TOB Members,
As requested on our last call, here is an alternative proposal for a new project around an OCI Distribution Format.
OCI Distribution Format Spec Proposal
The Open Container Initiative has made significant progress towards the definition of a lightweight, universal runtime container format, and is about one month away from a release candidate version of the spec. When the OCI was first established, its goals were to create an open specification shared between implementations that allowed the distribution and execution of containers; and optional layers defining signing and naming. The OCI was established with a clear charter and with extensively discussed scope, and it is our responsibility as a TOB to govern in a manner consistent with that charter and scope.
Charter: https://www.opencontainers.org/governance
Scope: https://www.opencontainers.org/governance/oci-scope-table
The scope table in particular touches on all four aspects of Brandon’s original proposal, and very explicitly establishes both that we should take a layered approach and that certain layers should be optional or out of scope. Attempting to add too much to the base OCI specs during this innovation phase will slow down the current rate of evolution that some of the layers are undergoing.
This proposal recommends that the TOB continues with the initial plans of creating a software shipping container distribution format spec (OCI Distribution Format) that includes a simple, distributable, filesystem bundle format, compatible with most popular storage and distribution mechanisms, in particular those implementing content-addressable storage such as Docker registry and ipfs.
The recommendation is to start with a simplified version of the Docker v2.2 specification, and create a new OCI project to develop and shepherd an OCI Distribution Format Spec. The objectives of this particular initiative are:
Define a filesystem bundle that can be serialized and hashed to ensure content integrity, ensuring interoperability between implementations.
Create a reference spec for an optional layer that describes how to use digital signatures to verify the integrity of the content.
Create a reference spec for an optional layer that allows DNS based naming.
This proposal is fully in-line with the charter of the OCI initiative as defined in https://www.opencontainers.org/governance, and in particular, it follows directly from the OCI Scope Table that all of the members of the OCI initiative agreed to.
Given the close relationship with the OCI Runtime Spec 1.0, some of the work around defining this OCI Distribution Format should either wait for the Runtime spec to be finalized, or at least be done in a way such that the OCI Distribution Format specification is ensured to be compatible.
March
April
May
June
Thank you,
When the OCI was first established, its goals were to create an open specification shared between implementations that allowed the distribution and execution of containers; and optional layers defining signing and naming. The OCI was established with a clear charter and with extensively discussed scope, and it is our responsibility as a TOB to govern in a manner consistent with that charter and scope.
The recommendation is to start with a simplified version of the Docker v2.2 specification, and create a new OCI project to develop and shepherd an OCI Distribution Format Spec. The objectives of this particular initiative are:
Define a filesystem bundle that can be serialized and hashed to ensure content integrity, ensuring interoperability between implementations.
Create a reference spec for an optional layer that describes how to use digital signatures to verify the integrity of the content.
Create a reference spec for an optional layer that allows DNS based naming.
I think there are essentially two differences between this proposal and the one that was approved last week[1]. Please let me know if you think this is accurate.
## No Distribution
For example, the Docker v2.2 manifest tells you, essentially, get blob-A, blob-B, and blob-C. If we skip on defining a layer of how an HTTP request must be structured to fetch A, B, and C blobs we are sunk.
--
You received this message because you are subscribed to the Google Groups "Technical Oversight Board" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tob+uns...@opencontainers.org.
--
You received this message because you are subscribed to the Google Groups "Technical Oversight Board" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tob+uns...@opencontainers.org.
Also, we have to be cognizant of (6)(l) in the charter regarding at least two weeks for review and time to explore compromise solutions.Issues should be referred to the TOB sufficiently in advance of a meeting to provide an appropriate time for TOB members to evaluate the issues, and the positions of the TDC, the positions of users, as well as sufficient time to explore compromise solutions. It is expected an appropriate review should require at least a two-week review period, though it is recognized some timecritical circumstances may call for a shorter review (e.g. security issues).Brandon also added a note about voting for the TOB's review.
https://github.com/opencontainers/tob/pull/3My suggestion is to have a discussion tomorrow to further explore consensus.Is this OK Brandon?
I can.
--
You received this message because you are subscribed to the Google Groups "Technical Oversight Board" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tob+uns...@opencontainers.org.
On Fri, Mar 11, 2016 at 12:31 PM, Chris Wright <chr...@redhat.com> wrote:
> Yes. W/out one or both of you and Diogo, we weren't making useful
> progress. Expecting to try again next week.
Or on the email thread :-)
I don't think I will personally will ever agree that a distribution in the base layer is a good idea, but if all TOB and OCI Members are ok with a charter change that adds optional HTTP transport as an optional layer, I don't think I would be opposed to that.
It would also be good if we adjusted the language of the proposal slightly, to match more closely what we currently have on our governance docs. In particular, we should explicitly point out that the bundle format should be an OCI base-layer.
OCI Image Format Spec
New project proposal: The TOB will create a new OCI project tasked with creating a software shipping container image format spec (OCI Image Format) with security and naming as components. In addition the OCI TOB will establish a new set of maintainers for this new project with people who have expertise in image formats and package management.
Initial Recommendation: Over the last 16 months we have seen evolution of container formats towards solid technical underpinnings. When the AppC project was introduced in December 2014 its goals were to create an open specification shared between implementations while addressing concerns in the Docker v1 image format around content addressable images, signing, and a federated/delegatable namespace. Today, the Docker v2.2 image format is close to having all of the desirable traits of AppC while having widespread registry implementations in projects/products from Amazon, Google, CoreOS, Docker, Huawei, and JFrog.
This new OCI project would be recommended to start with the Docker v2.2 specification, improve any remaining technical concerns, and create an OCI project and maintainers to develop and shepherd an OCI Image Format Spec. By starting from this project we intend to standardize and improve the understood properties of a container image format. This new project will have the objectives of specifying the following components:
A serialized image format (base layer)
A process of hashing the image format for integrity and content-addressing (base layer)
Signatures that are based on signing image content address (optional layer)
Naming that is federated based on DNS and can be delegated (optional layer)
Initial Maintainers: to be brainstormed on a separate thread.
Cooperation with OCI Runtime Project: The OCI Runtime Specs project is working diligently to create a specification for the lifecycle of a running container. The OCI Image Format Spec project should work with the OCI Runtime Spec project so that an image can support the UX that users have come to expect from container engines like Docker and rkt. Primarily the ability to run an image with no additional arguments:
docker run example.com/org/app:v1.0.0
rkt run example.com/org/app,version=v1.0.0
This implies that the OCI Image Format contain sufficient information to launch the application on the target platform e.g. command, arguments, environment variables, etc.
Q: Why doesn't this project mention distribution?
A: Distribution, for example using HTTP as both Docker v2.2 and AppC do today, is not part of this project initially. This is because the OCI scope table says this is out of scope; but largely the TOB discussion has deemed it is necessary to an optional layer that defines this. To make a practical system that can work end-to-end the TOB is going to have to work quickly and diligently to fix the scope table. See this thread https://groups.google.com/a/opencontainers.org/d/msg/tob/A3JnmI-D-6Y/tLuptPDHAgAJ
Q: Why a new project?
A: The first OCI spec centered around defining the run side of a container. This is generally seen to be an orthogonal concern to the shipping container component. As practical examples of this separation you see many organizations separating these concerns into different teams and organizations: the Docker Distribution project and the Docker containerd project; Amazon ECS and Amazon EC2 Container Registry, etc.
Q: Why start this work now?
A: We are seeing many independent implementations of container image handling including build systems, registries, and image analysis tools. As an organization we would like to encourage this growth and bring people together to ensure a technically correct and open specification continues to evolve reflecting the OCI values.
Q: What happens to AppC or Docker Image Formats?
A: Existing formats can continue to be a proving ground for technologies, as needed. For example, in line with the OCI values, we expect mechanisms like the AppC name delegation will help inspire portions of the OCI Software Shipping Container project. The OCI Image Format project should strive to provide a dependable open specification that can be shared between different tools and be evolved for years or decades of compatibility; as the deb and rpm format have.
Proposed Roadmap
March ?? v0.0.0
Import Docker v2.2 format
April 18th v0.1.0
Spec factored for top to bottom reading with three audiences in-mind:
Build system creators
Image registry creators
Container engine creators
Test cases for each of the potential users exercising build, push, and pull verbs
May 16th v0.2.0
Release version of spec with improvements from two independent experimental implementations from OCI members e.g. Amazon Container Registry and rkt
June 13th v1.0.0
Release initial version of spec with two independent non-experimental implementations from OCI members
On Thu, Mar 17, 2016 at 10:59:56PM +0000, Brandon Philips wrote:
> … but largely the TOB discussion has deemed it is necessary to an
> optional layer that defines this.
This fails to parse for me. A narrow fix might be:
… but largely the TOB discussion has deemed it is necessary to
define this in an optional layer.
TOB Members,
As requested on our last call, here is an alternative proposal for a new project around an OCI Distribution Format.OCI Distribution Format Spec Proposal
The Open Container Initiative has made significant progress towards the definition of a lightweight, universal runtime container format, and is about one month away from a release candidate version of the spec. When the OCI was first established, its goals were to create an open specification shared between implementations that allowed the distribution and execution of containers; and optional layers defining signing and naming. The OCI was established with a clear charter and with extensively discussed scope, and it is our responsibility as a TOB to govern in a manner consistent with that charter and scope.
Charter: https://www.opencontainers.org/governance
Scope: https://www.opencontainers.org/governance/oci-scope-table
The scope table in particular touches on all four aspects of Brandon’s original proposal, and very explicitly establishes both that we should take a layered approach and that certain layers should be optional or out of scope. Attempting to add too much to the base OCI specs during this innovation phase will slow down the current rate of evolution that some of the layers are undergoing.
This proposal recommends that the TOB continues with the initial plans of creating a software shipping container distribution format spec (OCI Distribution Format) that includes a simple, distributable, filesystem bundle format, compatible with most popular storage and distribution mechanisms, in particular those implementing content-addressable storage such as Docker registry and ipfs.
The recommendation is to start with a simplified version of the Docker v2.2 specification, and create a new OCI project to develop and shepherd an OCI Distribution Format Spec. The objectives of this particular initiative are:
Define a filesystem bundle that can be serialized and hashed to ensure content integrity, ensuring interoperability between implementations.
Create a reference spec for an optional layer that describes how to use digital signatures to verify the integrity of the content.
Create a reference spec for an optional layer that allows DNS based naming.
This proposal is fully in-line with the charter of the OCI initiative as defined in https://www.opencontainers.org/governance, and in particular, it follows directly from the OCI Scope Table that all of the members of the OCI initiative agreed to.
Given the close relationship with the OCI Runtime Spec 1.0, some of the work around defining this OCI Distribution Format should either wait for the Runtime spec to be finalized, or at least be done in a way such that the OCI Distribution Format specification is ensured to be compatible.
Proposed Timeline and Roadmap
March
- Define the maintainers that will responsible for delivering this spec
April
- Beginning defining a filesystem bundle format based on a simplified version of the Docker v.2.2 specification
May
- First complete draft of OCI Distribution Format spec
June
- Release initial version of OCI Distribution Format spec (This aligns with OCI Runtime Container Format spec v1.0 timing)
--Thank you,
Diogo Mónica