media-types: Define '+gzip' structured syntax suffix

Leaning heavily on the existing entries in RFC 6839.  The suffix makes
it easy to clarify DiffIDs without requiring a particular layer media
type.  It also allows you to create image-layout instances where the
layers are stored uncompressed, which may be useful for cases such as:

* Binary diffing between layer blobs for cheaper updates of large
  layers [1].

* Compressing an image-layout tarball for a smaller smaller overall
  tarball (by avoiding the unnecessary fragmentation of compressing
  the individual blob entries).

Also update unpackLayer to handle both compressed and uncompressed
layers.  I expect unpackLayer will end up in image-tools, so I haven't
invested a lot of time polishing this implementation.  But without
*some* sort of change the manifest tests fail.

[1]: http://ircbot.wl.linuxfoundation.org/eavesdrop/%23opencontainers/%23opencontainers.2016-08-16.log.html#t2016-08-16T23:35:43

Signed-off-by: W. Trevor King <[email protected]>

Author: wking

config.md

@@ -28,7 +28,8 @@ Changing it means creating a new derived image, instead of changing the existing
 A layer DiffID is a SHA256 digest over the layer's uncompressed tar archive and serialized in the descriptor digest format, e.g., `sha256:a9561eb1b190625c9adb5a9513e72c4dedafc1cb2d4c5236c9a6957ec7dfd5a9`.
 Layers must be packed and unpacked reproducibly to avoid changing the layer DiffID, for example by using tar-split to save the tar headers.
 
-NOTE: the DiffID is different than the digest in the manifest list because the manifest digest is taken over the gzipped layer for `application/vnd.oci.image.layer.v1.tar+gzip` types.
+The difference between DiffIDs and the layer digests in the [manifest's `layers`](manifest.md#image-manifest-property-descriptions) is that the layer digest is taken over the blob regardless of compression, while the DiffID is taken after removing any compression.
+For an `application/vnd.oci.image.layer.tar+gzip` layer, the layer digest is taken over the `application/vnd.oci.image.layer.tar+gzip` content, while the DiffID is take over the `application/vnd.oci.image.layer.tar` content.
 
 ### Layer ChainID
 

image/manifest.go

@@ -89,8 +89,16 @@ func (m *manifest) validate(w walker) error {
 }
 
 func (m *manifest) unpack(w walker, dest string) error {
+	recognizedLayerTypes := map[string]bool{
+		v1.MediaTypeImageLayer: true,
+		v1.MediaTypeImageLayer + "+gzip": true,
+		v1.MediaTypeImageLayerNonDistributable: true,
+		v1.MediaTypeImageLayerNonDistributable + "+gzip": true,
+	}
+
 	for _, d := range m.Layers {
-		if d.MediaType != string(schema.MediaTypeImageLayer) {
+		_, ok := recognizedLayerTypes[d.MediaType]
+		if !ok {
 			continue
 		}
 
@@ -104,7 +112,7 @@ func (m *manifest) unpack(w walker, dest string) error {
 				return nil
 			}
 
-			if err := unpackLayer(dest, r); err != nil {
+			if err := unpackLayer(dest, r, d.MediaType); err != nil {
 				return errors.Wrap(err, "error extracting layer")
 			}
 
@@ -120,16 +128,20 @@ func (m *manifest) unpack(w walker, dest string) error {
 	return nil
 }
 
-func unpackLayer(dest string, r io.Reader) error {
+func unpackLayer(dest string, r io.Reader, mediaType string) error {
 	entries := make(map[string]bool)
-	gz, err := gzip.NewReader(r)
-	if err != nil {
-		return errors.Wrap(err, "error creating gzip reader")
+
+	if strings.HasSuffix(mediaType, "+gzip") {
+		gz, err := gzip.NewReader(r)
+		if err != nil {
+			return errors.Wrap(err, "error creating gzip reader")
+		}
+		defer gz.Close()
+		r = gz
 	}
-	defer gz.Close()
 
 	var dirs []*tar.Header
-	tr := tar.NewReader(gz)
+	tr := tar.NewReader(r)
 
 loop:
 	for {

image/manifest_test.go

@@ -60,7 +60,8 @@ func TestUnpackLayerDuplicateEntries(t *testing.T) {
 		t.Fatal(err)
 	}
 	defer os.RemoveAll(tmp2)
-	if err := unpackLayer(tmp2, r); err != nil && !strings.Contains(err.Error(), "duplicate entry for") {
+	err = unpackLayer(tmp2, r, "application/vnd.oci.image.layer.v1.tar+gzip")
+	if err != nil && !strings.Contains(err.Error(), "duplicate entry for") {
 		t.Fatalf("Expected to fail with duplicate entry, got %v", err)
 	}
 }

img/media-types.dot

@@ -3,7 +3,7 @@ digraph G {
     manifestList [shape=note, label="Manifest list\n<<optional>>\napplication/vnd.oci.image.manifest.list.v1+json"]
     manifest [shape=note, label="Image manifest\napplication/vnd.oci.image.manifest.v1+json"]
     config [shape=note, label="Image JSON\napplication/vnd.oci.image.config.v1+json"]
-    layer [shape=note, label="Layer tar+gzip\napplication/vnd.oci.image.layer.v1.tar+gzip\napplication/vnd.oci.image.layer.nondistributable.v1.tar+gzip"]
+    layer [shape=note, label="Layer tar archive\napplication/vnd.oci.image.layer.v1.tar\napplication/vnd.oci.image.layer.nondistributable.v1.tar"]
   }
 
   manifestList -> manifest [label="1..*"]

layer.md

@@ -4,12 +4,12 @@ This document describes how to serialize a filesystem and filesystem changes lik
 One or more layers are applied on top of each other to create a complete filesystem.
 This document will use a concrete example to illustrate how to create and consume these filesystem layers.
 
-This section defines the `application/vnd.oci.image.layer.v1.tar+gzip` and `application/vnd.oci.image.layer.nondistributable.v1.tar+gzip` [media types](media-types.md).
+This section defines the `application/vnd.oci.image.layer.v1.tar` and `application/vnd.oci.image.layer.nondistributable.v1.tar` [media types](media-types.md).
 
 ## Distributable Format
 
-Layer Changesets for the [mediatype](./media-types.md) `application/vnd.oci.image.layer.v1.tar+gzip` MUST be packaged in a [tar archive][tar-archive] compressed with [gzip][gzip].
-Layer Changesets for the [mediatype](./media-types.md) `application/vnd.oci.image.layer.v1.tar+gzip` MUST NOT include duplicate entries for file paths in the resulting [tar archive][tar-archive].
+Layer Changesets for the [media type](./media-types.md) `application/vnd.oci.image.layer.v1.tar` MUST be packaged in [tar archive][tar-archive].
+Layer Changesets for the [media type](./media-types.md) `application/vnd.oci.image.layer.v1.tar` MUST NOT include duplicate entries for file paths in the resulting [tar archive][tar-archive].
 
 ## Change Types
 
@@ -208,7 +208,7 @@ Where the basename name of `./etc/my-app-config` is now prefixed with `.wh.`, an
 
 ## Applying
 
-Layer Changesets of [mediatype](./media-types.md) `application/vnd.oci.image.layer.v1.tar+gzip` are applied rather than strictly extracted in normal fashion for tar archives.
+Layer Changesets of [media type](./media-types.md) `application/vnd.oci.image.layer.v1.tar` are applied rather than strictly extracted in normal fashion for tar archives.
 
 Applying a layer changeset requires consideration for the [whiteout](#whiteouts) files.
 In the absence of any [whiteout](#whiteouts) files in a layer changeset, the archive is extracted like a regular tar archive.
@@ -313,11 +313,10 @@ Any given image is likely to be composed of several of these Image Filesystem Ch
 Certain layers, due to legal requirements, may not be regularly distributable.
 Typically, such layers are downloaded directly from a distributor but are never uploaded.
 
-Layers that have these restrictions SHOULD be tagged with an alternative mediatype of `application/vnd.oci.image.layer.nondistributable.v1.tar+gzip`.
+Layers that have these restrictions SHOULD be tagged with an alternative media type of `application/vnd.oci.image.layer.nondistributable.v1.tar`.
 [Descriptors](descriptor.md) referencing these layers MAY include `urls` for downloading these layers.
 It is implementation-defined whether or not implementations upload layers tagged with this media type.
 
 [libarchive-tar]: https://github.com/libarchive/libarchive/wiki/ManPageTar5#POSIX_ustar_Archives
 [gnu-tar-standard]: http://www.gnu.org/software/tar/manual/html_node/Standard.html
 [tar-archive]: https://en.wikipedia.org/wiki/Tar_(computing)
-[gzip]: http://www.zlib.org/rfc-gzip.html

manifest.md

@@ -53,11 +53,13 @@ Unlike the [Manifest List](manifest-list.md), which contains information about a
         This [descriptor property](descriptor.md#properties) has additional restrictions for `layers[]`.
         Implementations MUST support at least the following media types:
 
-        - [`application/vnd.oci.image.layer.v1.tar+gzip`](layer.md)
-        - [`application/vnd.oci.image.layer.nondistributable.v1.tar+gzip`](layer.md#non-distributable-layers)
+        - [`application/vnd.oci.image.layer.v1.tar`](layer.md)
+        - [`application/vnd.oci.image.layer.nondistributable.v1.tar`](layer.md#non-distributable-layers)
 
         Manifests concerned with portability SHOULD use one of the above media types.
 
+        Entries in this field will frequently use the [`+gzip` structured syntax suffix](media-types.md#the-gzip-structured-syntax-suffix).
+
 - **`annotations`** *string-string map*
 
     This OPTIONAL property contains arbitrary metadata for the image manifest.

media-types.md

@@ -6,8 +6,48 @@ The following media types identify the formats described here and their referenc
 - `application/vnd.oci.image.manifest.list.v1+json`: [Manifest list](manifest-list.md#manifest-list)
 - `application/vnd.oci.image.manifest.v1+json`: [Image manifest](manifest.md#image-manifest)
 - `application/vnd.oci.image.config.v1+json`: [Image config](config.md)
-- `application/vnd.oci.image.layer.v1.tar+gzip`: ["Layer", as a gzipped tar archive](layer.md)
-- `application/vnd.oci.image.layer.nondistributable.v1.tar+gzip`: ["Layer", as a gzipped tar archive with distribution restrictions](layer.md#non-distributable-layers)
+- `application/vnd.oci.image.layer.v1.tar`: ["Layer", as a tar archive](layer.md)
+- `application/vnd.oci.image.layer.nondistributable.v1.tar`: ["Layer", as a tar archive with distribution restrictions](layer.md#non-distributable-layers)
+
+## Suffixes
+
+[RFC 6839][rfc6839] defines several structured syntax suffixes for use with media types.
+This section adds additional structured syntax suffixes for use with media types in OCI Image contexts.
+
+### The +gzip Structured Syntax Suffix
+
+[GZIP][rfc1952] is a widely used compression format.
+The media type [`application/gzip`][rfc6713] has been registered for such files.
+The suffix `+gzip` MAY be used with any media type whose representation follows that established for `application/gzip`.
+The media type structured syntax suffix registration form follows:
+
+Name: GZIP file format
+
+`+suffix`: `+gzip`
+
+References: [[GZIP][rfc1952]]
+
+Encoding considerations: GZIP is a binary encoding.
+
+Fragment identifier considerations:
+
+The syntax and semantics of fragment identifiers specified for `+gzip` SHOULD be as specified for `application/gzip`.
+(At publication of this document, there is no fragment identification syntax defined for `application/gzip`.)
+The syntax and semantics for fragment identifiers for a specific `xxx/yyy+gzip` SHOULD be processed as follows:
+
+* For cases defined in `+gzip`, where the fragment identifier resolves per the `+gzip` rules, then process as specified in `+gzip`.
+* For cases defined in `+gzip`, where the fragment identifier does not resolve per the `+gzip` rules, then process as specified in `xxx/yyy+gzip`.
+* For cases not defined in `+gzip`, then process as specified in `xxx/yyy+gzip`.
+
+Interoperability considerations: n/a
+
+Security considerations:
+
+See the "Security Considerations" sections of [RFC 1952][rfc1952] and [RFC 6713][rfc6713].
+Each individual media type registered with a `+gzip` suffix can have additional security considerations.
+
+Implementations MUST support the `+gzip` suffix for all [OCI Image Media Types](#oci-image-media-types).
+For example, they MUST support `application/vnd.oci.image.layer.v1.tar+gzip` and `application/vnd.oci.image.layer.nondistributable.v1.tar+gzip` for [manifest `layers`](manifest.md#image-manifest-property-descriptions) and `application/vnd.oci.image.manifest.v1+json+gzip` for [manifest list `manifests`](manifest-list.md#manifest-list-property-descriptions).
 
 ## Compatibility Matrix
 
@@ -27,11 +67,13 @@ This section shows where the OCI Image Specification is compatible with formats
 
 - [application/vnd.docker.distribution.manifest.v2+json](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md#image-manifest-field-descriptions)
 
-### application/vnd.oci.image.rootfs.tar.gzip
+### application/vnd.oci.image.layer.tar
 
 **Interchangeable and fully compatible mime-types**
 
-- [application/vnd.docker.image.rootfs.diff.tar.gzip](https://github.com/docker/docker/blob/master/image/spec/v1.md#creating-an-image-filesystem-changeset)
+- With `+gzip`
+
+    - [application/vnd.docker.image.rootfs.diff.tar.gzip](https://github.com/docker/docker/blob/master/image/spec/v1.md#creating-an-image-filesystem-changeset)
 
 ### application/vnd.oci.image.config.v1+json
 
@@ -47,3 +89,7 @@ The following figure shows how the above media types reference each other:
 
 [Descriptors](descriptor.md) are used for all references.
 The manifest list being a "fat manifest" references one or more image manifests per target platform. An image manifest references exactly one target configuration and possibly many layers.
+
+[rfc1952]: https://tools.ietf.org/html/rfc1952
+[rfc6713]: https://tools.ietf.org/html/rfc6713
+[rfc6839]: https://tools.ietf.org/html/rfc6839

specs-go/v1/mediatype.go

@@ -25,11 +25,11 @@ const (
 	MediaTypeImageManifestList = "application/vnd.oci.image.manifest.list.v1+json"
 
 	// MediaTypeImageLayer is the media type used for layers referenced by the manifest.
-	MediaTypeImageLayer = "application/vnd.oci.image.layer.v1.tar+gzip"
+	MediaTypeImageLayer = "application/vnd.oci.image.layer.v1.tar"
 
 	// MediaTypeImageLayerNonDistributable is the media type for layers referenced by
 	// the manifest but with distribution restrictions.
-	MediaTypeImageLayerNonDistributable = "application/vnd.oci.image.layer.nondistributable.v1.tar+gzip"
+	MediaTypeImageLayerNonDistributable = "application/vnd.oci.image.layer.nondistributable.v1.tar"
 
 	// MediaTypeImageConfig specifies the media type for the image configuration.
 	MediaTypeImageConfig = "application/vnd.oci.image.config.v1+json"