You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: image.md
+39-25Lines changed: 39 additions & 25 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,66 +9,77 @@ Images are meant to be portable such that they can be used to reliably move file
9
9
A compliant image contains the following pieces of information:
10
10
11
11
1. An OCI [`config.json`](config.md) file.
12
-
This file is REQUIRED to be present in the image, unless this image is a dependent image, in which case it is OPTIONAL.
12
+
This file is REQUIRED to be present in the image.
13
13
The `config.json` file contains the host independent configuration information necessary to execute the container.
14
14
See [`config.json`](config.md) for more information.
15
15
16
-
1. The root filesystem of the filesystem bundle.
17
-
This directory MUST be present in the image, however it MAY be empty (not contain any files or folders).
18
-
As specified in the `config.json` file, this directory contains the files that make up the root filesystem of the container.
19
-
This directory MAY contain only a portion of the complete set of files that make up the filesystem bundle, in which case the remaining set of files MUST be found in one of the dependent images.
20
-
21
16
1. References to dependent images.
22
17
If present, this OPTIONAL information MUST be in a file called `required.json`.
23
18
This file MUST be a JSON encoded array of references to images as specified in the [Dependent Images](#dependent-images) section.
24
19
25
20
1. Dependent images.
26
-
An image MAY choose to include dependent images as directories within the image.
27
-
If present, each dependent image MUST be placed in a directory whose name is the same as its ID.
28
-
Within each directory MUST be a complete OCI compliant image definition.
29
-
Note that within each dependent image's directory there MAY be a whiteout.json file.
21
+
An image MAY include dependent images as directories within the image.
22
+
Each dependent image MUST be placed in a directory whose name is the same as its ID (see the [IDs](#ids) section for more details about IDs).
23
+
The contents of each directory MUST adhere to the following:
24
+
* there MAY be a `whiteout.json` file (see [Whiteout List](#whiteout-list)).
25
+
* there MUST be a directory called `rootfs` which contains the root filesystem of that image.
26
+
* there MAY be additional "extension files".
27
+
28
+
The ID MUST be generated over the above contents in the order specified.
30
29
31
30
1. Whiteout list.
32
-
An image MAY choose to include a list of files that are to be considered to be deleted from the root filesystem even though they are included within the image's root filesystem directory.
31
+
An image MAY choose to include a list of files that are to be considered to be deleted from dependent images even though they are included within the dependent image's root filesystem directory.
33
32
It is an implementation detail to decide how this whiteout list is processed but an implementation MUST ensure that any container that is created from this image will behave the same as if those files were not in the root filesystem at all.
34
33
The whiteout list MUST be in a file called `whiteout.json`.
35
34
See the [Whiteout List](#whiteout-list) section for more details.
36
35
36
+
1. The root filesystem of the filesystem bundle.
37
+
This directory MUST be present in the image, however it MAY be empty (not contain any files or folders).
38
+
As specified in the `config.json` file, this directory contains the files that make up the root filesystem of the container.
39
+
This directory MAY contain only a portion of the complete set of files that make up the filesystem bundle, in which case the remaining set of files MUST be found in one of the dependent images.
40
+
41
+
1. ID of the root filesystem.
42
+
This data MUST be a cryptographic hash of the whiteout list file, if present, and the root filesystem directory (including the directory itself), in that order.
43
+
If there are dependent images then this MUST NOT include the dependent image's data.
44
+
This REQUIRED information MUST be in a file called `rootfs.ID`
45
+
See the [IDs](#ids) section for more details.
46
+
37
47
1. Extension files.
38
48
An image MAY choose to include additional files and directories in the image.
39
49
40
50
1. The ID of the image.
51
+
This data MUST be a cryptographic hash of all the data listed above, in the order specified.
52
+
For the purposes of calculating the ID, the order of processing the extension files MUST be in case-sensitive alphabetical order.
41
53
This REQUIRED information MUST be in a file called `ID`.
42
-
See the [Image ID](#image-id) section for more details.
54
+
See the [IDs](#ids) section for more details.
43
55
44
56
## Serialization of an Image
45
57
46
58
An image MUST be a `tar` of the pieces of data that make up an image as specified in the [Image Contents](#image-contents) section.
47
59
The order in which the data is serialized in the `tar` MUST be the same as the order specified in that section.
48
-
The serialization of the "dependent images" MUST be in the same order in which those dependent images are listed in the `requires.json` file.
60
+
The serialization of the "dependent images" directories, if any, MUST be in the same order in which those dependent images are listed in the `requires.json` file.
49
61
The serialization of the "extension files" MUST be in case-sensitive alphabetical order.
62
+
Note that "extension files", irrespective of their names, MUST appear after the `rootfs.ID` file for the image.
50
63
51
64
Each file or directory specified in the [Image Contents](#image-contents) section MUST appear at the root of the `tar` without a leading `/` in their names.
52
65
53
66
For example, a listing of the `tar` of an image might look like this:
@@ -92,11 +103,11 @@ The `requires.json` file MUST be a JSON encoded array matching this format:
92
103
The order of the images, `ID`s, in the array MUST be in the order in which the images are to be "layed down" into the filesystem bundle that is generated from this image.
93
104
In other words, the first image in the array is written to the filesystem first, and subsequent images are overlayed on top - potentially overlaying an ealier image's files.
94
105
95
-
## Image ID
106
+
## IDs
96
107
97
-
An image's `ID` MUST be a cryptographic hash of image's contents in the order specified in the [Image Contents](#image-contents) section.
108
+
An `ID` MUST be a cryptographic hash of the data being protected, in the order specified for that ID.
98
109
99
-
An image's `ID` MUST be a string of the form `<algorithm>-<hash value>`.
110
+
An `ID` MUST be a string of the form `<algorithm>-<hash value>`.
100
111
The `algorithm` part of the string MUST be in lower-case.
101
112
For example, `sha512` not `SHA512`.
102
113
@@ -123,7 +134,10 @@ The contents of this directory MUST appear to be materizlied in such a way as to
123
134
The exact mechanism, process and order, by which those files are materialized on disk is an implementation detail, however in the end it MUST appear as though all of the files from the images were written to disk in the order they were specified in the `requires.json` file.
124
135
This means that each dependent image's `whiteout.json` file MUST appear to be processed during the materialization of that image so that if a subsequent image creates a file by the same name as one mentioned in the `whiteout.json` file then it will not be deleted.
125
136
126
-
The `config.json` file of any dependent images, if present, are ignored by the expansion process.
137
+
If a dependent image is not present in the image, and the implementation is unable to locate the referenced image by its ID, then an error MUST be generated.
138
+
139
+
The image, and dependent images, MUST be verified by calculating the hash/ID of the materialized image on disk and comparing that value with the ID from the image.
140
+
If they do not match then an error MUST be generated.
127
141
128
142
This specification does not mandate any requirements on the processing of the extension files.
129
143
In other words, implementations are not required to materialize them on disk in the filesystem bundle.
0 commit comments