OCI Initial Delivery

[Vincinator]

Epic: OCI Initial Delivery

Scope

As Garden Linux adopter, I want to be able to pull my image of choice via Open Container Initiative (OCI)[1] Image Specification (image-spec) container layers, served for me from public registry.

[1] See https://opencontainers.org/about/overview/

High Level Architecture

The Architecture Diagram above shows the existing Garden Linux pipeline state, and the OCI extensions for the pipelines.
Architectural decisions are:

• OCI pipelines are not blocking
• OCI Images are incrementally extended. (build artifacts, test artifacts, audit artifacts, arbitrary artifacts)
• OCI tool is a CLI that can be invoked from local workstation or from pipeline, and is independent of CI/CD syntax

Requirements

Architectural alignments and discussions

Before the initial implementation, a request for discussion was prepared. Summary of discussion is included in the RFD linked above.

Definition of done

• Tool to package Garden Linux release artefacts into OCI images, and upload them to a target OCI registry
  • https://github.com/gardenlinux/gl-oci
• Integration of tooling into release build pipelines of Garden Linux, so that Garden Linux release artefacts can be incrementally be attached to an OCI-image until it reaches a defined state of "final" including cryptographic signatures

Tasks

September

Bugs

Enhancements

• [OCI] Feature to upload container images #36
• Filter get_oci_metadata by architecture #38
• add the expanded feature list as annotation (can be found in the .release) #42
• check signing process (some typo found "versio") #43
• Set org.opencontainers.image.description  #35
• How to handle "nested" artifacts (PXE needs one deeper layer of extraction (kernel,...)) #44
• image title is wrong - full path used, should be just the basename #46
• finalize list of media types #47
• do we have to include this? “application/vnd.gardenlinux.image.checksum.sha256” #48
• review the subject field #49
• Integration of OCI delivery in gardenlinux build pipelines #15
• Use extracted contents of release tarball as artifacts python-gardenlinux-cli#3

August

Bugs

• Manifest updates do not overwrite existing entries in index, but append new ones #23
• ghcr.io requires mediatype of manifest when uploading an oci index with mediatype of oci index #22
• ghcr.io token authentication does not grant access #21
• get manifest by digest does not work for GHCR #20

Enhancements

• oci multi image support #29
• Implement status flag in oci-image that defines state (incomplete, complete) #28
• Implement OCI-registry authentication, so that oci images can be pushed to a non-local oci registry #27
• Update Garden Linux features/*/info.yaml files, so that layers, their mediatypes and annotations are defined #16
• Implement method to parse all features/*/info.yaml, where input (media types, layers, annotations) is defined for gl-oci #26
• Integration of OCI delivery in gardenlinux build pipelines #15
• Implement signing #25
• manifest size calculation #24
• Separate log messages from stdout #14
• Split out parse_features logic into an importable library #19
• Query function: build artifact metadata #1
• Add pytests #18
• Deduce image and archive filetypes for Garden Linux features #4
• Developer Documentation Setup #17
• Documentation Automation Setup  #10
• [OCI] Remove requirement for central merged info.yaml  #30

July

• Topic has been handled with lower priority due to on-site workshop, urgent release work, sick leave.

June

• https://github.com/gardenlinux/process/issues/53
• ✅ Design and document how to integrate OCM with OCI
• ✅ Setup Development Environment (poetry, zot, makefile)
• ✅ Create OCI Image manifest and push it to a registry
• ✅ Extend an existing OCI Image manifest with additional layer

[mxmxchere]

The program logic has moved to here https://github.com/gardenlinux/python-gardenlinux-lib, the CLI wrapper can be found here: https://github.com/gardenlinux/python-gardenlinux-cli