-
Notifications
You must be signed in to change notification settings - Fork 377
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update test vendor to image-spec rc5 #241
Conversation
This is WIP since I need to rework the OCI transports for RC5 - just a placeholder for now |
5acde2a
to
6fac654
Compare
@runcom We need to talk about how we are going to handle references given the discussion I've had upstream especially with opencontainers/image-spec#588 -- effectively the way it should be handled is like SQL queries. Hopefully |
mmm I don't understand why we went for using another library (umoci's) for OCI support in c/image (which is already a library) |
(*sigh* that seems rather overengineered and very ambiguous (how does one do matching on So far we’ve handled the similar docker schema2 functionality in
I don’t particularly care about how the OCI transport is implemented (e.g. I would be perfectly fine with a set of one-liners calling |
If I may jump in I think there's a valuable discussion in making
containers/image (and perhaps parts of containers/storage) bank off of
umoci for many of its operations. I spoke to @cyphar over twitter about
making this a thing that could happen, the editing features I need are
coming to umoci and the interface in containers/image from a lib
perspective is very nice.
Perhaps getting in a position where we can consume umoci as a lib would be
the best option? I am very, very happy to do this work if desired.
…On Fri, Mar 3, 2017 at 12:05 PM, Miloslav Trmač ***@***.***> wrote:
@runcom <https://github.com/runcom> We need to talk about how we are
going to handle references given the discussion I've had upstream
especially with opencontainers/image-spec#588
<opencontainers/image-spec#588> -- effectively
the way it should be handled is like SQL queries.
(*sigh* that seems rather overengineered and very ambiguous (how does one
do matching on os.version, or variant (is arm8 ≥ arm6l?); oh well, it
does define enough to be usable I guess.)
So far we’ve handled the similar docker schema2 functionality in
image/docker_list.go, i.e. when reading the image, we resolve the list
into a single manifest at the earliest opportunity. But that’s all that is
supported, there is no support for manifest list destinations, and copy.go
explicitly refuses to copy multi-images.
but ok...OCI support will probably drop from c/image eventually (I guess)
and skopeo can directly use umoci's library
I don’t particularly care about how the OCI transport is implemented (e.g.
I would be perfectly fine with a set of one-liners calling umoci), but it
does seem valuable to me to have OCI go through the types.ImageTransport
abstraction so that signatures and the unified copy pipeline etc. can be
used, and so that skopeo does not have to build a private abstraction over
containers/image and umoci; that would be a bit ridiculous.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#241 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABJ69FlCuSZcLsPnfFYppLrB-1a9KWQks5riHKKgaJpZM4ML-f9>
.
|
I have code to do a lot of what umoci does for docker images, and have
outstanding patches like moby/moby#28923 that
can finish the work for docker-specific image work.
…On Fri, Mar 3, 2017 at 12:08 PM, Erik Hollensbe ***@***.***> wrote:
If I may jump in I think there's a valuable discussion in making
containers/image (and perhaps parts of containers/storage) bank off of
umoci for many of its operations. I spoke to @cyphar over twitter about
making this a thing that could happen, the editing features I need are
coming to umoci and the interface in containers/image from a lib
perspective is very nice.
Perhaps getting in a position where we can consume umoci as a lib would be
the best option? I am very, very happy to do this work if desired.
On Fri, Mar 3, 2017 at 12:05 PM, Miloslav Trmač ***@***.***>
wrote:
> @runcom <https://github.com/runcom> We need to talk about how we are
> going to handle references given the discussion I've had upstream
> especially with opencontainers/image-spec#588
> <opencontainers/image-spec#588> -- effectively
> the way it should be handled is like SQL queries.
>
> (*sigh* that seems rather overengineered and very ambiguous (how does one
> do matching on os.version, or variant (is arm8 ≥ arm6l?); oh well, it
> does define enough to be usable I guess.)
>
> So far we’ve handled the similar docker schema2 functionality in
> image/docker_list.go, i.e. when reading the image, we resolve the list
> into a single manifest at the earliest opportunity. But that’s all that is
> supported, there is no support for manifest list destinations, and
> copy.go explicitly refuses to copy multi-images.
>
> but ok...OCI support will probably drop from c/image eventually (I guess)
> and skopeo can directly use umoci's library
>
> I don’t particularly care about how the OCI transport is implemented
> (e.g. I would be perfectly fine with a set of one-liners calling umoci),
> but it does seem valuable to me to have OCI go through the
> types.ImageTransport abstraction so that signatures and the unified copy
> pipeline etc. can be used, and so that skopeo does not have to build a
> private abstraction over containers/image and umoci; that would be a bit
> ridiculous.
