Use skopeo to pull container images #948

rnjudge · 2021-04-13T21:35:41Z

Background
Reference: https://kubernetes.io/blog/2020/12/02/dont-panic-kubernetes-and-docker/

TL;DR - Kubernetes currently uses Dockershim to access containerd container runtime. Dockershim is being removed from Kubelet which removes support for Docker as a container runtime in favor of other runtimes that use Container Runtime Interface created for K8s.

We would like Tern to run in Kubernetes. This means that we cannot use Docker commands to pull images from the registry with the-i command line option if we want Tern to run in Kubernetes after v1.2.0.

Proposal
Let's try to use subprocess + ORAS instead of the Docker python library to pull container images from a registry when running with the -i option. This will mean that we need to include the go module as a dependency of Tern.

Create an OCI image class and implement the load_image() method for it in accordance with how ORAS pulls images.
We may need an additional tool on top of ORAS. ORAS will send all the bytes of the downloaded image to stdout and we need to figure out how we store these results to analyze.

Use Cases

Deploying Tern as a k8s cluster on a CRD

The text was updated successfully, but these errors were encountered:

rnjudge · 2021-04-28T22:45:39Z

It does not appear that ORAS supports anonymous pulling of container images from Dockerhub at this time. Skopeo does support this behavior and therefore, we should explore using skopeo instead. A previous PR (#712) started to work on this and we may want to revive parts of this.

falcorocks · 2021-05-27T07:15:25Z

+1 on skopeo, I have used it to successfully achieve something similar to what you are trying to do here.
Abandoning docker in favour of something like skopeo would also make it much better for CI, where docker in docker is still a nogo for security reasons!

rnjudge · 2021-07-08T17:32:40Z

@mukultaneja is working on this. @falcorocks if you have any tips or pointers, feel free to drop them here :)

mukultaneja · 2021-07-15T19:43:29Z

@rnjudge @nishakm, how are we going to make skopeo as a requirement to tern moving onwards?

This is work towards tern-tools#948 OCI images on disk may be represented in different ways. As such the layer tarballs may exist at the root of the working directory rather than in their own path. This change allows alternative directory paths to be used based on the image layout. - Added a new property: image_layout to the ImageLayer class. The image_layout property will contain either "docker" or "oci" with the default being "oci" - Moved get_untar_dir from rootfs.py to be a method in the ImageLayer class. get_untar_dir will now return a directory path to the expected path where the layer's contents are untarred based on the image layout. Removed an unnecessary function in rootfs.py as a result. - Modified the mount_diff_layers to accept untarred directory paths instead of tar files. - Modified the function mount_overlay_fs in multi_layer.py to collect the directory paths instead of the tar file to pass to the mount_diff_layers function. - Added a new get_untar_dir test to the ImageLayer test suite. Signed-off-by: Nisha K <[email protected]>

This is work towards tern-tools#948 This change adds a new class - OCIImage which represents the OCI image schema version 2 available on disk when downloaded by skopeo. This change also adds a skopeo.py script to the list of loading methods. Skopeo.py adds functions to check if the skopeo binary exists on disk and a function to pull images using skopeo. A test suite for the OCIImage class is also added. This test suit is similar to the test_class_docker_image.py test suit. Additionally, we have changed the DockerImage class and associated tests to set the layer's image_layout property to "docker". We've switched the test for changes to the oci class to use a container image and the changes to the docker class to use the dockerfile, as we need the docker daemon to test Dockerfile builds. Signed-off-by: Mukul Taneja <[email protected]> Signed-off-by: Nisha K <[email protected]>

This is work towards tern-tools#948 This commit replaces all instances of the old rootfs get_untar_dir function with the ImageLayer method get_untar_dir. We also remove an unused function in passthrough.py that uses layer tar files. Signed-off-by: Nisha K <[email protected]>

This is work towards tern-tools#948 This commit makes changes to hook up the CLI option for container image to use the OCIImage class rather than the DockerImage class. The argument for the -i option is now --image. - If the raw_image option is given, we assume that this is the output of "docker save" rather than some other tool. - In the load_full_image function, we provide an "image_type" string which should either be "oci" or "docker", "oci" being the default. Based on this string, we either return an instance of OCIImage or DockerImage. - For the Dockerfile or Lock features, we explicitly create DockerImage objects. Signed-off-by: Nisha K <[email protected]>

This is work towards tern-tools#948 Now that skopeo has become the de-facto tool to download container images, we will switch our instructions to install skopeo and use it in our build and development environments. At this time, skopeo is available on Ubuntu 20.04 through the Kubic project, hence there may need to be some additional changes in the future as the upstream package creators improve. Signed-off-by: Nisha K <[email protected]>

This is work towards tern-tools#948 The html formatting of lists allows for an expansion UI under the title of the layer object. The title is the layer tarball's digest. In the Docker image layout, this can be directly taken from the "tar_file" key. But in the OCI layout, this value is taken from the "digest" key. This commit allows for that difference and defaults to the layer's index if neither one of those keys exist. Signed-off-by: Nisha K <[email protected]>