-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Import OCI (base) images as-is #51
Comments
My current plan for implementation is to piggy-back on #43 in order to introduce a new For now, I'm thinking we will restrict the Technically, a descriptor is allowed ("OPTIONAL" in the specification) to include This will also have implications for scripts like For PoC purposes, I plan to build something as a standalone tool for now, but with the explicit intent to make this part of |
Initial PR: #61 👀 |
In the case of base images (
debian
,alpine
,ubuntu
, etc), using aDockerfile
as our method of ingestion doesn't really buy us very much. It made sense at the time it was implemented ("allDockerfile
, all the time"), but at this point they're all some variation onFROM scratch \n ADD foo.tar.xz / \n CMD ["/bin/some-shell"]
, and cannot reasonably be "rebuilt" when their base image changes (which is one of the key functions of the official images) since they are the base images in question.Functionally, consuming a tarball in this way isn't that much different from consuming a raw tarball that's part of, say, an OCI image layout (https://github.com/opencontainers/image-spec/blob/v1.0.2/image-layout.md) -- it's some tarball plus some metadata about what to do with it.
For less trivial images, there's a significant difference (and I'm not proposing to use this for anything beyond simple one-layer base images), but for a single layer this would be basically identical.
As a more specific use case, the Debian
rootfs.tar.xz
files are currently 100% reproducible. Unfortunately, some of that gets lost when it gets imported into Docker, and thus it takes some additional effort to get from the Docker-generated rootfs back to the original debuerreotype-generated file (see debuerreotype/docker-debian-artifacts#147 (comment) for an example where I've done so).With the ability to consume an OCI image directly, I would be able to use something like debuerreotype/debuerreotype#108 to go even further and have a 100% fully reproducible image digest as well, and it would be easier to trace a given published image back to the reproducible source generated by the upstream tooling.
The text was updated successfully, but these errors were encountered: