Docker Hub image pablof7z/nsecbunkerd:latest is arm64-only — fails on amd64 hosts #6

Open
opened 2026-05-25 21:56:06 +00:00 by padreug · 0 comments

Symptom

Pulling and running pablof7z/nsecbunkerd:latest on an amd64 host (Linux x86_64) prints a warning at pull time:

```
nsecbunker The requested image's platform (linux/arm64/v8) does not match
the detected host platform (linux/amd64/v4) and no specific platform was
requested
```

…then at start the container immediately crash-loops:

```
nsecbunker-1  | exec /usr/local/bin/node: exec format error
nsecbunker-1  | exec /usr/local/bin/node: exec format error
...
Status: Restarting (255) Less than a second ago
```

The arm64 binary inside the image can't execute on an x86_64 kernel; Docker doesn't auto-emulate without explicit qemu setup, and Compose's restart: on-failure keeps looping the failure forever.

Root cause

The published image on Docker Hub at docker.io/pablof7z/nsecbunkerd:latest has only a linux/arm64/v8 manifest entry, no linux/amd64. Build/publish pipeline is single-arch.

Workaround

Build locally from source (which is what we ended up doing in our deploy). After applying patches #1, #2, #3, docker build produces a host-native image.

Real fix

Set up multi-arch publishing for the Docker Hub image:

```yaml
# .github/workflows/docker-publish.yml (or equivalent CI)
- name: Set up QEMU
  uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v3

- name: Login to Docker Hub
  uses: docker/login-action@v3
  ...

- name: Build and push
  uses: docker/build-push-action@v5
  with:
    context: .
    platforms: linux/amd64,linux/arm64
    push: true
    tags: pablof7z/nsecbunkerd:latest
```

(Adapt to whatever CI Pablo's using.)

Most home-server / dev users are on x86_64; arm64-only image essentially limits deployments to Raspberry-Pi-style hosts unless they build from source.

Acceptance

  - [x] Workaround: we build locally.
  - [ ] Multi-arch image published upstream.
  - [ ] Or, if we're going to maintain our own fork long-term, publish our own multi-arch image at git.atitlan.io/aiolabs/nsecbunkerd:<tag> via Forgejo Actions or similar.

Cross-refs

  • Combined with #1, #2, #3, makes upstream effectively unusable from a clean clone on amd64. The fork was created in part to manage all these patches together.
  • Discovered during aiolabs/lnbits#18 phase 2 spike.
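
As an added example (not part of the original issue or the nsecbunkerd project), here is a check a publish pipeline could run after pushing, to confirm the tag carries every required platform. It parses the JSON printed by `docker buildx imagetools inspect --raw <image>`; the sample index, its placeholder digests and the function names are constructed for illustration.

```python
import json

# Constructed sample: an OCI image index shaped like the --raw output for an
# arm64-only tag. Digests are placeholders, not real values.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:<placeholder-arm64>",
         "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"}},
        # buildx attestation entries carry unknown/unknown and are not runnable
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:<placeholder-attestation>",
         "platform": {"architecture": "unknown", "os": "unknown"}},
    ],
})

def published_platforms(raw_manifest):
    """Return the set of os/arch strings a manifest list or OCI index offers."""
    doc = json.loads(raw_manifest)
    if "manifests" not in doc:
        # A plain image manifest is single-arch; its architecture is recorded
        # only in the image config blob, not in this document.
        raise ValueError("not a manifest list/index: tag is single-platform")
    found = set()
    for entry in doc["manifests"]:
        plat = entry.get("platform") or {}
        os_name, arch = plat.get("os"), plat.get("architecture")
        if not os_name or not arch or "unknown" in (os_name, arch):
            continue  # skip attestations and entries without platform data
        found.add(f"{os_name}/{arch}")  # variant (v8) intentionally ignored
    return found

def missing_platforms(raw_manifest, required):
    """Platforms from `required` that the tag does not publish (sorted)."""
    return sorted(set(required) - published_platforms(raw_manifest))

if __name__ == "__main__":
    import sys
    # `... inspect --raw IMAGE | python check.py -` gates on real output;
    # with no argument the constructed sample is checked instead.
    gate = sys.argv[1:] == ["-"]
    raw = sys.stdin.read() if gate else SAMPLE_INDEX
    missing = missing_platforms(raw, ["linux/amd64", "linux/arm64"])
    print("missing platforms:", ", ".join(missing) or "none")
    sys.exit(1 if gate and missing else 0)
```
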
Reference
aiolabs/nsecbunkerd#6