Can I build and push to registry an OCI image which will run in docker?

[jwalters-gpsw]

Dumb question. Can I build and push to registry an OCI image which will run in docker? I would like to build container images that can be run in docker (would prefer rkt, but thats a different story) but I don't want to have to use docker to build the images.

Is that possible? What would be a simple example?

[cgonyeo]

acbuild master has the ability to build OCI images (it hasn't made it into a release yet). Currently it works with one of the older v1.0 release candidates, and needs to be updated to work with the current version of the spec. I'm waiting for v1.0 of OCI to be released before making the changes.

acbuild doesn't support pushing images to a registry itself, perhaps you could import a built image into docker and upload it with that? I have no clue what docker's OCI support looks like.

[lucab]

For reference, I've successfully built an OCI (-rc3) image with acbuild from master and pushed to a docker v2 registry with skopeo. There are however three gotchas:

• OCI 1.0 is not yet finalized so interoperability will definitely break as things progress through release candidates
• acbuild produces an oci.tgz, while skopeo expects a plain directory. Just unzipping and untarring will do it
• there is no push/pull specification for OCI, so pushing to any registry means down-converting to docker v2 images

[mwuertinger]

I am also trying to build an OCI with acbuild and to push it with skopeo:

$ ./acbuild begin --build-mode=oci
$ ./acbuild copy acbuild /acbuild # just add acbuild to the image for demo purposes
$ ./acbuild set-exec /acbuild
$ ./acbuild write myimage.oci
$ mkdir myimage
$ tar xf myimage.oci -C myimage
$ ./skopeo copy oci:myimage docker://mwuertinger/oci-test

However, when I try to pull this with Docker (v1.12.6), I get:

$ docker pull mwuertinger/oci-test
Using default tag: latest
latest: Pulling from mwuertinger/oci-test

d55c176aaf3d: Pull complete 
layers from manifest don't match image configuration

Any help is appreciated. @lucab could you maybe show us more details about how exactly you built and pushed the image?

[lucab]

@mwuertinger I'm sorry but I wasn't pulling from docker, so I can't help much in your case. However your image seems to be there and I was able to pull with rkt and other tools and see the binary in there (which is however missing its dynamic libraries). I think this is skopeo missing some manifest adjustments needed by Docker but I'm no OCI expert, so you may want to report this there.

[mwuertinger]

Thanks, @lucab. Meanwhile I traced it back to https://github.com/moby/moby/blob/master/distribution/pull_v2.go#L629

    if downloadedRootFS != nil {
        // The DiffIDs returned in rootFS MUST match those in the config.
        // Otherwise the image config could be referencing layers that aren't
        // included in the manifest.
        if len(downloadedRootFS.DiffIDs) != len(configRootFS.DiffIDs) {
            return "", "", errRootFSMismatch
        }

        for i := range downloadedRootFS.DiffIDs {
            if downloadedRootFS.DiffIDs[i] != configRootFS.DiffIDs[i] {
                return "", "", errRootFSMismatch
            }
        }
    }

I will try to debug this tomorrow and will report back here if I find something meaningful.

[runcom]

@mwuertinger could you open an issue at https://github.com/projectatomic/skopeo?

[mwuertinger]

I finally got it to work and submitted a pull request for acbuild: https://github.com/containers/build/pull/307 However, I do not know enough about OCI to tell whether this is a bug in Docker or in acbuild. Any input is appreciated.

[mwuertinger]

The PR is merged now, however, there's another problem: acbuild currently produces images in the OCI v1.0.0-rc3 format but skopeo recently upgraded to version rc5 of the spec. This means that you currently cannot use the latest skopeo to push OCIs generated with acbuild. There is already an issue tracking this for acbuild: #292

If you want to use skopeo with acbuild right now, be sure to use version 80b751a225e433afac16b4b681888de31b3e7381 or earlier. I documented the behavior in my integration test: https://github.com/mwuertinger/acbuild-oci-integration-test/commit/1010749475e5a5e936c3bb70336ed2a53746c926

[lucab]

Yeah, -rc5 support for skopeo was merged two days ago. Our strategy at the time of #292 was to just wait for 1.0 final to avoid other breaking surprises (also because neither me nor @dgonyeo have spare cycles to update this right now). @mwuertinger however if you need this earlier and want to spend some time hammering acbuild code I'll be happy to review and merge earlier than that.

[mwuertinger]

Sounds good, @lucab! Do you have any insights on the roadmap for OCI 1.0? If there are no more substantial changes expected I could already start with the modifications (time permitting). Otherwise I agree that it's best to wait.

[lucab]

Ah, that's a question for @runcom and @vbatts :smile: ^^^

My understanding is that there well be still a -rc6 in the meanwhile, hopefully without (too many) breaking changes.

[vbatts]

Like @lucab said. Another RC but nothing breaking expected. Updates to the OCI format here are welcome!

On Fri, May 12, 2017, 05:57 Luca Bruno notifications@github.com wrote:

Ah, that's a question for @runcom https://github.com/runcom and @vbatts https://github.com/vbatts 😄 ^^^

My understanding is that there well be still a -rc6 https://github.com/opencontainers/image-spec/milestone/13 in the meanwhile, hopefully without (too many) breaking changes.

— You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub https://github.com/containers/build/issues/304#issuecomment-301035954, or mute the thread https://github.com/notifications/unsubscribe-auth/AAEF6ZVNvdvG0yS1qA0Qi0pkaNS5sfrAks5r5CztgaJpZM4NMHx_ .