New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support OCI images in API #7203
Comments
We have to decide whether the API should reflect the choice of runtime at It's a kubernetic ideal that the dame pod spec should run on a docker On Wed, Apr 22, 2015 at 5:20 PM, Victor Marmol notifications@github.com
|
Other example runtimes / formats:
Eventually we'll need some kind of plugin API in the pod spec. Ideally, when running in a cloud, the system would eventually be able to instantiate VMs capable of running whatever image/spec was provided, as necessary. I agree that differences in semantics should not be implicit based on implementation choices, and the pod spec should not need to be changed in the case that the same semantics are desired on different runtimes. |
By way of example, I would be very against a solution that required
on docker runtimes but required
on rkt On Wed, Apr 22, 2015 at 10:03 PM, Brian Grant notifications@github.com
|
Agree, though requiring a prefix for all images would be a breaking change. We could do that in v1 and add a format field in the older APIs. However, with respect to images, there are multiple issues:
I haven't had time to think about which we want to explicitly represent. In enterprise environments, admins generally want control over the latter 2. |
In the short term, ACI-based images do natively support Docker images so no changes would need to be made to express Docker images. For others we would have to identify and know where to schedule them. Initially it'd be an explicit choice on the user's part I imagine. If we did have to schedule only on nodes that supported format X, parsing the image string is probably not the best way. |
"ACI-based images" -> "ACI-based runtimes"? Even so, not strictly correct; rkt natively supports Docker images (by transparently converting them to ACIs using docker2aci), but this isn't a provision of the spec (i.e. other implementations might not have this support). |
A little more detail on the ACI side: It is definitely a different beast to Docker in that there's no shorthand way to deterministically [1] reference remote images (in part since there's no registry API). Instead, the appc spec currently defines two processes (strategies) for discovering image locations [2], where "location" is an HTTP endpoint, torrent, HDFS URI, etc; but these strategies are not necessarily deterministic, depending on their implementation (essentially this is the "mutable" identity bgrant0607 refers to above). The only canonical image reference is instead the image ID (the immutable, content-based identity). Taking rkt as an example again, it currently supports three image reference types: [1] For some definition of deterministic; obviously Docker repositories can still be mutated behind the scenes. But there is a general assumption in the ecosystem today that "nginx:14.04" or "foo.com/bar:baz" refer to a consistent image over time. (I know Docker have just added content-based tags to provide this) |
I think where we need to end up on this is having the API be very explicit about the users intended image. This is something like how the volume API is explicit about the type of volume and its arguments:
So if we take this same approach and change the image we get something like: docker images
ACIs
Possible problems and points of research:
|
On @bgrant0607 point of letting the user control where things are fetched from this feels like a configuration problem that is orthogonal to this problem. If the user wants to configure their container runtime to fetch from an NFS share, local store, etc we need to have a cluster-wide or namespace wide API for this sort of thing. |
@philips Presumably there will be a validation to ensure that each container in a pod has the same image type, correct? |
@pmorie I don't know if there is a technical reason for this restriction; rkt, for example, can run both docker and ACI images in the same pod. |
@philips That is a really good point -- I guess if rocket is available there shouldn't be any problem with letting the rocket pod handle the docker image pull. That said my gut says there may be some issues to work through -- for example making sure that rkt and docker can pull using the same secret. |
On Tue, Apr 28, 2015 at 1:30 PM, Paul Morie notifications@github.com
It should be easily possible: I think @yifan-gu is hooking up the k8s secret auth configuration to this Brandon |
@philips Yep, we've been communicating about that. |
@philips The fields you propose match the ACI pod manifest schema? What structure would you propose for Docker images? |
@bgrant0607 The first one is for docker images, here it is again:
This is based on the docker image json and the new Docker 1.6 |
Note, the digest format for Docker 1.6 is |
There is not a one-to-one mapping between container runtime and image pull. Rocket supports running docker images, and so it makes sense that you could run a pod that has a docker image spec with a rocket container runtime with no changes. In the future, the ACI format might be supported by docker, in which case the opposite would be possible: run a pod with an ACI image spec with the rkt container runtime. |
Let me offer the following api skeleton for discussion: type Container struct {
// other fields omitted
Image ImageSpec
}
type ImageSpec struct {
DockerV1 *DockerV1RegistryImageSpec
ACI *ACISpec
// FUTURE: other formats (fabric8, lxc, etc)
} The image spec ought to be orthogonal from the container runtime. That said, eventually I think the node should inform the cluster of which image specs it can support and the scheduler will have to ensure that pods get scheduled onto a node that supports the image format. |
This is another place where a discriminated overlayed one-of type would "image": {
"kind": "aci",
"name": "example.com/foobar-worker",
"id": "afe264840302"
} vs "image": {
"kind": "docker",
"name": "gcr.io/google_containers/foobar-worker:1.2"
} On Wed, May 6, 2015 at 11:01 AM, Paul Morie notifications@github.com
|
I agree with @thockin's suggestion here. |
Sadly, we do not have currently Go infrastructure for decoding JSON this On Fri, May 8, 2015 at 10:49 AM, Brandon Philips notifications@github.com
|
any movement on this one? is there a consensus to have a I'm asking because the Container Runtime Interface (#17048) just receives an anonymous But in https://github.com/containers/image, we developed a Transport type which identifies an image and how it should be fetched/pushed. Currently we support:
It basically consists of a a
Plus an URI like string which is reference dependent (i.e. docker follows its own, OCI and dir their own as well and they're just paths I've been thinking it would be great to have a discriminant at least ( |
@runcom step 1 is to get a proposal for the API change. There is an old proposal that could be used, see the feature for the old proposal link: kubernetes/enhancements#63 |
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
/remove-lifecycle rotten |
This patch fixes a regression introduced by kubernetes#51751 in the CRI interface. That commit actually changed a unit test where we were previously *not* assuming anything about an image name. Before that commit, if you send the image "busybox" through the CRI, the container runtime receives "busybox". After that patch the container runtime gets "docker.io/library/busybox". While that may be correct for the internal kube dockershim, in the CRI we must not assume anything about image names. The ImageSpec is not providing any spec around the image so the container runtime should just get the raw image name from the pod spec. Every container runtime can handle image names the way it wants. The "docker.io" namespace is not at all "standard", CRI-O is not following what the docker UI say since that's the docker UI. We should not focus the CRI on wrong UI design, especially around a default namespace. ImageSpec is not standardized yet: kubernetes#46255 and kubernetes#7203 This is something which should land in 1.9 as well since the regression is from 1.8. Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Automatic merge from submit-queue (batch tested with PRs 58955, 58968, 58971, 58963, 58298). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. pkg: kubelet: do not assume anything about images names This patch fixes a regression introduced by #51751 in the CRI interface. That commit actually changed a unit test where we were previously *not* assuming anything about an image name. Before that commit, if you send the image "busybox" through the CRI, the container runtime receives "busybox". After that patch the container runtime gets "docker.io/library/busybox". While that may be correct for the internal kube dockershim, in the CRI we must not assume anything about image names. The ImageSpec is not providing any spec around the image so the container runtime should just get the raw image name from the pod spec. Every container runtime can handle image names the way it wants. The "docker.io" namespace is not at all "standard", CRI-O is not following what the docker UI say since that's the docker UI. We should not focus the CRI on wrong UI design, especially around a default namespace. Image name normalization is a Docker implementation detail around short images names, not the CRI. ImageSpec is not standardized yet: #46255 and #7203 This is something which should land in 1.9 as well since the regression is from 1.8. Signed-off-by: Antonio Murdaca <runcom@redhat.com> **What this PR does / why we need it**: **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes # **Special notes for your reviewer**: **Release note**: ```release-note Fix regression in the CRI: do not add a default hostname on short image names ```
This patch fixes a regression introduced by kubernetes#51751 in the CRI interface. That commit actually changed a unit test where we were previously *not* assuming anything about an image name. Before that commit, if you send the image "busybox" through the CRI, the container runtime receives "busybox". After that patch the container runtime gets "docker.io/library/busybox". While that may be correct for the internal kube dockershim, in the CRI we must not assume anything about image names. The ImageSpec is not providing any spec around the image so the container runtime should just get the raw image name from the pod spec. Every container runtime can handle image names the way it wants. The "docker.io" namespace is not at all "standard", CRI-O is not following what the docker UI say since that's the docker UI. We should not focus the CRI on wrong UI design, especially around a default namespace. ImageSpec is not standardized yet: kubernetes#46255 and kubernetes#7203 This is something which should land in 1.9 as well since the regression is from 1.8. Signed-off-by: Antonio Murdaca <runcom@redhat.com>
any progress on this? |
long-term-issue (note to self) |
This is obsolete, but I'll leave a ref to #1697 |
@bgrant0607: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Today the API assumes Docker images, but we'd like to be able to support other images in the future. This issue specifically targets the ACI standard (which is used by Rkt)
Arguably having the flexibility to have a different image type in the API is for v1.0, although actually supporting a different image type is not.
/cc @dchen1107 @bgrant0607 @yifan-gu @jonboulle
The text was updated successfully, but these errors were encountered: