daemon: allow setting OCI annotations on containers

[corhere]

• Relates to Support alternative runtimes with cri-dockerd #45030
• Closes Pass container labels as annotations in OCI spec #39142
• Closes Add flag annotation  #37289
• Closes Pass the label of docker container to the annotation of OCI runtime spec #36181
• Relates to Pass through specific annotation to OCI runtime spec #37262

- What I did

Allow API clients to set and retrieve OCI annotations on a container.

- How I did it

Added a field to HostConfig and plumbed it into the OCI spec generation code.

- How to verify it
Create a container with annotations and start it. Inspect the running container using ctr and verify that the annotations are listed in the container spec.

A new integration test verifies that annotations can be round-tripped through the Engine API.

- Description for the changelog

• Annotations—arbitrary non-identifying metadata—can now be attached to containers on creation which will be passed to the runtime when the container is started.

- A picture of a cute animal (not mandatory but encouraged)

[AkihiroSuda]

And does this mean that an image containing these labels will set them at runtime on the container?

Yes. This could arguably be a feature.

This looks like an attack vector.

Specifying annotations should require a new API/CLI like
docker run --annotation=com.example.foo=bar.
(similar to podman run --annotation)

[cpuguy83]

SGTM

But need to update the API history doc and openapi yaml.

[corhere]

I'm following past precedent by ignoring the field on create for older API versions but unconditionally including it in the /containers/{}/json response for all API versions.

[thaJeztah]

("requesting changes" just to have a quick check per my comment - changes otherwise look good to me)

[thaJeztah]

Before we merge; quick check on the naming. Wondering if OCI prefix is needed in our API here. I get where we're coming from; mostly thinking along the lines of "(almost) every option we have in our API leads to <something> OCI spec.

So wondering if we should keep the abstraction - call it Annotations, and keep the fact that that (currently) gets passed on to the OCI to the description only.

[corhere]

I'm coming around to dropping the OCI prefix and adopting essentially the same semantics as Kubernetes Annotations. And by that I mean documenting that Engine API clients can also leverage annotations to attach and consume metadata on containers for their own purposes. Perhaps we should also follow their lead and enforce a particular syntax for annotation keys so that the namespace of an annotation is unambiguous. We could always loosen validation later but can't make it more restrictive.

[thaJeztah]

Let's discuss / brainstorm in the call later Today (I also need to get my head around all of that). Quick comment;

• Yes, I think Annotations could be useful for "our side" as well
• I like namespaces / prefixes as they can definitely help prevent ambiguity (I think I may actually have been the one originally getting them into the "labels" definition 🤔 )
• ^^^ w.r.t. namespaces: I always keep in the back of my mind that API !== UX; namespaces are awkward to use, but are (in most cases) not meant for humans. So if we decide to use namespaces, we can still make the UX "different" (docker run --foo=bar doing docker run --annotation=awkwardly-long-namespace.option=bar behind the scenes)

[corhere]

What I like about how K8s goes about namespacing annotations is that it makes namespace prefixes optional and reserves the no-namespace "namespace" for users.

[thaJeztah]

Yup, that was part of my original suggestion for labels; no-namespace is for users; don't use them for automation as they can easily conflict. For automation / tools, always use a prefix

[thaJeztah]

For those interested; here's the PR with all the fun (well, there's been multiple before that, but that's the one that made it, and that one is already 200+ comments 🤣)

• Proposal: One Meta Data to Rule Them All => Labels #9882

[corhere]

Decisions from today's maintainer call:

• Drop the OCI prefix from the field name
• Any annotation which is valid per the OCI Runtime spec is permitted
  • Keys can be any JSON string except for the empty string
  • Values can be any JSON string, including the empty string
  • Keys and values can be arbitrarily long

[thaJeztah]

LGTM, thanks!

[thaJeztah]

I had a look if we should be using an errdefs.InvalidParameter() here (and noticed other errors didn't), but it looks like we wrap any errors returned here on the call sites, such as

moby/daemon/create.go

Lines 65 to 68 in 2f0e308

	warnings, err := daemon.verifyContainerSettings(opts.params.HostConfig, opts.params.Config, false)
	if err != nil {
	return containertypes.CreateResponse{Warnings: warnings}, errdefs.InvalidParameter(err)
	}

So in either case; it's good (currently) to not use an errdefs, but we could (should?) look at these at some points to assign error-types in these locations.

[thaJeztah]

@cpuguy83 LGTY? (I see there's a "change requested" from you, and didn't want to dismiss it)

[AkihiroSuda]

@corhere Do you have a PR for the CLI?

[corhere]

@AkihiroSuda no, I am not working on a CLI PR as my motivation is unblocking support for alternative runtimes in cri-dockerd.

[AkihiroSuda]

Opened a PR for the CLI:

• cli/command/container: implement docker run --annotation docker/cli#4156