Revision as of 16:23, 1 December 2021

ostree native containers / CoreOS layering

Summary

Enhance the (rpm-)ostree stack to natively support OCI/Docker containers as a transport and delivery mechanism for operating system content.

This is the basis of https://github.com/coreos/enhancements/blob/main/os/coreos-layering.md

Owner

Name: Colin Walters

Email: walters@verbum.org

Current status

Significant code has been written and is shipping - you can try this today! You need at least rpm-ostree v2021.14 and skopeo 1.5.1

Targeted release: Fedora Linux 36
Last updated: 2021-12-01
devel thread
FESCo issue: #2704
Tracker bug: <will be assigned by the Wrangler>
Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Having the Fedora ecosystem (from users to release engineering) maintain tooling that operates on all three of "container images", RPMs, and OSTree updates is a maintenance burden.

This proposes that:

The ostree stack is enhanced to support encapsulating/unencapsulating ostree commits as OCI/Docker images (DONE)
rpm-ostree is updated to consume this, while still supporting all its current features (e.g. per-machine package layering) (DONE)
We ship e.g. quay.io/fedora/coreos:stable and quay.io/fedora/silverblue:36 etc.
We support deriving new user custom images from these images
We enhance this tooling to support chunking

For more details, please see:

Note that significant effort has been invested in ensuring compatibility between what exists in ostree today and OCI/Docker container image "encapsulation". For example, we will continue to reuse the GPG signature infrastructure on OSTree commits that exists today - the ostree tooling knows how to verify the signature *inside* the container image. In the future, we will also likely invest in container-native signatures.

Feedback

Benefit to Fedora

Stronger focus on Docker/OCI as transport for operating system and applications
New ability to easily create derived operating system images "server side"
More benefit from e.g. work on container deltas

Scope

Proposal owners:

Lots of detailed items listed in the rpm-ostree/CoreOS docs.

Other developers: The "other" here is vague, but certainly developing this so far has needed cooperation with e.g. the containers/ organization etc.

Release engineering: https://pagure.io/releng/issue/10399

Policies and guidelines: N/A (not needed for this Change)

Trademark approval: N/A (not needed for this Change)

Alignment with Objectives: No

Upgrade/compatibility impact

Each individual edition/spin would need to choose when and how to make a cutover to containers as a transport. The Fedora OSTree repository would continue to be maintained until that is finished.

How To Test

See the examples under https://coreos.github.io/rpm-ostree/container/

User Experience

Users of rpm-ostree systems will primarily interact with container images.

Dependencies

Release engineering.

Contingency Plan

Contingency mechanism: Continue to ship updates via baseline OSTree
Blocks release? No

Documentation

Already linked above to avoid duplicating it here.

Release Notes

@@ Line 21: / Line 21: @@
 == Current status ==
-[[Category:ChangeAnnounced]]
+[[Category:ChangeReadyForFesco]]
 Significant code has been written and is shipping - you can try this today!  You need at least [https://bodhi.fedoraproject.org/updates/FEDORA-2021-5e6a48669c rpm-ostree v2021.14] and [https://bodhi.fedoraproject.org/updates/FEDORA-2021-b8fee395ca skopeo 1.5.1]
@@ Line 43: / Line 43: @@
 -->
 * [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/KQKCFXG4CTT6IGCGWAXIX5SLHFBFCEAI/ devel thread]
-* FESCo issue: <will be assigned by the Wrangler>
+* FESCo issue: [https://pagure.io/fesco/issue/2704 #2704]
 * Tracker bug: <will be assigned by the Wrangler>
 * Release notes tracker: <will be assigned by the Wrangler>

Search

Changes/OstreeNativeContainer: Difference between revisions