Skip to content

imagetools: Allow annotations for OCI image index #1965

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jedevc merged 2 commits into from
Aug 8, 2023
Merged

imagetools: Allow annotations for OCI image index #1965

jedevc merged 2 commits into from
Aug 8, 2023

Conversation

@mqasimsarfraz
Copy link
Contributor

@mqasimsarfraz mqasimsarfraz commented Jul 20, 2023
edited
Loading

Currently there isn't any way to add annotations to OCI image index for multi-arch. The use case is to have a description in "About this version" in GitHub. It will introduce an optional flag of --annotation to imagetools create to allow adding OCI annotations.

Related: #1171

Testing Done:

OCI Image Index (annotation added)

$ ./bin/build/buildx  imagetools create  -t ghcr.io/inspektor-gadget/inspektor-gadget:v0.18.1 ghcr.io/inspektor-gadget/inspektor-gadget:v0.18.1@sha256:c3780808973801b24c80f8b46835b882fe0d69c08a4460333f28143569665861 ghcr.io/inspektor-gadget/inspektor-gadget:v0.18.1@sha256:d6d5661b02002aa8035e035e9210e3476e0401a948a86fabf104f71c2cbe0efe  --dry-run --annotation index:org.opencontainers.image.description="I am a description"
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:c3780808973801b24c80f8b46835b882fe0d69c08a4460333f28143569665861",
      "size": 2963,
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:d6d5661b02002aa8035e035e9210e3476e0401a948a86fabf104f71c2cbe0efe",
      "size": 2962,
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    }
  ],
  "annotations": {
    "org.opencontainers.image.description": "I am a description"
  }
}

Manifest Descriptor

$ ./bin/build/buildx  imagetools create  -t ghcr.io/inspektor-gadget/inspektor-gadget:v0.18.1 ghcr.io/inspektor-gadget/inspektor-gadget:v0.18.1@sha256:c3780808973801b24c80f8b46835b882fe0d69c08a4460333f28143569665861 ghcr.io/inspektor-gadget/inspektor-gadget:v0.18.1@sha256:d6d5661b02002aa8035e035e9210e3476e0401a948a86fabf104f71c2cbe0efe  --dry-run --annotation manifest-descriptor:org.opencontainers.image.description="I am a description"
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:c3780808973801b24c80f8b46835b882fe0d69c08a4460333f28143569665861",
      "size": 2963,
      "annotations": {
        "org.opencontainers.image.description": "I am a description"
      },
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:d6d5661b02002aa8035e035e9210e3476e0401a948a86fabf104f71c2cbe0efe",
      "size": 2962,
      "annotations": {
        "org.opencontainers.image.description": "I am a description"
      },
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    }
  ]
}

Docker manifest list (noop)

$ /bin/build/buildx  imagetools create  -t hello-world hello-world hello-world  --dry-run --annotation org.opencontainers.image.description="I am a description"
...

@mqasimsarfraz mqasimsarfraz force-pushed the qasim/oci-annotations branch from 6d283d0 to 42ee388 Compare July 20, 2023 22:06
eiffel-fl
eiffel-fl approved these changes Jul 21, 2023
View reviewed changes
Copy link

@eiffel-fl eiffel-fl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for it! I tested it and it works fine:

$ ./bin/build/buildx imagetools create -t ghcr.io/eiffel-fl/inspektor-gadget:vtest ghcr.io/inspektor-gadget/inspektor-gadget:v0.18.1@sha256:c3780808973801b24c80f8b46835b882fe0d69c08a4460333f28143569665861 ghcr.io/inspektor-gadget/inspektor-gadget:v0.18.1@sha256:d6d5661b02002aa8035e035e9210e3476e0401a948a86fabf104f71c2cbe0efe --annotations foo="bar"                                       
[+] Building 2.4s (1/1) FINISHED                                                                                                                                           
 => [internal] pushing ghcr.io/eiffel-fl/inspektor-gadget:vtest
$ ./bin/build/buildx imagetools inspect --raw ghcr.io/eiffel-fl/inspektor-gadget:vtest                    qasim/oci-annotations u=
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:c3780808973801b24c80f8b46835b882fe0d69c08a4460333f28143569665861",
      "size": 2963,
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:d6d5661b02002aa8035e035e9210e3476e0401a948a86fabf104f71c2cbe0efe",
      "size": 2962,
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    }
  ],
  "annotations": {
    "foo": "bar"
  }
}

I think we are OK regarding the rules, as the reversed domain name is only an advise and due to using map we cannot have two times the same key.

@mqasimsarfraz mqasimsarfraz force-pushed the qasim/oci-annotations branch from 42ee388 to b071d65 Compare July 21, 2023 14:57
@mqasimsarfraz
Copy link
Contributor Author

mqasimsarfraz commented Jul 24, 2023

@crazy-max @jedevc any thoughts on this? :)

@jedevc
Copy link
Collaborator

jedevc commented Jul 24, 2023

Hm, in general I think the idea for this is alright 🎉

However, I think we'd probably want to retain consistency with how buildkit sets annotations: https://github.com/moby/buildkit/blob/master/docs/annotations.md.

There's not really any strong consensus on how we'd expose this in buildx build, but imagetools should probably follow an identical setup to avoid confusion.

#1171 (comment) gets pretty close to an ideal syntax imo. With, that to annotate your multi-arch image, you'd instead have:

$ buildx imagetools create -t hello-world hello-world hello-world --dry-run --annotation index:org.opencontainers.image.description="I am a description"

Would this kind of syntax work for you? I think we need consistency through buildx, so maybe good to continue the discussion there.

@crazy-max
Copy link
Member

crazy-max commented Jul 24, 2023
edited
Loading

For the sake of parity we should consider supporting labels as well in follow-up.

@mqasimsarfraz
Copy link
Contributor Author

mqasimsarfraz commented Jul 24, 2023

in general I think the idea for this is alright tada

Great

Would this kind of syntax work for you? I think we need consistency through buildx.

Agreed, we should have consistency through buildx. Also, I was already thinking how can we give user a hint that these annotations are for index and not manifest/descriptor so using index: prefix works well for that. I will proceed the PR in this direction then!

@mqasimsarfraz mqasimsarfraz mentioned this pull request Jul 24, 2023
Closed
@mqasimsarfraz mqasimsarfraz force-pushed the qasim/oci-annotations branch from b071d65 to e5e178f Compare July 27, 2023 14:58
@mqasimsarfraz
Copy link
Contributor Author

mqasimsarfraz commented Jul 27, 2023

@jedevc I have updated the PR to use the new syntax with index:. I still kept the scope to index only. Please feel free to let me know if you think we should handle descriptors as well.

@tonistiigi
Copy link
Member

tonistiigi commented Jul 31, 2023

I've opened #1978 that you can use as a base for adding integration tests for checking the --annotation flag behavior.

@mqasimsarfraz mqasimsarfraz force-pushed the qasim/oci-annotations branch from e5e178f to f8d9676 Compare August 1, 2023 12:26
@mqasimsarfraz
Copy link
Contributor Author

mqasimsarfraz commented Aug 1, 2023
edited
Loading

I've opened #1978 that you can use as a base for adding integration tests for checking the --annotation flag behavior.

@tonistiigi great thanks. I updated the PR to include testImagetoolsAnnotation. Had to use oci-mediatypes=true to ensure we push an index and not a manifest list in the test.

eiffel-fl
eiffel-fl reviewed Aug 2, 2023
View reviewed changes
eiffel-fl
eiffel-fl reviewed Aug 2, 2023
View reviewed changes
@mqasimsarfraz mqasimsarfraz force-pushed the qasim/oci-annotations branch from f8d9676 to 95b6a2f Compare August 2, 2023 08:38
jedevc
jedevc requested changes Aug 2, 2023
View reviewed changes
tonistiigi
tonistiigi reviewed Aug 2, 2023
View reviewed changes
@mqasimsarfraz mqasimsarfraz force-pushed the qasim/oci-annotations branch from 95b6a2f to 11c0502 Compare August 3, 2023 07:55
jedevc
jedevc reviewed Aug 3, 2023
View reviewed changes
util/imagetools/create.go
indexAnnotations := make(map[string]string)
manifestDescriptorAnnotations := make(map[string]string)
for k, v := range ann {
groups := annotationRegexp.FindStringSubmatch(k)
Copy link
Collaborator

@jedevc jedevc Aug 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of using a regexp here, wdyt about using https://github.com/moby/buildkit/blob/dd0053cdce470b1355fdb0bd5a8f2b0fc506d842/exporter/containerimage/exptypes/annotations.go#L85 instead?

Obviously, it's not perfect, since we'd need to add the annotation- prefix here, which might make the error message a bit odd, but we could always upstream a buildkit fix later that would rework the function to have the caller remove the prefix there (so we wouldn't have to do that).

Copy link
Contributor Author

@mqasimsarfraz mqasimsarfraz Aug 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of using a regexp here, wdyt about using https://github.com/moby/buildkit/blob/dd0053cdce470b1355fdb0bd5a8f2b0fc506d842/exporter/containerimage/exptypes/annotations.go#L85 instead?

Initially I had the same idea but we are using : as a separator for type and annotation key compared to . expected here. So it needs more work than just appending annotation- prefix.

but we could always upstream a buildkit fix later that would rework the function

Does it make sense to make buildkit parser to also handle : separator. It sounded specific to buildx so I feel we should keep it here. wdyt?

Copy link
Collaborator

@jedevc jedevc Aug 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Personally, I'd prefer the conversion to buildkit's form for now, so that we only have one source of truth for parsing these keys - I'm happy to follow up in buildkit to rework the logic to be a bit more reusable for this case.

I also just noticed (sorry), that we aren't handling platforms? manifest-descriptor supports a platform, and should only be attached to the descriptor for those platforms.

