ARTIFACTORY: Duplicate Docker pushes with containerd image store enabled

Products: Frog_Artifactory
Content Type: Use_Case
Author: Tom Arie
Article Number: 000006369
First Published: 2025-03-12T12:07:00Z
Last Modified: 2025-05-14
Version: 8

Overview 

With the release of Docker Desktop version 4.34, the new containerd image store feature is officially enabled by default, which causes a conflict in the docker push command.
When the containerd image store is enabled, the docker push command currently pushes the same tag twice: once as a multi-architecture image (list.manifest) and again as a single image (manifest). Because both pushes use the same tag, the action may be detected as an overwrite.

Example of a push command that results in a duplicate push:

docker build . --push --platform linux/amd64 --tag artifactory.com/docker-local/alpine:latest

Impact

Artifactory users lacking Delete/Overwrite permissions may intermittently receive a forbidden error message when pushing Docker images using buildx. The error may look similar to this:
ERROR: failed commit on ref "manifest-sha256:bb83a97dce240571adc84d589e33f7a2cbb8312aa7e12d6290de48814e87ecbf": unexpected status from PUT request to https://artifactory.com/v2/docker-local/alpine/manifests/latest: 403 Forbidden
In addition, the tree browser will display both list.manifest and manifest under the same tag, which can cause some confusion. Importantly, there is no impact on storage, as both manifests are stored without using extra space.


Resolution Steps

We have proactively reached out to Docker regarding this matter, and a related issue has been opened and successfully merged: Docker PR #3023. This fix will be included in a future Buildx release.

To mitigate the impact until the Buildx version containing the above fix is released, we recommend that customers take the following steps:

First, ensure that any users without Delete/Overwrite permissions disable the containerd image store feature. This can be done by either of the following approaches:

1. Modifying the Docker Engine config:

    "features": {
        "containerd-snapshotter": false
    },

2. Unchecking "Use containerd for pulling and storing images" inside the Docker Desktop UI (supported from version 4.33.0)
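
Editing the engine config by hand can leave it as invalid JSON or drop unrelated settings. The following is an added example, not code from JFrog or Docker: it merges the "containerd-snapshotter" flag shown above into an existing engine config while preserving every other key. The function name is hypothetical and the config file path is an assumption supplied by the caller.

```python
import json
import sys

FLAG = "containerd-snapshotter"  # key name taken from the article's snippet


def disable_containerd_store(config_text):
    """Return (new_text, changed) with features.containerd-snapshotter set to false.

    Every other key in the engine config is preserved. Raises ValueError when
    the input is not a JSON object, so a broken file is never written back.
    """
    config = json.loads(config_text) if config_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("engine config must be a JSON object")
    features = config.setdefault("features", {})
    if not isinstance(features, dict):
        raise ValueError('"features" must be a JSON object')
    changed = features.get(FLAG) is not False
    features[FLAG] = False
    return json.dumps(config, indent=2) + "\n", changed


def main(path):
    # path: location of the engine config file, supplied by the caller (assumption)
    try:
        with open(path, encoding="utf-8") as fh:
            original = fh.read()
    except FileNotFoundError:
        original = ""  # no config yet: start from an empty object
    updated, changed = disable_containerd_store(original)
    if changed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    print("updated, restart Docker to apply" if changed else "already disabled")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: disable_containerd_store.py <path-to-engine-config.json>")
    main(sys.argv[1])
```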

Lastly, we encourage customers to stay informed about future updates to this article. 
If you need additional assistance or have questions, please contact our support team.