-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make checkpoint image compatible with OCI spec #8661
Comments
cc: @sudo-bmitch, @cpuguy83, @dmcgowan |
Change SGTM |
My preference would be to define a custom config media type since you're able to define the other media types. The content of the config can initially match the empty descriptor that OCI is defining ( {
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.containerd.container.checkpoint.v1+json",
"digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
"size": 2
},
"layers": [
{
"mediaType": "application/vnd.containerd.container.checkpoint.runtime.options+proto",
"digest": "sha256:d8183a03f8f3429623e6aa55d13c70d1bfc282fe5c3d6562180fdc55c7614589",
"size": 28
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:5d2658d1a60d482d801448be4273f36eb100f9200b7d853fd7a7ef9b3b7d849e",
"size": 562159
},
{
"mediaType": "application/vnd.containerd.container.criu.checkpoint.criu.tar",
"digest": "sha256:5536b71f469c59440af8cc9456b8d4d212c37215c04639691c5eca5a552b6ae4",
"size": 187392
},
{
"mediaType": "application/vnd.containerd.container.checkpoint.config.v1+proto",
"digest": "sha256:f95684011fe7045e7d9d0751398123f98f845b8e43abb1e9213941dd3797d710",
"size": 13869
},
{
"mediaType": "application/vnd.containerd.container.checkpoint.options.v1+proto",
"digest": "sha256:7d3151453569712d136c98a8cce017f677b6a39c5114c6f570c0ea2f5a4bce68",
"size": 42
}
],
"annotations": {
"io.containerd.checkpoint.content.group": "checkpoint",
"io.containerd.checkpoint.image.version": "1"
}
} For the image index, make sure to define a mediaType {
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
// base image manifest/index
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"digest": "sha256:1e5b537724aa619a2e4957bf112e553a2a8c7df809a40dc5c3a386edd7140d48",
"size": 320,
"annotations": {
"io.containerd.image.name": "docker.io/library/busybox:latest",
"org.opencontainers.image.ref.name": "latest",
"io.containerd.checkpoint.content.group": "base"
}
},
{
// pull up amd64 descriptor from above manifest for fallback
"digest": "sha256:5cd3db04b8be5773388576a83177aff4f40a03457a63855f4b9cbe30542b9a43",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"platform": {
"architecture": "amd64",
"os": "linux"
},
"size": 528,
"annotations": {
// adjust annotations as needed
"io.containerd.image.name": "docker.io/library/busybox:latest",
"org.opencontainers.image.ref.name": "latest",
"io.containerd.checkpoint.content.group": "base"
}
},
{
// checkpoint image manifest
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:dc744ab1e0bb95b448c1c9881a72d521b626290606995a7bea5902a07457bb3f",
"size": 1246,
"platform": {
"architecture": "amd64",
"os": "linux"
},
"annotations": {
"io.containerd.checkpoint.content.group": "checkpoint"
}
}
],
"annotations": {
"io.containerd.checkpoint.runtime": "io.containerd.runc.v2",
"io.containerd.checkpoint.snapshotter": "overlayfs",
"org.opencontainers.image.ref.name": "docker.io/library/busybox:latest",
"io.containerd.checkpoint.image.version": "1"
}
} |
Thanks for the feedback.
This makes sense to me.
Makes sense +1.
Would this cause problem since it's a duplicate manifest? Or maybe another option is to just expand the base image index and include the manifest directly? |
We added this to the spec a while back and I believe it matches what implementations already do:
The idea being that your runtime knows to look for the checkpoint descriptor so it will keep searching past the first platform match until it sees the expected annotations. But older runtimes and other tooling would match on the container image. This is only useful if the checkpoint index would ever be passed to something other than a checkpoint runtime. If that's not a possible use case, then skip that suggestion and keep it simple. |
To clarify, do you suggest pull up the base image manifest to the index, and get rid of the base image index? If that's case then we are on the same page. It's something like:
I think in most (not sure if all) cases this would only be passed to a checkpoint runtime. We can keep it as an optimization that's nice to have, and we can always add it if it turns out to be necessary. |
I left the base index in there too, to handle the cases where things are pinned to that digest. |
This means runtime will get duplicate entries as it walk through all entries recursively. I'm not sure if that would cause issues in some runtimes, so I'll leave it open and see if anyone else has a feedback on it. |
Also, one other question is on the
Do we need to use the |
Here's an image to test, and see if you run busybox or alpine:
The reason we added My fear in seeing how it's used is that people see a new feature and assume they must use every new feature available, turning on all the switches just because they exist, rather than because of a need. The result is an artifact that may be less portable (e.g. ECR will block a manifest with fields they don't recognize, and |
Thanks @sudo-bmitch. I looked at
Regarding
I included it originally because I was trying to use the empty config. Now that I use a custom type for the config, I assume the |
Nested would have been a better tag than recursive. It's an index inside of an index, one image is busybox, the other is alpine. This is so that you can see if the runtime sees a conflict trying to run both, picks the one in the nested index, or never even queries the nested index when it is parsing the top level index.
Yes. |
Yeah I tried with containerd and it seems to start busybox from what I can tell. I think a recursive index would probably also work. Still I think this could be an enhancement we can use in case we actually need it in the future. For now, I'm inclined to just keep things simple by just having the base image index inside the checkpoint image index. Let me know if that makes sense. |
The new approach looks much cleaner. Related to what @cpuguy83 said about referrers, I think it might be interesting to link the checkpoint manifest to the base image via the new |
Makes sense. I've added the |
@tianouya-db seem everyone is happy with your proposal, are you going to make a PR for this? |
What is the problem you're trying to solve
Today the checkpoint image generated by containerd (using
ctr container checkpoint
orctr task checkpoint
) has a special format which does not conform to OCI spec. As a result, the image is rejected by container registries (e.g. Harbor, dockerhub).Specifically, the image index generated with
ctr container checkpoint --image --rw --task
is like this:It violates OCI spec on the requirement that each object in the
manifests
array must be a descriptor of a manifest or another index.Describe the solution you'd like
We propose a new format for the checkpoint image generated by containerd. The new format conforms better to OCI spec, so that it can be accepted by the container registries.
Image index
The first entry in
manifests
is the base image manifest or index, and the second entry is the manifest for the checkpoint content. We also propose these two annotations:base
orcheckpoint
1
. Versioning on the checkpoint images generated by containerd, to maintain backward compatibility.Checkpoint manifest
The manifest is packaged as an OCI artifact, with these fields to call out:
artifactType:application/vnd.containerd.container.checkpoint.tar
- the field is required for an OCI artifact, and the value is one we propose for containerd checkpointapplication/vnd.containerd.container.checkpoint.v1+json
that we propose for containerd, and we can use an empty payload to start withcheckpoint
1
Changes required
The following functions will need to be updated:
Additional context
The text was updated successfully, but these errors were encountered: