Manifests, blobs et tags : les images de conteneurs enfin digest(es)

Transcript

1. SunnyTech 2025 - Yves Brissaud Les images de conteneur enfin

   digest(es) Manifests, Blobs et Tags

2. 𝕏 🦋 @_crev_ @yves.brissaud.name Yves Brissaud

3. https://dagger.io Build your modern software factory. Work f lows a

   nd dev environments - For CI - For Agents By the cre a tors of Docker https://github.com/dagger/dagger https://github.com/dagger/container-use

4. Plan ✓Voc a bul a ire ✓Pourquoi ? ✓Build &

   Inspect ✓Push & Registry ✓Pull & T a gs ✓Upd a te ✓Au del à 𐄂 Spéci f ic a tions théoriques https://github.com/opencont a iners/im a ge-spec

5. Vocabulaire • Im a ge de conteneur ~= Im a

   ge docker ~= Im a ge OCI ~= OCI Artif a ct • OCI: Open Cont a iner Initi a tive https://opencont a iners.org/ • Digest / H a sh (sh a 256)

6. (s’intéresser au format des images) Pourquoi ? • Docker Hub

   • Registry • Pull a n a lytics • Docker Scout • CNAB / Docker App • …

7. (s’intéresser au format des images) Pourquoi ?

8. (s’intéresser au format des images) Pourquoi ? • Homebrew ?

   -> Im a ge • LLM a vec Docker Model Runner ? -> Im a ge • Compose ? Helm ? -> Im a ge • AWS L a mbd a ? -> Im a ge • …

9. Build

10. Build • Im a ge de b a se •

    Multiples a rchitectures • SSC m a teri a ls • Multiples t a gs

11. Build • Im a ge de b a se •

    Multiples a rchitectures • SSC m a teri a ls • Multiples t a gs FROM alpine COPY <<EOF /sunnytech.txt Hello Sunny Tech EOF

12. Build • Im a ge de b a se •

    Multiples a rchitectures • SSC m a teri a ls • Multiples t a gs $ docker build \ --platform linux/amd64,linux/arm64 \ --attest type=sbom \ --attest type=provenance,mode=max \ --tag localhost:5001/sunny:latest \ --tag localhost:5001/sunny:1 \ --tag localhost:5001/sunny:1.0 \ --tag localhost:5001/sunny:1.0.0 \ --push \ .

13. Inspect

14. Inspect • Extr a ire l’im a ge • Explorer

    • Depuis index.json $ mkdir image && cd image $ docker save \ localhost:5001/sunny:latest | tar x $ $EDITOR .

15. Image Index application/vnd.oci.image.index.v1+json linux/amd64 manifest application/ vnd.oci.image.manifest.v1+json linux/arm64 manifest application/

    vnd.oci.image.manifest.v1+json attestation-manifest application/ vnd.oci.image.manifest.v1+json attestation-manifest application/ vnd.oci.image.manifest.v1+json

16. Image Index application/vnd.oci.image.index.v1+json linux/amd64 linux/arm64 attestation-manifest attestation-manifest config blob layer

    layer … config blob layer layer … config blob config blob layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json “Image" Multi-platform Image

17. Push

18. Pourquoi une registry et pas juste des archives ? Push

    ✓Déduplic a tion ✓Met a d a t a (t a gs) ✓Historique des versions

19. v2 blobs sha256 1c 5a bb … 1c7e35ae… 5a0523cd… bb124008…

20. v2 repositories <repo/name> _manifests tags latest current index sha256 <digest>

    link link 1 current index sha256 <digest> link link 1.0 …

21. v2 repositories <repo/name> _manifests tags latest current index sha256 <digest>

    link link 1 current index sha256 <digest> link link 1.0 …

22. v2 repositories <repo/name> _manifests tags latest current index sha256 <digest>

    link link 1 current index sha256 <digest> link link 1.0 … my/image:latest

23. v2 repositories <repo/name> _manifests tags latest current index sha256 <digest>

    link link 1 current index sha256 <digest> link link 1.0 … my/image:latest@sha256:…

24. v2 repositories <repo/name> _manifests tags latest current index sha256 <digest>

    link link 1 current index sha256 <digest> link link 1.0 … blobs sha256 1c 5a bb … 1c7e3… 5a052… bb124…

25. v2 repositories <repo/name> _manifests tags latest current index sha256 <digest>

    link link 1 current index sha256 <digest> link link 1.0 … blobs sha256 1c 5a bb … 1c7e3… 5a052… bb124…

26. Pull

27. Pull version linux/amd64 du tag latest Pull 1.Convertir t a

    g en digest 2.Sélectionner l’im a ge pour l a pl a teforme 3.Téléch a rger les blobs con fi g et l a yer

28. Convertir tag en digest Pull HTTP/1.1 200 OK content-type: application/vnc.oci.image.index.v1+json

    docker-content-digest: sha256:bb12408994b47cd38d2 71756538fae38211912e1fc81b5bd2c8e6c1189e55f7a docker-distribution-api-version: registry/2.0 HEAD /v2/sunny/manifests/latest

29. v2 repositories <repo/name> _manifests tags latest current index sha256 <digest>

    link link 1 current index sha256 <digest> link link 1.0 … blobs sha256 1c 5a bb … 1c7e3… 5a052… bb124…

30. Sélectionner le manifest Pull { "schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json", "manifests":

    [{ "mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": “sha256:5a9523cb0b6df3ab430767d86c0672a75c53caa…”, "size": 668, "platform": { "architecture": "amd64", "os": "linux" } }, GET /v2/sunny/manifests/sha256:…

31. Image Index application/vnd.oci.image.index.v1+json linux/amd64 linux/arm64 attestation-manifest attestation-manifest config blob layer

    layer … config blob layer layer … config blob config blob layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json

32. Sélectionner le manifest Pull GET /v2/sunny/manifests/sha256:5a9523… { "schemaVersion": 2, "mediaType":

    "application/vnd.oci.image.manifest.v1+json", "config": { "mediaType": "application/vnd.oci.image.config.v1+json", "digest": "sha256:74031e380ebc651f1a88ccc475cb6ba373deb99f1dd08abacf91133b02fa973e", "size": 802 }, "layers": [{ "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:f18232174bc91741fdf3da96d85011092101a032a93a388b79e99e69c2d5c870", "size": 3642247 }, { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:9e7f22e90c58fde28040a694fe740d6fccf15abdd630d47484445063d21c15d4", "size": 118 } ] }

33. Image Index application/vnd.oci.image.index.v1+json linux/amd64 linux/arm64 attestation-manifest attestation-manifest config blob layer

    layer … config blob layer layer … config blob config blob layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json

34. Télécharger les blobs con fi g et layer Pull GET

    /v2/sunny/blobs/sha256:… GET /v2/sunny/blobs/sha256:… … $ docker pull --platform linux/amd64 localhost:5001/sunny:latest latest: Pulling from sunny 74031e380ebc: Pull complete 9e7f22e90c58: Pull complete Digest: sha256:bb12408994b47cd38d271756538fae38211912e1fc81b5bd2c8e6c1189e55f7a Status: Downloaded newer image for localhost:5001/sunny:latest localhost:5001/sunny:latest

35. Image Index application/vnd.oci.image.index.v1+json linux/amd64 linux/arm64 attestation-manifest attestation-manifest config blob layer

    layer … config blob layer layer … config blob config blob layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json

36. Requests Pull HEAD /v2/devoxx/manifests/<tag name> GET /v2/devoxx/manifests/<image index digest> GET

    /v2/devoxx/manifests/<image manifest digest> GET /v2/devoxx/blobs/<config digest> GET /v2/devoxx/blobs/<layer digest> GET /v2/devoxx/blobs/<layer digest> → conversion tag vers digest → image index JSON → image manifest JSON → config blob → layer blob → layer blob

37. Pull version linux/amd64 du tag latest 1 Pull 1.Convertir t

    a g en digest 2.Sélectionner l’im a ge pour l a pl a teforme 3.Téléch a rger les blobs con fi g et l a yer

38. Pull version linux/amd64 du tag latest 1 Pull 1.Convertir t

    a g en digest 2.Sélectionner l’im a ge pour l a pl a teforme 3.Téléch a rger les blobs con fi g et l a yer Identique M a nifest déj à téléch a rgé Blobs déj à téléch a rgés

39. Requests Pull HEAD /v2/devoxx/manifests/<tag name> GET /v2/devoxx/manifests/<image index digest> GET

    /v2/devoxx/manifests/<image manifest digest> GET /v2/devoxx/blobs/<config digest> GET /v2/devoxx/blobs/<layer digest> GET /v2/devoxx/blobs/<layer digest> → conversion tag vers digest → image index JSON → image manifest JSON → config blob → layer blob → layer blob

40. v2 repositories <repo/name> _manifests tags latest current index sha256 <digest>

    link link 1 current index sha256 <digest> link link 1.0 … blobs sha256 1c 5a bb … 1c7e3… 5a052… bb124…

41. Update

42. Nouvelle image Update • Editer / a jouter un l

    a yer • Mettre à jour des t a gs exist a nt • Ajouter des t a gs $ docker build \ --platform linux/amd64,linux/arm64 \ --attest type=sbom \ --attest type=provenance,mode=max \ --tag localhost:5001/sunny:latest \ --tag localhost:5001/sunny:1 \ --tag localhost:5001/sunny:1.0 \ --tag localhost:5001/sunny:1.0.1 \ --push \ .

43. Image Index application/vnd.oci.image.index.v1+json linux/amd64 linux/arm64 attestation-manifest attestation-manifest config blob layer

    layer … config blob layer layer … config blob config blob layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json

44. v2 repositories <repo/name> _manifests tags latest current index sha256 <digest>

    link link 1.0.0 current index sha256 <digest> link link 1 … blobs sha256 1c 5a bb … 1c7e3… 5a052… bb124… <digest> link 1.0.1 current index sha256 <digest> link link …

45. Etendre

46. OCI Artifacts Everywhere Au delà des images

47. OCI Artifacts Everywhere Au delà des images Étendre les im

    a ges Stocker… tout

48. Image Index application/vnd.oci.image.index.v1+json linux/amd64 linux/arm64 attestation-manifest attestation-manifest config blob layer

    layer … config blob layer layer … config blob config blob layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json layer application/vnd.in-toto+json

49. OCI Artifacts Everywhere Au delà des images $ helm pull

    oci://docker.io/username/repo --version 0.1.0 $ docker compose -f oci://docker.io/username/repo:latest up $ docker model pull ai/llama3.1:8B-Q4_K_M $ brew install cowsay

50. OCI Artifacts Everywhere Au delà des images { "schemaVersion": 2,

    "mediaType": "application/vnd.oci.image.manifest.v1+json", "config": { "mediaType": "application/vnd.docker.ai.model.config.v0.1+json", "size": 445, "digest": "sha256:0a7e802a3fcd88654d0a0fc45d1f4f45fe34b2e52d39a77abb357b2ee720f9ed" }, "layers": [{ "mediaType": "application/vnd.docker.ai.gguf.v3", "size": 4920739200, "digest": "sha256:15f25f7d652061d381368a2f6fa8b2fc6a6c179530cf73080e2a71ff5cd390f1" }, { "mediaType": "application/vnd.docker.ai.license", "size": 7627, "digest": "sha256:64e1b2889b7892e6bbe7a7ed5bfe6ff793c61f9d584345f8f41cf9f5cb30a369" }, { "mediaType": "application/vnd.docker.ai.license", "size": 4691, "digest": "sha256:a568f2ebc73cec3fd74ba2afd992d4e945a8c7a9d851f9b66163aac834b7b859" }] } ai/llama3.1:8B-Q4_K_M

51. OCI Artifacts Everywhere Au delà des images ai/llama3.1:8B-Q4_K_M { "config":

    { "size": "4.58 GiB", "architecture": "llama", "format": "gguf", "parameters": "8.03 B", "quantization": "IQ2_XXS/Q4_K_M" }, "descriptor": { "created": "2025-04-03T13:02:48.564612+02:00" }, "rootfs": { "diff_ids": [ "sha256:15f25f7d652061d381368a2f6fa8b2fc6a6c179530cf73080e2a71ff5cd390f1", "sha256:64e1b2889b7892e6bbe7a7ed5bfe6ff793c61f9d584345f8f41cf9f5cb30a369", "sha256:a568f2ebc73cec3fd74ba2afd992d4e945a8c7a9d851f9b66163aac834b7b859" ], "type": "rootfs" } }

52. OCI Artifacts Everywhere Au delà des images ✓WASM modules ✓Docker

    volumes ✓Dev cont a iners ✓… ? Document a tion ? Runbooks ? …

53. Merci 🙏 𝕏 🦋 @_crev_ @yves.brissaud.name