talks/2023/08/oci-images-and-their-backgr.../slides.md

author
Vincent Batts (vbatts)

OCI images

and their background


Timeline

(Should've basically gone in reverse!)

  • v1.0.0 for runtime and image spec on 2017-07-19
  • v1.0.0 for distribution spec on 2021-04-26
  • v1.1.0-rc.1 currently for runtime-spec
  • v1.1.0-rc3 currently for distribution-spec
  • v1.1.0-rc4 currently for image-spec

Spec or source?

Open Containers Initiative really tried to only be specifications.

But straight away there was runc...

There are also -tools repos corresponding to specs (though these are poorly adopted).

Then there was go-digest, umoci, and selinux as well.


First, Useful tools

crane

Install like:

~~~bash
VERSION=$(curl -s "https://api.github.com/repos/google/go-containerregistry/releases/latest" | jq -r '.tag_name')
OS=Linux       # or Darwin, Windows
ARCH=x86_64    # or arm64, x86_64, armv6, i386, s390x
curl -sL "https://github.com/google/go-containerregistry/releases/download/${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz
tar -zxvf go-containerregistry.tar.gz -C /usr/local/bin/ crane
~~~

or just go install github.com/google/go-containerregistry/cmd/crane@latest 😄

also, oras is good to be familiar with if you're importing their libraries.

also also, skopeo.


Now, about the image

For the most part it is a name change of the corresponding Docker data structures.

image-spec/media-types.md has more information.

The word "image" is effectively legacy that is here to stay.


Relationship

~~~graph-easy --as=boxart
digraph G {
  {
    imageIndex [label="Image Index\n<<optional>>\napplication/vnd.oci.image.index.v1+json"]
    {
      rank=same
      manifest [label="Image manifest\napplication/vnd.oci.image.manifest.v1+json"]
    }
    config [label="Image config JSON\napplication/vnd.oci.image.config.v1+json"]
    layer [label="Layer tar archive\napplication/vnd.oci.image.layer.v1.tar\napplication/vnd.oci.image.layer.v1.tar+gzip\napplication/vnd.oci.image.layer.nondistributable.v1.tar\napplication/vnd.oci.image.layer.nondistributable.v1.tar+gzip"]
  }

  imageIndex -> imageIndex [label="1..*"]
  imageIndex -> manifest [label="1..*"]
  manifest -> config [label="1..1"]
  manifest -> layer [label="1..*"]
  manifest -> manifest [label="0..1"];
}
~~~
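The graph above is the whole contract a consumer relies on: an index points at manifests, a manifest points at exactly one config and one or more layers, and every edge is a descriptor carrying a mediaType, a digest and a size. The following is an added example (not from the talk or from any OCI project) that walks a constructed index and checks each edge the way a cautious puller should: is the mediaType one the edge allows, do the bytes behind the digest actually hash to it, and does the size match. The image, blob store and `build_sample`/`demo` helpers are all constructed for the example; the layer is a placeholder byte string, not a real tar.

```python
import hashlib
import json

# Media types named in the relationship graph (OCI image-spec v1).
INDEX = "application/vnd.oci.image.index.v1+json"
MANIFEST = "application/vnd.oci.image.manifest.v1+json"
CONFIG = "application/vnd.oci.image.config.v1+json"
LAYER_GZIP = "application/vnd.oci.image.layer.v1.tar+gzip"
LAYERS = {
    "application/vnd.oci.image.layer.v1.tar",
    LAYER_GZIP,
    "application/vnd.oci.image.layer.nondistributable.v1.tar",
    "application/vnd.oci.image.layer.nondistributable.v1.tar+gzip",
}


def digest_of(blob: bytes) -> str:
    """Content address of a blob, in the "sha256:<hex>" form descriptors use."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def check_descriptor(desc: dict, blobs: dict, allowed: set) -> list:
    """Problems with one descriptor: a mediaType this edge does not allow, a
    blob the store lacks, or blob bytes that do not match the claimed digest/size."""
    problems = []
    if desc.get("mediaType") not in allowed:
        problems.append(f"unexpected mediaType {desc.get('mediaType')!r}")
    blob = blobs.get(desc["digest"])
    if blob is None:
        problems.append(f"missing blob {desc['digest']}")
        return problems
    if digest_of(blob) != desc["digest"]:
        problems.append(f"digest mismatch for {desc['digest']}")
    if len(blob) != desc["size"]:
        problems.append(f"size mismatch for {desc['digest']}")
    return problems


def verify_index(index_bytes: bytes, blobs: dict) -> list:
    """Walk index -> manifest -> config/layers and return every problem found.
    Bytes that fail their descriptor check are never parsed or descended into."""
    problems = []
    for mdesc in json.loads(index_bytes)["manifests"]:
        edge = check_descriptor(mdesc, blobs, {MANIFEST, INDEX})
        problems += edge
        if edge:
            continue
        if mdesc["mediaType"] == INDEX:          # index -> index, 1..*
            problems += verify_index(blobs[mdesc["digest"]], blobs)
            continue
        manifest = json.loads(blobs[mdesc["digest"]])
        problems += check_descriptor(manifest["config"], blobs, {CONFIG})   # 1..1
        if not manifest.get("layers"):                                       # 1..*
            problems.append(f"manifest {mdesc['digest']} has no layers")
        for ldesc in manifest.get("layers", []):
            problems += check_descriptor(ldesc, blobs, LAYERS)
    return problems


def build_sample():
    """Constructed single-platform image (not real alpine): returns
    (index_bytes, blob_store, layer_digest)."""
    blobs = {}

    def put(blob: bytes) -> str:
        blobs[digest_of(blob)] = blob
        return digest_of(blob)

    layer = b"constructed stand-in for a gzip'd tar layer"   # placeholder, not a tar
    layer_d = put(layer)
    config = json.dumps({"architecture": "amd64", "os": "linux",
                         "rootfs": {"type": "layers", "diff_ids": [layer_d]}}).encode()
    config_d = put(config)
    manifest = json.dumps({
        "schemaVersion": 2, "mediaType": MANIFEST,
        "config": {"mediaType": CONFIG, "digest": config_d, "size": len(config)},
        "layers": [{"mediaType": LAYER_GZIP, "digest": layer_d, "size": len(layer)}],
    }).encode()
    manifest_d = put(manifest)
    index = json.dumps({"schemaVersion": 2, "mediaType": INDEX, "manifests": [
        {"mediaType": MANIFEST, "digest": manifest_d, "size": len(manifest),
         "platform": {"architecture": "amd64", "os": "linux"}}]}).encode()
    return index, blobs, layer_d


def demo():
    """The clean store verifies; a store that serves other bytes under the
    layer's digest (a tampering or proxy bug scenario) is reported."""
    index, blobs, layer_d = build_sample()
    tampered = dict(blobs)
    tampered[layer_d] = b"tampered"
    return verify_index(index, blobs), verify_index(index, tampered)


if __name__ == "__main__":
    clean, bad = demo()
    print("clean:", clean)
    print("tampered:", bad)
```

The check is deliberately keyed on the descriptor, not on the store: a registry or mirror is trusted only to hand back bytes, and the digest in the referencing descriptor is what decides whether those bytes are the image.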

"Artifacts"

Given the backwards evolution of OCI from image-spec to distribution-spec, packaging any objects that are not container specific feels like a hack.

But folks have been doing so for a while.

And registries arbitrarily chose how to blocklist or allowlist mediaTypes.

But that has not stopped people from masquerading mediaTypes. Even Red Hat needed to publish src.rpms "in like manner" as the container images built from their binaries, in BuildSourceImage.

Guidance for an empty descriptor


Hands-on ...

crane --help
~~~crane --help
replaceme
~~~

Hands-on ...

crane manifest docker.io/alpine
{
  "manifests": [
    {
      "digest": "sha256:c5c5fda71656f28e49ac9c5416b3643eaa6a108a8093151d6d1afc9463be8e33",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      },
      "size": 528
    },
    {
      "digest": "sha256:f748290eb66ad6f938e25dd348acfb3527a422e280b7547b1cdfaf38d4492c4b",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "arm",
        "os": "linux",
        "variant": "v6"
      },
      "size": 528
    },
[...]
crane -v manifest docker.io/alpine

Hands-on ...

crane manifest docker.io/alpine@sha256:c5c5fda71656f28e49ac9c5416b3643eaa6a108a8093151d6d1afc9463be8e33
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 1471,
    "digest": "sha256:7e01a0d0a1dcd9e539f8e9bbd80106d59efbdf97293b3d38f5d7a34501526cdb"
  },
  "layers": [
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 3401613,
      "digest": "sha256:7264a8db6415046d36d16ba98b79778e18accee6ffa71850405994cffa9be7de"
    }
  ]
}

Hands-on ...

crane config docker.io/alpine@sha256:c5c5fda71656f28e49ac9c5416b3643eaa6a108a8093151d6d1afc9463be8e33

Show the contents of the application/vnd.docker.container.image.v1+json from the manifest


edit

docker pull docker.io/alpine
docker tag docker.io/alpine r.batts.cloud/alpine-test:latest
docker push r.batts.cloud/alpine-test:latest
crane edit manifest r.batts.cloud/alpine-test:latest

use application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.config.v1+json, and application/vnd.oci.image.layer.v1.tar+gzip.

docker rmi r.batts.cloud/alpine-test:latest
docker pull r.batts.cloud/alpine-test@sha256:b0050a40f615a0225485155f238034ac1cfd581e8071ba78aed5ca272e4dc9bb
docker run --rm r.batts.cloud/alpine-test@sha256:b0050a40f615a0225485155f238034ac1cfd581e8071ba78aed5ca272e4dc9bb echo howdy
crane manifest r.batts.cloud/alpine-test@sha256:b0050a40f615a0225485155f238034ac1cfd581e8071ba78aed5ca272e4dc9bb | jq .
crane manifest r.batts.cloud/alpine-test@sha256:c5c5fda71656f28e49ac9c5416b3643eaa6a108a8093151d6d1afc9463be8e33 | jq .
crane delete r.batts.cloud/alpine-test@sha256:c5c5fda71656f28e49ac9c5416b3643eaa6a108a8093151d6d1afc9463be8e33
crane delete r.batts.cloud/alpine-test@sha256:b0050a40f615a0225485155f238034ac1cfd581e8071ba78aed5ca272e4dc9bb
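The sequence above edits only the mediaType strings of the manifest, yet the image comes back under a new digest (b0050a40... instead of c5c5fda7...) and the old manifest has to be deleted separately. That is not a quirk of crane: the manifest is a content-addressed blob, so changing any byte of it changes its digest, while the config and layer blobs it points at keep theirs. The following is an added example, not code from the talk or from crane, that performs the same rewrite on the alpine manifest shown on the earlier slide (pasted here as constructed input; its digest need not equal the registry's, because the registry hashes the exact bytes it stores) and reports which digests moved. The Docker-to-OCI mapping table and the `compare` helper are this example's own.

```python
import hashlib
import json

# Docker schema 2 media types and the OCI equivalents the slide switches to.
DOCKER_TO_OCI = {
    "application/vnd.docker.distribution.manifest.v2+json":
        "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.docker.container.image.v1+json":
        "application/vnd.oci.image.config.v1+json",
    "application/vnd.docker.image.rootfs.diff.tar.gzip":
        "application/vnd.oci.image.layer.v1.tar+gzip",
}

# The alpine manifest from the earlier slide, used as constructed input.
DOCKER_MANIFEST = b"""{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 1471,
    "digest": "sha256:7e01a0d0a1dcd9e539f8e9bbd80106d59efbdf97293b3d38f5d7a34501526cdb"
  },
  "layers": [
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 3401613,
      "digest": "sha256:7264a8db6415046d36d16ba98b79778e18accee6ffa71850405994cffa9be7de"
    }
  ]
}"""


def digest_of(blob: bytes) -> str:
    """Content address of a blob, as a registry would compute it."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def _oci(media_type: str) -> str:
    """Map a Docker media type to OCI; pass OCI through; refuse anything else
    rather than silently pushing an unknown type."""
    if media_type in DOCKER_TO_OCI.values():
        return media_type
    if media_type not in DOCKER_TO_OCI:
        raise ValueError(f"no OCI equivalent known for {media_type!r}")
    return DOCKER_TO_OCI[media_type]


def to_oci_manifest(manifest_bytes: bytes) -> bytes:
    """Rewrite the manifest, config and layer mediaTypes to their OCI names.
    Digests of config and layers are untouched: only the references change."""
    m = json.loads(manifest_bytes)
    if m.get("schemaVersion") != 2:
        raise ValueError("only schemaVersion 2 manifests are handled")
    m["mediaType"] = _oci(m["mediaType"])
    m["config"]["mediaType"] = _oci(m["config"]["mediaType"])
    for layer in m["layers"]:
        layer["mediaType"] = _oci(layer["mediaType"])
    # The serialized bytes determine the new digest; there is no way to keep
    # the old one once the content differs.
    return json.dumps(m, indent=2).encode()


def compare(before: bytes, after: bytes) -> dict:
    """Which digests changed between the two manifests, plus the new media types."""
    b, a = json.loads(before), json.loads(after)
    return {
        "manifest_digest_changed": digest_of(before) != digest_of(after),
        "config_digest_same": b["config"]["digest"] == a["config"]["digest"],
        "layer_digests_same": [x["digest"] for x in b["layers"]] == [x["digest"] for x in a["layers"]],
        "new_manifest_digest": digest_of(after),
        "after_media_types": [a["mediaType"], a["config"]["mediaType"]]
                             + [x["mediaType"] for x in a["layers"]],
    }


if __name__ == "__main__":
    rewritten = to_oci_manifest(DOCKER_MANIFEST)
    print(json.dumps(compare(DOCKER_MANIFEST, rewritten), indent=2))
```

Because the blobs are shared and only the manifest moved, a `crane delete` of the old manifest digest removes just that reference; the registry may keep the config and layer blobs for the new manifest, and any policy or signature bound to the old manifest digest no longer covers the edited image.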