Why are there extra untagged 'images' in Amazon ECR after doing docker push?
I've pushed some Docker images to Amazon Elastic Container Registry (ECR), and I'm not sure why there are extra untagged images.
This happens for multiple of my images but one of my images is just redhat/ubi9 + Java, etc. and looks like this:
ARG CONTAINER_REGISTRY_URI
FROM ${CONTAINER_REGISTRY_URI}my-ubi9-base:latest
ENV BUILD_VERSION=unknown
RUN ...
WORKDIR /opt/my-org/api
ADD --chmod=740 <<EOF run
...
EOF
SHELL ["/usr/bin/bash", "-c"]
ENTRYPOINT /opt/my-org/api/run
EXPOSE 80
Result after docker pushing this image:
TLDR: The ECR console is showing provenance attestations, which can be disabled via passing --provenance=false to docker buildx build
This is a poor UX decision, and is related to the way ECR shows
- multi-architecture container images
- provenance attestations, enabled by default in Buildx versions v0.10.0 and higher
A proposal to improve it is still pending since Dec 2021.
One way this could happen, is when pushing multi-arch container images1. However, this doesn't seem to be the case here as you've got an entry with a file size of 0 MB.
Essentially, the console shows everything ungrouped - images, artifacts and indexes. As per the Docker docs, attestations (both SBOM and provenance) attach to images as a manifest in the image index.
Since it's a manifest, the console is also showing the build provenance attestations. It's correctly marked as '0 MB' since it is less than a MB albeit misleading. However, it is incorrectly labelled as an 'image'.
If you'd like to disable them, pass --provenance=false as an option to your docker buildx build to prevent them from being created and added.
The console has long needed improvements for showing OS/arch correctly like Docker Hub does, as well as these type of artifacts correctly.
1 You normally also see untagged images when you've pushed a container image which supports multi-arch via a component known as a manifest list (or image index). This results in an entry with artifact type of 'Image Index'. However, container images aren't typically smaller than a megabyte.
You can also confirm this using aws ecr --region xxx describe-images --repository-name xxx, which will show you the 2 images the (instruction set) architecture as a tag in imageTags.
For a multiplatform image with 2 supported architectures, it would show up as three things in the view:
- Image Index (manifest list)
- Image A supporting arch A (with file size of not 0)
- Image B supporting arch B (with file size of not 0)
- AWS Cloudwatch agent config file removed after startup
- AWS lambda SQS does not allow to process 1 message per 1 invocation
- How can I create a TLS/SSL connection to a mongodb instance on AWS with a certificate made by certificate manager? Health check failed
- Cloudfront redirect when signed cookies not present
- AWS Lambda and DynamoDB - updatetItem is not a function
- AWS ElasticBeanstalk EC2 Termination Protection
- Allowing AWS Cognito Users to authentication to JIRA via SAML/SSO (Domain Not found)
- Install pgAgent on AWS RDS for Postgres
- Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect)
- List all parameters in AWS SSM Parameter Store
- AWS push_down_predicate not working with DynamoDb
- localstack AWS S3 javascript error : getaddrinfo ENOTFOUND bucketname.localhost
- AWS ECS agent won't start
- AWS VPC (Virtual Private Cloud), rapidly increasing expenses
- SemaphoreCI OIDC AWS connection
- Can't delete AWS internet Gateway
- How to provide multiple StringNotEquals conditions in AWS policy?
- Not able to get ECS fargate metrics on Datadog
- 502 "Internal Server Error" with API Gateway + Lambda when deploying
- Java Springboot application not able to connect to AWS Elasticache Valkey Cache (Serverless)
- Splitting PDF with PyPDF2 in Lambda function
- "libdbus-glib-1.so.2: cannot open shared object file: No such file or directory"
- Partial credentials found in env, missing: AWS_SECRET_ACCESS_KEY
- Best way to store Firebase admin private key file for AWS lambda
- AWS Elastic Beanstalk and Secret Manager
- Unable to upload data using sagemaker_session.upload_data in s3 bucket that I created, it is getting stored in default s3 bucket
- Parse Aws IoT message in python
- How to temporarily switch profiles for AWS CLI?
- Python Sqlalchemy insert data into AWS Redshift
- Using AWS Bedrock Prompt Management with InvokeCommand