update test vendor to image-spec rc5 #241
Conversation
|
This is WIP since I need to rework the OCI transports for RC5 - just a placeholder for now |
runcom
changed the title
runcom
force-pushed
the
image-spec-rc5
branch
2 times, most recently
from
5acde2a
to
6fac654
Compare
|
@runcom We need to talk about how we are going to handle references given the discussion I've had upstream especially with opencontainers/image-spec#588 -- effectively the way it should be handled is like SQL queries. Hopefully |
mmm I don't understand why we went for using another library (umoci's) for OCI support in c/image (which is already a library) |
(*sigh* that seems rather overengineered and very ambiguous (how does one do matching on So far we’ve handled the similar docker schema2 functionality in
I don’t particularly care about how the OCI transport is implemented (e.g. I would be perfectly fine with a set of one-liners calling |
|
If I may jump in I think there's a valuable discussion in making
containers/image (and perhaps parts of containers/storage) bank off of
umoci for many of its operations. I spoke to @cyphar over twitter about
making this a thing that could happen, the editing features I need are
coming to umoci and the interface in containers/image from a lib
perspective is very nice.
Perhaps getting in a position where we can consume umoci as a lib would be
the best option? I am very, very happy to do this work if desired.
…On Fri, Mar 3, 2017 at 12:05 PM, Miloslav Trmač ***@***.***> wrote:
@runcom <https://github.com/runcom> We need to talk about how we are
going to handle references given the discussion I've had upstream
especially with opencontainers/image-spec#588
<opencontainers/image-spec#588> -- effectively
the way it should be handled is like SQL queries.
(*sigh* that seems rather overengineered and very ambiguous (how does one
do matching on os.version, or variant (is arm8 ≥ arm6l?); oh well, it
does define enough to be usable I guess.)
So far we’ve handled the similar docker schema2 functionality in
image/docker_list.go, i.e. when reading the image, we resolve the list
into a single manifest at the earliest opportunity. But that’s all that is
supported, there is no support for manifest list destinations, and copy.go
explicitly refuses to copy multi-images.
but ok...OCI support will probably drop from c/image eventually (I guess)
and skopeo can directly use umoci's library
I don’t particularly care about how the OCI transport is implemented (e.g.
I would be perfectly fine with a set of one-liners calling umoci), but it
does seem valuable to me to have OCI go through the types.ImageTransport
abstraction so that signatures and the unified copy pipeline etc. can be
used, and so that skopeo does not have to build a private abstraction over
containers/image and umoci; that would be a bit ridiculous.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#241 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABJ69FlCuSZcLsPnfFYppLrB-1a9KWQks5riHKKgaJpZM4ML-f9>
.
|
|
I have code to do a lot of what umoci does for docker images, and have
outstanding patches like moby/moby#28923 that
can finish the work for docker-specific image work.
…On Fri, Mar 3, 2017 at 12:08 PM, Erik Hollensbe ***@***.***> wrote:
If I may jump in I think there's a valuable discussion in making
containers/image (and perhaps parts of containers/storage) bank off of
umoci for many of its operations. I spoke to @cyphar over twitter about
making this a thing that could happen, the editing features I need are
coming to umoci and the interface in containers/image from a lib
perspective is very nice.
Perhaps getting in a position where we can consume umoci as a lib would be
the best option? I am very, very happy to do this work if desired.
On Fri, Mar 3, 2017 at 12:05 PM, Miloslav Trmač ***@***.***>
wrote:
> @runcom <https://github.com/runcom> We need to talk about how we are
> going to handle references given the discussion I've had upstream
> especially with opencontainers/image-spec#588
> <opencontainers/image-spec#588> -- effectively
> the way it should be handled is like SQL queries.
>
> (*sigh* that seems rather overengineered and very ambiguous (how does one
> do matching on os.version, or variant (is arm8 ≥ arm6l?); oh well, it
> does define enough to be usable I guess.)
>
> So far we’ve handled the similar docker schema2 functionality in
> image/docker_list.go, i.e. when reading the image, we resolve the list
> into a single manifest at the earliest opportunity. But that’s all that is
> supported, there is no support for manifest list destinations, and
> copy.go explicitly refuses to copy multi-images.
>
> but ok...OCI support will probably drop from c/image eventually (I guess)
> and skopeo can directly use umoci's library
>
> I don’t particularly care about how the OCI transport is implemented
> (e.g. I would be perfectly fine with a set of one-liners calling umoci),
> but it does seem valuable to me to have OCI go through the
> types.ImageTransport abstraction so that signatures and the unified copy
> pipeline etc. can be used, and so that skopeo does not have to build a
> private abstraction over containers/image and umoci; that would be a bit
> ridiculous.
>
> —
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly, view it on GitHub
> <#241 (comment)>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AABJ69FlCuSZcLsPnfFYppLrB-1a9KWQks5riHKKgaJpZM4ML-f9>
> .
>
|
Honestly I don’t know all that much about the wider runc / OCI / … ecosystem¹, @runcom ? My guess after a five-minute look at umoci is that c/image currently tends to deal with images as a single ~immutable unit, so converting between image formats and probably config formats makes sense as part of that, but editing layers and especially individual files inside is conceptually somewhat different (notably it really needs a semi-persistent staging area for in-progress multi-step edits). That’s not to say that the two shouldn’t be very easily interoperable, or they may even be a single repo/project—at the very least But then… Really, the project will grow in whichever way contributors want to take it :) Actually the Perhaps the * mitr shuts up now to stop displaying even more of his ignorance. |
|
I dunno. It just seems like there's a ton of overlap and that maybe a sink
for some of these core image/storage operations would be best. Perhaps I'm
too eager to unify something that doesn't need to be.
…On Fri, Mar 3, 2017 at 12:30 PM, Miloslav Trmač ***@***.***> wrote:
If I may jump in I think there's a valuable discussion in making
containers/image (and perhaps parts of containers/storage) bank off of
umoci for many of its operations.
Honestly I don’t know all that much about the wider runc / OCI / …
ecosystem¹, @runcom <https://github.com/runcom> ?
My *guess* after a five-minute look at umoci is that c/image currently
tends to deal with images as a single ~immutable unit, so converting
between image formats and probably config formats makes sense as part of
that, but editing layers and especially individual files inside is
conceptually somewhat different (notably it really needs a semi-persistent
staging area for in-progress multi-step edits). That’s not to say that the
two shouldn’t be very easily interoperable, or they may even be a single
repo/project—at the very least types.ImageReference or something like
that would be a nice thing to share.
But then…
¹ I came here for signatures; source/destination abstractions, copy.Image,
and format conversions all just grew from that and were not originally
anticipated.
Really, the project will grow in whichever way contributors want to take
it :)
Actually the containers-storage: transport is already somewhat awkward to
handle using our abstraction (assuming that a layer put into an
ImageDestination can be copied back out from an ImageSource unmodified,
which is not true for containers-storage), and if I understand umoci
correctly, having containers/image know about “local extracted images”
(which are not image-at-a-time sources/destinations) might make all of this
much clearer.
Perhaps the copy abstraction which completely hides the difference
between “push”/“pull”/“copy between servers” is just untenable…
* mitr shuts up now to stop displaying even more of his ignorance.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#241 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABJ6yU43OlG0EyNGKzM8wLzbQQyeNvYks5riHh2gaJpZM4ML-f9>
.
|
If you'd like to continue the good fight within the spec, that's your decision. Stephen Day made clear that in his opinion the tagging system of Docker (and thus all of the similar systems) is too simple and that a tagging system is much more useful for people.
That's the front-end of |
So you don't have to reimplement the OCI CAS interface. I mean, it's up to you ultimately, but I'm a bit concerned that |
I'm afraid I can’t spend time on that now. It does seem that a subset of that is easy enough to use in portable code, so I guess that’s what will end up happening… Or, *shrug*, I could just be wrong and this could be the right thing to do.
Sure, one-liners calling a library. Executing a binary would be more lines :)
Ah, OK. That is indeed much closer to the |
|
@runcom barring the unfortunate refs-as-annotations situation in -rc5 and the single test failing in here, is there anything else blocking this? I did a quick roundtrip of this through skopeo and seems fine on the surface, but I may be missing some details. |
|
Bump on my last comment. |
|
I'll fix the test meanwhile |
|
I've got a branch in Basically I think the best way of moving forward is that skopeo implement the most "simple" tagging implementation (which can be done with the current state of my umoci branch's OCI CAS library) -- more complicated manifest trees aren't necessary for the "simple" ca se. There are some complications with "updating" a tag, but umoci's updating implementation will probably never really want to work with non-unique tags (we'll see though). The kinda nice thing about rc5 is that I can implement references in |
|
I definitely have put umoci integration on my list of things that "would be a good thing" in |
|
@cyphar sorry, I didn't get if this PR still stand on his own and could be moved forward |
| @@ -54,7 +54,7 @@ func GuessMIMEType(manifest []byte) string { | |||
| } | |||
|
|
|||
| switch meta.MediaType { | |||
| case DockerV2Schema2MediaType, DockerV2ListMediaType, imgspecv1.MediaTypeImageManifest, imgspecv1.MediaTypeImageManifestList: // A recognized type. | |||
| case DockerV2Schema2MediaType, DockerV2ListMediaType: // A recognized type. | |||
There was a problem hiding this comment.
I vaguely remember there was an earlier conversation about this, but I can't remember the details: why is guessing that a manifest is OCI no longer applicable? Because a manifest can never be a stand-alone object with OCi without an index now? Or just because OCI decided not to include the type in the JSON?
There was a problem hiding this comment.
No mime type in Json anymore
There was a problem hiding this comment.
To expand on the above, it's because types are now implemented using descriptor types (so objects are no longer self-descriptive).
There was a problem hiding this comment.
Either way, this is awkward.
dirImageSourceandstorageImageSourcedepend onGuessMIMETypeto work; otherwisec/i/imageassumes schema1. (Not trivially fixable.)dockerImageDestinationdepends onGuessMIMETypefor settingContent-Typeon upload. (This one is probably fixable by adding an explicit parameter, and using thec/i/imagehandler to get the type we are using.)
Is there another heuristic we can use? e.g. schemaVersion == 2 && mediaType missing? Or perhaps together with config.mediaType?
There was a problem hiding this comment.
Thanks. Could the if meta.SchemaVersion == 2 code be unified with case 2 below?
|
ping @cyphar about #241 (comment) |
There was a problem hiding this comment.
Looks good as a first step for v1.0.0-rc5. My main worry was inconsistency with other referencing implementations but after some discussions with Steven the main point is that skopeo doesn't need to support all possible image structures (though umoci will try to implement that in a more unopinionated way).
| d = &md | ||
| break | ||
| } | ||
| } |
There was a problem hiding this comment.
Yeah, this logic works for the basic case and was the main thing I was worried about. Once I have a nice implementation in umoci, skopeo should be able to handle more complicated cases.
|
Out of partially related curiosity, what's the golang libraries plan to deal with opencontainers/image-spec#581 (comment)? |
| annotations := make(map[string]string) | ||
| annotations["org.opencontainers.ref.name"] = d.ref.tag | ||
| desc.Annotations = annotations | ||
| d.index.Manifests = append(d.index.Manifests, imgspecv1.ManifestDescriptor{ |
There was a problem hiding this comment.
This gives a bit of an impression that the code adds more manifests to an existing index, but we actually never read the original file and blindly overwrite it if it exists.
I guess the intent is to perhaps add the “update existing index” over time? If so, this code does make enough sense; if not, and the intent is to always do a simple overwrite, the code structure could probably be a bit simpler (do nothing in Commit, just build a single ImageIndex local variable in PutManifest).
There was a problem hiding this comment.
yup, the intent is to "update existing index"
There was a problem hiding this comment.
yup, the intent is to "update existing index"
As in, with this PR, or at some later time? Because it is not updating an existing index now.
There was a problem hiding this comment.
if you call PutManifest many times and at the end Commit you'll have a multi-manifest index with this code, am I stupidly missing something?
There was a problem hiding this comment.
Ah, true. I wasn’t considering that because we have no tools to do that (and the semantics of doing that + PutSignatures is unclear — what manifest are the signatures attached to?).
Anyway, that can be useful for someone who explicitly expects that oci: behavior, and it doesn’t break anything, so fair enough.
oci/layout/oci_transport.go
Outdated
| if err != nil { | ||
| return nil, err | ||
| } | ||
| src := newImageSource(ref, d) |
There was a problem hiding this comment.
This duplication between NewImage and NewImageSource rather suggests that getManifestDescriptor should be called within newImageSource instead of supplied from the outside.
(That still allows getManifestDescriptor to be a method on ociReference if you want.)
| } | ||
| defer indexJSON.Close() | ||
| index := imgspecv1.ImageIndex{} | ||
| if err := json.NewDecoder(indexJSON).Decode(&index); err != nil { |
There was a problem hiding this comment.
This is shorter than ReadAll + Unmarshal, but doesn’t it also silently accept garbage (or a valid JSON?) after the processed object? And does that matter? (Quite possibly it doesn’t…)
oci/layout/oci_transport_test.go
Outdated
| @@ -239,6 +258,14 @@ func TestReferenceOCILayoutPath(t *testing.T) { | |||
| assert.Equal(t, tmpDir+"/oci-layout", ociRef.ociLayoutPath()) | |||
| } | |||
|
|
|||
| func TestReferenceIndexJSON(t *testing.T) { | |||
There was a problem hiding this comment.
Should this be TestReferenceIndexPath?
|
@mtrmac PTAL |
|
(skopeo needs updating as well go keep CI happy.) |
|
@mtrmac updated skopeo as well |
runcom
changed the title
|
LGTM pending tests / a skopeo update which passes tests. |
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
|
LGTM pending skopeo tests |
Signed-off-by: Antonio Murdaca runcom@redhat.com