Add support for erofs and squashfs layer media types #1191
Conversation
rchincha
requested review from
jonjohnsonjr,
stevvooe,
sudo-bmitch,
sajayantony,
tianon and
cyphar
as code owners
OCI artifacts support has landed in various OCI specs v1.1.0 which allows for arbitrary artifact types, small and large. Large artifacts (even existing container images) pose a particular challenge that: 1. it takes too long to download 2. it takes too long to unpack This PR **begins** to address 2. above. squashfs (an older read-only) and erofs (newer) filesystems are already compressed full filesystems, and overlayfs compatible. The downsides are this change becomes very Linux-specific? Signed-off-by: Ramkumar Chinchani <[email protected]>
|
opencontainers/distribution-spec#537 |
This PR just represents possibilities. Needs a discussion if OCI wants to "adopt" this a recommended option. Almost all known solutions end up being a clever fuse or remotefs wrapper around a layer - so why not make the layer a filesystem itself! No further machinery needed. |
JFYI, EROFS already has a IANA-registered media type "vnd.erofs" if some format is referred. |
|
Could also be Open question, whiteout handling |
|
The problems I see with large binary files (eg AI models) is that they don't tend well to compression. I would like to see if we can improve the distribution spec to allow parallel chunked upload/download. Right now we can only upload/download sequentially |
I get the impression that most registries allow this already and we're just formalizing it. |
|
https://stackerbuild.io/ |
In this context ^ |
|
Honestly not in favor or non-oci types here. |
Just to clarify further - the image is still OCI; this is about the layers. If they are complete filesystems (squashfs, erofs), then they can just be mounted directly. This is an alternative approach to what the recently added containerd erofs snapshotter does today - convert tgz into erofs and cache. The only implication wrt this PR is that if squashfs, erofs are made "official" layer types (not a MUST btw, image still OCI), then the negotiation with containerd community becomes easier. Else maybe they will accept a tunable/config to allow such types. If squashfs,erofs+verity are produced and signed at source, then integrity is maintained end-to-end and becomes a much simpler deployment model - no tgz mutation gimmickry. |
@rchincha One thing I might need to mention here is |
|
...
Also I try to enable EROFS metadata compression in the kernel 6.16 cycle: Compressed metadata is just placed in a special on-disk inode, so the metadata compress algorithm can be different from data algorithms, which could be useful to maximize runtime performance for metadata (lz4, zstd, or uncompressed) and leave high compression ratios for data (zstd, lzma, deflate, etc.) |
|
Pushed two test multi-layer OCI images with erofs layers (with and without dm-verity) https://hub.docker.com/repository/docker/ramchi879/test-erofs-verity/tags To download them, |
There was a problem hiding this comment.
I'm a NACK on this:
- Defining the variables in specs-go is not adding it to the list of supported layer media types in the spec. I don't believe this does anything for the underlying goal.
- We defined the OCI layer media types because they have a content defined in layer.md and are more than a tar+gzip (if they were, we could have delegated to IANA).
- These media types are / should be registered with IANA and have their contents specified there.
- Whether implementations must/should/may support these media types would be specified in manifest.md.
Of course not. This was only meant to start a discussion about possibilities.
Wondering if there a circular argument here? Firstly, only the following appears to be registered with IANA. So to add a new layer type, a PR modifying layer.md? But to accept that it must first be registered with IANA? But that can only be done by OCI (since vnd.oci)? which must first be ready to accept the PR to layer.md? |
|
https://github.com/awslabs/soci-snapshotter/blob/main/docs/index.md "mediaType": "application/vnd.amazon.soci.index.v1+json" (image "config", but still) However, only the following registered with IANA and above not in layer.md. Perhaps this ^ pattern? |
Lets start with a question, what is OCI specific about the new OCI media types you'd like to define? Currently with the tar layers, there is ordering, white out files, limitations on hard links, and other requirements that apply when extracting multiple tar files as layer diffs, so we aren't using If they aren't different, then we defer to upstream specs. If they are different, then to start defining that we'd need to go from the other direction, not from adding a new Go variable, but creating a working group, getting projects to buy in with some implementations to work out the various edge cases and compatibility issues, and then submitting the new OCI media type as an entry in something like If we want to document that implementations support a specific set of externally defined layer media types, we can work on changes to |
|
https://www.cyphar.com/blog/post/20190121-ociv2-images-i-tar ... without any massive overhaul |
OCI artifacts support has landed in various OCI specs v1.1.0 which allows for arbitrary artifact types, small and large.
Large artifacts (even existing container images) pose a particular challenge that:
This PR begins to address 2. above.
squashfs (an older read-only) and erofs (newer) filesystems are already compressed full filesystems, and overlayfs compatible.