Add proposal for image conversion service #167
Conversation
|
@ktock Please see if the proposal makes sense for stargz |
|
|
||
| **Nydus:** Nydus image is a container accelerated image format provided by the Dragonfly image-service project, which offers the ability to pull image data on demand, without waiting for the entire image pull to complete and then start the container. It has been put in production usage and shown vast improvements over the old OCI image format in terms of container launching speed, image space, and network bandwidth efficiency, as well as data integrity. The Nydus image can also serve as an example and reference implementation for the on-going OCI image spec v2 discussion. For more details, please refer to [README](https://github.com/dragonflyoss/image-service). | ||
|
|
||
| **Stargz:** Stargz is a lazily-pullable image format proposed by [stargz snapshotter project](https://github.com/containerd/stargz-snapshotter). Lazy pulling means a container can run without waiting for the pull completion of the image and necessary chunks of the image are fetched on-demand. This format is compatible to OCI/Docker images so this can be pushed to standard container registries (e.g. ghcr.io) as well as this is still runnable even on eStargz-agnostic runtimes including Docker. eStargz format is based on stargz image format by CRFS but comes with additional features like runtime optimization and content verification. For more details, please refer to [README](https://github.com/containerd/stargz-snapshotter). |
There was a problem hiding this comment.
Can we do s/stargz/estargz in this doc? Stargz Snapshotter project maintains eStargz but not stargz.
| ```golang | ||
| type Driver interface { | ||
| // Type returns the name of image format provider, e.g. nydus, stargz. | ||
| Type() string | ||
| // CheckHealth returns a nil error, means that the driver works fine. | ||
| CheckHealth() error | ||
| // Convert the source image to the target image, where Option provides | ||
| // some conversion options. If successful, the conversion result will | ||
| // be returned, otherwise a non-nil error will be returned. | ||
| Convert(ctx context.Context, sourceRef, targetRef string, opt Option) (Result, error) | ||
| } | ||
| ``` |
There was a problem hiding this comment.
According to this interface, pulling the original image and pushing the converted one is Driver's responsibility, right? If so, how are the registry credentials managed? (e.g. how does ICS provide the creds to the Driver)?
There was a problem hiding this comment.
Thanks, neglected this part, how about this change?
There was a problem hiding this comment.
With a webhook-based architecture, IMO ICS needs to fetch registry credential on its own instead of trying to get it from Harbor automatically. So maybe it can get it via k8s secrets etc. But I'm not sure how it works with Harbor user tenants. @steven-zou Do you have any suggestions?
| - Configure ICS to give robot permission and select a image conversion driver, such as Nydus or Stargz, then deploy as a webhook handle service. | ||
| - Create a new http type webhook, set the endpoint url provided by ICS, allows to configure when to trigger image conversion based on event types (such as artifact push) and filter conditions (such as repository name). | ||
|
|
||
|  |
There was a problem hiding this comment.
Could we have the definition of Jov ServiceJob Service mentioned in this figure?
There was a problem hiding this comment.
Great, will do that. To my understanding, the Job Service in harbor is responsible for maintaining job queue and sending out the webhook requests, is that so? @wy65701436 .
imeoer
force-pushed
the
master
branch
3 times, most recently
from
fb9589a
to
da9cb8c
Compare
| // Base64 encoded <username:password> string. | ||
| Auth string |
There was a problem hiding this comment.
I think username and password should have separated fields from each other.
And how is tls-related configuration passed to the Driver?
I think passing the registry-related configuration to Driver will make the interface complex. So how about performing pull/push on ICS-side (not Driver)? Image contents can be shared between ICS and Driver using something like the content store of containerd.
There was a problem hiding this comment.
- Should be ok.
- Does it refer to Internal TLS communication?
- I agree that ICS should do the pull and push operations, not Driver itself. If using content store, will we have dependencies on containerd and snapshotter service? Nydusify (a standalone nydus image conversion tool) currently fetches the tar.gz file of layer directly and unpacks it into a directory to do the conversion. However, nydusify should really consider taking advantage of content store and snapshotter snapshots to eliminate the need to pull and unpack, which the nydus Driver can adapt. Maybe we can design like:
Convert(ctx context.Context, src ocispec.Descriptor, opt Option) (dst *ocispec.Descriptor, error)There was a problem hiding this comment.
Does it refer to Internal TLS communication?
According to the proposal ICS contains configurations related to cert, etc.
# https related config
https:
# https port for harbor, default is 443.
port: 443
# The path of cert and key files.
certificate: /path/to/certificate
private_key: /path/to/private_keySo I was interested in how these information will be shared to Driver.
But now we are discussing about doing pull/push fully inside ICS (not Driver) so we don't need to care about it anymore.
Convert(ctx context.Context, src ocispec.Descriptor, opt Option) (dst *ocispec.Descriptor, error)
LGTM about this interface.
I think snapshotter and content store are separated components and don't depend on each other. So having the content store in ICS is just enough to share image contents with Driver.
There was a problem hiding this comment.
But now we are discussing about doing pull/push fully inside ICS (not Driver) so we don't need to care about it anymore.
Ok, it makes sense.
I think snapshotter and content store are separated components and don't depend on each other. So having the content store in ICS is just enough to share image contents with Driver.
The nydus conversion relies on the unpacked directory tree, so a snapshotter may be needed for nydus conversion in the future, but in any case, I think this interface is feasible for now.
|
Could you elaborate how does end user map the converted image to the original one? I assume the converted image can't be recognized by the scanner, and cannot be signed? How do we ensure the project level policies are enforced to converted images such that vulnerable ones are blocked? IMO, this is more important than inter-op between Harbor and the ICS. |
@reasonerjt We can configure the |
By reference do you mean I think if the relationship can be enforced then yes, using |
|
@reasonerjt Yes, means |
|
There may be race condition when 2 convertors try to modify the same index.json? |
|
@reasonerjt Maybe we can design a workflow to avoid the race condition situation, for example, we can put the conversion job into a FIFO queue by repo level, the previous job will be canceled once has a new job be submitted in the same repo. In addition, an annotation can be added to the converted image to record the digest of original image, which the ICS or user can check to decide whether to push or use the converted image. |
@reasonerjt |
@liubogithub @reasonerjt This also looks good. How to avoid inconsistency between the original and converted image is a good question, and I've added it to the end of the proposal. It'd be a pleasure for us to discuss this in the image acceleration working group. |
Signed-off-by: Yan Song <imeoer@linux.alibaba.com>
Remove the content about the trigger method in Harbor side. Signed-off-by: Yan Song <imeoer@linux.alibaba.com>
Signed-off-by: Yan Song imeoer@linux.alibaba.com