Re: OSTree and OCI images



On Wed, 2016-11-30 at 12:12 -0500, Colin Walters wrote:

On Thu, Nov 24, 2016, at 03:52 AM, Alexander Larsson wrote:

For flatpak, these are the OCI operations we currently support:

 * Export a (non-layered) branch (flatpak app) as an OCI image in an
   OCI directory layout. This is "flatpak build-bundle --oci" in the
   current code. In addition to just dumping the ostree content
   as a tarball layer this adds enough ostree specific commit metadata
   to the image that the ostree commit can be reconstructed with the
   same commit id at a later point.

Okay, so at a high level, we're exporting to a tarball, and relying
on importing-via-ostree to result in the same "contents" (dirtree/dirmeta),
in git this would be just a "tree" object.

Yes, the idea is that you built a flatpak via some flatpak:y way such
as flatpak-builder, but then you want to distribute it via an OCI
registry.

Honestly, I hadn't even thought of doing that - I'd been envisioning
archive-repo-in-tar, or delta-in-tar.

The advantage of "tar translation" is that tools will show you something
reasonable when looking at the archive.

The downsides are that we have to re-checksum everything on
import.  But eh.

Even if the tarfile had an ostree repo in it I think we would want to
re-checksum on import. I mean, yes, the thing you import is perhaps
signed so that you trust it at some level, but if for whatever reason
it lies about the checksum of an object it could affect another ref in
the same repo which could come from a different remote (with a
different gpg key). This seems very dangerous to me.

To have a shorthand, let's call this format "ostree-exported-oci".  Or
maybe "ocitreear"? =)

 * Import an OCI image from a local directory into a (non-layered)
   ostree branch, merging multiple layers in the
   source image, and also applying any optional ostree specific
   metadata in the image. This is "flatpak build-import-bundle --oci"
   in the current code.

Do you have any use case in flatpak for importing OCI images
that aren't ostree-exported-oci?

You seem to imply below you do, but can you be specific?  Is
this something like being able to auto-import a desktop app
someone did in Docker/OCI into flatpak?

I don't think you can ever import an image that was designed to be a
docker image into flatpak. However, you may have built an OCI image
that targets flatpak without ever being in an ostree repo. For
instance, your organization may have a build system that combines
artifacts like pre-built rpms into an OCI image (and adds a metadata
file). Then we import this into ostree for the first time locally on
the client's machine during "flatpak install".

Such an image may even be layered, for instance if it was created using
a Dockerfile.
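
The cross-remote risk raised in the re-checksum paragraph above, as an added example that is not part of the original message and is not ostree or flatpak code. It models a content-addressed store shared by two remotes and assumes, as a simplification, that an object's id is the plain SHA-256 of its bytes; `ObjectStore`, the ref names and the sample objects are constructed for illustration.

```python
import hashlib


class ObjectStore:
    """Toy content-addressed store shared by refs from several remotes."""

    def __init__(self):
        self.objects = {}  # checksum -> bytes, deduplicated across all refs
        self.refs = {}     # "remote:branch" -> list of object checksums

    def import_trusting(self, ref, entries):
        """Store each object under whatever checksum the archive claims."""
        for claimed, data in entries:
            self.objects.setdefault(claimed, data)  # dedup: first writer wins
        self.refs[ref] = [claimed for claimed, _ in entries]

    def import_verifying(self, ref, entries):
        """Re-checksum every object; reject the whole import on a mismatch."""
        for claimed, data in entries:
            actual = hashlib.sha256(data).hexdigest()
            if actual != claimed:
                raise ValueError(f"{ref}: object claims {claimed[:12]}, "
                                 f"content hashes to {actual[:12]}")
        for claimed, data in entries:
            self.objects.setdefault(claimed, data)
        self.refs[ref] = [claimed for claimed, _ in entries]

    def checkout(self, ref):
        return [self.objects[c] for c in self.refs[ref]]


def remote_a_content_intact(import_method):
    """Import a mislabelled bundle from remote B, then an honest one from A.

    Returns True if remote A's checkout still yields remote A's bytes.
    """
    store = ObjectStore()
    good = b"#!/bin/sh\necho hello\n"              # constructed sample object
    good_sum = hashlib.sha256(good).hexdigest()
    # Constructed sample: remote B's bundle may carry a valid signature from
    # B's own key, but labels its object with the checksum of A's object.
    mislabelled = [(good_sum, b"#!/bin/sh\necho replaced\n")]
    do_import = getattr(store, import_method)
    try:
        do_import("remote-b:app", mislabelled)
    except ValueError:
        pass                                       # import rejected, nothing stored
    do_import("remote-a:app", [(good_sum, good)])  # deduplicates against the store
    return store.checkout("remote-a:app") == [good]
```

With `import_trusting`, remote A's ref resolves to the bytes remote B supplied, even though A's own bundle was honest; with `import_verifying`, the mislabelled bundle never reaches the shared store.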

