FR: loose mode allowing Docker mediaTypes
#724
Comments
Describe alternatives you've considered @thesayyn thanks for taking a deep dive into zot. This particular topic has been debated internally and our current position is that if you want to be in docker ecosystem, the best docker registry is really the "docker distribution" itself.
References: |
rchincha
added
feature
I get that but I don't see how allowing
Using distribution is one option, but that wouldn't work for the use case I have in mind as it is supposed to be used with a container runtime using the official images. Also, provides only Linux binaries which I don't think going to change anytime soon. As far as I can tell zot already supports Line 552 in a702a23 Line 438 in a702a23 @rchincha I'd be willing to work on this if it makes any difference. |
@thesayyn Could you elaborate on this some more? |
Using the distribution requires you to be on Linux as they only publish Linux images and binaries which is not feasible for my use case. I need to run a registry that is platform agnostic and can run on Linux and Darwin and optionally on windows. |
|
@thesayyn maybe fairly simple to just build docker distribution/registry binaries from source for your arch/os. Did you consider that? |
|
Yes. This is not preferable as there is no guarantee that it wouldn’t break with a random commit given the lack of testing for the platforms that I am building. Also, requires me to publish prebuilt binaries with each version. |
|
@rchincha Any thoughts? We'd really benefit from this as a backward compatibility feature in https://github.com/bazel-contrib/rules_oci. As far as you are concerned signing is completely unrelated to what media type is the image using. cosign does not care if you are using docker media types or oci media types |
|
@thesayyn Supporting docker format on-the-wire but converting to OCI layout is probably something we could consider. But this means signatures, etc become invalid. Would this be acceptable for your use case? |
|
@rchincha We discussed this over at google/go-containerregistry#1293. signatures and sboms become more important each day so this implicit conversion might not be a good idea. |
For rules_oci, have you considered https://github.com/project-stacker/stacker? |
Yes.
|
|
@thesayyn for cross-platform build you need the build system itself to run on another platform. Curious about what other platforms you need to be supported? |
darwin/linux/windows. optionally other platforms such as freebsd. |
|
Is there a way to make I get this when trying to push a docker built image to the latest zot: Removing intermediate container 3c7624421517
---> 25c5addfd02d
Warning: One or more build-args [TEXT] were not consumed
Successfully built 25c5addfd02d
Successfully tagged localhost:5000/hello-azure-golang:9b57448bbfc9f22e3[67]
The push refers to repository [localhost:5000/hello-azure-golang]
5f58d1899b3a: Preparing
59ed5b393ba8: Preparing
9fce6bd02a21: Preparing
59ed5b393ba8: Pushed
9fce6bd02a21: Pushed
5f58d1899b3a: Pushed
manifest invalid: manifest invalid
Error: Process completed with exit code 1. |
|
Can As a workaround, can do it in two steps.
https://github.com/containers/skopeo This is the reason we had to write |
|
bumping into this again. I'd like really like to see this supported here. a significant number of images out in the wild still use docker media types today (not v1 but v2) and this mode would allow those images to be stored inside zot. converting them on pulling seems like an option but these days lots of images ship with cosign signatures that are attached to it them via digests. I still don't see a problem allowing images with docker media types to be stored in zot behind a flag that is turned off by default. @rchincha would you reconsider this? |
|
@thesayyn Pls. don't get us wrong, absolutely see why this would be needed. This is likely going to a fully vertical integrated stack (HTTP APIs, layout, interaction with zot-specific extensions) etc - so basically a parallel implementation of "docker distribution"-lite. That said, do you want to consider submitting a PR and let's see how it looks like. |
This confuses me. Tools working with the Docker media types are still pushing/pulling with the OCI distribution-spec. The only difference is the media type of the manifest, which has all the same fields as the OCI manifests (which is why conversion tools are easy to build). I haven't dug into the Zot internals in a while, but I don't believe the API would need to change for this. |
|
This is currently the most commented and 👍 open Issue in this repository. It would be really nice if you reconsider support for allowing Docker mediaTypes. If not, it would be nice that it is documented somewhere that zot doesn't support pushing/storing Docker images. We spent some time automating the installation of zot only to find out that it doesn't support Docker. |
|
As it stands, Zot currently also cannot store in-toto attestations created by Cosign: sigstore/cosign#1397 (comment) It looks like Cosign tries to store the attestations using docker-specific media-types. |
|
After reading this and related issues and PRs, I want to challenge the definition of what it even means to be "vendor neutral". It seems to be the interpretation of Zot that "vendor neutral" means to only support a very specific set of media types. This is "fine" (even though I don't fully agree with this definition for pragmatic reasons discussed here and elsewhere), but I don't think this is the only possible interpretation. I think Zot could also be "vendor neutral" by being "vendor agnostic", as in "Zot doesn't care for the media types of the stored artifacts, except when providing additional features for specific known media types, like signatures". (I really really want to move from Harbor to Zot, but not supporting Cosign attestations and Docker-CE is a total show-stopper). |
|
@ChristianCiach curious why cosign attestations are broken. |
