Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add cos package type #270

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add cos package type #270

wants to merge 2 commits into from

Conversation

alowayed
Copy link

@alowayed alowayed commented Nov 10, 2023
edited

The Container-Optimized OS (COS) is a Google provided operating system that is optimized to run containers. "Container-Optimized OS does not include a package manager; as such, you'll be unable to install software packages directly on an instance" source. The pre-installed packages can be found by inspecting etc/cos-package-info.json. These packages are maintained by Google. The repository is not publicly accessible, hence no default repository.

Example of what cos-package-info.json looks like:

{
    "installedPackages": [
        {
            "category": "dev-lang",
            "name": "python-exec",
            "version": "17162.336.16",
            "ebuild_version": "2.0.1-r1"
        },
        ...
    ],
    "buildTimePackages": [
        {
            "category": "app-admin",
            "name": "eselect",
            "version": "17162.336.16",
            "ebuild_version": "1.4.8"
        },
        ...
    ],
}

Packages also depend on the COS version which can be found in etc/os-release similar to other OSes like Debian, Ubuntu, etc. Hence the inclusion of the distro qualifier similar to deb's distro qualifier.

It's unclear if category or ebuild_version should be included in the PURL qualifiers for completeness. And if the PURL should contain info on whether this is an installed or build time package. That doesn't have to be part of the official spec.

@stevespringett stevespringett added the PURL type definition Non-core definitions that describe and standardize PURL types label Feb 3, 2024
@pombredanne
Copy link
Member

@alowayed Thanks... I have many small and pointed questions for you to pounder:

  • Is there any public place where I can see and fetch one of these containers?
  • I see there are ebuild references... is this a Gentoo-based distro of sorts?
  • How and where are packages built?
  • If I get a list of packages from etc/cos-package-info.json how/where can I then fetch the binaries and source code for these packages?
  • How can I know which files are for which packages on a given rootfs/image/layer?
  • What other metadata can I get for these packages? Something like license, origin, download URLs?
  • How can I relate these packages to some other data sources like vulnerabilities? Is there such thing as advisories for these packages?
  • Are you distributing these as container images on some public registry of sorts?

I hope I am not overwhelming you with all these!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
PURL type definition Non-core definitions that describe and standardize PURL types
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@alowayed @pombredanne @stevespringett