Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

host-based image names: 'host' vs. 'authority' #9

Open
wking opened this issue Sep 11, 2017 · 20 comments
Open

host-based image names: 'host' vs. 'authority' #9

wking opened this issue Sep 11, 2017 · 20 comments

Comments

@wking
Copy link
Contributor

wking commented Sep 11, 2017

@cyphar's distribution-uri ABNF used authority, but I used host in #2 because:

Where they're needed, I expect users to be providing userinfo and port information via other channels, especially since docker etc. currently use : to delimit tags.

In #5 (here) and #7 (here), @xiekeyang has wanted support for localhost:8080/…. I understand that is useful for testing, but don't think it should part of the host-based image name spec.

The .well-known URL lookup functions over both HTTP and HTTPS (e.g. see here). But if you are extracting the port from the image name, there's no way to know which protocol to use except by attempting both on that port. Trying to connect to a server using the wrong TLS protocol and finding out that you picked the wrong protocol (which is what would happened if we tried HTTPS and HTTP on localhost:8080) seems like a bigger issue than trying to connect to a server on the usual port for the protocol and finding out that the server is not listening on that port at all (which is what happens in our current protocol polling).

And I see no value to being able to specify explicit ports in production. Do we really expect production users to enter example.com:8080/… image names? Why would the example.com admins not be serving those images from 443 or 80?

There is a benefit for testing, because you don't need root on your host box to test if you can point the ref-engine discovery client at a high port. But I think we should find a way to work around that in testing (some ideas here, although we don't have anything trivial yet), instead of relaxing the production host-based image name spec.

@xiekeyang
Copy link
Owner

With #11 addressed, {HOST}:{PORT} template can be supported, which I think is valuable, especially on private system. E.g. some teams have their own HUB, might with different image format, under one company's cloud platform. All distribution or discovery system hosts just use {IP}:{PORT}. The discovery implementation should allow any person to discover images on these host. So the name rules should be less restricted.

@wking
Copy link
Contributor Author

wking commented Sep 12, 2017 via email

@cyphar
Copy link

cyphar commented Sep 18, 2017

Just to be clear, the reason why I have stopped commenting on this project is because it's getting quite tiring and it looks like there's no interest to just use parcel (with some updates which I've mentioned to you both before). But I will comment on this point:

Where they're needed, I expect users to be providing userinfo and port information via other channels, especially since docker etc. currently use : to delimit tags.

: based tags were a complete mistake. Let's not repeat the mistakes of Docker. We should be using sane URI tagging (namely #fragments). This is why I argued for allowing fragment usage in the OCI spec.

@wking
Copy link
Contributor Author

wking commented Sep 18, 2017

... it looks like there's no interest to just use parcel (with some updates which I've mentioned to you both before)...

I'm fine with using parcel. Once you get the discussed updates in, I think it will look pretty close to this.

We should be using sane URI tagging (namely #fragments). This is why I argued for allowing fragment usage in the OCI spec.

Absolutely agree, see here. But lots of folks are used to them, so low-colon image names may help them adjust.

And I still don't like explicit ports in host-based image names for the other reasons given in this issue.

@cyphar
Copy link

cyphar commented Sep 18, 2017

I'm fine with using parcel. Once you get the discussed updates in, I think it will look pretty close to this.

Cool, that's not the impression I was getting 😸. I am going to work on those updates for the next two weeks, with the eventual plan of merging parcel into the umoci project (with a separate binary for fetching of course, but it'll be using the umoci libraries).

@wking
Copy link
Contributor Author

wking commented Sep 18, 2017

...with the eventual plan of merging parcel into the umoci project (with a separate binary for fetching of course, but it'll be using the umoci libraries).

I think we want a discovery spec like the ref-engine discovery spec, the OCI index template protocol, and the ref engine registry belong in either image-spec or a new discovery-focused OCI spec prpject. I think the OCI CAS template protocol and CAS engine registry belong in image-spec alongside its current urls. I don't see anything except alernative ref/CAS protocols and implementations ending up outside the OCI in umoci and such. But I'm not a maintainer for any of this, and I've been wrong before ;).

@cyphar
Copy link

cyphar commented Sep 18, 2017

I think that the spec should be in the OCI, but as I've said previously, the process to follow before we propose it as an OCI spec is:

  1. Write a draft spec document.
  2. Implement said draft.
  3. Use the implementation to make sure that it's sane.
  4. Accept feedback from the community.
  5. Propose it to the OCI.

I have started on 1 and 2. I will be doing 3 very soon once I've incorporated some of the updates we've discussed. 4 is going to happen after that quite naturally (I've talked to folks from quite a few interested parties that want to contribute and I've told them to hold off for a few weeks).

@wking
Copy link
Contributor Author

wking commented Sep 18, 2017

I have started on 1 and 2...

And this repo is already through them for Python, with WIP on Go. Any differences between it and parcel's adjusted spec will show up in the implementations, which will help inform community feedback in both repos, which will in turn lead to repo changes. Eventually the TOB will like a discovery spec enough to put it under the OCI umbrella.

@cyphar
Copy link

cyphar commented Sep 18, 2017

My point is that "just push to OCI" (which is what it sounded like you were suggesting) doesn't make sense as a plan. We cannot skip (3) and (4). I will be doing (3) on both the openSUSE and SUSE side (as well as some other folks that have said they're interested in using parcel once I've finished reworking the spec). If the draft spec and implementation live in umoci I don't see why that is an issue for pushing to OCI (in fact it's a good thing because it would give more publicity and be easier for people to use the implementation).

@wking
Copy link
Contributor Author

wking commented Sep 18, 2017

My point is that "just push to OCI" (which is what it sounded like you were suggesting) doesn't make sense as a plan. We cannot skip (3) and (4).

runtime-spec had two years of review and feedback under the OCI before cutting 1.0.0. I don't see why discovery needs to be fully baked before becoming an OCI Project (a new one, or part of image-spec).

If the draft spec and implementation live in umoci I don't see why that is an issue for pushing to OCI (in fact it's a good thing because it would give more publicity and be easier for people to use the implementation).

It's nothing insurmountable, but I'd like to see multiple implementations and a stand-alone spec, as we have for other OCI specs. Mixing it inwith everything else that umoci does makes those separations less obvious.

@cyphar
Copy link

cyphar commented Sep 18, 2017

runtime-spec had two years of review and feedback under the OCI before cutting 1.0.0.

And it was based on other implementations and specifications that had already been proved to be working. The same applies for image-spec. The biggest issue in my mind with just pushing it to OCI is that you have to deal with a lot of disagreements and so on, it's much simpler to write a specification that works and show it works before you submit it for further improvements.

That's how most specs actually end up being developed. Nobody sits down and says "let's design a protocol by first asking everyone to start talking at once", because that way nothing gets done. (Actually some specs are like that, and I think their general (lack of) quality and sanity justifies my skepticism in trying to get an unfinished and untested spec into a spec body).

It's nothing insurmountable, but I'd like to see multiple implementations and a stand-alone spec, as we have for other OCI specs.

And then someone who wants to use the spec has to download at least 3 different projects just to even begin playing with it. I prefer the rkt model of spec development, you write a spec document as part of an umbrella project and then you can spin it out into a self-contained project after it's incubated for a while.


In any case, I'm probably going to end up doing that anyway and we'll see where it takes us. I'll probably just link from cyphar/parcel to openSUSE/umoci (or maybe host the spec document in that project).

@wking
Copy link
Contributor Author

wking commented Sep 18, 2017

The biggest issue in my mind with just pushing it to OCI is that you have to deal with a lot of disagreements and so on, it's much simpler to write a specification that works and show it works before you submit it for further improvements.

This is "consensus building". I agree that it's difficult, but feel that it's worth doing, and is easier the earlier you start, because there's not so much mass to block improvement.

And then someone who wants to use the spec has to download at least 3 different projects just to even begin playing with it.

If they want to alter the whole stack. But this repo uses several very-weakly-coupled micro specs to separate concerns. If tou want to use a different host-based image name approach, you can edit host-based-image-names.md and optionally oci_discover/host_based_image_names, and as long as yournew approach produces fields with the same names, leave the other specs and implementations in this repo alone.

In any case, I'm probably going to end up doing that anyway and we'll see where it takes us.

Ok. Let me know if/when you're ready for issues and PRs.

@cyphar
Copy link

cyphar commented Sep 18, 2017

The problem isn't that it's difficult, it's that in my experience it usually results in far lower-quality specifications. Also I was talking about a user, not someone trying to actually change the specification. I want users to be able to use this from very early on (the whole point of a fediverse is that users can actually understand how it works and how to use it).

But yes, give me a few weeks then I'll ping all of the relevant folks for comments.

@wking
Copy link
Contributor Author

wking commented Sep 18, 2017

Also I was talking about a user, not someone trying to actually change the specification.

This should be a non-issue, with Go/Python/... package managers automatically pulling in any ancestor dependencies.

@cyphar
Copy link

cyphar commented Sep 18, 2017

That's not really how packaging works. You wouldn't make umoci require parcel, skopeo, runc, etc. It's already confusing enough to explain to people that you need umoci, skopeo, and runc in order to do anything useful with an OCI image.

@wking
Copy link
Contributor Author

wking commented Sep 18, 2017 via email

@cyphar
Copy link

cyphar commented Sep 19, 2017

None of that message appears related to what I was saying.

@wking
Copy link
Contributor Author

wking commented Sep 19, 2017 via email

@cyphar
Copy link

cyphar commented Sep 19, 2017

I think you missed this, which explains why you're talking about fairly unrelated topics.

(with a separate binary for fetching of course, but it'll be using the umoci libraries).

@wking
Copy link
Contributor Author

wking commented Sep 19, 2017

I think you missed this, which explains why you're talking about fairly unrelated topics.

(with a separate binary for fetching of course, but it'll be using the umoci libraries).

So maybe I got the direction wrong, and was expecting the library code currently in umoci would consume the library code currently in parcel, while you're planning on having the library code currently in parcel consume the library code currently in umoci?

Or you may be saying that the library code currently in umoci and parcel is going to be so intertwined that it will be only worth thinking about as one library?

Either way, I can just wait and see what you do.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants