-
Notifications
You must be signed in to change notification settings - Fork 663
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCI Image Deprecation: vendor support #903
base: main
Are you sure you want to change the base?
OCI Image Deprecation: vendor support #903
Conversation
Hi Valentin, I'm not a maintainer just FYI, but have some opinions here I thought worth sharing. It's a great problem area and I agree that outdated software is a problem in most environments, and welcome proposals to make it easier to manage. However, I'd be worried about anything attempting to rely on immutably set future dates as a measure of supportability for an image. You can have some faith that an organisation like Canonical could maintain support as promised, but I would find it hard to trust these dates regardless of the vendor. I feel like the only thing they could tell you is when you're unlikely to be able to receive support (the date has passed) although even then, as you say, support periods can be extended. I would be hesitant to rely on them to tell me my image was supported. Secondly, what does it mean that an image is supported? Does it mean security fix updates will be provided? Does it mean bugs will be fixed? What kind of bugs? Do you have to pay for support? There are a lot of unanswered questions. I'd also like to propose an alternative - a model along the lines of Certificate Revocation Lists. If an image were to include a link to a CRL style API that lists the digests of outdated images (although that would need to be defined more precisely) then images could be checked by scanning tools, registries, or other clients, especially as the lists could be decentralised to avoid tracking (which as you mention is generally frowned upon!) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Most of my suggestions are to align this with the verbosity of the other annotations. I've added this to this week's OCI discussion, feel free to join in. Note, I'm not a maintainer here, so I defer to them for any decisions on this.
The DCO check is also throwing this error:
Not sure if it's picking up the "noreply" email from your local Git environment, or your GitHub account. |
Hi @ValentinViennot, This basically makes it interesting when you can add the annotation, and how would users consume it. {
"mediaType": "application/vnd.oras.artifact.manifest.v1+json",
"artifactType": "org.cncf.oras.manifest.annotations",
"blobs": [],
"subjectManifest": {
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333",
"size": 16724
},
"annotations": {
"io.cncf.oras.artifact.support.end-of-life": "<date>",
"io.cncf.oras.artifact.redirect-to": "registry.example.com/product:v3"
}
} It would be interesting to hear more about your thoughts on the timing issues for additional annotations. |
was just coming to comment, and saw that Lasker said similar. Making these annotations as first-class keys, I do not think this workflow will ultimately provide the flexibility desired. If there were an extension on support, it could not be modified without changing the image digest. If there were a change in the URL, it would change the image digest. Instead, working with our Referrers WorkingGroup, such that this kind of support information could be attached to an image digest, then future updates to this information would not change the image digest itself. |
Signed-off-by: Valentin Viennot <valentin@viennot.me>
182ec00
to
6b64041
Compare
Aligning with the verbosity of other annotations as per @sudo-bmitch's feedback - Date formats aligned on rfc3339 - Less verbosity - Less strict Signed-off-by: Valentin Viennot <valentin@viennot.me>
Thanks for the prompt replies, and apologies for the long lag!
@Jamstah, I'm glad you suggest this option as this is the WIP proposal I mentioned in Future work! A significant advantage I also see there is the ability to depreciate at the image level (instead of product level). However, the work involved seems big enough that I considered product-level depreciation valuable enough on its own to split proposals and start with the easier one. |
Thanks @sudo-bmitch for the suggestions. All addressed! (and indeed, my local config wasn't right) |
@SteveLasker @vbatts, I did not know about the Referrers WorkingGroup! Sounds exciting and much more relevant for this scenario indeed. I will have a look there. (edit: from what I understand, the ORAS artefact spec would even enable to dynamically append to an image "this image is now deprecated, go look there instead".) |
The reference type working group makes a lot of sense for a way to update these annotations on existing images without modifying the image. The ORAS artifact spec is one of the options we are considering, but even if accepted, it would be quite some time before registries are updated to support the new artifact media type and APIs. More importantly, once we have reference types sorted, I believe we would still want to define these annotations. The question may be more about how runtimes and build tooling should check for these annotations. Do we want to support annotations on any of the index, image, and any associated reference types? If they are only set on an index, they may be missed if running an image by the image digest. Requiring a check of artifacts before building or running any image could result in a lot of overhead in certain situations (depending on our implementation, there could be lots of other references to the same image that need to be filtered through on the client side, pulling each one). I've also been working on tooling that makes setting annotations on an existing image a lot easier ( @vbatts what are your thoughts on approving this now to get the annotations defined for some use cases today, since we'd still want these same annotations to use it via reference types later? |
@sudo-bmitch, Yes, that's one of the issues I have in mind. The idea was to first go with a quick and easy proposal, even if it only covers specific product-level support situations. Later, to explore something more like CRLs. An incremental approach in which reference types can base on this initial work to solve the dynamic depreciation is appealing!
I like the idea! I'm trying to think about how we could encourage this behaviour. The argument is also that, from looking at an OCI image's manifest, you could tell which one has vendor support and for how long. In the proposal, "End of life" is meant to be shorter and could be what you propose, and "End of support" is specified only when long-term enterprise support is available. |
@SteveLasker, some thoughts on your questions:
I agree that this proposal covers only a limited subset of "End of life" scenarios, particularly the long-term supported products with an organisation behind them. It doesn't solve the generic depreciation problem (which we might solve with something in the spirit of Certificates Revocation Lists or reference types). Your question made me realise that I forgot to specify in the initial PR that the all
Now that I clarified my PR's missing part, this part should also make more sense. The idea is first to help end-users avoid using outdated content and make the best decision from the start (as in, picking images with support timelines compatible with their project). But the information – in this proposal – is really to cover product-level support for long-term vendor-supported products.
The problem with OCI resource depreciation is more extensive, and the reference types seem like a cleaner approach to solve it. |
I tend to agree that "support shouldn't be shortened", unless an exploit makes the product unsupportable. There are likely other cases, such as acquisition or the company ceases to exist.
I'd actually suggest this is a leftover of x509 and CRL hitting their limits. Requiring a client to continually check back, with continued extensions sets expectations that unless there's an extension, there's an expiration. This suggests that all products would set some short life to ___, whether it's an EOL or another valid state. This will require more entries to continue to extend, more clients to continue to check for that extension. Not all products will know this, but many will try and add this information as it's "part of the automation". I'd suggest this will be too much info and too much chatter.
I continue to hear this, which I struggle with. k8s is far more complex as millions of instances exist across clouds and on-prem instances. k8s continues to make major changes. ipv6 as an example. Yes, it does take time, but there's a start date, and folks engage on moving things forward. I'm hopeful to see the output of the working group evolve the standards. There are far fewer registry instances than k8s. Isn't this really an example of: Standard evolve through incubation, and execution, with parallel standards efforts. The annotation idea came from early implementations that solve these problems as well as the filtering and sorting on the reference types. |
I like proposal but
state nameswe use these lifecycle states based on Microsoft Lifecycle Policy: extra statesmight make sense to add 2 additional states Proposed additionsorg.opencontainers.image.support.state - the lifecycle/support state example
noteFROM should mask org.opencontainers.image.support.* tools should warn if image includes org.opencontainers.image.support.ref that doesn't match the image ref. |
A lot of this is confusing to me since the annotation is on the manifest, and the manifest will have a digest. So if someone pulls by digest or one of multiple tags to the same digest, this implies the behavior should be different for each. It also has a lot in common with the Docker schema v1 images that tightly integrated the tag into the manifest, which made copying images to other registries or retagging an image would create a new manifest. |
While I think the topic is important, I am not sure a image annotation cuts it. There is this „image is supported“ notion, where supported means vendor will give you updated(!) new images. So by definition, no matter o a image is eol or not, you will need to install a new one. so maybe this should more focus on „we invent to roll a new version no later than“? And also make eos dates for stable tags. btw, which reference specs it is no problem to attach „revocation“ or „update notice“ to existing images, that looks like a better road to travel? Especially as it can also be used by other entities (like „this image is in the company registry for reproduceabilty reasons but the governance department says „do not use use or new product builds“. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With a rebase the shorter link syntax will work. The reference types working group has been merged, but I don't think that affects this too much. EOS/EOL data could be attached as an annotation only referrer, but I'd lean towards pushing a short lived manifest and periodically extending the date with a new manifest. Either way that would involve defining the annotations so I'm comfortable approving with the minor change.
@@ -27,6 +27,12 @@ This specification defines the following annotation keys, intended for but not l | |||
* version MAY be [Semantic versioning-compatible](http://semver.org/) | |||
* **org.opencontainers.image.revision** Source control revision identifier for the packaged software. | |||
* **org.opencontainers.image.vendor** Name of the distributing entity, organization or individual. | |||
* **org.opencontainers.image.support.end-of-life** Date and time when the image stops receiving new features and bug fixes (security updates may continue). (Date-time as defined by [RFC 3339](https://tools.ietf.org/html/rfc3339#section-5.6).) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* **org.opencontainers.image.support.end-of-life** Date and time when the image stops receiving new features and bug fixes (security updates may continue). (Date-time as defined by [RFC 3339](https://tools.ietf.org/html/rfc3339#section-5.6).) | |
* **org.opencontainers.image.support.end-of-life** Date and time when the image stops receiving new features and bug fixes (security updates may continue). (Date-time as defined by [RFC 3339][rfc3339].) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question about this one:
Date and time when the image stops receiving new features and bug fixes
Considering that images are immutable, this is a little confusing. Wouldn't this be a completely new image anyway? Also, doesn't EOL mean also no security patches?
@@ -27,6 +27,12 @@ This specification defines the following annotation keys, intended for but not l | |||
* version MAY be [Semantic versioning-compatible](http://semver.org/) | |||
* **org.opencontainers.image.revision** Source control revision identifier for the packaged software. | |||
* **org.opencontainers.image.vendor** Name of the distributing entity, organization or individual. | |||
* **org.opencontainers.image.support.end-of-life** Date and time when the image stops receiving new features and bug fixes (security updates may continue). (Date-time as defined by [RFC 3339](https://tools.ietf.org/html/rfc3339#section-5.6).) | |||
* `image.vendor` and `image.support.info` SHOULD also be defined | |||
* **org.opencontainers.image.support.end-of-support** Date and time when the image stops receiving support, including new features, bug fixes, and security updates. (Date-time as defined by [RFC 3339](https://tools.ietf.org/html/rfc3339#section-5.6).) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* **org.opencontainers.image.support.end-of-support** Date and time when the image stops receiving support, including new features, bug fixes, and security updates. (Date-time as defined by [RFC 3339](https://tools.ietf.org/html/rfc3339#section-5.6).) | |
* **org.opencontainers.image.support.end-of-support** Date and time when the image stops receiving support, including new features, bug fixes, and security updates. (Date-time as defined by [RFC 3339][rfc3339].) |
Re-reading this thread again after @SteveLasker sent it to me back in April, a few things that are not clear (at least to me) on the purpose of those annotations and how they should be used. Here is a real scenario: As @adrosa mentioned above, there are ~70 images that have the Let's assume that those are annotations on the Bionic product. This is LTS with 5 years of support (right?), which means that every image will have annotation for EOS 2023-04-something (correct?). This means that I should feel OK to use On the other hand, annotating each image like Having a standardized way to set those annotations across registries (using the Referrers) and synching it across registries would be great because it can open a lot of opportunities for automation, policy enforcement, etc. Thoughts? |
The annotations are set on individual manifests, and you'll want to include each platform specific manifest in a multi-platform image. Pushing an artifact with On the plus side with an annotation only artifact using For the less complex use cases, I don't see a need to hold back defining these annotations while solutions for the complex use cases are found. |
@sudo-bmitch Is there another thread that discusses all those use cases and how they can be handled? For example, this one:
I had a discussion with @SteveLasker about not deleting the old one but just pushing the most recent one. Though, then the question is how the consumer of that information queries the registry for the most recent one. |
"The most recent one" assumes that only a single source can define an annotation only artifact. What if there are multiple sources? How would you merge them if multiple sources define the same annotation? How would you specify to delete an annotation? I worry there are too many unknowns trying to make a generic solution that extends the artifact list on a manifest. The best I can suggest is making a new artifact type, that happens to define everything in annotations, and define the policies for that type of artifact separate from the manifest and it's annotations. I don't think new artifact types something OCI is ready to define (that's left up to the community). But if we did, that would probably need a new working group. |
Yes, with the reference types working group merged, I agree with the approach of:
|
This solution would be the easiest, indeed. (However, as you said, it does not answer the question, "until when is the product supported?") |
@ValentinViennot and I started looking at the different scenarios for using this type of metadata. It is going beyond retiring images. Would be happy to collaborate with more folks on this. |
Just for the sake of being explicit, I have concerns about the specific annotations being proposed (essentially echoing @vbatts early in the thread; #903 (comment)); given the immutable nature of images, I'd unfortunately be a NACK on this one. 🙇 (Some of the discussion here about "what's the 'latest' |
The thing is that in reality one needs to keep making new container images for a stable tag to e.g. pull in glibc security fixes. So given that, any "support extension" changes could easily be done as part of just...updating the image for security or other bugfixes. Could someone running a "distroless" image with a statically linked app binary inside get away with not updating it for months or even years? Maybe...but I'm pretty skeptical. A lot of this discussion IMO got way too bike-sheddy and I'll xref #1152 (comment) here - systemd already "standardized" SUPPORT_END which from my PoV is simple and adequate as a starting point. |
Summary
This proposal discusses a solution to improve the deprecation of vendor-supported products distributed as OCI images. The effectiveness of the proposed solution depends on OCI tooling and registries implementing derived features.
We intend to introduce new OCI annotations to add the “End of Support” and “End of Life” dates information to the OCI image metadata. This would allow vendors to provide a standardised product-level support timeline information that can then be used by registries, marketplaces, and image tooling.
Background
Container images are immutable and are often distributed in a decentralised manner. As a consequence, deprecating outdated versions and controlling their distribution is a difficult and yet-to-be-resolved issue [1].
Vendor-supported software usually follows the following lifecycle: start of development, general availability, end of life, end of support.
Let’s say “Ubuntu 16.04” (docker.io/library/ubuntu:16.04) reaches end of life, there is no way of warning downstream users that they should consider moving away from this container image.
We identified three solution areas:
Additionally, we split into two types of deprecation:
Motivation
There’s currently no good story to OCI images deprecation, including on popular public registries such as Docker Hub [1].
From a vendor point of view, this can lead to bad reputation with use of outdated images and difficulty to track versions in use. However, purely retiring an image by removing old tags would potentially break downstream users and could lead to ever worse scenarios.
From an end-user perspective, it’s a risk and a potential liability to keep using unsupported or abandoned versions of OCI images without being aware of it.
We believe that a solution could be implemented at the OCI specification level leading to subsequent implementations in OCI-compliant solutions such as registries and image tooling. In short, we need a plan for what happens to the dead images.
Proposal
Support annotations
We propose to extend the
org.opencontainers.image
annotations with information regarding the support and deprecation timelines. It is expected that the maintenance and support are provided by the entity identified inorg.opencontainers.image.vendor
.org.opencontainers.image.support.end-of-life
Date after which the software won’t receive new features/updates from the publisher. Users should stop using this OCI image and move to a newer version. Publishers may or may not continue to ship security updates. On this day, the OCI image is deprecated.
org.opencontainers.image.vendor
MUST provide contact information to the entity responsible for supportorg.opencontainers.image.support.info
SHOULD provide necessary information for the end user to access the support servicesorg.opencontainers.image.support.end-of-support
Date after which the software won’t receive service, support, or security updates from the publisher. Users must stop using this OCI image. On this day, the OCI image is considered outdated, dangerous to use, and might become unavailable.
support.end-of-life
is also specifiedorg.opencontainers.image.support.info
URL or text to provide more information about vendor support and upgrade options.
Limitations
org.opencontainers.image.vendor
Future Work
Dynamic deprecation for unpredictable product support and for “build on build” image deprecation (i.e. when a new build is released, to deprecate the previously tagged and now replaced content) (— I have a proposal in progress, but any suggestions are welcome!)
References
[1] docker/hub-feedback#907
[2] https://www.iso.org/iso-8601-date-and-time-format.html
Signed-off-by: Valentin Viennot valentin.viennot@canonical.com