|
@rchincha That's because cosign only implements (guarded behind an experimental flag) OCI support for signatures and sboms, but not for attestations. See sigstore/cosign#1397 (comment) Unfortunately there has been absolutely no progress in cosign about this since it got very experimental OCI support for signatures and sboms earlier this year. |
|
@rchincha Mentioned this in a comment above
Sounds like if we want Zot to support docker media types someone needs to open a PR. Then the maintainers could see how bad or easy it is to support Zot. Maybe it could be put behind a config option (as mentioned above, |
|
A minimum viable candidate would be to get |
|
Looking at this #1385 I don't really understand the big deal around this issue, if that's all that it takes why not do it? Being vendor agnostic/independent doesn't mean blocking specific vendors. |
|
It's not just that. We would need to read the image mediatypes, and populate the data in our internal DB for features such as search and the CVE scanner to work. Also it is not clear to me if the docker client respects the OCI distribution spec, If I remember correctly there were some issues when pushing blobs in multiple chunks. Coding something around the spec specifically to make docker work, means the code would not be not vendor agnostic. |
|
I see, what about some conversion midleware or proxy even, if you want to keep it separate? |
|
This is getting ridiculous. I'm building an image with kaniko, which can produce OCI images, but as the base image (which i'm not going to rebuild) is not an OCI image, so the output is a also Docker image - which i then can't push. Yes, you want to be OCI compliant. But The World™ isn't at that stage yet. You're shooting yourself in the foot, knee and balls by shutting out a large audience that can't just switch to 100% OCI compliance... because that's not how things work in the real world. This is really frustrating, and checking every couple of months to see if you guy show any kind of understanding by now, but still getting the same stubbornness, doesn't help with considering Zot as a viable container registry candidate. |
|
@jangrewe does this workaround not work for you? skopeo copy --format=oci baseimage into zot In fact, point zot to the upstream using sync/mirroring, and this would be seamless (signatures etc notwithstanding of course) Now, use kaniko pointing to the baseimage in zot |
|
https://github.com/aldinokemal/go-oci Hey, I just set up something super simple so you guys can run for example we can do Push process
Result
|
|
IMHO, except for image signatures for originally docker images, there are two very viable workarounds:
|
... but still not solutions to be able use Zot as a drop-in replacement which doesn't require changing dozens of CI images to include either of those tools, and then thousands of CI pipelines to use those new images. So: No, "workarounds" are not an option for us, which means Zot isn't an option. |
Issue project-zot#724 Signed-off-by: Ramkumar Chinchani <[email protected]>
|
#2714 |
GoogleContainerTools/kaniko#1836 A word of caution - it is not Can folks build a |
Issue project-zot#724 Signed-off-by: Ramkumar Chinchani <[email protected]>
Issue project-zot#724 Signed-off-by: Ramkumar Chinchani <[email protected]>
Issue project-zot#724 A new config section under "HTTP" called "Compat" is added which currently takes a list of possible compatible legacy media-types. Only "docker2s2" (Docker Manifest V2 Schema V2) is currently supported. Signed-off-by: Ramkumar Chinchani <[email protected]>
Issue project-zot#724 A new config section under "HTTP" called "Compat" is added which currently takes a list of possible compatible legacy media-types. Only "docker2s2" (Docker Manifest V2 Schema V2) is currently supported. Signed-off-by: Ramkumar Chinchani <[email protected]>
Issue project-zot#724 A new config section under "HTTP" called "Compat" is added which currently takes a list of possible compatible legacy media-types. Only "docker2s2" (Docker Manifest V2 Schema V2) is currently supported. Signed-off-by: Ramkumar Chinchani <[email protected]>
Issue project-zot#724 A new config section under "HTTP" called "Compat" is added which currently takes a list of possible compatible legacy media-types. Only "docker2s2" (Docker Manifest V2 Schema V2) is currently supported. Signed-off-by: Ramkumar Chinchani <[email protected]>
Issue project-zot#724 A new config section under "HTTP" called "Compat" is added which currently takes a list of possible compatible legacy media-types. Only "docker2s2" (Docker Manifest V2 Schema V2) is currently supported. Signed-off-by: Ramkumar Chinchani <[email protected]>
Issue project-zot#724 A new config section under "HTTP" called "Compat" is added which currently takes a list of possible compatible legacy media-types. Only "docker2s2" (Docker Manifest V2 Schema V2) is currently supported. Signed-off-by: Ramkumar Chinchani <[email protected]>
Is your feature request related to a problem? Please describe.
Right now only OCI standard mediaTypes are allowed and anything else gets rejected such as Docker V2 Manifest and ManifestList
Describe the solution you'd like
It would help a lot to have a loose mode where Docker V2 images are allowed to be stored inside the registry.
Describe alternatives you've considered
Converting docker v2 images to be have OCI mediaTypes and Config but that breaks provenance as signatures change due to mediaTypes and Config changes during conversion.
Additional context
I know the whole point of zot is to be vendor-neutral but I believe it would help a lot of people if we allowed this. Also, docker v2 images are mostly used image format in the wild.
PS: I noticed that zot does not enforce what mediaType
config/blobshas as long as their descriptors use OCI standard mediaTypes.Likely to prevent issues such as #622
The text was updated successfully, but these errors were encountered: