-
Notifications
You must be signed in to change notification settings - Fork 175
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docker Hub support for OCI Artifacts & ORAS #129
Comments
It would be really helpful to have some conformance tests. |
agreed. The tests would need to validate the spec, which i’m waiting on reviewers: opencontainers/artifacts#13
|
Deltas are a way to avoid downloading a full copy if a layer tar file if you have a previous version of the layer available locally. In testing these deltas have been shown to be around 10x to 100x smaller than the .tar.gz files for typical Linux base images. In the typical client-side case we have some previous version of the image stored in container-storage somewhere, which means that we have an uncompressed files available, but not the actual tarball (compressed or not). This means we can use github.com/alexlarsson/tar-diff which takes two tar files and produces a delta file which when applied on the untar:ed content of the first tarfile produces the (bitwise identical) content of the uncompressed second tarfile. It just happens that the uncompressed tarfile is exactly what we need to reproduce, because that is how the layers are refered to in the image config (the DiffIDs). How this works is that we use OCI artifacts to store, for each regular image a manifest with information about the available deltas for the image. This image looks like a regular manifest, except each layer contains a tar-diff (as a blob) an uses the existing annotations key to record which DiffIDs the layer applies to. For example, a manifest would look like this: ``` { "schemaVersion": 2, "config": { "mediaType": "application/vnd.oci.image.config.v1+json", "digest": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356", "size": 3 }, "layers": [ { "mediaType": "application/vnd.redhat.tardiff", "digest": "sha256:49402288de20a465616174a38aca4746f46be2c3f9519fe4d14fc7f83f44a32a", "size": 7059734, "annotations": { "com.redhat.deltaFrom": "sha256:b9137868142acd7ce4d62216e2b03e63e9800e2b647bf682492d3e9c5e66277c", "com.redhat.deltaTo": "sha256:c88d2d437799c2879fded33ee358429e1eb954968a25f3153e2e0e26fef7ef28" } } ] } ``` The config blob is just an json file containing "{}". Ideally it should not be of type application/vnd.oci.image.config.v1+json, because that is reserved for docker-style images. However, as explained in oras-project/oras#129, docker hub doesn't currently support any other type. For registries that support OCI artifacts we should instead use some other type so that tooling can know that this is not a regular image. The way we attach the delta manifest to the image is that we store it in the same repo and a tag name based on the manifest digest like "delta-${shortid}". The delta layers record which DiffID they apply to, which is what we want to use to look up the pre-existing layers to use as delta source material, and it is what the delta apply will generate. This means however that using the deltas only works if we're allowed to substitute blobs, but this doesn't seem to be an issue in the typical case.
Deltas are a way to avoid downloading a full copy if a layer tar file if you have a previous version of the layer available locally. In testing these deltas have been shown to be around 10x to 100x smaller than the .tar.gz files for typical Linux base images. In the typical client-side case we have some previous version of the image stored in container-storage somewhere, which means that we have an uncompressed files available, but not the actual tarball (compressed or not). This means we can use github.com/alexlarsson/tar-diff which takes two tar files and produces a delta file which when applied on the untar:ed content of the first tarfile produces the (bitwise identical) content of the uncompressed second tarfile. It just happens that the uncompressed tarfile is exactly what we need to reproduce, because that is how the layers are refered to in the image config (the DiffIDs). How this works is that we use OCI artifacts to store, for each regular image a manifest with information about the available deltas for the image. This image looks like a regular manifest, except each layer contains a tar-diff (as a blob) an uses the existing annotations key to record which DiffIDs the layer applies to. For example, a manifest would look like this: ``` { "schemaVersion": 2, "config": { "mediaType": "application/vnd.oci.image.config.v1+json", "digest": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356", "size": 3 }, "layers": [ { "mediaType": "application/vnd.redhat.tardiff", "digest": "sha256:49402288de20a465616174a38aca4746f46be2c3f9519fe4d14fc7f83f44a32a", "size": 7059734, "annotations": { "com.redhat.deltaFrom": "sha256:b9137868142acd7ce4d62216e2b03e63e9800e2b647bf682492d3e9c5e66277c", "com.redhat.deltaTo": "sha256:c88d2d437799c2879fded33ee358429e1eb954968a25f3153e2e0e26fef7ef28" } } ] } ``` The config blob is just an json file containing "{}". Ideally it should not be of type application/vnd.oci.image.config.v1+json, because that is reserved for docker-style images. However, as explained in oras-project/oras#129, docker hub doesn't currently support any other type. For registries that support OCI artifacts we should instead use some other type so that tooling can know that this is not a regular image. The way we attach the delta manifest to the image is that we store it in the same repo and a tag name based on the manifest digest like "delta-${shortid}". The delta layers record which DiffID they apply to, which is what we want to use to look up the pre-existing layers to use as delta source material, and it is what the delta apply will generate. This means however that using the deltas only works if we're allowed to substitute blobs, but this doesn't seem to be an issue in the typical case. Signed-off-by: Alexander Larsson <alexl@redhat.com>
Deltas are a way to avoid downloading a full copy if a layer tar file if you have a previous version of the layer available locally. In testing these deltas have been shown to be around 10x to 100x smaller than the .tar.gz files for typical Linux base images. In the typical client-side case we have some previous version of the image stored in container-storage somewhere, which means that we have an uncompressed files available, but not the actual tarball (compressed or not). This means we can use github.com/alexlarsson/tar-diff which takes two tar files and produces a delta file which when applied on the untar:ed content of the first tarfile produces the (bitwise identical) content of the uncompressed second tarfile. It just happens that the uncompressed tarfile is exactly what we need to reproduce, because that is how the layers are refered to in the image config (the DiffIDs). How this works is that we use OCI artifacts to store, for each regular image a manifest with information about the available deltas for the image. This image looks like a regular manifest, except each layer contains a tar-diff (as a blob) an uses the existing annotations key to record which DiffIDs the layer applies to. For example, a manifest would look like this: ``` { "schemaVersion": 2, "config": { "mediaType": "application/vnd.oci.image.config.v1+json", "digest": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356", "size": 3 }, "layers": [ { "mediaType": "application/vnd.redhat.tardiff", "digest": "sha256:49402288de20a465616174a38aca4746f46be2c3f9519fe4d14fc7f83f44a32a", "size": 7059734, "annotations": { "com.redhat.deltaFrom": "sha256:b9137868142acd7ce4d62216e2b03e63e9800e2b647bf682492d3e9c5e66277c", "com.redhat.deltaTo": "sha256:c88d2d437799c2879fded33ee358429e1eb954968a25f3153e2e0e26fef7ef28" } } ] } ``` The config blob is just an json file containing "{}". Ideally it should not be of type application/vnd.oci.image.config.v1+json, because that is reserved for docker-style images. However, as explained in oras-project/oras#129, docker hub doesn't currently support any other type. For registries that support OCI artifacts we should instead use some other type so that tooling can know that this is not a regular image. The way we attach the delta manifest to the image is that we store it in the same repo and a tag name based on the manifest digest like "delta-${shortid}". The delta layers record which DiffID they apply to, which is what we want to use to look up the pre-existing layers to use as delta source material, and it is what the delta apply will generate. This means however that using the deltas only works if we're allowed to substitute blobs, but this doesn't seem to be an issue in the typical case. Signed-off-by: Alexander Larsson <alexl@redhat.com>
Docker Hub supporting for OCI artifacts are tracked here docker/roadmap#135 |
This is now shipped so we can close this issue. |
@justincormack
The following is content prepared for
./implementors.md
. While Docker Hub now supports OCI Image as amediaType
(yeah), it doesn't yet support additionalmedaiTypes
, required to represent additional artifacts like Helm, Singularity and other development types.Docker Hub
ORAS does not provide a default registry. Use the docker.io as the domain for docker hub.
Docker Hub does not yet accept null config files. It does accept empty
config.json
files with{}
as the content.Docker Hub does not yet accept
mediaTypes
beyondapplication/vnd.oci.image.config.v1+json
which is reserved for container images that can be run withdocker run
andcontainerd run
.Authenticating with Docker Hub
Create an empty
config.json file
Pushing Artifacts to Docker Hub
The following works, however it pushes the text file as an OCI image, indicating it would be supported by
docker run
,containerd run
and scanned by security scanners. Which of course would fail.Pulling Artifacts from Docker Hub
The text was updated successfully, but these errors were encountered: