
DOCIR - Dynamic OCI Registry

OnGres
September 09, 2025


OCI registries, like Distribution, Harbor and several other cloud-based registries, serve “static”, or pre-defined OCI (container) images. But what if we wanted to generate images dynamically?

A dynamic image is one that doesn’t need to be pre-defined, and can be composed on-the-fly based on a user’s preference expressed at image pull time. Not at the packager’s design time.

Think of what dynamic languages did for the web, but for container images. Enter a-la-carte container images.

Open a new world where users may have the exact container image that they want: with the base “OS” that they want, any number of components, minimal images or debugging images, with initial data or not, etc.

A Dynamic OCI Registry is not one that calls “docker build” behind the scenes, but rather one that has a “dynamic business logic” capable of composing layers from existing images and generating the appropriate manifests in real time.

Talk will include a live demo!

Original event URL: https://www.containerdays.io/containerdays-conference-2025/agenda/#sz-session-892858


Transcript

  1. @ahachete `whoami`
     Alvaro Hernandez <[email protected]> aht.es
     • Founder & CEO, OnGres
     • 20+ years Postgres user and DBA
     • Mostly doing R&D to create new, innovative software on Postgres
     • More than 140 tech talks, most about Postgres
     • Founder and President of the NPO Fundación PostgreSQL
     • AWS Data Hero
  2. Postgres extensions
     • Postgres extensions come from arbitrary, third-party repositories.
     • Users typically use several per instance.
     • It’s rare that no extensions are used at all.
     • There’s a long tail of which extensions users actually use.
     • Some repos host 200-400 extensions. Total est: 1,000.
  3. Option 1: the “fatty” container
     • Size
     • Security
     • Restarts (downtime)
     Image: commons.wikimedia.org/wiki/File:Overloaded_Truck_%2810522133955%29.jpg
  4. Option 2: dynamically inject into container (runtime)
     • Security
     • Startup time
     • Approach followed in StackGres. See https://aht.es/#talks-postgres_extensions_in_kubernetes
  5. Option 3: generate all possible container images
     Formula to compute the total number of possible images, considering n extensions to choose from
  6. Option 3: generate all possible container images
     The formula to compute the total number of possible images, considering n extensions to choose from, is bigger than
  7. First step: pack extensions as OCI images
     Why Postgres extensions should be packaged and distributed as OCI images
  8. DOCIR: Dynamic OCI Registry
     • A new, from scratch, OCI Registry following the official specs.
     • Composes dynamic images on the fly:
       ◦ Adding (pre-existing) layers on-demand
       ◦ Generating dynamic manifests (index, image manifest, runtime config)
     • Dynamic business logic is custom: you decide how to compose layers
     • Similar to nixery.dev, but more general purpose
  9. How to encode components in the image name?
     <name>:<reference>
     name: [a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*(\/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*
     reference: [a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}
     https://github.com/opencontainers/distribution-spec/blob/main/spec.md
  10. The image “URL”
     • It’s part of the “business logic” (i.e. custom)
     • Example: use a URL-like name
       ◦ Name: postgres/e/ext1/ext2/ext3
       ◦ Reference: ignored
       ◦ With explicit versioning: postgres--16.3/e/ext1--v1/ext2--v2
     • Potential limits to “URL” length! (e.g. Docker)
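As an added example (not DOCIR's own code, which is Java), here is a Python parser for the URL-like name scheme on slides 9 and 10: it validates the name and reference against the distribution-spec grammar quoted above before splitting out flavor, version and extensions, so nothing outside the grammar reaches the layer-mapping logic. The `/e/` marker, the `--` version separator and the `MAX_NAME_LEN` cap are assumptions taken from the slide's example.

```python
import re

# <name> and <reference> grammar as quoted from the OCI distribution spec on the slide.
NAME_RE = re.compile(r"^[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*(\/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*$")
REFERENCE_RE = re.compile(r"^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$")
# Assumed cap: the slide only says clients limit the "URL" length, not the exact number.
MAX_NAME_LEN = 255

def split_version(component: str) -> tuple:
    # "--" separates a component from its version; a single "-" stays part of the name (pg-trgm).
    head, sep, version = component.partition("--")
    if sep and not version:
        raise ValueError(f"empty version in {component!r}")
    return head, (version or None)

def parse_dynamic_image(image: str) -> dict:
    """Decode '<flavor>[--<ver>]/e/<ext>[--<ver>]/...[:<reference>]' into its components.
    Anything outside the spec grammar is rejected before it can reach the layer lookup."""
    name, sep, reference = image.partition(":")
    if not name or len(name) > MAX_NAME_LEN or not NAME_RE.match(name):
        raise ValueError(f"invalid OCI name: {name!r}")
    if sep and not REFERENCE_RE.match(reference):
        raise ValueError(f"invalid OCI reference: {reference!r}")
    parts = name.split("/")
    if len(parts) < 3 or parts[1] != "e":
        raise ValueError("expected <flavor>/e/<ext>[/<ext>...]")
    flavor, flavor_version = split_version(parts[0])
    extensions, seen = [], set()
    for part in parts[2:]:
        ext, ext_version = split_version(part)
        if ext in seen:
            raise ValueError(f"extension {ext!r} requested twice")
        seen.add(ext)
        extensions.append((ext, ext_version))
    # The reference is ignored by the business logic (per the slide) but is still validated.
    return {"flavor": flavor, "flavor_version": flavor_version,
            "extensions": extensions, "reference": reference or None}

def is_valid_dynamic_image(image: str) -> bool:
    try:
        parse_dynamic_image(image)
        return True
    except ValueError:
        return False
```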
  11. DOCIR today
     • Written in modern Java (21) + Quarkus.
     • Dynamic generation is “custom business logic”, to be implemented.
     • Maps from name:reference to an array of layers and a runtime config.
     • Supports multi-arch dynamic container images, token authentication and S3 backend storage.
  12. DOCIR today: automatic metadata collection
     • Mapping name:reference to a list of layers is trivial for simple cases, but may otherwise require layer metadata.
     • DOCIR provides an interface for OCI metadata extraction.
     • And an implementation for storing metadata on a Postgres database.
     • Mapping business logic can talk to the database to determine the layers to add to the image.
  13. DOCIR: metadata
     name          | pga/extension/cube-16.4
     reference     | 10-linux-amd64
     id            | 6179
     digest        | sha256:fe19652abbbe1fb4a1d87d668657ef3758a96441403dad43fd002c8bd3267d48
     arch          | amd64
     arch_variant  |
     os            | linux
     title         | cube 16.4
     description   | cube v16.4 for PostgreSQL 16.4
     ...
     custom_labels | {
       "sh.pga.containers.type": "extension",
       "sh.pga.containers.homeURL": "https://postgresql.org",
       "sh.pga.containers.component.name": "cube",
       "sh.pga.containers.repository.tag": "REL_16_4",
       "sh.pga.containers.repository.url": "https://git.postgresql.org/git/postgresql.git",
       "sh.pga.containers.metadataVersion": "v1beta1",
       "sh.pga.containers.description.long": "Extension cube v16.4 for PostgreSQL 16.4",
       "sh.pga.containers.extension.flavor": "postgres",
       "sh.pga.containers.extensions.cube.tags": "contrib",
       "sh.pga.containers.extension.flavorVersion": "16.4",
       "sh.pga.containers.extensions.cube.install": "true",
       "sh.pga.containers.extensions.cube.trusted": "true",
       "sh.pga.containers.repository.commitDigest": "REL_16_4",
       "sh.pga.containers.extension.flavor.version": "16.4",
       "sh.pga.containers.extensions.cube.categories": "extension"
     }
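Added example, not DOCIR's own code: using a couple of constructed metadata rows in the shape of the table above (the `size` and `diff_id` columns are assumed, and every digest is a fake sample value), this performs the layer lookup from slide 12 and the dynamic manifest and runtime-config generation from slide 8 for one request. The config is referenced by digest, and the manifest digest is computed over exactly the bytes that would be served, which is what a pulling client verifies.

```python
import hashlib
import json

MANIFEST_MT = "application/vnd.oci.image.manifest.v1+json"
CONFIG_MT = "application/vnd.oci.image.config.v1+json"
LAYER_MT = "application/vnd.oci.image.layer.v1.tar+gzip"
T = "sh.pga.containers."  # label prefix used in the metadata on the slide
# Constructed rows shaped like the metadata table on the slide (digest, arch, os, custom_labels).
# 'size' and 'diff_id' (uncompressed-layer digest) are assumed extra columns; every digest is fake.
ROWS = [
    {"digest": "sha256:" + "aa" * 32, "diff_id": "sha256:" + "ab" * 32, "size": 70_000_000,
     "arch": "amd64", "os": "linux", "custom_labels": {T + "type": "base",
     T + "extension.flavor": "postgres", T + "extension.flavor.version": "16.4"}},
    {"digest": "sha256:" + "cc" * 32, "diff_id": "sha256:" + "cd" * 32, "size": 20_480,
     "arch": "amd64", "os": "linux", "custom_labels": {T + "type": "extension",
     T + "component.name": "cube", T + "extension.flavor": "postgres",
     T + "extension.flavor.version": "16.4"}},
]
def canonical_json(obj: dict) -> bytes:
    # Fixed serialization: the bytes that get hashed are exactly the bytes later served.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()
def find_layer(kind: str, flavor: str, version: str, arch: str, component: str = None) -> dict:
    # Stands in for the SQL query the business logic would run against the metadata table.
    for row in ROWS:
        lbl = row["custom_labels"]
        if (lbl.get(T + "type") == kind and row["arch"] == arch
                and lbl.get(T + "extension.flavor") == flavor
                and lbl.get(T + "extension.flavor.version") == version
                and (component is None or lbl.get(T + "component.name") == component)):
            return row
    raise LookupError(f"no {kind} layer for {component or flavor} {version}/{arch}")
def compose_image(flavor: str, version: str, extensions: list, arch: str) -> dict:
    """Base layer first, one layer per extension, then a content-addressed config and manifest."""
    rows = [find_layer("base", flavor, version, arch)]
    rows += [find_layer("extension", flavor, version, arch, ext) for ext in extensions]
    config = {"architecture": arch, "os": "linux",
              "config": {"Env": ["PG_VERSION=" + version], "Entrypoint": ["postgres"]},
              "rootfs": {"type": "layers", "diff_ids": [r["diff_id"] for r in rows]}}
    config_bytes = canonical_json(config)
    manifest = {"schemaVersion": 2, "mediaType": MANIFEST_MT,
                "config": {"mediaType": CONFIG_MT, "digest": sha256_digest(config_bytes),
                           "size": len(config_bytes)},
                "layers": [{"mediaType": LAYER_MT, "digest": r["digest"], "size": r["size"]}
                           for r in rows]}
    manifest_bytes = canonical_json(manifest)
    return {"manifest": manifest, "manifest_bytes": manifest_bytes, "config": config,
            "config_bytes": config_bytes, "manifest_digest": sha256_digest(manifest_bytes)}
```

An unknown extension or a missing arch raises `LookupError`, which the registry would surface as a 404 rather than composing a partial image.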
  14. DOCIR tomorrow (next steps)
     • Upcoming v1.0 (Q3-Q4 2025).
     • Will be published as fully OSS under AGPLv3.
     • TODO: OCI distribution full compliance.
     • Open discussion to propose more flexibility for name:reference.
     • Bindings for custom logic in non-Java languages?