crane: GCR Image build bug (OCI vs Docker layer format)

[ReDemoNBR]

Describe the bug

The v0.14.0 crane image on GCR says it is an OCI image, but contains a Docker layer, which doesn't conform to the OCI specification and breaks builds that use crane in a Dockerfile/Containerfile.

To Reproduce

Tested on a linux/amd64 host

### Containerfile
FROM gcr.io/go-containerregistry/crane:v0.14.0 AS crane

FROM docker.io/alpine:3.17
COPY --from=crane /ko-app/crane /usr/bin/crane

$ podman build -t example .

This fails with the output:

Error: 2 errors occurred:
	* creating build container: preparing image configuration: resetting recorded compression for "containers-storage:[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev]@f8a28633ef263ab667cc7930c350b553e6c4332b8852b714a0f0245d6c877aee": preparing updated manifest, layer "sha256:72164b581b02b1eb297b403bcc8fc1bfa245cb52e103a3a525a0835a58ff58e2": unsupported MIME type for compression: application/vnd.docker.image.rootfs.diff.tar.gzip
	* creating build container: preparing image configuration: resetting recorded compression for "containers-storage:[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev]@d45a133e4f0b36b23a70055866528d1d7fcc6f4a486f44b2f88dd511125fef1a": preparing updated manifest, layer "sha256:72164b581b02b1eb297b403bcc8fc1bfa245cb52e103a3a525a0835a58ff58e2": unsupported MIME type for compression: application/vnd.docker.image.rootfs.diff.tar.gzip

Expected behavior

The command should build the image

Additional context

When inspecting the image, we can see that it uses the OCI format, but contains a Docker layer.

This will print the multi-arch manifest list

$ skopeo inspect --raw docker://gcr.io/go-containerregistry/crane:v0.14.0 | jq .

{
  "schemaVersion": 2,
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 1968,
      "digest": "sha256:bfa854b4312c6947d5fe96a63f5d9115d1e4ccc330668195ef64716e53b4f1c5",
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    [... skipped for brevity]
  ]
}

Then, we will use the linux/amd64 platform specific (as an example, but I also confirmed on linux/arm) digest to inspect the layers:

$ skopeo inspect --raw docker://gcr.io/go-containerregistry/crane@sha256:bfa854b4312c6947d5fe96a63f5d9115d1e4ccc330668195ef64716e53b4f1c5 | jq .

The output:

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "size": 1881,
    "digest": "sha256:d45a133e4f0b36b23a70055866528d1d7fcc6f4a486f44b2f88dd511125fef1a"
  },
  "layers": [
    {
      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
      "size": 103735,
      "digest": "sha256:10f855b03c8aee4fb0b9b7031c333640d684bd9ee6045f11f9892c7fea394701"
    },
    ... [skipped for brevity]
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 98,
      "digest": "sha256:72164b581b02b1eb297b403bcc8fc1bfa245cb52e103a3a525a0835a58ff58e2"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 8410379,
      "digest": "sha256:6ff4dd532debff59c2a7155e3f2556fd43461c7f09814c6d9b1a172eccaca00d"
    }
  ]
}

You can see the 2 last layers in the array are application/vnd.docker.image.rootfs.diff.tar.gzip, which are Docker layers, not OCI layers.

I am not sure how kaniko works, but maybe declaring the image as Docker and the Manifest List as Docker v2s2 can fix the problem

[imjasonh]

I believe this is because the image is built with an old version of ko, which had this bug:

go-containerregistry/cloudbuild.yaml

Line 22 in 53189d3

curl -L -o ko.tar.gz https://github.com/google/ko/releases/download/v0.8.2/ko_0.8.2_Linux_i386.tar.gz

Upgrading to the latest ko, v0.13.0, should help. See #1607