container_images.pdf

Transcript

1. Manifests, blobs et tags Les images de conteneurs enfin digest(es)

   Yves Brissaud DevoxxFR 2025

2. Yves Brissaud 𝕏 🦋 @_crev_ @yves.brissaud.name

3. • Nécessité • Docker Hub → Images • Pull analytics

   → Images, tags, pull • Docker Scout → Images, tags, structure interne • Curiosité • Idées Pourquoi ?

4. ✓ Build & Inspect ✓ Push & Registry ✓ Pull

   & Tags ✓ Update ✓ Etendre 𐄂 Specifications théoriques https://github.com/opencontainers/image-spec Plan

5. Build

6. Build • Image de base • Multiples architectures • SSC

   materials • Multiples tags

7. Build • Image de base • Multiples architectures • SSC

   materials • Multiples tags FROM alpine COPY <<EOF /devoxx.txt Hello Devoxx EOF

8. Build • Image de base • Multiples architectures • SSC

   materials • Multiples tags $ docker build \ --platform linux/amd64,linux/arm64 \ --attest type=sbom \ --attest type=provenance,mode=max \ --tag localhost:5001/devoxx:latest \ --tag localhost:5001/devoxx:1 \ --tag localhost:5001/devoxx:1.0 \ --tag localhost:5001/devoxx:1.0.0 \ --push \ .

9. Inspect

10. Inspect • Extraire l’image • Explorer à partir de index.json

    $ mkdir image && cd image $ docker save localhost:5001/devoxx:latest | tar x $ code .

11. Image Index application/vnd.oci.image.index.v1+json linux/amd64 manifest application/ vnd.oci.image.manifest.v1+json linux/arm64 manifest application/

    vnd.oci.image.manifest.v1+json attestation-manifest application/ vnd.oci.image.manifest.v1+json attestation-manifest application/ vnd.oci.image.manifest.v1+json

12. Image Index application/vnd.oci.image.index.v1+json linux/amd64 linux/arm64 attestation-manifest attestation-manifest config blob layer

    layer … config blob layer layer … “Image" Multi-platform Image config blob config blob layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json

13. Push

14. Push / Pourquoi une registry et pas juste des archives

    ? ✓Déduplication ✓Metadata (tags) ✓Versions

15. Registry Blobs / PUSH v2 blobs sha256 1c 5a bb

    … 1c7e35ae… 5a0523cd… bb124008…

16. Registry Tags / PUSH v2 repositories <repo/name> _manifests tags latest

    current index sha256 <digest> link link 1 current index sha256 <digest> link link 1.0 …

17. Registry Tags / PUSH v2 repositories <repo/name> _manifests tags latest

    current index sha256 <digest> link link 1 current index sha256 <digest> link link 1.0 …

18. Registry Tags / PUSH v2 repositories <repo/name> _manifests tags latest

    current index sha256 <digest> link link 1 current index sha256 <digest> link link 1.0 … my/image:latest

19. Registry Tags / PUSH v2 repositories <repo/name> _manifests tags latest

    current index sha256 <digest> link link 1 current index sha256 <digest> link link 1.0 … my/image:latest@sha256:…

20. Registry / PUSH v2 repositories <repo/name> _manifests tags latest current

    index sha256 <digest> link link 1 current index sha256 <digest> link link 1.0 … blobs sha256 1c 5a bb … 1c7e3… 5a052… bb124…

21. Registry / PUSH v2 repositories <repo/name> _manifests tags latest current

    index sha256 <digest> link link 1 current index sha256 <digest> link link 1.0 … blobs sha256 1c 5a bb … 1c7e3… 5a052… bb124…

22. Pull

23. Pull / pull version linux/amd64 du tag latest 1.Convertir tag

    en digest 2.Sélectionner l’image pour la plate-forme 3.Télécharger les blobs config et layer

24. Pull / Convertir tag en digest HTTP/1.1 200 OK content-type:

    application/vnc.oci.image.index.v1+json docker-content-digest: sha256:bb12408994b47cd38d2 71756538fae38211912e1fc81b5bd2c8e6c1189e55f7a docker-distribution-api-version: registry/2.0 HEAD /v2/devoxx/manifests/latest

25. Registry / PUSH v2 repositories <repo/name> _manifests tags latest current

    index sha256 <digest> link link 1 current index sha256 <digest> link link 1.0 … blobs sha256 1c 5a bb … 1c7e3… 5a052… bb124…

26. Pull / Sélectionner le manifest { "schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json",

    "manifests": [{ "mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": “sha256:5a9523cb0b6df3ab430767d86c0672a75c53caa…”, "size": 668, "platform": { "architecture": "amd64", "os": "linux" } }, GET /v2/devoxx/manifests/sha256:…

27. Image Index application/vnd.oci.image.index.v1+json linux/amd64 linux/arm64 attestation-manifest attestation-manifest config blob layer

    layer … config blob layer layer … config blob config blob layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json

28. Pull / Sélectionner le manifest { "schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json",

    "config": { "mediaType": "application/vnd.oci.image.config.v1+json", "digest": "sha256:74031e380ebc651f1a88ccc475cb6ba373deb99f1dd08abacf91133b02fa973e", "size": 802 }, "layers": [{ "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:f18232174bc91741fdf3da96d85011092101a032a93a388b79e99e69c2d5c870", "size": 3642247 }, { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:9e7f22e90c58fde28040a694fe740d6fccf15abdd630d47484445063d21c15d4", "size": 118 } ] } GET /v2/devoxx/manifests/sha256:5a9523…

29. Image Index application/vnd.oci.image.index.v1+json linux/amd64 linux/arm64 attestation-manifest attestation-manifest config blob layer

    layer … config blob layer layer … config blob config blob layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json

30. Pull / Télécharger les blobs config et layer $ docker

    pull --platform linux/amd64 localhost:5001/devoxx:latest latest: Pulling from devoxx 9e7f22e90c58: Pull complete Digest: sha256:bb12408994b47cd38d271756538fae38211912e1fc81b5bd2c8e6c1189e55f7a Status: Downloaded newer image for localhost:5001/devoxx:latest localhost:5001/devoxx:latest GET /v2/devoxx/blobs/sha256:… GET /v2/devoxx/blobs/sha256:… …

31. Image Index application/vnd.oci.image.index.v1+json linux/amd64 linux/arm64 attestation-manifest attestation-manifest config blob layer

    layer … config blob layer layer … config blob config blob layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json

32. Pull / Requests HEAD /v2/devoxx/manifests/<tag name> GET /v2/devoxx/manifests/<image index digest>

    GET /v2/devoxx/manifests/<image manifest digest> GET /v2/devoxx/blobs/<config digest> GET /v2/devoxx/blobs/<layer digest> GET /v2/devoxx/blobs/<layer digest> → conversion tag vers digest → image index JSON → image manifest JSON → config blob → layer blob → layer blob

33. Pull / pull version linux/amd64 du tag latest 1 1.Convertir

    tag en digest 2.Sélectionner l’image pour la plate-forme 3.Télécharger les blobs config et layer

34. Pull / pull version linux/amd64 du tag latest 1 Identique

    Manifests déjà téléchargés Blobs déjà téléchargés 1.Convertir tag en digest 2.Sélectionner l’image pour la plate-forme 3.Télécharger les blobs config et layer

35. Pull / Requests HEAD /v2/devoxx/manifests/<tag name> GET /v2/devoxx/manifests/<image index digest>

    GET /v2/devoxx/manifests/<image manifest digest> GET /v2/devoxx/blobs/<config digest> GET /v2/devoxx/blobs/<layer digest> GET /v2/devoxx/blobs/<layer digest> → conversion tag vers digest → image index JSON → image manifest JSON → config blob → layer blob → layer blob

36. Registry / PUSH v2 repositories <repo/name> _manifests tags latest current

    index sha256 <digest> link link 1 current index sha256 <digest> link link 1.0 … blobs sha256 1c 5a bb … 1c7e3… 5a052… bb124…

37. Update

38. Update / Nouvelle image •Editer / ajouter un layer •Tags

    existant et supplémentaire $ docker build \ --platform linux/amd64,linux/arm64 \ --attest type=sbom \ --attest type=provenance,mode=max \ --tag localhost:5001/devoxx:latest \ --tag localhost:5001/devoxx:1 \ --tag localhost:5001/devoxx:1.0 \ --tag localhost:5001/devoxx:1.0.1 \ --push \ .

39. Image Index application/vnd.oci.image.index.v1+json linux/amd64 linux/arm64 attestation-manifest attestation-manifest config blob layer

    layer … config blob layer layer … config blob config blob layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json

40. Registry / PUSH v2 repositories <repo/name> _manifests tags latest current

    index sha256 <digest> link link 1.0.0 current index sha256 <digest> link link 1 … blobs sha256 1c 5a bb … 1c7e3… 5a052… bb124… <digest> link 1.0.1 current index sha256 <digest> link link

41. Etendre

42. Etendre / OCI Artifacts Everywhere

43. Image Index application/vnd.oci.image.index.v1+json linux/amd64 linux/arm64 attestation-manifest attestation-manifest config blob layer

    layer … config blob layer layer … config blob config blob layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json

44. Etendre / OCI Artifacts Everywhere $ helm pull oci://docker.io/username/repo --version

    0.1.0 $ docker compose -f oci://docker.io/username/repo:latest up $ docker model pull ai/llama3.1:8B-Q4_K_M

45. Etendre / OCI Artifacts Everywhere { "schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json",

    "config": { "mediaType": "application/vnd.docker.ai.model.config.v0.1+json", "size": 445, "digest": "sha256:0a7e802a3fcd88654d0a0fc45d1f4f45fe34b2e52d39a77abb357b2ee720f9ed" }, "layers": [{ "mediaType": "application/vnd.docker.ai.gguf.v3", "size": 4920739200, "digest": "sha256:15f25f7d652061d381368a2f6fa8b2fc6a6c179530cf73080e2a71ff5cd390f1" }, { "mediaType": "application/vnd.docker.ai.license", "size": 7627, "digest": "sha256:64e1b2889b7892e6bbe7a7ed5bfe6ff793c61f9d584345f8f41cf9f5cb30a369" }, { "mediaType": "application/vnd.docker.ai.license", "size": 4691, "digest": "sha256:a568f2ebc73cec3fd74ba2afd992d4e945a8c7a9d851f9b66163aac834b7b859" }] } ai/llama3.1:8B-Q4_K_M

46. Etendre / OCI Artifacts Everywhere { "config": { "size": "4.58

    GiB", "architecture": "llama", "format": "gguf", "parameters": "8.03 B", "quantization": "IQ2_XXS/Q4_K_M" }, "descriptor": { "created": "2025-04-03T13:02:48.564612+02:00" }, "rootfs": { "diff_ids": [ "sha256:15f25f7d652061d381368a2f6fa8b2fc6a6c179530cf73080e2a71ff5cd390f1", "sha256:64e1b2889b7892e6bbe7a7ed5bfe6ff793c61f9d584345f8f41cf9f5cb30a369", "sha256:a568f2ebc73cec3fd74ba2afd992d4e945a8c7a9d851f9b66163aac834b7b859" ], "type": "rootfs" } } ai/llama3.1:8B-Q4_K_M

47. Etendre / OCI Artifacts Everywhere ==> Downloading https://ghcr.io/v2/homebrew/core/htop/manifests/3.4.1 ==> Fetching

    htop ==> Downloading https://ghcr.io/v2/homebrew/core/htop/blobs/sha256:275705a… ==> Downloading https://ghcr.io/v2/homebrew/core/golangci-lint/manifests/2.1.1 ==> Fetching golangci-lint ==> Downloading https://ghcr.io/v2/homebrew/core/golangci-lint/blobs/sha256:f76c577… Homebrew

48. Etendre / OCI Artifacts Everywhere ✓ Wasm modules ✓ Docker

    volumes ✓ Dev containers ✓ … ? Documentation ? Runbooks ? …

49. Merci 🙏 𝕏 🦋 @_crev_ @yves.brissaud.name Session Feedback Slides