This is a small CLI program which vendors the containers/image Go library and exposes an HTTP API to fetch manifests and blobs.
Eventually, this should probably be folded into containers/skopeo but for now we'll iterate here.
First, assume one is working in a codebase that isn't Go but wants to interact with container images: we can't simply link in the Go containers/image library.
The primary intended use case of this is for things like ostree-containers where we're using container images to encapsulate host operating system updates, but we don't want to involve the containers/image storage layer.
What we do want from the containers/image library is support for things like signatures and offline mirroring. More on this below.
Forgetting things like ostree exist for a second, imagine that you wanted to encapsulate a set of Debian/RPM/etc packages inside a container image to ship for package-based operating systems. You could use this to stream out the layer containing those packages and extract them directly, rather than serializing everything to the containers/storage location on disk, only to copy it out again and delete the first copy.
Another theoretical use case could be something like krustlet, which fetches WebAssembly blobs inside containers. Here again, we don't want to involve containers/storage.
There are Rust libraries such as dkregistry-rs, and similar ones for other languages. However, the containers/image Go library has a lot of additional infrastructure that would be a maintenance burden to replicate:
- Signatures (`man containers-auth.json`)
- Mirroring/renaming (`man containers-registries.conf`)
- Support for `~/.docker/config.json` for authentication, as well as `/run`
We have a 0.1 release that works. However, in the future this will hopefully move into skopeo.
The intended production use of this is:
- Parent process creates a socketpair (e.g. Rust tokio)
- Parent passes one half of the socketpair to the child via e.g. fd 3: `container-image-proxy --sockfd 3 docker://quay.io/cgwalters/exampleos:latest`
- Parent makes HTTP (1.1) requests on its half of the socketpair
Returns the manifest converted into OCI format, plus the original manifest digest in a `Manifest-Digest` header.
At the moment, when presented with an image index AKA "manifest list", this request will choose the image matching the current operating system and processor.
Fetches a blob as is: no decompression is performed, even for compressed blobs. The digest is verified.
Gracefully shut down the server and exit the process.
See demo.py.
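As an added example (not the project's own code, nor its demo.py), here is the parent side of the flow above in Python: create the socketpair, hand one half to the child as its `--sockfd`, make HTTP/1.1 requests on the other half, and re-check a fetched blob's digest before anything is extracted from it. The request paths `/manifest` and `/blobs/<digest>`, and the `fake_proxy` stand-in used to exercise the client offline, are assumptions, not part of the page.

```python
import hashlib
import http.client
import socket
import subprocess
import threading
def spawn_proxy(image):
    """Create the socketpair and start container-image-proxy with one half as its --sockfd."""
    parent_sock, child_sock = socket.socketpair()
    fd = child_sock.fileno()  # the README passes fd 3; any inherited fd number works
    proc = subprocess.Popen(["container-image-proxy", "--sockfd", str(fd), image], pass_fds=(fd,))
    child_sock.close()  # the child owns that half now; we keep only ours
    return connect(parent_sock), proc
def connect(sock):
    conn = http.client.HTTPConnection("proxy")  # hostname is never resolved
    conn.sock = sock  # already connected, so request() skips connect()
    return conn
def _get(conn, path):
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    if resp.status != 200:
        raise RuntimeError(f"{path}: HTTP {resp.status}")
    return resp, body
def get_manifest(conn):
    resp, body = _get(conn, "/manifest")  # request path is an assumption
    return resp.getheader("Manifest-Digest"), body
def digest_of(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()
def get_blob(conn, digest):
    """Fetch a blob (whole, for brevity) and re-check its sha256 before using it."""
    algo, _, expected = digest.partition(":")
    if algo != "sha256" or len(expected) != 64:
        raise ValueError(f"unsupported digest {digest!r}")
    _, body = _get(conn, f"/blobs/{digest}")  # request path is an assumption
    if hashlib.sha256(body).hexdigest() != expected:
        raise ValueError(f"digest mismatch for {digest}; blob discarded")
    return body
def fake_proxy(responses):
    """Offline stand-in for the Go proxy: canned HTTP/1.1 replies as (headers, body) pairs."""
    parent_sock, child_sock = socket.socketpair()
    def serve():
        rd = child_sock.makefile("rb")
        for extra, body in responses:
            while rd.readline() not in (b"\r\n", b""): pass  # discard the request headers
            hdr = "".join(f"{k}: {v}\r\n" for k, v in extra.items())
            child_sock.sendall(f"HTTP/1.1 200 OK\r\n{hdr}Content-Length: {len(body)}\r\n\r\n".encode() + body)
        child_sock.close()
    threading.Thread(target=serve, daemon=True).start()
    return connect(parent_sock)
```

The blob is read fully into memory here; for large layers, feed the response chunks through the hash and on to the extractor instead, and only commit the extracted content once the digest has matched.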