[Proposal] Add image-service to dragonfly project

[bergwolf]

Introduction

Dragonfly has been very good at distributing container images, and is an excellent candidate for container distribution standard in the cloud native world. In the recent months, the OCI (Open Container Initiate) community has been actively discussing the emerging of OCI image spec v2. Here we propose an image-service to be included in the dragonfly project as a subsidiary project.

The image-service project is designed and implemented by developers at Ant Financial and Alibaba Cloud. It has been put in production usage and shown vast improvements over the old OCI image format in terms of container launching speed, image space and network bandwidth efficiency, as well as data integrity. The image-service project can also serve as an example and reference implementation for the on-going OCI image spec v2 discussion. It is a good addition to the dragonfly landscape to better support container image distribution and help users to launch containers in a faster, more efficient, and more secure way.

Problems with the current OCI Image Spec

• Before starting a container, images must be pulled and decompressed to the local filesystem. While only a small fraction of an image is used by applications, runtime has to wait for an entire container image to be pulled before creating new containers.
• Deduplication at image layer level is less efficient
• Metadata only modification would cause the file data to be saved again in the new layer
• Files modified in multiple layers are downloaded multiple times while only the last modified file data is actually useable for containers
• Deleted files/directories are still downloaded when pulling an image
• Image data are not verifiable after being decompressed
• While distribution spec is general available, it is less efficient and enterprise users want to pursuit better storage backends
• The tgz format has its own drawbacks
  • There is no universal standard for tar: mainstream tar tools try to be compatible with each other at best effort
  • Tar files are not seek-able
  • No parallel untar/decompression

Image-service architecture

Image-service features

It designs and implements a user space filesystem on top of a special designed container image format that improves at all the above mentioned OCI image spec defects. Key features include:

• Container images are downloaded on demand
• Chunk level data duplication with configurable chunk size
• Flatten image metadata and data to remove all intermediate layers
• Only usable image data is saved when building a container image
• Only usable image data is downloaded when running a container
• End-to-end image data integrity
• Compatible with the OCI artifacts spec and distribution spec
• Integrated with existing CNCF project dragonfly to support image distribution in large clusters
• Except for the OCI distribution spec, other image storage backends can be supported as well

Image format

Plans after being accepted

The image-service project will continue evolving along with the discussion of OCI image spec v2. Its architecture and image format may change, but the plan as a reference implementation for the emerging OCI image spec v2 will be the same. Also the goal of helping dragonfly project to support container image distribution in a fast, efficient and secure way, will be the same.

[lowzj]

@inoc603 @zhouhaibing089 @starnop @allencloud @garfield009 @chenchaobing PTAL

• @allencloud
• @chenchaobing
• @garfield009
• @inoc603
• @lowzj
• @starnop
• @zhouhaibing089

[lowzj]

@SataQiu @yeya24 @wangforthinker PTAL

[inoc603]

Looks cool.

Does the new OCI v2 image format require changes to the registry API?

[lowzj]

Looks cool.

Does the new OCI v2 image format require changes to the registry API?

Here is an extension proposal of distribution spec to expose extended API.

[zhouhaibing089]

Nice! Do you have the link where the new spec is being discussed?

[bergwolf]

The oci-dev mailing list has several related threads. And there is a shared document to discuss OCIv2 requirements https://hackmd.io/@cyphar/ociv2-brainstorm

[allencloud]

LGTM

[starnop]

LGTM.

[SataQiu]

LGTM

[chenchaobing]

LGTM

[inoc603]

LGTM

[zhouhaibing089]

Though I didn't attend the meeting, I do think this is pretty promising!

LGTM

[bergwolf]

Thank you all dragonfly community members! We have just pushed the new image service source code to https://github.com/dragonflyoss/image-service. Look forward to helping more Dragonfly users to access container images fast, securely and easily!