Wings delays server startup due to OCI attestation manifests (in-toto) on ghcr.io #5598
Description
Current Behavior
When starting a server, Wings performs a docker manifest inspect on the container
image before boot. This causes a delay of 20-35 seconds on the "Pulling Docker
container image" step, even when the image is already present locally.
tcpdump analysis reveals a ~19 second gap between Docker sending a request to
ghcr.io and receiving the response, occurring on a specific manifest fetch.
Expected Behavior
Server should start without significant delay when the Docker image is already
present locally.
Steps to Reproduce
- Use an egg with image ghcr.io/parkervcp/yolks:nodejs_21
- Start or restart a server
- Observe the delay on "Pulling Docker container image..."
Reproducible with:
time docker manifest inspect ghcr.io/parkervcp/yolks:nodejs_21 > /dev/null
Consistently takes 20-35 seconds
Root cause identified via tcpdump + docker manifest inspect --verbose:
The image index contains 4 manifests: amd64, arm64, and 2x architecture: unknown
which are in-toto attestations (Sigstore/SBOM provenance). Docker fetches all of
them sequentially. ghcr.io throttles the attestation requests server-side (~19s),
visible as a gap between the last request sent and the response received.
docker manifest inspect ghcr.io/parkervcp/yolks:nodejs_21 | grep -E "mediaType|architecture"
mediaType: application/vnd.in-toto+json <--- attestation, not a real image
mediaType: application/vnd.in-toto+json <--- attestation, not a real image
Panel Version
1.12.1
Wings Version
1.12.1
Games and/or Eggs Affected
Node.js egg (and likely any egg using parkervcp/yolks or ptero-eggs/yolks images)
Docker Image
ghcr.io/parkervcp/yolks:nodejs_21
Error Logs
https://ptero.co/0C6RLRIs there an existing issue for this?
- I have searched the existing issues before opening this issue. I understand that maintainers may close this issue without communication if I have not provided sufficient information.