manifest: Require support for runtime-spec configurations #451
Conversation
…ed config The image-tools framework has attempted this since d3ffc1c (oci-image-tool: implement create-runtime-bundle, 2016-06-02, opencontainers#114), but we didn't specify whether the translation was required or what the output of the translation should be. That means downstream consumers of an unpacked image couldn't be sure if they'd find a config.json or (if they found one) which runtime-spec versions it would be compatible with. With this commit, the config output becomes specified, so consumers can post-process their config.json and/or invoke a runtime-spec 1.0.0-rc2-compatible runtime on it without worrying about the presence or version of the unpacked config.json. I've picked 1.0.0-rc2 as the most recent runtime-spec commit. As the runtime-spec moves forward with more RCs, I expect we'll want to bump this to keep up. Once runtime-spec hits 1.0, we can probably freeze the target, since post 1.0 releases in runtime-spec's 1.x line are unlikely to make translation from the config format easier, and any 1.x-compatible runtime will be able to handle 1.0 configs. Signed-off-by: W. Trevor King <[email protected]>
We probably need to keep application/vnd.oci.image.config.v1+json untouched, since e94aa35 (schema: add a docker v2.2 backwards compat test, 2016-06-15, opencontainers#145) and other maintainer activity suggest a goal of bit-for-bit compatibility with the current Docker schemas (excepting media types). However, requiring Docker support doesn't mean we can't *also* require support for configuration formats that are easier for image authors to use. Of course, with the (greatly) increased flexibility comes a lot more risk. Image consumers in general, and runtime-spec-based-image consumers in particular, should use a sanitization tool like [1]. The runtime-spec config also lacks support for diffIDs, but local image tooling is still welcome to record the digests of uncompressed layers and use that for local optimizations. You have to fetch the compressed layer at least once to perform the uncompression, but you'd have to do that to verify the old diffID anyway. [1]: opencontainers/runtime-tools#219 Signed-off-by: W. Trevor King <[email protected]>
wking
force-pushed
the
runtime-spec-config
branch
from
2a75b50 to
0a46871
Compare
|
The current spec is pretty vague about how
application/vnd.oci.image.config.v1+json should be unpacked. I've
filed #454 to make that more clear, and then rebased this PR on top of
#454. So #454 should be reviewed first (it is independent of whether
we require support for application/vnd.oci.runtime.config.v1+json),
and this PR should be reviewed if/when both #454 and
opencontainers/runtime-spec#611 have landed.
|
|
Rejected This places unnecessary portability requirements on the runtime-spec and unnecessary cross-platform requirements on the image-spec. Doing this will result in an over-coupled system, that is inflexible and complex to upgrade. Docker spent several versions decoupling these and it would be unfortunate if OCI went in the opposite direction. I would be much in favor of making a version of the config that is driven based on the actual requirements of an image, rather than a misplaced notion of DRY or NIH. |
|
On Mon, Nov 21, 2016 at 12:21:38PM -0800, Stephen Day wrote:
This PR is asking for: configDigest := manifest.Config.digest With the current spec, most unpackers would presumably error out with “I have no idea how to create a runtime config from an The only implementation I can think of that's more decoupled is “the |
|
I 100% agree, we shouldn't do this. The config.json is explicitly not portable between hosts and we should add language to the runtime-spec to say that these configs are designed not to be transported or largely even moved between hosts. |
|
closing xref #479 |
|
On Wed, Nov 30, 2016 at 02:47:49PM -0800, Brandon Philips wrote:
The config.json is explicitly not portable between hosts…
Portable is a fuzzy line which depends on the distribution context.
If I'm only distributing within my cluster a large fraction of the
runtime config will be portable. But if I'm distributing to generic
hosts via a public registry a much smaller fraction will be portable.
This fuzziness is why we rolled back the portable/specific split in
opencontainers/runtime-spec#284. I think the same fuzziness will be a
problem with any translation from an image config to a runtime config,
and think that this PR is a sane way to empower users to make their
own portability calls (via post-unpack sanitization).
However, a well-defined mapping between image configs and runtime
configs (following the initial work in #454 and #479) will cover
whatever portions of the runtime config that the image-spec
maintainers feel are sufficiently portable to distribute. And folks
can always use ~~annotations~~ Labels to distribute everything else.
I just think that's more hoop-jumping than it's worth.
|
3 participants
We probably need to keep
application/vnd.oci.image.config.v1+jsonuntouched, since #145 and other maintainer activity suggest a goal of bit-for-bit compatibility with the current Docker schemas (excepting media types). However, requiring Docker support doesn't mean we can't also require support for configuration formats that are easier for image authors to use.Of course, with the (greatly) increased flexibility comes a lot more risk. Image consumers in general, and runtime-spec-based-image consumers in particular, should use a sanitization tool like the one I've floated in opencontainers/runtime-tools#219.
The runtime-spec config also lacks support for diffIDs, but local image tooling is still welcome to record the digests of uncompressed layers and use that for local optimizations. You have to fetch the compressed layer at least once to perform the uncompression, but you'd have to do that to verify the old diffID anyway.
This PR requires opencontainers/runtime-spec#611 for typing the runtime-spec config.