[opensuse-factory] Naming policy for containers inside the distro
Hi,

as you might already be aware of, it's possible to build containers as part of Tumbleweed and Leap 15.1+ for some time now. (If you aren't, read https://en.opensuse.org/Building_derived_containers)

All images part of the distro are made available at the top level of the openSUSE registry at registry.opensuse.org, e.g. registry.opensuse.org/opensuse/leap. That's unlike containers published from anywhere else - those always have the project + repository name as prefix to prevent any collisions.

Additionally, if registry.opensuse.org is configured as default registry in docker/podman/whatever, the image name is all that's visible when referencing a container, so "kubic/pause" instead of "registry.opensuse.org/kubic/pause". So the name itself without the registry should be meaningful enough.

This means there have to be certain rules for naming containers to avoid issues like conflicts and also to enforce uniformity and consistency.

Use of tags should not need to be restricted or specified in any way as no collisions with other images are possible. So tags are managed entirely by image maintainers.

The names of the base containers ("opensuse/tumbleweed", etc.) are just unchanged from its heritage on Docker Hub and recently some images for Kubic got added, those have "kubic/" as prefix (e.g. "kubic/kured", "kubic/pause").

Now we've got a request to add a new base container using busybox on Tumbleweed and it currently uses "tumbleweed/busybox" as name.

Question is now what to do about that - call the base containers using opensuse as prefix an exception and allow tumbleweed/* and leap/* containers explicitly or enforce an opensuse/ prefix on all images? That would be consistent with kubic/* images we already have, but might not be as descriptive for some.

Thanks,
Fabian

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Wed, Apr 10, Fabian Vogt wrote:
"would be consistent": I don't see that as consistent. Currently we have:

opensuse/leap -> opensuse leap base container
opensuse/tumbleweed -> opensuse tumbleweed base container
kubic/flannel -> opensuse kubic flannel container, derived from what?

It would be consistent, if we would use:

opensuse/kubic-flannel

We can prefix everything with "opensuse" for the case, that somebody uses registry.opensuse.org as default. But I don't see this necessary, as in this case, images from docker hub, the normally standard registry, would get a docker hub prefix.

I would like to see for derived containers:

tumbleweed/apache
leap/apache
kubic/flannel
...

Either they are prefixed with registry.opensuse.org (for not default registry), or the user knows that they are from opensuse, since he changed the default.

I really hate:

registry.opensuse.org/opensuse/tumbleweed/apache

That's a really long name, and duplicates "opensuse".

Different thing are the base containers. Currently they are called:

opensuse/tumbleweed
opensuse/leap

On docker hub and registry.opensuse.org. So for consistency and ease of use, I wouldn't change that. Would also solve the problem to differentiate, if tumbleweed or leap are name spaces or container names.

So:

tumbleweed -> base container
tumbleweed/apache -> derived container

docker hub does not seem to have a problem with this, as we have:

alpine -> base container
alpine/git -> derived container

Next question: for tumbleweed, we don't have only one base container:

opensuse/tumbleweed -> base container with standard tools
??? busybox -> base container only with busybox

Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Linux GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Mary Higgins, Sri Rasiah, HRB 21284 (AG Nuernberg)
Hi,

as we see a similar problem for the SUSE business products: we discussed this shortly and it looks like we will have two different policies, one for base container, one for derived container:

/suse/sle12sp3
/suse/sle12sp4
/suse/sle15
/suse/...

But:

/sles12sp4/apache
/sles15/mariadb
/caaspX/...
...

So if I map this to opensuse:

/opensuse/tumbleweed
/opensuse/tumbleweed-busybox
/opensuse/leap
/tumbleweed/apache
/leap/apache
/kubic/flannel
...

Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Linux GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Mary Higgins, Sri Rasiah, HRB 21284 (AG Nuernberg)
Hi,

On Wednesday, 10 April 2019, 16:55:54 CEST, Thorsten Kukuk wrote:
That was not clear, I referred to the first part here: opensuse/ as exception.
As "leap/apache" I'd expect a container containing Leap + its Apache and "tumbleweed/apache" would be the same just based on TW. As you wrote above already, "kubic/foo" however doesn't mean "kubic + foo", it means "foo for Kubic" or "foo container made by the Kubic project". So that would need to be clarified and documented.
registry.opensuse.org has that overlay for opensuse/leap and opensuse/leap/15.1/images/... already as well and it works fine. If at some point we wanted to push images to Docker Hub as well (which OBS supports already, just not enabled), only images matching "opensuse/foo" could be uploaded, not "kubic/foo" or "opensuse/foo/bar".
I'd say that applying the generic scheme for derived containers would work here, as there's no real point in adding busybox on top of the TW base container. So tumbleweed/busybox would be fine when using the scheme above. Cheers, Fabian
Thorsten
On 2019-04-10, Thorsten Kukuk <kukuk@suse.de> wrote:
Docker doesn't support changing the default registry, so you will always see registry.opensuse.org/ anyway. I also think the "opensuse/" is quite redundant since it's our own registry.
I think this is reasonable -- though I'm not sure if this (which is the logical next step for having base containers):
tumbleweed -> base container
tumbleweed/apache -> derived container
is actually possible to do with stock Docker Distribution -- because the "tumbleweed/" somewhat acts as a directory and I'm not sure if you can publish an image with the same name as a repo. -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
On 2019-04-11, Aleksa Sarai <asarai@suse.de> wrote:
Though, there is an argument that if we want to publish home-project containers on the same registry we should have an official namespace (like we do with openSUSE:... on the OBS side of things). -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
On Thu, Apr 11, Aleksa Sarai wrote:
Alpine is doing that on docker hub as far as I could see, but I also would not do that to get people not confused.

Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Linux GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Mary Higgins, Sri Rasiah, HRB 21284 (AG Nuernberg)
On 2019-04-11, Thorsten Kukuk <kukuk@suse.de> wrote:
"docker pull alpine" translates to "docker pull docker.io/library/alpine". So while it looks the same, internally it gets translated long before it hits the registry. -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
On Thu, 11 Apr 2019 at 11:19, Aleksa Sarai <asarai@suse.de> wrote:
We're shipping podman by default in our container focused openSUSE offerings.

There we do not have docker's limitations, and can have multiple registries, which podman will use, in order.

Therefore I want a situation where

"podman pull tumbleweed" translates to registry.opensuse.org/tumbleweed and pulls the Tumbleweed base container
"podman pull leap" should pull registry.opensuse.org/leap, pulling the Leap base container
"podman pull kubic" should pull registry.opensuse.org, the "Kubic base container" (aka the Tumbleweed base container under a different name)

Derived containers should be $base/$containername eg.

tumbleweed/busybox
leap/whatever
kubic/pause

For synergy with docker (where we do not have that luxury of being able to practically use a trusted registry by default, nor does docker have the support for reflecting how our distributions are delivered) I ALSO want the following to work

"podman pull opensuse/tumbleweed" or "docker pull opensuse/tumbleweed" should pull the Tumbleweed base container, from registry.opensuse.org in podman or docker hub in docker
"podman|docker pull opensuse/leap" for leap

I think the way we've done mapping with registry.opensuse.org should work fine with that already.

Putting my suggestions all together and in other words;

I do not think there should be an 'opensuse' container, because there is no 'opensuse' distribution
I think derivatives should reference their base container (eg tumbleweed/$foo)
For Kubic specific containers the "kubic base container" should just be an alias/rebuild of the tumbleweed one under that different name.

Does all of this make sense and answer your question Fabian?
Hi,

On Thursday, 11 April 2019, 15:25:24 CEST, Richard Brown wrote:
Yes, but the images offered are (hopefully!) not only used on openSUSE systems. In this case Aleksa has a valid concern about namespace/repo name overlap, which is something we can't just ignore because "it works on openSUSE". Containers are meant to work outside of a single environment after all. registry.opensuse.org doesn't really validate names or anything else for that matter, so we would need to be careful here. You can just create an image called "föo:latest:latest" if you wanted to, but it just wouldn't work with every client.
That's debatable - do we actually need a Kubic base container? The current kubic-* containers are all using plain Tumbleweed as content, so they would perfectly fit the "tumbleweed/$containername" description. I'd say we would need it if we can answer this question appropriately: What would be the difference between e.g. tumbleweed/cilium and kubic/cilium? If so, the answer could be the base for a definition on what "kubic/" means.
Technically doable, just not supported by kiwi currently - multiple tags are allowed (additionaltags="latest,%OS_VERSION_ID%"), but not multiple namespace/repository names.
I think the way we've done mapping with registry.opensuse.org should work fine with that already.
Yes.
opensuse/ is just a namespace - there isn't a home base container either just because you can pull registry.opensuse.org/home/foo/bar/baz. I'd say as long as there is a clear definition what each namespace means, it doesn't necessarily have to be uniform to "$base/$containername".
Yes and yes - but let's wait for some more opinions on this topic.

Cheers,
Fabian
On Thu, 11 Apr 2019 at 15:56, Fabian Vogt <fvogt@suse.de> wrote:
Yes, but we shouldn't just cater to the lowest common denominator of one less-than-ideal runtime. My proposals work for any other distribution using any saner OCI runtime, such as podman on Fedora, who may have registry.opensuse.org interleaved between a Fedora registry and dockerhub in their registry config for example. In that case their "podman pull fedora" would pull a fedora image from a fedora registry, "podman pull tumbleweed" would pull TW from our registry, and "podman pull alpine" from the docker hub.
I'd be fine without a kubic/ base container or namespace, and having all Kubic configurations/manifests referencing tumbleweed/$foo instead.
I'm confused - you say kiwi doesn't support it, then agree with my suggestion that we have it working already. If registry.opensuse.org maps the /opensuse namespace as its default for the purposes of people pulling from registry.opensuse.org, I don't care how ;)
True, but in the opensuse/ namespace, aka the default registry.opensuse.org namespace, aka the "official openSUSE containers" namespace, I think the $base/$containername approach is the only reasonable one available.
Hi,

On Thursday, 11 April 2019, 16:14:43 CEST, Richard Brown wrote:
I would say that we need to - the majority of users use docker. Granted, I don't have any numbers to prove that, but I've seen much more "docker pull" or "docker build" in the wild than anything else.
I meant that the pull commands you wrote there ("podman pull opensuse/tumbleweed"/"podman|docker pull opensuse/leap") already work, not the aliasing to their counterpart without opensuse/.
That's a misunderstanding: registry.opensuse.org does not map anything. The containers themselves contain "opensuse/tumbleweed" as name. Every container published below the openSUSE:Containers project is published at the registry "root", registry.opensuse.org/ as-is.
There is no such thing as a "default registry namespace" - it's a flat map and official containers can place themselves anywhere they want to. If we need aliases, those should be part of the container images themselves.
I think the $base/$containername approach is the only reasonable one available.
Cheers,
Fabian
On Thu, 11 Apr 2019 at 16:37, Fabian Vogt <fvogt@suse.de> wrote:
Let's agree to disagree there. I will not be referencing docker (or to refer to it as the only way Docker Inc supports "the docker container runtime") in any examples or documentation I ever write, nor will I be contributing to any solution that only benefits docker (aka "the docker container runtime"). But I won't be taking any actions that purposefully inconvenience docker (aka "the docker container runtime").
okay then, so no "podman pull tumbleweed" or "podman pull tumbleweed/$foo" ever?

instead "podman pull opensuse/tumbleweed" for the Tumbleweed base container and "podman pull opensuse/tumbleweed/$foo" for official containers derived from Tumbleweed.

I'm okay with that. I recognise that will work comfortably with the default registry of that other container runtime also ;)
Hi,

On Thursday, 11 April 2019, 16:52:33 CEST, Richard Brown wrote:
Which means that if it doesn't work with docker, doing it despite that would fall in the "purposeful inconvenience" category, wouldn't it? The conversion from intention to action is quite lossy.
If you're referencing the "Hub of that other container runtime", nope, it only supports a single layer of namespace/repository. So opensuse/tumbleweed is ok, opensuse/tumbleweed/foo isn't. "$othertool pull registry.opensuse.org/opensuse/tumbleweed/foo" should, though, if the overlap isn't an issue.

Cheers,
Fabian
On Thu, Apr 11, Richard Brown wrote:
I don't like that, for most people this would be

podman pull registry.opensuse.org/opensuse/tumbleweed/$foo

Why too long, complicated and with duplicate information?

I like the:

Base containers:
opensuse/tumbleweed
opensuse/leap

derived containers/product containers:
tumbleweed/foo
leap/bla
kubic/flannel
...

much more. No duplicate information, no problem if "/tumbleweed" is a base container or a namespace.

Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Linux GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Mary Higgins, Sri Rasiah, HRB 21284 (AG Nuernberg)
On 2019-04-11, Richard Brown <RBrownCCB@opensuse.org> wrote:
It's great that you feel free enough to act in that way, but it doesn't change whether Docker is still incredibly widely used (which it is, regardless of anyone's opinion on the project).
I think that "podman pull tumbleweed" would be totally fine -- this would be "docker pull registry.opensuse.org/tumbleweed". This actually makes more sense if you have the full registry name -- see my other mail for my concerns about having registry.opensuse.org/ as a default. But ultimately having it as a default isn't the end of the world (though I don't really agree it's as much of an improvement as you might think). -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
On Fri, 12 Apr 2019 at 16:28, Aleksa Sarai <asarai@suse.de> wrote:
Parking this part of the conversation - I get where you're coming from, and I think our difference in viewpoint is best discussed in a more casual venue. I will say, I think something is very wrong if you don't realise that as an openSUSE contributor you are also free enough to act in that way. (At work, sure, different story..you have my sympathy there).
Fair view, but thinking as a 'lazy user', it sure is a lot of finger work typing "registry.opensuse.org" all the darn time.

Any suggestions for a nice snazzy short URL like Google have with gcr.io?

- Rich
On Friday, 12 April 2019, 18:10:30 CEST, Richard Brown wrote:
Eh, bash_history? AFAIK I typed docker pull collabora/code only once. After that docker p[PgUp] made retyping this unnecessary.
Any suggestions for a nice snazzy short URL like Google have with gcr.io?
- Rich
Eh, roo.io ??

--
Gertjan Lettink a.k.a. Knurpht
openSUSE Board Member
openSUSE Forums Team
On 2019-04-12, Richard Brown <RBrownCCB@opensuse.org> wrote:
Does anyone own su.se? Or opensu.se? -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
On 2019-04-11, Richard Brown <RBrownCCB@opensuse.org> wrote:
That "one less-than-ideal runtime" is the most commonly used runtime. This means that not interoperating with it defeats the point of having our own registry (which, by the way is a *Docker* registry). (In fact, the only runtime which supports this is libpod family, so I would argue that they are the "odd ones out" as it were.) But, we're getting side-tracked here. This is a discussion about naming conventions *not* what the default registry config is going to be for one runtime we ship (that is a separate conversation -- because regardless of that decision we need to make sure it makes sense for non-openSUSE users).
Do you know if they're willing to make such a change? This is just going to cause headaches when users copy-paste scripts between distros... (Personally I think the solution to all of these headaches should've been to make all images require the registry name -- the default registry has caused a bunch of other unrelated headaches as well.) -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
On Fri, Apr 12, 2019 at 10:22 AM Aleksa Sarai <asarai@suse.de> wrote:
Has anyone actually reached out? I can honestly say no one has asked about this before. I personally don't see a reason why the Fedora Container SIG[1] would have a problem working with openSUSE and having both registries configured for Fedora's container tools, as long as it was reciprocated in kind.

Someone just has to ask. And no, it won't be me, because I want someone who maintains the container tooling in openSUSE to reach out to the folks on the Fedora side. I've got enough on my plate. :)

We're all friends, stop pretending we're not. :)

[1]: https://fedoraproject.org/wiki/Container_SIG

--
真実はいつも一つ!/ Always, there's only one truth!
On 2019-04-13, Neal Gompa <ngompa13@gmail.com> wrote:
No-one has reached out, I was mostly thinking out loud -- we haven't decided what's going to happen with the naming yet.
We're all friends, stop pretending we're not. :)
Of course we are, though as I mentioned my main worry with this is that image names will become non-portable between distros -- unless we have an inter-distro agreement that Debian/Ubuntu/Arch/Fedora/openSUSE/... will all have their registries listed. Another potential issue is that you're now by-default shipping binaries (containers) from another distribution which might result in some interesting security policy questions. Obviously this is something that could be resolved. -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
On Thu, Apr 11, Fabian Vogt wrote:
That's debatable - do we actually need a Kubic base container?
No, this doesn't make any sense.
The "tumbleweed/cilium" would be a generic tumbleweed container containing cilium for generic usage. The "kubic/cilium" container would be designed for openSUSE Kubic and makes only sense for a kubernetes cluster, but not on a plain Tumbleweed or other distribution.
If so, the answer could be the base for a definition on what "kubic/" means.
tumbleweed/* -> generic useable containers on any Container Host OS
kubic/* -> "system" containers specially designed for kubernetes on openSUSE Kubic, running them standalone on any Container Host OS will not make sense or wouldn't even work.

I see a differentiator between tumbleweed/* and kubic/*

Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Linux GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Mary Higgins, Sri Rasiah, HRB 21284 (AG Nuernberg)
Hi,

not that people think this discussion stopped without decision ;)

We had some more personal discussions, and it looks like we will do the same approach for openSUSE as we did already for SUSE: we will have two registries. The current one, which contains all containers falling out of OBS, and a new one, which contains the official openSUSE images.

This should solve most problems we currently face, especially the problem, which container images are from a devel project, and which are official ones.

Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Linux GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Mary Higgins, Sri Rasiah, HRB 21284 (AG Nuernberg)
participants (6)
- Aleksa Sarai
- Fabian Vogt
- Knurpht-openSUSE
- Neal Gompa
- Richard Brown
- Thorsten Kukuk
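
Added example, not part of the thread and not code from openSUSE, Docker or podman: a small model of the name resolution the thread argues about, showing why an unqualified name such as "tumbleweed" is not portable between a client with one fixed default registry and a client with an ordered search list, plus checks for the single-level Docker Hub namespace and for the repository/namespace overlap. The search order, the catalogue and the host "registry.fedora.example" are constructed for illustration; digests are not handled.

```python
DOCKER_HUB = "docker.io"

# Constructed search order for the multi-registry scenario in the thread;
# "registry.fedora.example" is a placeholder, not a real host.
SEARCH = ["registry.fedora.example", "registry.opensuse.org", DOCKER_HUB]

# Constructed catalogue: which repository exists on which registry.
CATALOGUE = {
    "registry.fedora.example/fedora",
    "registry.opensuse.org/tumbleweed",
    "registry.opensuse.org/opensuse/tumbleweed",
    "docker.io/opensuse/tumbleweed",
    "docker.io/library/alpine",
}


def split_reference(ref):
    """Return (registry or None, path, tag). Digests (@sha256:...) are not handled."""
    name, tag = ref, "latest"
    if ":" in ref.rsplit("/", 1)[-1]:       # a colon after the last slash is a tag
        name, tag = ref.rsplit(":", 1)
    first, _, rest = name.partition("/")
    # The first component is a registry host only if it looks like one:
    # it contains "." or ":", or it is "localhost".
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first, rest, tag
    return None, name, tag


def _qualify(registry, path, tag):
    if registry == DOCKER_HUB and "/" not in path:
        path = "library/" + path            # Hub's implicit namespace for bare names
    return f"{registry}/{path}:{tag}"


def docker_resolve(ref):
    """One fixed default registry: unqualified names always go to Docker Hub."""
    registry, path, tag = split_reference(ref)
    return _qualify(registry or DOCKER_HUB, path, tag)


def search_candidates(ref, search=SEARCH):
    """Ordered search list: an unqualified name is tried on each registry in turn."""
    registry, path, tag = split_reference(ref)
    if registry:
        return [_qualify(registry, path, tag)]
    return [_qualify(r, path, tag) for r in search]


def first_hit(ref, search=SEARCH, catalogue=CATALOGUE):
    """First candidate whose repository exists; this is the image that gets pulled."""
    for cand in search_candidates(ref, search):
        if cand.rsplit(":", 1)[0] in catalogue:
            return cand
    return None


def hub_publishable(path, namespace="opensuse"):
    """Docker Hub accepts exactly one namespace level: 'opensuse/foo' only."""
    return path.count("/") == 1 and path.startswith(namespace + "/")


def repo_namespace_overlaps(names):
    """Names that are both a repository and a prefix of another repository."""
    return sorted(n for n in names if any(o.startswith(n + "/") for o in names))
```

Pinning the fully qualified name (registry.opensuse.org/...) in scripts and manifests removes the dependence on the client's registry configuration.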