--
You received this message because you are subscribed to the Google Groups "dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev+uns...@opencontainers.org.
Could we get clarification on how the oras approach can handle multiple media types against the same name?
--
{ "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "config": { "mediaType": "application/vnd.docker.container.image.v1+json", "size": 1885, "digest": "sha256:eb68d2e2f59a9e5ea880ccc5715672ba5238c3f03d0ad596689564c675a986b4" }, "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip", "size": 92818888, "digest": "sha256:e46172273a4e4384e1eec7fb01091c828a256ea0f87b30f61381fba9bc511371", "urls": [ ] },
This looks like a classic discussion of tech and scenarios.
We seem to be saying, the existing tech supports A. Can we get scenario B to fit into the existing tech?
As opposed to, we have this new/evolved scenario. How can Tech A support Scenario B, and what, if anything, do we need to do to change Tech A to properly support scenario B?
So, let me bubble up and ask a scenario based question:
If we’re looking at registries to support multiple artifact types, do we think the various tools that want to push/pull to registries should know about all the other artifact types?
As an experience, (exact CLI details not important) can I:
Or, in docker-hub syntax
As we expand registries to be artifact stores, I think of them as cloud based file systems.
For the git example, I can save a config.json file to the same git repo as config.yaml. I can save a Foo.doc to the same directory as Foo.ppt.
The problem with this analogy is registries are 3 dimensional.
To date, registries only dealt with them as 2 dimensional
As we evolve registries to artifact stores, a given artifact has three elements:
You could argue git has versions as well, but they’re not as prominent as a tag/version. You can get the older version, but it’s not a mainline scenario. It’s a fallback. Registries support versions as a primary scenario. We’re saying artifact type is a new primary scenario.
I agree a specific client should deal with all the conflicts and resolutions of various elements that make up a named reference. If I push a windows and linux image to the same repo with a multi-arch tag, I’d expect the “docker tooling” to cope with this. It knows these because they have the docker image artifact type.
However, if I push a helm chart, a CNAB, docker-compose file, an msix, (name several new artifact types), should I expect each one of those tools to manipulate a common index?
Or, can we hash the names by artifact types?
I realize this is a change, possibly a BIG change to what currently exists. If we can agree on the scenario, we can then figure out how to achieve the scenario.
I also realize that getting OCI Distribution 1.0 out is a pressing concern. Stephen, rightly so, keeps bringing this up. Just as getting Helm 3.0 and CNAB out is a priority.
What I’m asking is can we agree on the scenario, then figure out how to sequence the steps to get to that wonderful place?
Safely is the concern.
While each client tool can technically pull and update the index, it’s like saying different tools that save files to a directory should be responsible for updating the file system index.
“Just because you can, doesn’t mean you should”
The secondary example is more realistic, and is the multi-arch scenario and assumes each sub object is an intentional reference to the name:tag.
Hi,
Our team is responsible for the CNAB to OCI PoC and I’ve been following this conversation and the various other discussions (OCI meeting, Cloud Native Slack, etc.).
A CNAB references at least an invocation image and, optionally, other images that the bundle requires. This makes an OCI image index a natural starting point.
Our proposal for packaging CNAB is to:
Use an OCI image index with media type “application/vnd.oci.image.index.v1+json”
Use a CNAB specific config type, something like “application/vnd.oci.cnab.config.v1+json”
This descriptor would reference an OCI image manifest (“application/vnd.oci.image.manifest.v1+json”) that wraps the config blob
Use a CNAB specific type for the invocation image manifest descriptor, something like “application/vnd.oci.cnab.invocation.v1+json”
This descriptor would reference an OCI image manifest (“application/vnd.oci.image.manifest.v1+json”) or an OCI image index (“application/vnd.oci.image.index.v1+json”)
Use a CNAB specific type for the component image manifest descriptor, something like “application/vnd.oci.cnab.component.v1+json”
This descriptor would also reference an OCI image manifest or an OCI image index
Add annotations here for metadata about the component, like it’s original name and the corresponding component name in the bundle.json.
Top-level annotations with application metadata
We should reuse existing annotations where we can
We should define some new ones where Helm, CNAB and other things intersect
Note: The current CNAB to OCI code does not reflect this proposal but the changes would be relatively simple.
An example manifest follows:
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.cnab.config.v1+json",
"digest": "sha256:d59a1aa7866258751a261bae525a1842c7ff0662d4f34a355d5f36826abc0341",
"size": 291,
},
{
"mediaType": "application/vnd.oci.cnab.invocation.v1+json",
"digest": "sha256:196d12cf6ab19273823e700516e98eb1910b03b17840f9d5509f03858484d321",
"size": 506,
},
{
"mediaType": "application/vnd.oci.cnab.component.v1+json",
"digest": "sha256:6bb891430fb6e2d3b4db41fd1f7ece08c5fc769d8f4823ec33c7c7ba99679213",
"size": 507,
"annotations": {
"io.cnab.component_name": "component-1",
"io.cnab.original_name": "nginx:2.12",
}
},
{
"mediaType": "application/vnd.oci.cnab.component.v1+json",
"digest": "sha256:6bb891430fb6e2d3b4db41fd1f7ece08c5fc769d8f4823ec33c7c7ba99679213",
"size": 507,
"annotations": {
"io.cnab.component_name": "component-2",
"io.cnab.original_name": "backend:1.5",
}
},
],
"annotations": {
"com.docker.app.format": "cnab",
"io.cnab.keywords": "[\"keyword1\",\"keyword2\"]",
"io.cnab.runtime_version": "v1.0.0-WD",
"io.cnab.type": "io.docker.app",
"org.opencontainers.image.authors": "[{\"name\":\"docker\",\"email\":\"doc...@docker.com\",\"url\":\"docker.com\"}]",
"org.opencontainers.image.description": "description",
"org.opencontainers.image.title": "my-app",
"org.opencontainers.image.version": "0.1.0"
}
}
The associated CNAB config manifest would be:
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.cnab.config.v1+json",
"size": 7023,
"digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7"
}
}
From my reading of the spec, we would require changes to:
The expected media type for index manifest descriptors
The expected media type for image manifest config descriptors
More practically, this requires that registries:
Support OCI indices
Support new descriptor media types
I’m not particularly worried about (1). For (2), it will likely be a vendor choice if they want to whitelist a set of media types, coordinate this whitelisting (as suggested by Steve Lasker), or allow any media type.
The CNAB to OCI PoC shows how to circumnavigate both of these requirements: It can fallback to a Docker Manifest List and use annotations to duck type.
Relating this proposal to Jimmy’s proposal for Helm charts, I see:
CNAB and Helm can both be packaged as existing high-level OCI manifests (OCI index and OCI image respectively)
CNAB and Helm both need support for new descriptor media types
Helm needs a new media type for layers
I wonder if we could just use “application/vnd.oci.image.layer.v1.tar+gzip” for this?
CNAB and Helm can likely find common ground for annotations
If this proposal looks like the right direction, we’re happy to update CNAB to OCI (or get a PR doing so!) or to use whatever library implements the functionality in Docker App. You can find me and some of our team at Docker on the Cloud Native Slack so feel free to reach out. I don’t want to fragment the conversations around the format so we must be sure to post any decisions here too.
Regards,
Chris Crone
For all those that feel TLDR;
With this wave of proposals, container registries will quickly evolve to becoming a new cloud based file system. Yes, it’s a registry, but once you can store 2-3 different artifact types, customers will want to store hundreds of different artifact types. And, why wouldn’t they?
The details of these emails surface issues with storing multiple artifact types in a single location.
- If registries support all sorts of artifacts (multiple dozens of types) how do tools and users reason over them?
- how would duffle search know to only list CNABs, Helm search list charts, msix only list msix, ARM or Cloud Formation tooling only list their templates?
- how does a registry listing (like docker hub) list the various artifacts, showing them as the types they are?
- how do vulnerability scanners know what they’re pulling, so they know how to scan them?
- how do registry listings know what actions to put on an artifact? (Run an image, deploy a Chart, install a foo2)?
- how do different teams, who work on independent components of a swath of services, push their independent components to the registry?
- how do we allow tools to work independently? Meaning, duffle, Helm, Docker-application, msix, foo2, shouldn’t have to know about the other artifacts to push to a registry?
- how do we sign artifacts, individually or as a group?
- how easily is it for the next artifact type to be supported by OCI registries? Does a registry owner need to do anything more than possibly know what icon to associate with the artifact type? Can the registry and tools easily understand it’s a foo2, compared to an image or other known artifacts?
- how does this all look when we have dozens and dozens of types? This is the file system directory comparison I’m trying to make with extensions.
The decisions we make today, will make an impact for a loooong time and a lot of people. We can either put a thing out there and let people interpret this on their own, and we wind up with wall of lockers, stuffed with awkwardly sized backpacks and duffle bags, all shoved in willy nilly, with the bag straps hanging out.
Take a look at :tags. Are they versions, platforms, architectures? All of the above? Can you do tooling to understand the tag in a consistent fashion?
I’m hopeful we can do better, and agree to a structure that can be easily interpreted by humans and tools alike.