Copy link
Contributor Author

@mqasimsarfraz mqasimsarfraz Aug 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm happy to follow up in buildkit to rework the logic to be a bit more reusable for this case.

Agreed. That should be the way moving forward. I added a comment regrading using buildkit once it supports our use-case here.

I also just noticed (sorry), that we aren't handling platforms?

Great Catch. Done.

@mqasimsarfraz mqasimsarfraz force-pushed the qasim/oci-annotations branch from 11c0502 to 3ef93e0 Compare August 3, 2023 10:20
jedevc
jedevc approved these changes Aug 3, 2023
View reviewed changes
Copy link
Collaborator

@jedevc jedevc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🎉 Thanks @mqasimsarfraz!

@mqasimsarfraz
Copy link
Contributor Author

mqasimsarfraz commented Aug 8, 2023

Can you please merge this ? or do we have any open items against it? :)

@jedevc jedevc merged commit e5cee89 into docker:master Aug 8, 2023
@mqasimsarfraz mqasimsarfraz mentioned this pull request Aug 8, 2023
Merged
@jedevc jedevc mentioned this pull request Aug 24, 2023
Merged
@jedevc jedevc mentioned this pull request Dec 10, 2023
Open
3 tasks
mqasimsarfraz added a commit to mqasimsarfraz/inspektor-gadget that referenced this pull request Feb 14, 2024
@mqasimsarfraz
ci: unpin docker buildx version
3019e5c 
We were using a specific version for docker buildx to have
support for adding annotaions ( docker/buildx#1965).
But it has been released into stable already so removing workaround.

Signed-off-by: Qasim Sarfraz <[email protected]>
mqasimsarfraz added a commit to inspektor-gadget/inspektor-gadget that referenced this pull request Feb 14, 2024
@mqasimsarfraz
ci: unpin docker buildx version
a7fb4f5 
We were using a specific version for docker buildx to have
support for adding annotaions ( docker/buildx#1965).
But it has been released into stable already so removing workaround.

Signed-off-by: Qasim Sarfraz <[email protected]>
@mqasimsarfraz mqasimsarfraz mentioned this pull request Feb 14, 2024
Merged
@crazy-max crazy-max mentioned this pull request Apr 5, 2024
Open
35 tasks
@wouterdebruijn wouterdebruijn mentioned this pull request Feb 3, 2025
Merged
art-shen added a commit to fluxo-kt/aza-pg that referenced this pull request Nov 14, 2025
@art-shen
fix(ci): add BuildKit latest to merge and release jobs for OCI annota…
5f2fd19 
…tion support

Root cause: OCI annotations were not persisted to multi-arch manifest index,
causing GitHub Container Registry to show "No description provided".

The --annotation flag for docker buildx imagetools create requires BuildKit
v0.12.0+ / Buildx v0.11.0+. The merge and release jobs were missing explicit
BuildKit configuration, defaulting to older versions that silently ignored
--annotation flags.

Changes:
- merge job: Add driver-opts with moby/buildkit:latest + network=host
- release job: Add driver-opts with moby/buildkit:latest + network=host
- Ensures consistency with build job which already had this configuration

This fixes the verification step failure:
  ❌ ERROR: No annotations found on manifest index

Related:
- Fixes https://github.com/fluxo-kt/aza-pg/actions/runs/19348853813/job/55357635596#step:6:109
- Docker docs: https://docs.docker.com/build/metadata/annotations/
- BuildKit PR: docker/buildx#1965

Testing: Validated with yamllint and bun run validate (all checks passed)
art-shen added a commit to fluxo-kt/aza-pg that referenced this pull request Nov 15, 2025
@art-shen
fix(ci): add BuildKit latest to merge and release jobs for OCI annota…
be9eb24 
…tion support

Root cause: OCI annotations were not persisted to multi-arch manifest index,
causing GitHub Container Registry to show "No description provided".

The --annotation flag for docker buildx imagetools create requires BuildKit
v0.12.0+ / Buildx v0.11.0+. The merge and release jobs were missing explicit
BuildKit configuration, defaulting to older versions that silently ignored
--annotation flags.

Changes:
- merge job: Add driver-opts with moby/buildkit:latest + network=host
- release job: Add driver-opts with moby/buildkit:latest + network=host
- Ensures consistency with build job which already had this configuration

This fixes the verification step failure:
  ❌ ERROR: No annotations found on manifest index

Related:
- Fixes https://github.com/fluxo-kt/aza-pg/actions/runs/19348853813/job/55357635596#step:6:109
- Docker docs: https://docs.docker.com/build/metadata/annotations/
- BuildKit PR: docker/buildx#1965

Testing: Validated with yamllint and bun run validate (all checks passed)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tonistiigi tonistiigi tonistiigi left review comments

@jedevc jedevc jedevc approved these changes

+1 more reviewer

@eiffel-fl eiffel-fl eiffel-fl approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area/imagetools

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@mqasimsarfraz @jedevc @crazy-max @tonistiigi @eiffel-fl