open-component-model / ocm-project

OCM Project Backlog
https://ocm.software/
Apache License 2.0

Proposal: Component Discovery for OCI Registries #128

Open phoban01 opened 1 year ago

phoban01 commented 1 year ago

Problem

Currently it is not possible to list, and therefore discover, OCM components that are stored in an OCI Repository. This is a property of the OCI specification, which does not support listing images stored in a repository.

Proposal

I propose that we introduce the concept of a component-index. The component-index is a repository with a "well-known" name which can be used to describe all components housed in the registry. For example, the component index might be as follows: ghcr.io/open-component-model/component-index.

Within this repository there is a manifest acting as the index, for example: ghcr.io/component-index/v1:index.ocm. This is an OCI image (likely without any layers) that exists purely as a reference point for other images.

When a new component version is pushed to the registry we also push a corresponding artifact to the component-index repository. This artifact should specify the digest of component-index as the subject. The "Subject" field is part of the OCI 1.1 spec and will require updating github.com/opencontainers/image-spec to version v1.1.0-rc2.

Listing components can then be performed by querying the referrers API for the v1:index.ocm:

GET /v2/component-index/referrers/<digest for v1:index.ocm>

This will return an ImageIndex which can be used to display the available components in a particular registry.

Furthermore, if we specify metadata about the particular component as an annotation on the artifact (such as the provider) we could filter the list of components based on particular metadata fields.

OCI Referrers API Context

The OCI Distribution Spec v1.0.1 introduces support for the Referrers API. In tandem with the Artifact Manifest's subject field (part of the OCI Image Spec) it is possible to indicate relationships between OCI artifacts.

For example, the following manifest is an SBOM that references an image:

{
  "mediaType": "application/vnd.oci.artifact.manifest.v1+json",
  "artifactType": "application/vnd.example.sbom.v1",
  "blobs": [
    {
      "mediaType": "application/gzip",
      "size": 123,
      "digest": "sha256:87923725d74f4bfb94c9e86d64170f7521aad8221a5de834851470ca142da630"
    }
  ],
  "subject": {
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "size": 1234,
    "digest": "sha256:cc06a2839488b8bd2a2b99dcdc03d5cfd818eed72ad08ef3cc197aac64c0d0a0"
  },
  "annotations": {
    "org.opencontainers.artifact.created": "2022-01-01T14:42:55Z",
    "org.example.sbom.format": "json"
  }
}

Using the referrers API, which lists all references to the subject, returns an image index containing a list of descriptors:

GET /v2/<name>/referrers/<digest>

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "size": 1234,
      "digest": "sha256:a1a1a1...",
      "artifactType": "application/vnd.example.sbom.v1",
      "annotations": {
        "org.opencontainers.artifact.created": "2022-01-01T14:42:55Z",
        "org.example.sbom.format": "json"
      }
    },
    {
      "mediaType": "application/vnd.oci.artifact.manifest.v1+json",
      "size": 1234,
      "digest": "sha256:a2a2a2...",
      "artifactType": "application/vnd.example.signature.v1",
      "annotations": {
        "org.opencontainers.artifact.created": "2022-01-01T07:21:33Z",
        "org.example.signature.fingerprint": "abcd"
      }
    }
  ]
}
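
The push and list sides of the proposal, as an added example in Go that is not code from this issue or from the OCM project. The component-ref artifact type and the software.ocm.* annotation keys are illustrative names assumed for the example, and the referrers response is constructed, not captured from a registry. NewComponentRef builds the layer-less artifact whose subject is the index manifest; ListComponents parses a referrers response, filters by annotation (the provider case from the proposal), and drops descriptors with a foreign artifactType or a malformed digest:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// Descriptor is the subset of an OCI content descriptor used here.
type Descriptor struct {
	MediaType    string            `json:"mediaType"`
	Size         int64             `json:"size"`
	Digest       string            `json:"digest"`
	ArtifactType string            `json:"artifactType,omitempty"`
	Annotations  map[string]string `json:"annotations,omitempty"`
}

// ArtifactManifest is an OCI 1.1 artifact manifest whose subject links it to another manifest.
type ArtifactManifest struct {
	MediaType    string            `json:"mediaType"`
	ArtifactType string            `json:"artifactType"`
	Subject      *Descriptor       `json:"subject,omitempty"`
	Annotations  map[string]string `json:"annotations,omitempty"`
}

// ImageIndex is the shape returned by GET /v2/<name>/referrers/<digest>.
type ImageIndex struct {
	MediaType string       `json:"mediaType"`
	Manifests []Descriptor `json:"manifests"`
}

// Assumed artifact type and annotation keys chosen for this example; not defined by OCM or OCI.
const (
	componentRefType = "application/vnd.ocm.software.component-ref.v1"
	annoComponent    = "software.ocm.component"
	annoVersion      = "software.ocm.version"
	annoProvider     = "software.ocm.provider"
)
var digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// DigestOf returns the content digest a registry uses to address raw manifest bytes.
func DigestOf(raw []byte) string {
	sum := sha256.Sum256(raw)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// NewComponentRef builds the layer-less referrer artifact pushed with a component version.
func NewComponentRef(indexRaw []byte, name, version, provider string) ArtifactManifest {
	return ArtifactManifest{
		MediaType:    "application/vnd.oci.artifact.manifest.v1+json",
		ArtifactType: componentRefType,
		Subject: &Descriptor{ // the component-index manifest, so the referrers API finds this artifact
			MediaType: "application/vnd.oci.image.manifest.v1+json",
			Size:      int64(len(indexRaw)),
			Digest:    DigestOf(indexRaw),
		},
		Annotations: map[string]string{annoComponent: name, annoVersion: version, annoProvider: provider},
	}
}

// ListComponents parses a referrers response and returns sorted "name:version" entries whose
// annotations match every key/value in filter; foreign artifact types and malformed digests are
// dropped. Annotations are unauthenticated metadata: treat the result as a discovery hint only.
func ListComponents(referrersJSON []byte, filter map[string]string) ([]string, error) {
	var idx ImageIndex
	if err := json.Unmarshal(referrersJSON, &idx); err != nil {
		return nil, err
	}
	if idx.MediaType != "application/vnd.oci.image.index.v1+json" {
		return nil, fmt.Errorf("unexpected referrers media type %q", idx.MediaType)
	}
	out := []string{}
	for _, d := range idx.Manifests {
		if d.ArtifactType != componentRefType || !digestRe.MatchString(d.Digest) {
			continue
		}
		name, version := d.Annotations[annoComponent], d.Annotations[annoVersion]
		keep := name != "" && version != ""
		for k, v := range filter {
			keep = keep && d.Annotations[k] == v
		}
		if keep {
			out = append(out, name+":"+version)
		}
	}
	sort.Strings(out)
	return out, nil
}

// SampleReferrers is a constructed response: two component refs, one signature artifact, one truncated digest.
var SampleReferrers = []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[
{"mediaType":"application/vnd.oci.artifact.manifest.v1+json","size":310,"digest":"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef","artifactType":"application/vnd.ocm.software.component-ref.v1","annotations":{"software.ocm.component":"github.com/acme/podinfo","software.ocm.version":"6.3.5","software.ocm.provider":"acme"}},
{"mediaType":"application/vnd.oci.artifact.manifest.v1+json","size":320,"digest":"sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210","artifactType":"application/vnd.ocm.software.component-ref.v1","annotations":{"software.ocm.component":"github.com/open-component-model/ocm-controller","software.ocm.version":"0.9.0","software.ocm.provider":"ocm.software"}},
{"mediaType":"application/vnd.oci.artifact.manifest.v1+json","size":200,"digest":"sha256:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff","artifactType":"application/vnd.example.signature.v1"},
{"mediaType":"application/vnd.oci.artifact.manifest.v1+json","size":300,"digest":"sha256:d4d4d4...","artifactType":"application/vnd.ocm.software.component-ref.v1","annotations":{"software.ocm.component":"github.com/acme/broken","software.ocm.version":"1.0.0"}}
]}`)
```

Calling ListComponents(SampleReferrers, nil) yields the two well-formed component refs; passing map[string]string{"software.ocm.provider": "acme"} narrows it to podinfo. Because anyone with push access to the component-index repository can attach a referrer with arbitrary annotations, a client should use the list only to decide which component descriptors to fetch and then verify those descriptors (and their signatures) before trusting name, version or provider.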

morri-son commented 8 months ago

@mandelsoft and @hilmarf , what do you think about this? Querying an OCI registry to get all versions of a dedicated component already can take a while. Such a feature would also be beneficial for the "Component UI" that we wanted to provide for MPAS for end users to search for available products (modelled as OCM components).

github-actions[bot] commented 1 week ago

This issue was marked as stale because it has not had recent activity.