9.0s
unpacking docker.io/library/mybase:local (sha256:6bfdb5e41f7a1f0faf28f922e48cdd33e95b75cff958709cb7945291d34dffda)...done
PS C:\<REDACTED>\local_build_issue> nerdctl images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
mybase local 6bfdb5e41f7a About a minute ago linux/amd64 945.8 MiB 334.7 MiB
PS C:\<REDACTED>\local_build_issue> nerdctl build -t mychild:local -f Dockerfile.child .
[+] Building 0.5s (3/3) FINISHED
=> [internal] load build definition from Dockerfile.child 0.1s
=> => transferring dockerfile: 62B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> ERROR [internal] load metadata for docker.io/library/mybase:local 0.4s
------
> [internal] load metadata for docker.io/library/mybase:local:
------
Dockerfile.child:1
--------------------
1 | >>> FROM mybase:local
2 |
--------------------
error: failed to solve: mybase:local: pull access denied, repository does not exist or may require authorization: authorization status: 401: authorization failed
FATA[0000] unrecognized image format
I can't figure out how to get it to NOT look for the image on docker.io. All the recommendations for the docker cli do not seem apply or work.

it actually can't pull image locally first .
the nerdctl build image use the buildkitd tools.it has two types of backends.
you can find the answer from https://github.com/containerd/nerdctl/blob/master/docs/build.md

Rebuilding Docker image taking time

Dockerfile has the following content,
FROM node:16.4.2-alpine3.14
WORKDIR /app
COPY package.json .
COPY . /app
And ran the following build command,
docker build -t app:0.1 .
It took 28.4 seconds and below is the terminal logs,
[+] Building 28.4s (10/10) FINISHED
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 124B 0.0s
=> [internal] load .dockerignore 0.1s
=> => transferring context: 53B 0.0s
=> [internal] load metadata for docker.io/library/node:16.4.2-alpine3.14 17.1s
=> [auth] library/node:pull token for registry-1.docker.io 0.0s
=> [internal] load build context 0.1s
=> => transferring context: 2.01MB 0.0s
=> [1/4] FROM docker.io/library/node:16.4.2-alpine3.14#sha256:fabfca5e7dcb339097f998d6ef11c53dd80a3f99ed5cecc005e93d0ff6d4bda9 9.9s
=> => resolve docker.io/library/node:16.4.2-alpine3.14#sha256:fabfca5e7dcb339097f998d6ef11c53dd80a3f99ed5cecc005e93d0ff6d4bda9 0.0s
=> => sha256:fabfca5e7dcb339097f998d6ef11c53dd80a3f99ed5cecc005e93d0ff6d4bda9 1.00kB / 1.00kB 0.0s
=> => sha256:75dec02064547a8ec570f2953e8d68a1674ad3f37730160f1570cce077be9ed0 1.16kB / 1.16kB 0.0s
=> => sha256:40cb916373b08a087466d2e72402d0b3a4587fd3e9135169498cf0db4ff42a88 6.53kB / 6.53kB 0.0s
=> => sha256:5843afab387455b37944e709ee8c78d7520df80f8d01cf7f861aae63beeddb6b 2.81MB / 2.81MB 0.8s
=> => sha256:c118dce16b0057d713fc98e31606a84e4348fa2c967eaf1bb5fd21ba42825956 35.55MB / 35.55MB 7.1s
=> => sha256:aef8e8137ac43c8199343c96874993063af6584260f22b15e99f735cce5de653 2.35MB / 2.35MB 2.6s
=> => extracting sha256:5843afab387455b37944e709ee8c78d7520df80f8d01cf7f861aae63beeddb6b 0.2s
=> => sha256:ad336e0e52b8dfc38c23599663deb060b1ac169d548dec8072ead94712f708be 281B / 281B 2.0s
=> => extracting sha256:c118dce16b0057d713fc98e31606a84e4348fa2c967eaf1bb5fd21ba42825956 2.0s
=> => extracting sha256:aef8e8137ac43c8199343c96874993063af6584260f22b15e99f735cce5de653 0.2s
=> => extracting sha256:ad336e0e52b8dfc38c23599663deb060b1ac169d548dec8072ead94712f708be 0.0s
=> [2/4] WORKDIR /app 0.6s
=> [3/4] COPY package.json . 0.1s
=> [4/4] COPY . /app 0.1s
=> exporting to image 0.2s
=> => exporting layers 0.2s
=> => writing image sha256:91d93eddff55cba6bd8b72144b7320e025de93e9865177ff584c75b94d1bafc1 0.0s
=> => naming to docker.io/library/app:0.1
When I run the same build command again, it is taking 14.6 seconds.
However if I pull the node:16.4.2-alpine3.14 using,
docker pull node:16.4.2-alpine3.14
and then run the build command, then build takes only 0.3 seconds
I think, when we build an image, dependencies also get downloaded and that is why the time taken reduces from 28.4 to 14.6 seconds. But why even 14.6 seconds? It should be as less as 0.3 seconds.
Why is this so? What am I missing?

The following could be the reasons it takes 18.4 seconds:
Docker client takes the entire build context to the docker daemon.The build context is the entire directory the Dockerfile.some files or folders can take up a lot of space e.g node_modules. A remedy to this is to add the file that is not required eg .git, node_module, log files to the .dockerignore file to get Docker to ignore some files.
DNS resolution. Check how long it takes to resolve the docker registry using the dig command.
Enabling the buildkit for your build will help with improving the build time. Setting the DOCKER_BUILDKIT=1 environment variable when invoking the docker build command such as:
DOCKER_BUILDKIT=1 docker build .
please look at this link for more information

Docker fails to build image with exit code 139

I'm trying to build an image from CentOS 6.9. Using this Dockerfile:
FROM centos:6.9
RUN ls
But it keeps failing with exit code 139 with the following output:
$ docker build -t centos-6.9 .
[+] Building 1.1s (7/7) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 72B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/centos:6.9 0.6s
=> [internal] load build context 0.1s
=> => transferring context: 72B 0.0s
=> CACHED [1/3] FROM docker.io/library/centos:6.9#sha256:6fff0a9edc920968351eb357c5b84016000fec6956e6d745f695e5a34f18ecd2 0.0s
=> [2/3] COPY . . 0.0s
=> ERROR [3/3] RUN ls 0.3s
------
> [3/3] RUN ls:
------
executor failed running [/bin/sh -c ls]: exit code: 139
I'm running:
Windows 10 Enterprise Version 2004
Docker Desktop 3.0.0

This appears to be an issue with WSL 2 with older base images, not docker or the image itself.
Create %userprofile%\.wslconfig file.
Add the following:
[wsl2]
kernelCommandLine = vsyscall=emulate
Restart WSL. wsl --shutdown
Restart Docker Desktop.
References:
https://github.com/microsoft/WSL/issues/4694#issuecomment-556095344
https://github.com/docker/for-win/issues/7284#issuecomment-646910923
https://github.com/microsoft/WSL/issues/4694#issuecomment-558335829