fix: ubuntu:24.04 base image + remove platforms: flag to fix ARM64 on RK3588 #149
Merged
python:3.12-slim (Debian Trixie) ARM64 packages are compiled with Pointer Authentication (PAC, ARMv8.3-A). RK3588 (Cortex-A76/A55) is ARMv8.2-A and does not implement PAC. The Linux kernel returns ENOEXEC for PAC-guarded ELF binaries on hardware without PAC support, causing an 'exec format error' even though the image is correctly built for arm64. Ubuntu 24.04 ARM64 packages do not use PAC and run correctly on RK3588. Use a venv to work around Ubuntu 24.04 PEP 668 pip restrictions.
…che contamination On an ubuntu-24.04-arm native runner, setting platforms: linux/arm64 in setup-buildx-action forces a docker-container driver (QEMU-backed) instead of using the host builder. This causes the layer cache to be shared with amd64 builds, pulling stale amd64 base OS layers into an arm64 image. Rename the registry cache key from :buildcache to :buildcache-arm64 to avoid reusing the stale amd64 cache that accumulated before this fix.
Pull request overview
This PR updates the container build and publish pipeline to restore usability on RK3588 (ARMv8.2-A) by avoiding Debian/PAC-incompatible base layers and preventing ARM64 builds from reusing a contaminated cache.
Changes:
- Switch Docker base image to `ubuntu:24.04`, install Python 3.12 via apt, and use a venv to work around PEP 668 restrictions.
- Adjust GitHub Actions docker publish workflow to omit explicit `platforms: linux/arm64` on a native ARM64 runner and use a new `:buildcache-arm64` registry cache tag.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `Dockerfile` | Changes base image to Ubuntu 24.04, installs Python from apt, and uses a venv before installing the project. |
| `.github/workflows/docker-publish.yml` | Removes explicit `platforms:` and renames the registry cache tag for ARM64 builds. |
…ldx comment

Revert action major versions to what was present before this PR:
- actions/checkout@v6
- sigstore/cosign-installer@v4.1.1
- docker/setup-buildx-action@v4
- docker/login-action@v4
- docker/metadata-action@v6

These downgrades were not required for the ARM64/PAC fix and could introduce unintended behaviour differences (Copilot review feedback).

Also fix the misleading comment on setup-buildx-action: the action uses a docker-container builder by default, not a "host builder". The comment now correctly describes why omitting `platforms:` avoids QEMU-backed cross-compilation and cache contamination.
The previous commit accidentally dropped the original workflow comments (copyright header, step descriptions, URLs, sigstore notes) and downgraded build-push-action from v7 to v6. This commit restores all original comments verbatim and integrates the ARM64 explanation as NOTE blocks within the existing comment sections, keeping the diff minimal and reviewable.
Problems fixed
Two separate issues combined to make the published image unusable on RK3588 hardware since PR #141.
1. BuildKit cache contamination (CI workflow)
`setup-buildx-action` with `platforms: linux/arm64` on a native `ubuntu-24.04-arm` runner forces a QEMU-backed docker-container builder instead of using the host builder. This builder shares a layer cache namespace with amd64 builds. The old `:buildcache` registry tag still contained amd64 base OS layers, so subsequent arm64 builds pulled those stale layers — producing an image where `/bin/sh` and the entire base OS are amd64 ELF, causing `exec format error` at container startup.

Fix: Remove `platforms: linux/arm64` from both `setup-buildx-action` and `build-push-action`. On a native arm64 runner, omitting the flag builds for the host architecture without QEMU. Rename the cache key to `:buildcache-arm64` to avoid reusing the poisoned cache.

2. Pointer Authentication (PAC) incompatibility with Debian base (Dockerfile)

Even with a correctly built arm64 image, `python:3.12-slim` (Debian Trixie) cannot run on RK3588. Debian Trixie ARM64 packages are compiled with Pointer Authentication (PAC), an ARMv8.3-A feature. The RK3588 SoC (Cortex-A76 + Cortex-A55) implements ARMv8.2-A only — it has no PAC hardware. The Linux kernel returns `ENOEXEC` when attempting to execute a PAC-guarded ELF binary on hardware without PAC support, which is why `/usr/bin/python3.12` and even `/bin/sh` immediately crash.

Ubuntu 24.04 ARM64 packages are not compiled with PAC and run correctly on ARMv8.2-A hardware including RK3588, RK3568, and other Rockchip SoCs.

Fix: Change `FROM python:3.12-slim` → `FROM ubuntu:24.04`. Install Python 3.12 from Ubuntu apt packages. Use a `venv` to work around Ubuntu 24.04's PEP 668 pip restriction.

Verification

After this fix the image must:
- `od -An -j18 -N1 -tx1 /usr/bin/python3.12`
- `rkllama_server` without `exec format error` on RK3588 hardware

Changes

- `Dockerfile`: `FROM ubuntu:24.04` instead of `python:3.12-slim`; add venv; install Python from apt
- `.github/workflows/docker-publish.yml`: `platforms: linux/arm64` from both Buildx steps; rename cache key to `:buildcache-arm64`
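
The `od` command in the Verification section reads the first byte of the ELF `e_machine` field. The script below is an added example, not part of this pull request: it generalizes that one-file check to every ELF file under an unpacked image root, so amd64 binaries pulled in from a stale cache layer are listed by path. The function names and the stub files are hypothetical and constructed for the demonstration.

```shell
# Print the architecture named by an ELF header's e_machine field (offset 18).
# The od command in the Verification section reads the first byte of this field.
elf_machine() {
    magic=$(od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then echo not-elf; return 0; fi
    endian=$(od -An -j5 -N1 -tx1 "$1" 2>/dev/null | tr -d ' \n')  # 01 LE, 02 BE
    raw=$(od -An -j18 -N2 -tx1 "$1" 2>/dev/null | tr -d ' \n')    # e.g. b700
    if [ "$endian" = "02" ]; then val=$raw; else val="${raw#??}${raw%??}"; fi
    case "$val" in
        00b7) echo aarch64 ;;
        003e) echo x86_64 ;;
        0028) echo arm ;;
        *)    echo "unknown-0x$val" ;;
    esac
}

# List every ELF file under an unpacked image root whose architecture differs
# from the expected one; the return status is non-zero if any were found.
scan_rootfs() {
    root=$1; expected=$2; bad=0
    list=$(mktemp)
    find "$root" -type f > "$list"
    while IFS= read -r f; do
        arch=$(elf_machine "$f")
        case "$arch" in
            not-elf|"$expected") ;;
            *) echo "MISMATCH $arch $f"; bad=$((bad + 1)) ;;
        esac
    done < "$list"
    rm -f "$list"
    [ "$bad" -eq 0 ]
}

# Constructed sample input: a 20-byte little-endian ELF64 header stub.
# $1 = output path, $2 = octal escape for the low byte of e_machine.
make_stub() {
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\002\000'"$2"'\000' > "$1"
}
demo() {
    d=$(mktemp -d); rc=0
    mkdir -p "$d/bin" "$d/usr/bin"
    make_stub "$d/usr/bin/python3.12" '\267'   # 0xb7: AArch64
    make_stub "$d/bin/sh" '\076'               # 0x3e: x86-64, as from a stale layer
    echo '#!/bin/sh' > "$d/bin/wrapper"        # a script, not an ELF file
    scan_rootfs "$d" aarch64 || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "foreign-architecture binaries found"
```

A matching `e_machine` only rules out the stale-amd64-layer failure; the field carries no information about which ARMv8 extensions a binary was compiled for.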