Share via

Error when deploying an Azure Container App image: Selected tag uses an invalid operating system ''

Ian Corera 25 Reputation points
2026-04-14T23:00:42.7766667+00:00

I am getting the following error when creating a container app from an image in ACR: Selected tag uses an invalid operating system ''. Below is the full Dockerfile used to create the image that is pushed it to ACR. I have tested the image in Docker Desktop. I am unable to create an Azure Container App from it.

FROM python:3.12-slim

WORKDIR /app

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY server.py .

EXPOSE 5000

CMD ["python", "server.py"]
Azure Container Apps
Azure Container Apps

An Azure service that provides a general-purpose, serverless container platform.

0 comments

Answer accepted by question author

  1. Rakesh Mishra 8,420 Reputation points Microsoft External Staff Moderator
    2026-04-15T00:13:10.6466667+00:00

    Hi Ian,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    The error "Selected tag uses an invalid operating system" doesn't mean your Dockerfile is invalid. In fact, your Dockerfile is perfectly fine for a standard Linux container. The issue lies in the hidden metadata generated by modern Docker build tools and how Azure Container Apps parses it.

    The Root Cause

    If you are using a recent version of Docker Desktop, it uses Docker Buildx as the default build engine. Starting from Buildx v0.10, Docker automatically attaches SLSA provenance attestations (build metadata) to your image when you push it.

    These attestations are packaged as part of a multi-part OCI manifest list, and the "operating system" metadata for the attestation itself is marked as unknown/unknown. When Azure Container Apps tries to pull the image by its tag, it encounters this attestation manifest first, fails to read a valid operating system, and throws the exact error you are seeing: Selected tag uses an invalid operating system ''.

    Additionally, if you are building this locally on an Apple Silicon Mac (M1/M2/M3), Docker builds the image for ARM64 by default, which Azure Container Apps (expecting linux/amd64) will also reject.

    The Solution

    You can fix this by explicitly disabling the provenance attestation and enforcing the correct architecture when you run your docker build command.

    Run the following command in the directory with your Dockerfile:

    Bash

    docker buildx build --platform linux/amd64 --provenance=false -t <your-acr-name>.azurecr.io/<your-image-name>:<new-tag> --push .

    What this command does:

    1. --provenance=false: Stops Docker from attaching the "unknown" attestation metadata, so Azure Container Apps will read the pure container manifest directly.
    2. --platform linux/amd64: Ensures the image is compiled for standard x86-64 servers, which is the underlying architecture Azure Container Apps relies on.
    3. --push: Pushes it directly to your ACR in one step.

    Note: Be sure to replace the bracketed placeholders with your actual ACR details. I highly recommend using a new tag (like v2) so Azure doesn't rely on cached, broken metadata from the old tag.

    Deploy the Container App using the new tag, and it should run successfully. Let me know in comments if still facing issue.

    Note: This response is drafted with the help of AI systems.

    5 people found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marcin Policht 88,075 Reputation points MVP Volunteer Moderator
    2026-04-14T23:09:40.6266667+00:00

    That error typically means Azure Container Apps can’t determine the OS/architecture metadata from the image manifest in ACR, not that your Dockerfile itself is invalid. Your Dockerfile seems fine for a Linux container, so the issue is more likely related to how the image was built and pushed.

    One possible common cause is building with Docker Buildx and pushing a multi-platform or OCI index image where the manifest doesn’t clearly resolve to a single linux/amd64 image. Azure Container Apps expects a Linux image with a concrete platform, typically linux/amd64.

    If you built the image on Apple Silicon (M1/M2/M3) or used buildx without specifying a platform, the pushed image may be linux/arm64 or a multi-arch manifest. ACA often fails with the “invalid operating system ''” message in that case.

    Rebuild and push the image explicitly targeting linux/amd64:

    docker buildx build --platform linux/amd64 -t <acr-name>.azurecr.io/<repo>:<tag> --push .

    If you are not using buildx, you can still force the platform:

    docker build --platform linux/amd64 -t <acr-name>.azurecr.io/<repo>:<tag> .
docker push <acr-name>.azurecr.io/<repo>:<tag>

    Also verify what was pushed:

    docker manifest inspect <acr-name>.azurecr.io/<repo>:<tag>

    You should see something like:

    "os": "linux",
"architecture": "amd64"

    If the os field is missing or empty, or if only arm64 is present, Azure Container Apps will reject it with the error you’re seeing.

    Another possible cause is using an OCI image index instead of a Docker v2 schema manifest. If you used buildx with --output type=oci, ACA may not interpret it correctly. Stick to the default registry push behavior as shown above.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.