>
> —
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly, view it on GitHub
> <#241 (comment)>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AABJ69FlCuSZcLsPnfFYppLrB-1a9KWQks5riHKKgaJpZM4ML-f9>
> .
>
|
Honestly I don’t know all that much about the wider runc / OCI / … ecosystem¹, @runcom ? My guess after a five-minute look at umoci is that c/image currently tends to deal with images as a single ~immutable unit, so converting between image formats and probably config formats makes sense as part of that, but editing layers and especially individual files inside is conceptually somewhat different (notably it really needs a semi-persistent staging area for in-progress multi-step edits). That’s not to say that the two shouldn’t be very easily interoperable, or they may even be a single repo/project—at the very least But then… Really, the project will grow in whichever way contributors want to take it :) Actually the Perhaps the * mitr shuts up now to stop displaying even more of his ignorance. |
I dunno. It just seems like there's a ton of overlap and that maybe a sink
for some of these core image/storage operations would be best. Perhaps I'm
too eager to unify something that doesn't need to be.
…On Fri, Mar 3, 2017 at 12:30 PM, Miloslav Trmač ***@***.***> wrote:
If I may jump in I think there's a valuable discussion in making
containers/image (and perhaps parts of containers/storage) bank off of
umoci for many of its operations.
Honestly I don’t know all that much about the wider runc / OCI / …
ecosystem¹, @runcom <https://github.com/runcom> ?
My *guess* after a five-minute look at umoci is that c/image currently
tends to deal with images as a single ~immutable unit, so converting
between image formats and probably config formats makes sense as part of
that, but editing layers and especially individual files inside is
conceptually somewhat different (notably it really needs a semi-persistent
staging area for in-progress multi-step edits). That’s not to say that the
two shouldn’t be very easily interoperable, or they may even be a single
repo/project—at the very least types.ImageReference or something like
that would be a nice thing to share.
But then…
¹ I came here for signatures; source/destination abstractions, copy.Image,
and format conversions all just grew from that and were not originally
anticipated.
Really, the project will grow in whichever way contributors want to take
it :)
Actually the containers-storage: transport is already somewhat awkward to
handle using our abstraction (assuming that a layer put into an
ImageDestination can be copied back out from an ImageSource unmodified,
which is not true for containers-storage), and if I understand umoci
correctly, having containers/image know about “local extracted images”
(which are not image-at-a-time sources/destinations) might make all of this
much clearer.
Perhaps the copy abstraction which completely hides the difference
between “push”/“pull”/“copy between servers” is just untenable…
* mitr shuts up now to stop displaying even more of his ignorance.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#241 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABJ6yU43OlG0EyNGKzM8wLzbQQyeNvYks5riHh2gaJpZM4ML-f9>
.
|
If you'd like to continue the good fight within the spec, that's your decision. Stephen Day made clear that in his opinion the tagging system of Docker (and thus all of the similar systems) is too simple and that a tagging system is much more useful for people.
That's the front-end of |
So you don't have to reimplement the OCI CAS interface. I mean, it's up to you ultimately, but I'm a bit concerned that |
I'm afraid I can’t spend time on that now. It does seem that a subset of that is easy enough to use in portable code, so I guess that’s what will end up happening… Or, *shrug*, I could just be wrong and this could be the right thing to do.
Sure, one-liners calling a library. Executing a binary would be more lines :)
Ah, OK. That is indeed much closer to the |
@runcom barring the unfortunate refs-as-annotations situation in -rc5 and the single test failing in here, is there anything else blocking this? I did a quick roundtrip of this through skopeo and seems fine on the surface, but I may be missing some details. |
Bump on my last comment. |
I'll fix the test meanwhile |
I've got a branch in Basically I think the best way of moving forward is that skopeo implement the most "simple" tagging implementation (which can be done with the current state of my umoci branch's OCI CAS library) -- more complicated manifest trees aren't necessary for the "simple" ca se. There are some complications with "updating" a tag, but umoci's updating implementation will probably never really want to work with non-unique tags (we'll see though). The kinda nice thing about rc5 is that I can implement references in |
I definitely have put umoci integration on my list of things that "would be a good thing" in |
@cyphar sorry, I didn't get if this PR still stand on his own and could be moved forward |
@@ -54,7 +54,7 @@ func GuessMIMEType(manifest []byte) string { | |||
} | |||
|
|||
switch meta.MediaType { | |||
case DockerV2Schema2MediaType, DockerV2ListMediaType, imgspecv1.MediaTypeImageManifest, imgspecv1.MediaTypeImageManifestList: // A recognized type. | |||
case DockerV2Schema2MediaType, DockerV2ListMediaType: // A recognized type. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I vaguely remember there was an earlier conversation about this, but I can't remember the details: why is guessing that a manifest is OCI no longer applicable? Because a manifest can never be a stand-alone object with OCi without an index now? Or just because OCI decided not to include the type in the JSON?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No mime type in Json anymore
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To expand on the above, it's because types are now implemented using descriptor types (so objects are no longer self-descriptive).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Either way, this is awkward.
dirImageSource
andstorageImageSource
depend onGuessMIMEType
to work; otherwisec/i/image
assumes schema1. (Not trivially fixable.)dockerImageDestination
depends onGuessMIMEType
for settingContent-Type
on upload. (This one is probably fixable by adding an explicit parameter, and using thec/i/image
handler to get the type we are using.)
Is there another heuristic we can use? e.g. schemaVersion
== 2
&& mediaType
missing? Or perhaps together with config.mediaType
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed I think
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. Could the if meta.SchemaVersion == 2
code be unified with case 2
below?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
ping @cyphar about #241 (comment) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good as a first step for v1.0.0-rc5. My main worry was inconsistency with other referencing implementations but after some discussions with Steven the main point is that skopeo doesn't need to support all possible image structures (though umoci
will try to implement that in a more unopinionated way).
d = &md | ||
break | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, this logic works for the basic case and was the main thing I was worried about. Once I have a nice implementation in umoci
, skopeo
should be able to handle more complicated cases.
Out of partially related curiosity, what's the golang libraries plan to deal with opencontainers/image-spec#581 (comment)? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I’d be much happier with GuestManifestMIMEType
working as expected. I guess I could be persuaded to give up on that, but it seems fairly possible to handle…
annotations := make(map[string]string) | ||
annotations["org.opencontainers.ref.name"] = d.ref.tag | ||
desc.Annotations = annotations | ||
d.index.Manifests = append(d.index.Manifests, imgspecv1.ManifestDescriptor{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This gives a bit of an impression that the code adds more manifests to an existing index, but we actually never read the original file and blindly overwrite it if it exists.
I guess the intent is to perhaps add the “update existing index” over time? If so, this code does make enough sense; if not, and the intent is to always do a simple overwrite, the code structure could probably be a bit simpler (do nothing in Commit
, just build a single ImageIndex
local variable in PutManifest
).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yup, the intent is to "update existing index"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yup, the intent is to "update existing index"
As in, with this PR, or at some later time? Because it is not updating an existing index now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if you call PutManifest
many times and at the end Commit
you'll have a multi-manifest index with this code, am I stupidly missing something?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, true. I wasn’t considering that because we have no tools to do that (and the semantics of doing that + PutSignatures
is unclear — what manifest are the signatures attached to?).
Anyway, that can be useful for someone who explicitly expects that oci:
behavior, and it doesn’t break anything, so fair enough.
oci/layout/oci_transport.go
Outdated
if err != nil { | ||
return nil, err | ||
} | ||
src := newImageSource(ref, d) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This duplication between NewImage
and NewImageSource
rather suggests that getManifestDescriptor
should be called within newImageSource
instead of supplied from the outside.
(That still allows getManifestDescriptor
to be a method on ociReference
if you want.)
} | ||
defer indexJSON.Close() | ||
index := imgspecv1.ImageIndex{} | ||
if err := json.NewDecoder(indexJSON).Decode(&index); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is shorter than ReadAll
+ Unmarshal
, but doesn’t it also silently accept garbage (or a valid JSON?) after the processed object? And does that matter? (Quite possibly it doesn’t…)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldn't matter afaict
oci/layout/oci_transport_test.go
Outdated
@@ -239,6 +258,14 @@ func TestReferenceOCILayoutPath(t *testing.T) { | |||
assert.Equal(t, tmpDir+"/oci-layout", ociRef.ociLayoutPath()) | |||
} | |||
|
|||
func TestReferenceIndexJSON(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be TestReferenceIndexPath
?
@mtrmac PTAL |
(skopeo needs updating as well go keep CI happy.) |
@mtrmac updated skopeo as well |
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Signed-off-by: Antonio Murdaca runcom@redhat.com