-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: add support for pull/create/run by immutable identifier #10740
Comments
I'd suggest adding As for the image specification, if we already request a particular digest, is there a need to specify tag as well? IMHO tag part could be optional the same way as a digest part ( |
TL; DR Let's support @miminar @ncdc The original compromise of distribution/distribution#46 required that immutable references includes a "tag" and "digest", hence why these proposals have this requirement. This was due to the fact that the new manifests have a "tag" field. I doubt we'll ever drop the requirement for specifying the namespace. With distribution/distribution#62 and distribution/distribution#173, we intend to remove the requirement for a "tag" in the manifests. It would no longer be required when pulling manifests by digest. For upcoming proposals in immutable manifest references, we should consider the following:
This can be implemented by defining a "image object reference" (working on the nomenclature) to always have three components:
The goal of the parser would be to identify whatever is required for the level of support specified at implementation time. If initial implementation (proposed above) requires all three, then it will error out when a tag is missing. If we decide we want to support item 2, then it not longer errors out when tag is missing and we proceed. We may also want to define the minimum level of specification for a reference. Under certain cases, only name is required but for other cases, a digest-qualified reference is necessary. |
@stevvooe I'm definitely in favor of |
@stevvooe what do you think we should be targeting for 1.6? Only name + tag + digest? |
@ncdc I think we should target name + digest. We may need to adjust the proposed routes in distribution/distribution#46 to overload the tag routes to support manifest digest, but that is more than reasonable. |
@stevvooe that makes sense to me. It should be easier to implement than name + tag + digest, I would assume. |
@ncdc @stevvooe Will we support shortened digests (7 characters and more) - similar to git? If we can get all available manifest digests from registry, it should be possible. Currently I don't see a way to obtain it with recent API specification though. IMHO this would greatly benefit to usability. 64 mandatory characters on command line is way too much:
If, by a chance, two or more digests matched given short version, user could be asked to specify full digest. |
This feature is most likely to be used as part of an automated system I would think, like Kubernetes, where a user says "I want to deploy foo/bar:latest" and the system resolves that to the digest for that tag at that point in time. Subsequent deployments would use the resolved digest. Having said that, I don't have any problem supporting shortened digests. Also, just to note, the id you have in your example below is a v1 image id; v2 digests include the algorithm as a prefix. Sent from my iPhone
|
Oh, I see, thanks for the correction. So the command would actually look like this:
even more scary... |
Right, but again, this probably isn't something a human would regularly invoke. |
@miminar The goal of this proposal is to provide a secure, reproducible way of fetching an image by its manifest digest. Syntactic sugar is outside the scope of this proposal. That said, I agree long id strings are indeed unwieldy. I've filed distribution/distribution#194 in response so we can find secure, consistent and simple way of accomplishing this. |
+1 This would be awesome for Swarm. /cc @vieux |
@icecrime @jfrazelle @crosbymichael Could you take a peak at this? |
SGTM overall, with a few questions. I agree that supporting
Does it mean that I can have multiple entries for |
So I guess this adds even more weight to my "don't even try to show a tag in |
@icecrime here's what I was thinking with
And that gives you back image id And I guess more generally: if we have images that aren't currently assigned to a tag, either from the above case, or just from pulling by digest, how/where should we display them? |
With v2 seeming to have 256 char limit - will that apply to "name" or "name@digest"? The SHA sum would take up a number of chars. |
@sghosh151 The limit applies only to the name. |
@stevvooe wrote in #10740 (comment) about having a parser that can return an "image object reference". Right now,
type ImageReference struct {
repository string // or possibly registry.RepositoryInfo instead of string
tag string
digest string
} This @icecrime @jfrazelle @crosbymichael what are your thoughts? |
I'm in favor of a new type - parsing will be done just once for every request. Loads of checks for presence of |
@ncdc Option 3 above is the best approach, even if |
@stevvooe I'll do whatever you guys think makes the most sense. Do you want a Repository() string
Tag() string
Digest() string or does making it an actual struct make more sense? Should |
Moving discussion of image reference to the PR here #11109 (comment) |
Was this solved by #11109? |
yep should be @ncdc let me know if you disagree |
All good, thanks! Sent from my iPhone
|
Summary
We'd like to add support for using immutable image identifiers when pulling images from a v2 registry, creating containers, and running containers.
Background
Use case
When I create a container, I may specify an image such as
mysql:latest
. When the image is pulled,latest
is resolved to a particular image at that point in time. If I later want to add more containers (e.g. possible read slaves in the MySQL case), ideally all the new containers would use the exact same image as my first container. Using a tag isn't sufficient as the tag is mutable.V2 registry support
As part of distribution/distribution#46, the v2 registry will be adding support for retrieving an image manifest for a particular digest. This feature gives us what we need, as long as the Docker CLI and Engine support it too.
Proposed CLI/Engine changes
We'll need to provide a means to reference an image by its digest. One possible example might be
We'll need to make sure the following commands continue to work as they currently do, as well as with an optional digest:
docker pull
docker create
docker run
When listing images via
docker images
, we could default to displaying only the "current" values for each image and tag. An optional flag could enable displaying all values for each image and tag; namely, this would show 1 entry for each image/tag/digest combination.Questions
What about v1 registry support?
It's not likely we'll be able to support this
If I create an image locally via
docker tag
ordocker commit
, can I refer to it by tag + digest?As proposed in distribution/distribution#46, the registry is responsible for determining an image's digest and assigning it to the image. For an image that has not yet been pushed to a v2 registry, it may not be possible to refer to it by tag + digest. This is unlikely to be a significant issue, as the use case for tag + digest is consistent deployments using images pulled from registries. Or, if the community thinks this should be supported, we can revisit what component(s) are responsible for calculating digests.
The text was updated successfully, but these errors were encountered: