OCI Image Format Spec
New project proposal: The TOB will create a new OCI project tasked with creating a software shipping container image format spec (OCI Image Format) with security, naming, and distribution. In addition the OCI TOB will establish a new set of maintainers for this new project with people who have expertise in image formats, transport mechanisms, and package management.
Initial Recommendation: Over the last 16 months we have seen evolution of container formats towards solid technical underpinnings. When the AppC project was introduced in December 2014 its goals were to create an open specification shared between implementations while addressing concerns in the Docker v1 image format around content addressable images, signing, and a federated/delegatable namespace. Today, the Docker v2.2 image format is close to having all of the desirable traits of AppC while having widespread registry implementations in projects/products from Amazon, Google, CoreOS, Docker, Huawei, and JFrog.
This new OCI project would be recommended to start with the Docker v2.2 specification, improve any remaining technical concerns, and create an OCI project and maintainers to develop and shepard an OCI Image Fromat Spec. By starting from this project we intend to standardize and improve the understood properties of a container image format, namely:
Image that is content addressable
Security that is based on signing image content address
Naming that is federated based on DNS (enables ec2 cr, gcr, quay.io, localhost registry, etc) and can be delegated
Distribution that is based on HTTPS and enables other protocols (e.g. dockyard bittorrent p2p)
Initial Maintainers: to be brainstormed on a separate thread.
Cooperation with OCI Runtime Project: The OCI Runtime Specs project is working diligently to create a specification for the lifecycle of a running container. The OCI Image Format Spec project should work with the OCI Runtime Spec project so that the an image can support the UX that users have come to expect from container engines like Docker and rkt. Namely the ability to pull human names with implied context (OS, arch, etc) and have them run with no additional arguments:
docker run example.com/org/app:v1.0.0
rkt run example.com/org/app,version=v1.0.0
This implies that the Software Shipping Container Spec contain sufficient information to launch the application on the target platform e.g. command, arguments, environment variables, etc.
Q: Why a new project?
A: The first OCI spec centered around defining the run side of a container. This is generally seen to be an orthogonal concern to the shipping container component. As practical examples of this separation you see many organizations separating these concerns into different teams and organizations: the Docker Distribution project and the Docker containerd project; Amazon ECS and Amazon EC2 Container Registry, etc.
Q: Why start this work now?
A: We are seeing many independent implementations of container image handling including build systems, registries, and image analysis tools. As an organization we would like to encourage this growth and bring people together to ensure a technically correct and open specification continues to evolve reflecting the OCI values.
Q: What happens to AppC or Docker Image Formats?
A: Existing formats can continue to be a proving ground for technologies, as needed. For example, in line with the OCI values, we expect mechanisms like the AppC name delegation will help inspire portions of the OCI Software Shipping Container project. The OCI Image Format project should strive to provide a dependable open specification that can be shared between different tools and be evolved for years or decades of compatibility; as the deb and rpm format have.
Proposed Roadmap
March ?? v0.0.0
Import Docker v2.2 format
April 4th v0.1.0
Spec factored for top to bottom reading with three audiences in-mind:
Build system creators
Image registry creators
Container engine creators
Test cases for each of the potential users exercising build, push, and pull verbs
April 18th v0.2.0
Release version of spec with improvements from two independent experimental implementations from OCI members e.g. Amazon Container Registry and rkt
May 16th v1.0.0
--
You received this message because you are subscribed to the Google Groups "Technical Oversight Board" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tob+uns...@opencontainers.org.
The fact that the image can be distributed is key, not the method in
in which it is distributed, so I don't see why you would worry about
specifics there.
--
You received this message because you are subscribed to the Google Groups "Technical Oversight Board" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tob+uns...@opencontainers.org.
My reading of that was that HTTPS must be supported to be compliant with the OCI spec, but the bundle format should allow for other protocols to be used if the particular implementation supported them. Brandon: can you clarify whether that's correct?
My reading of that was that HTTPS must be supported to be compliant with the OCI spec, but the bundle format should allow for other protocols to be used if the particular implementation supported them. Brandon: can you clarify whether that's correct?
On Fri, Feb 26, 2016 at 5:19 PM Jason Bouzane <jbou...@google.com> wrote:My reading of that was that HTTPS must be supported to be compliant with the OCI spec, but the bundle format should allow for other protocols to be used if the particular implementation supported them. Brandon: can you clarify whether that's correct?
In my mind without specifying something we really aren't creating a shipping container as we have no baseline to test against. We should design flexibility for other schemes as I know we all share a common interest in other methods like p2p, etc. And starting with docker v2.2 spec I know that flexibility exists.Overall, I think we all acknowledge that nearly all containers are being shipped over HTTPS today and we should start with that design with that in mind. Otherwise, we could end up designing for 0% market share with this spec.
And again, I don't see how that's true. Unless you assume that the
bundle is always available via the same named entity as is present in
the human readable tag. E.g. if I tag something as
www.example.org/pony-server/1.0, and I get back the digest 0xaabbccdd,
where do I go to find the bundle that corresponds to that digest?
www.example.org? The issues only seem orthogonal if you make some
limiting assumptions about how discovery works.
I don't think a distributable format is especially useful if you've
defined no actual method of distribution and discovery. I suppose it
helps in the sense that if I'm wiling to write interop layers to go
grab my bundle and all of its references from one system like EC2 and
then shove them into another, like Azure or GCE, using whatever
proprietary methods of distribution they've defined, I have some
guarantee that they will understand the bundles, even if I have to
code to three different protocols to move a bundle between them. But
it seems to me much more useful if I can send the bundle to each of
them the same way, or, better yet, upload the bundles to a single
repository and reference the bundles from any of the three just by
giving them the DNS name of the service that's storing them.
--
You received this message because you are subscribed to the Google Groups "Technical Oversight Board" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tob+uns...@opencontainers.org.
As an LF representative here, I suggest adding the "project structure" to the agenda for tomorrow's TOB meeting. From my understanding, the original intention was to have one TDC with multiple OCI projects. Each project can have their a) own list of maintainers or b) one list of maintainers across all OCI projects. The charter can be modified to support what option people prefer.
Is everyone OK with adding that as a topic?
TOB Members-Please read this proposal based on our call. We are all very busy. So, at a minimum please reply with one of three options:
- Agree with this proposal
- Disagree with this proposal
- Lets discuss, I need more information
Also, it looks like our next meeting is centering around Mar 4th: http://doodle.com/poll/9gdepaaygtcvidrt
Thank You,
Brandon
OCI Image Format Spec
New project proposal: The TOB will create a new OCI project tasked with creating a software shipping container image format spec (OCI Image Format) with security, naming, and distribution. In addition the OCI TOB will establish a new set of maintainers for this new project with people who have expertise in image formats, transport mechanisms, and package management.
Initial Recommendation: Over the last 16 months we have seen evolution of container formats towards solid technical underpinnings. When the AppC project was introduced in December 2014 its goals were to create an open specification shared between implementations while addressing concerns in the Docker v1 image format around content addressable images, signing, and a federated/delegatable namespace. Today, the Docker v2.2 image format is close to having all of the desirable traits of AppC while having widespread registry implementations in projects/products from Amazon, Google, CoreOS, Docker, Huawei, and JFrog.
This new OCI project would be recommended to start with the Docker v2.2 specification, improve any remaining technical concerns, and create an OCI project and maintainers to develop and shepard an OCI Image Fromat Spec. By starting from this project we intend to standardize and improve the understood properties of a container image format, namely:
Image that is content addressable
Security that is based on signing image content address
Naming that is federated based on DNS (enables ec2 cr, gcr, quay.io, localhost registry, etc) and can be delegated
Distribution that is based on HTTPS and enables other protocols (e.g. dockyard bittorrent p2p)
Initial Maintainers: to be brainstormed on a separate thread.
Cooperation with OCI Runtime Project: The OCI Runtime Specs project is working diligently to create a specification for the lifecycle of a running container. The OCI Image Format Spec project should work with the OCI Runtime Spec project so that the an image can support the UX that users have come to expect from container engines like Docker and rkt. Namely the ability to pull human names with implied context (OS, arch, etc) and have them run with no additional arguments:
docker run example.com/org/app:v1.0.0
rkt run example.com/org/app,version=v1.0.0
This implies that the Software Shipping Container Spec contain sufficient information to launch the application on the target platform e.g. command, arguments, environment variables, etc.
FAQ
Q: Why a new project?
A: The first OCI spec centered around defining the run side of a container. This is generally seen to be an orthogonal concern to the shipping container component. As practical examples of this separation you see many organizations separating these concerns into different teams and organizations: the Docker Distribution project and the Docker containerd project; Amazon ECS and Amazon EC2 Container Registry, etc.
Q: Why start this work now?
A: We are seeing many independent implementations of container image handling including build systems, registries, and image analysis tools. As an organization we would like to encourage this growth and bring people together to ensure a technically correct and open specification continues to evolve reflecting the OCI values.
Q: What happens to AppC or Docker Image Formats?
A: Existing formats can continue to be a proving ground for technologies, as needed. For example, in line with the OCI values, we expect mechanisms like the AppC name delegation will help inspire portions of the OCI Software Shipping Container project. The OCI Image Format project should strive to provide a dependable open specification that can be shared between different tools and be evolved for years or decades of compatibility; as the deb and rpm format have.
Proposed Roadmap
March ?? v0.0.0
Import Docker v2.2 format
April 4th v0.1.0
Spec factored for top to bottom reading with three audiences in-mind:
Build system creators
Image registry creators
Container engine creators
Test cases for each of the potential users exercising build, push, and pull verbs
April 18th v0.2.0
Release version of spec with improvements from two independent experimental implementations from OCI members e.g. Amazon Container Registry and rkt
May 16th v1.0.0
--
You received this message because you are subscribed to the Google Groups "Technical Oversight Board" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tob+uns...@opencontainers.org.
New project proposal: The TOB will create a new OCI project tasked with creating a software shipping container image format spec (OCI Image Format) with security, naming, and distribution. In addition the OCI TOB will establish a new set of maintainers for this new project with people who have expertise in image formats, transport mechanisms, and package management.
I share the view that a content-addressable image format is missing from the spec. I however disagree that naming, signing, and distribution mechanism need to be defined as part of OCI, for several reasons.
Our experience at Docker is that naming and signing were part of the original image format and removed in recent iterations. We learned the hard way that these aspects could very well be implemented at the upper layers, allowing both for a better separation of concerns, and for exploration of alternative ways of achieving those goals.
I see in OCI a great way to solidify ideas on which everyone can agree on. As far as content distribution goes, the only aspect on which I believe consensus exists today is that a content-addressable image format is the cornerstone. I would have a hard time getting consensus even among my immediate coworkers for anything above this.
As for specifying a content-addressable image format, I do believe that Docker’s v2.2 manifest can be a good starting point.
My team is currently going through the difficult process of rebasing our container engine on top of OCI. This, to my knowledge, will mark the first widespread deployment of an OCI implementation, and I’m sure we’ll learn a lot from it.
We see so much value in this standard that we didn’t want to wait for a 1.0 of the spec, but I’m very concerned about fragmenting the efforts while the runtime spec is incomplete (most notably still lacking Windows support), and while getting changes through is already pretty slow and complex.
I respectfully suggest to give priority to a complete 1.0 runtime spec, and plan designing a content-addressable image format as a next step.
Thank you all for your hard work on OCI.
--
Arnaud Porterie
@icecrime