opencontainers / runtime-spec

OCI Runtime Specification
http://www.opencontainers.org
Apache License 2.0

config: add support for org.opencontainers.image annotations #1197

Closed. cyphar closed this 7 months ago.

cyphar commented 1 year ago

These annotations are specified as part of the official conversion process from an OCI image configuration to an OCI runtime configuration since v1.0.0-rc7 of the image-spec but they were never officially specified in

The fact these are not allowed by the current runtime-spec causes some issues with inter-spec compatibility. In order for tools like umoci to be able to do this generation properly, we need to allow this namespace to be used.

Ref: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/conversion.md
Signed-off-by: Aleksa Sarai cyphar@cyphar.com

cyphar commented 1 year ago

This is a minimal implementation of support for the org.opencontainers.image namespace of annotations (as defined in and used by the image-spec).

However, given that the list of annotations might grow in the future, it might make far more sense to copy the current set of annotations into the runtime-spec and require any additions to the list of annotations to be co-ordinated between specifications? That way we don't need to hard-code a reference to a specific image-spec version in the runtime-spec...

cyphar commented 1 year ago

(One reason we need this PR is that umoci has been generating these configs for ages, but the version of oci-runtime-tool used to validate the generated config.json didn't support validating annotations. I've only just gotten around to updating the ancient version of oci-runtime-tool and it turns out this conversion causes verification failures.)

cyphar commented 1 year ago

I will switch to having a copy of the annotation list here, since otherwise it'll be difficult to guarantee compatibility with a specific runtime-spec version (what version of image-spec should be used?). We don't add annotations to the list very regularly so having to do updates in lock-step probably isn't too much of a hassle.

giuseppe commented 1 year ago

Would these annotations matter anyway for an OCI runtime?

cyphar commented 1 year ago

I think some runtimes might make use of them (org.opencontainers.image.stopSignal is the most obvious one that a runtime might care about).

The issue is that at the moment technically you're forbidden to use them for anything according to the runtime-spec, but the image-spec explicitly requires you to use them when generating a config.json. If we want to have proper validation in runtime-tools (rather than just allowing all of org.opencontainers.image.* without restrictions) I think we should at least have a list of the allowed annotations (and point to the image-spec for their semantics).
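As an added example (not code from this PR, from runtime-spec, runtime-tools or umoci), here is the check the thread asks for in working Go: a validator that accepts keys in the reserved org.opencontainers namespace only when they appear in a hard-coded copy of the image-spec annotation list, plus the one consumer a runtime plausibly has for these keys, mapping org.opencontainers.image.stopSignal to a signal. The annotation list is reproduced from memory of image-spec v1.1.0-rc2 and is an assumption to verify against the spec; the signal-name table, the `config` struct and the sample config.json are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"syscall"
)

// imageAnnotations is a hard-coded copy of the keys the image-spec defines
// (annotations.md plus the stopSignal key that conversion.md produces).
// Assumption: reproduced from memory of image-spec v1.1.0-rc2; verify before use.
var imageAnnotations = map[string]bool{}

func init() {
	for _, suffix := range []string{
		"created", "authors", "url", "documentation", "source", "version",
		"revision", "vendor", "licenses", "ref.name", "title", "description",
		"base.digest", "base.name", "stopSignal",
	} {
		imageAnnotations["org.opencontainers.image."+suffix] = true
	}
}

// signalNames covers the common stop signals only (assumption; extend as needed).
var signalNames = map[string]syscall.Signal{
	"SIGHUP": syscall.SIGHUP, "SIGINT": syscall.SIGINT, "SIGQUIT": syscall.SIGQUIT,
	"SIGKILL": syscall.SIGKILL, "SIGUSR1": syscall.SIGUSR1, "SIGTERM": syscall.SIGTERM,
}

// config is the subset of a runtime-spec config.json this example reads.
type config struct {
	Annotations map[string]string `json:"annotations"`
}

// ParseAnnotations decodes the annotations object of a config.json.
func ParseAnnotations(configJSON []byte) (map[string]string, error) {
	var c config
	if err := json.Unmarshal(configJSON, &c); err != nil {
		return nil, fmt.Errorf("config.json: %w", err)
	}
	return c.Annotations, nil
}

// ValidateAnnotations reports every key in the reserved org.opencontainers
// namespace that is not on the allow-list. Keys in other namespaces pass
// unchanged, so unrelated annotations never fail validation.
func ValidateAnnotations(annotations map[string]string) []string {
	var problems []string
	for key := range annotations {
		if strings.HasPrefix(key, "org.opencontainers.") && !imageAnnotations[key] {
			problems = append(problems, fmt.Sprintf(
				"annotation %q is in the reserved org.opencontainers namespace but is not a known image-spec key", key))
		}
	}
	sort.Strings(problems) // map iteration order is random; keep the report stable
	return problems
}

// StopSignal is what a runtime would do with the one annotation it is likely
// to act on: choose the signal used to stop the container, defaulting to
// SIGTERM when the annotation is absent and rejecting names it cannot map.
func StopSignal(annotations map[string]string) (syscall.Signal, error) {
	raw, ok := annotations["org.opencontainers.image.stopSignal"]
	if !ok {
		return syscall.SIGTERM, nil
	}
	if n, err := strconv.Atoi(raw); err == nil && n > 0 {
		return syscall.Signal(n), nil // numeric form, e.g. "9"
	}
	name := strings.ToUpper(raw)
	if !strings.HasPrefix(name, "SIG") {
		name = "SIG" + name // accept "TERM" as well as "SIGTERM"
	}
	if sig, ok := signalNames[name]; ok {
		return sig, nil
	}
	return 0, fmt.Errorf("stopSignal %q: unknown signal name", raw)
}

// sampleConfig is a constructed config.json fragment: one valid image-spec key,
// a stopSignal, a vendor key outside the reserved namespace, and one made-up
// key inside it that must fail validation.
const sampleConfig = `{
  "annotations": {
    "org.opencontainers.image.source": "https://github.com/opencontainers/runtime-spec",
    "org.opencontainers.image.stopSignal": "SIGQUIT",
    "com.example.build-id": "12345",
    "org.opencontainers.image.madeup": "not in the spec"
  }
}`

func main() {
	ann, err := ParseAnnotations([]byte(sampleConfig))
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, p := range ValidateAnnotations(ann) {
		fmt.Println("invalid:", p)
	}
	sig, err := StopSignal(ann)
	fmt.Println("stop signal:", sig, err)
}
```

Keeping the allow-list as a plain table in the validator is the "copy the annotation list into runtime-spec" approach the thread settles on: adding a key is a one-line change made in lock-step with the image-spec, and the validator does not need to know which image-spec version it is mirroring.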