-
Notifications
You must be signed in to change notification settings - Fork 669
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Convert a serialization config JSON to a OCI runtime configuration. #87
Comments
On Tue, May 24, 2016 at 06:44:43PM -0700, Sergiusz Urbaniak wrote:
I don't think this is possible. For example, the image-spec schema Stepping back, I see no reason for the image-spec repo to care about If the “we don't care what's inside the directory” approach from my
|
@wking exposed ports is useful metadata from the image. I think it needs to exist to retain useful UX from builder to runner. I am really really unclear on what you want to see here. Furthermore, retaining the UX of container runtimes is a desirable part of the spec and explicitly called out in the README and image format spec project proposal:
|
On Wed, May 25, 2016 at 08:22:16AM -0700, Brandon Philips wrote:
Then I think you want to file a PR against runtime-spec (or a
As I understand it, #82 handles unpacking a local directory from layer Teaching image-spec about what's inside the distributed directory |
@wking the runtime can IGNORE this information and it can be used by a higher level system. I will file an issue about how to convert it but I don't think dropping it makes sense. |
@wking I disagree with your suggestion of the split. The image format needs a way of expressing runtime defaults that aren't host specific which the runtime spec has not tackled and made difficult by recombining everything into a single config.json. |
On Wed, May 25, 2016 at 09:11:49AM -0700, Brandon Philips wrote:
And I'm fine with that, although I think we want to be careful about
I think that such a narrowly-scoped image-spec would be easier to
With the narrowly-scoped image-spec, you can add as many localization On Wed, May 25, 2016 at 09:13:45AM -0700, Brandon Philips wrote:
The orchestration layer needs to do that sort of thing, but I don't |
Fixes opencontainers#99, opencontainers#87 Signed-off-by: Sergiusz Urbaniak <sur@coreos.com>
Fixes opencontainers#99, opencontainers#87 Signed-off-by: Sergiusz Urbaniak <sur@coreos.com>
Fixes opencontainers#99, opencontainers#87 Signed-off-by: Sergiusz Urbaniak <sur@coreos.com>
Fixes opencontainers#99, opencontainers#87 Signed-off-by: Sergiusz Urbaniak <sur@coreos.com>
Fixes opencontainers#99, opencontainers#87 Signed-off-by: Sergiusz Urbaniak <sur@coreos.com>
I think what we should do is just have an annotation on the runtime spec config that lists the exposed ports. Something like:
Then that can be consumed by whatever tool is setting up the networking. |
On Mon, Jun 06, 2016 at 10:50:41PM -0700, Brandon Philips wrote:
This approach doesn't work as well for more complex values like the |
To what end do we add stuff to the runtime config.json though? We could simply say that the original manifest sits inside the bundle instead. The reason this annotation is needed in the container runtime is because presumably an OCI network plugin would need to read this to setup forwarding firewalls or something. cc @opencontainers/runtime-spec-maintainers to discuss. @mrunalp lets put this on the agenda tomorrow on how these things interoperate. |
On Tue, Jun 07, 2016 at 04:40:25PM -0700, Brandon Philips wrote:
“copy the full serialization config to separate file” was one of my
And they can access that information in the bundle directory without |
@wking fair point. I think the runtime spec maintainers should chime in on this point of external files vs serialized metadata into the config.json. |
On Tue, Jun 07, 2016 at 04:50:56PM -0700, Brandon Philips wrote:
I've filed opencontainers/runtime-spec#492 to see if they have any |
On Wed, May 25, 2016 at 01:21:39PM -0700, W. Trevor King wrote 1:
Trying another angle at this… If the mapping from RunConfig 2 to runtime-spec's config.json 3 is
The only possible benefit I see to funneling through RunConfig is that |
@wking the main reason for keeping the config format as-is: 7.g "The first version of the OCI Specification should strive to be backwards compatible with the initial container image format..." We might add a new media-type to the image spec to allow folks to provide a runtime spec directly but in its current form this spec only requires users to change the media-types in the manifest with a |
On Tue, Jun 14, 2016 at 10:17:46AM -0700, Brandon Philips wrote:
I'm not clear on spec entries for backwards compat vs. tooling support |
@wking There is a cost to throwing out backwards compatibility at the format level: large numbers of objects in a registry CAS need to be re-interpreted. Because only the manifest and manifest list change with the |
On Wed, Jun 15, 2016 at 07:59:45AM -0700, Brandon Philips wrote:
That's only true if you want the registry to translate versions on the |
The validation/unpacking code doesn't really care what the reference and CAS implemenations are. And the new generic interfaces in image/refs and image/cas will scale better as we add new backends than the walker interface. The old tar/directory distinction between image and imageLayout is gone. The new CAS/refs engines don't support directory backends yet (I plan on adding them once the engine framework lands), but the new framework will handle tar/directory/... detection inside layout.NewEngine (and possibly inside a new (cas|refs).NewEngine when we grow engine types that aren't based on image-layout). I'd prefer casLayout and refsLayout for the imported packages, but Stephen doesn't want camelCase for package names [1]. [1]: #159 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
This issue was moved to opencontainers/image-tools#25 |
On Tue, Sep 20, 2016 at 07:49:16PM -0700, Brandon Philips wrote:
I think we want to re-open this as: Can we drop the ‘config’ property from That's a spec decision, not a tooling decision. And I still see a |
Based on image-spec, which currently exposes [1]: * User (user and group by ID or name) Represented in runtime-spec by process.user.*, although I'm clearing additionalGids for now because the old formats gave no way to represent that. * Memory (limit) Represented in runtime-spec by linux.resources.memory.limit and solaris.cappedMemory.physical. * MemorySwap (memory + swap limit) Represented in runtime-spec by linux.resources.memory.swap and solaris.cappedMemory.physical + solaris.cappedMemory.swap. * CpuShares (relative weight vs. other containers) Represented in runtime-spec by linux.resources.cpu.shares. Solaris has an ncpus property, but no shares analog. * ExposedPorts (a set of port/protocol entries) This is not covered by runtime-spec, but image-spec was planning on stuffing it into annotations [2]. * Env (array of environment variables) Represented in runtime-spec by process.env. * Entrypoint (array of positional arguments) Represented in runtime-spec by process.cmd. * Cmd (array of positional arguments) Represented in runtime-spec by process.cmd. * Volumes (set of directories which should have data volumes mounted on them) Represented in runtime-spec by mounts, although Volumes doesn't include source locations. * WorkingDir (initial working directory of container process) Represented in runtime-spec by process.cwd. Entrypoint and Cmd are slightly different and have a few different forms each [3,4]. Both are represented in the runtime-spec config by process.args. This commit sets all other config settings to their default values, and it clears mounts[].source to mimic the Volumes information. image-spec currently sets up source-less bind-mounts when translating Volumes [5]. With the sanitization command, *any* runtime configuration can be sanitized to be just as safe and limited as the current image-spec config. [1]: https://github.com/opencontainers/image-spec/blob/v0.5.0/serialization.md#container-runconfig-field-descriptions [2]: opencontainers/image-spec#87 (comment) Subject: Convert a serialization config JSON to a OCI runtime configuration. [3]: https://docs.docker.com/engine/reference/builder/#entrypoint [4]: https://docs.docker.com/engine/reference/builder/#cmd [5]: https://github.com/opencontainers/image-spec/blob/v0.5.0/image/config.go#L127-L136 Signed-off-by: W. Trevor King <wking@tremily.us>
Re-opening this as the topic is still coming up in various contexts and it's nagging at me. Even if we don't define a process here, we should have some nod towards what users should do (e.g. given an image-spec compatible image how do I even start to think about ending up with a runtime-spec compatible bundle?) |
For reference, I've implemented this in |
#454 has a very small step in this direction, although to get something reliable / certifiable you'd probably need to specify how more runtime-config field are populated. #451 avoids translation entirely, letting the image-spec tooling treat the config as an opaque blob. |
This is effectively done with #492. Though there's still some in-flight PRs that clean up some of the language. |
As per #82 (comment): Currently, the
oci-image-tool
supports a simple unpacking mechanism to inspect deflated images and validation.More concretely the config/image JSON https://github.com/opencontainers/image-spec/blob/master/serialization.md#image-json-description has to be converted to a https://github.com/opencontainers/runtime-spec/blob/master/config.md#container-configuration-file.
The text was updated successfully, but these errors were encountered: