Add support for pulling Wasm OCI artifacts

[jsturtevant]

This adds the ability to pass OCI artifact information to the shim via annotations. This came up as part of containerd/runwasi#108 and bytecodealliance/registry#87 in Runwasi. It solves challenges for Runwasi like:

• Single artifact that is cross-platform.
• Each Wasm component is uniquely addressable, allowing for de-duplication while storing.
• avoid WASM modules and components in the root file system
• Hard to tell what files are used for the Wasm components (and how to pass that information in current image config) and which are required for the filesystem of the runtime
• work with pre-compiled wasm modules

I've shared a document with the wasm groups on an approach and other things tried. You can read more details in https://docs.google.com/document/d/11shgC3l6gplBjWF1VJCWvN_9do51otscAm0hBDGSSAc/edit

I've got a demo to view at https://1drv.ms/v/s!AgI8NTf7Sd1R-ZU5FH523s3CGiYvuQ?e=m6EZTb

additional information

I have a few questions about the best way to bring this in now and have commented on the PR it's self but looking for feedback. Thanks!

Runwasi requires some changes: containerd/runwasi#147
Sample way to build an artifact: https://github.com/containerd/runwasi/tree/main/crates/oci-tar-builder#executable-usage

Example Artifact:

regctl manifest get localhost:5000/wasi-demo-oci:module
Name:                                localhost:5000/wasi-demo-oci:module
MediaType:                           application/vnd.oci.image.manifest.v1+json
Digest:                              sha256:869fb6029e26713160d7626dce140f1275f591a694203509cb1e047e746daac8
Annotations:
  io.containerd.image.name:          localhost:5000/wasi-demo-app
  org.opencontainers.image.ref.name: 5000/wasi-demo-app
Total Size:                          2.565MB

Config:
  Digest:                            sha256:707ef07a1143cfdf20af52979d835d5cfc86acc9634edb79d28b89a1edbdc452
  MediaType:                         application/vnd.oci.image.config.v1+json
  Size:                              118B

Layers:

  Digest:                            sha256:b434ff20f62697465e24a52e3573ee9c212e3a171e18e0821bbb464b14fdbbf9
  MediaType:                         application/vnd.w3c.wasm.module.v1+wasm
  Size:                              2.565MB

[k8s-ci-robot]

Hi @jsturtevant. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jsturtevant]

This is similar to what transfer service does: https://github.com/containerd/containerd/blob/main/pkg/unpack/unpacker.go#L188

[jsturtevant]

Other options I considered was using something like WithOciArtifacts which would add the layers to annotations if not a "imagelayer" and put this behind a flag in ctr

[Iceber]

Using []v1.Descriptor directly seems a bit blatant (I'm not sure if that's the right word, so forgive me if it's not), and I'm also thinking about whether there are better function names and arguments

[jsturtevant]

I am open to suggestions

[cpuguy83]

The descriptors seems like exactly what we need here since what we want is for the shim to pull these out of the content store. The function needs a list of mediatypes+digests.

re: function name: WithAnnotateWasmObjects?

[jsturtevant]

maybe I could pass the whole manifest? Is that what you mean @Iceber?

that would also allow for usage of the artifacttype field on which maybe something that gets set in the future when oci 1.1 is released.

[jsturtevant]

/cc @cpuguy83

[AkihiroSuda]

Is this media type approved by W3C?
Otherwise “vnd.w3c” doesn’t seem correct.

[jsturtevant]

These types are not set in stone. I got the from https://hackmd.io/50rfwV6BTJWN8VZBhdAN_g and bytecodealliance/registry#87.

I needed something to test with but I need some input on long term types and best way to have a type that we can begin using in containerd and testing to prove out this work.

One option I considered was to not have any types in containerd and have the WithWasmLayers be WithOciArtifact and it would just add any layers it didn't recognize but not sure I'd adding anything at all os a good idea.

[jsturtevant]

There is a wasm type registered in https://www.iana.org/assignments/media-types/media-types.xhtml

[cpuguy83]

Maybe we should do vnd.containerd...?
I suspect this will need to converge on a more generic name soon (especially after we introduce something) but it seems wrong to create one using w3c's name here.

[jsturtevant]

Agree. vnd.containerd is interesting idea.

I would like to be in agreement with what lands in bytecodealliance/registry#87, so we don't have to there aren't to many changes on containerd side.

Any thoughts on making it more generic in the time being? Something like WithOciArtifact so it would add any layers it didn't recognize to the annotation?

[cpuguy83]

Oh maybe a vnd.bytecodealliance could work?

[cpuguy83]

Just that it could end up blocking progress.

[SteveLasker]

Hi folks. I got pinged...
For defining unique types, there documentation under: OCI/Artifacts: Defining a Unique Artifact Type that might be helpful. It explains [registration-tree].[org|company|entity].[objectType].[optional-subType].config.[version]+[optional-configFormat]

[utam0k]

Why don't you the oci-iamge-spec also be updated?
https://github.com/opencontainers/image-spec/blob/main/media-types.md

[cpuguy83]

@utam0k

Why don't you the oci-iamge-spec also be updated?

I'm not sure it makes sense to update the spec until we have settled on media types.
We need something to point at to say "hey this is working well over here".

[SteveLasker]

@utam0k
Why don't you the oci-iamge-spec also be updated?

The idea behind OCI Artifacts is artifact authors, such as the Wasm community, can create their own types without being dependent on OCI. The only reason to register with IANA.org is to assure you own the definition of that schema.
It's not to say that OCI might not more formally adopt Wasm standards, but suggest you don't need to be limited by their specs or release cadence. That was one of the primary goals of OCI Artifacts: enable an ecosystem to experiment and grow.

[utam0k]

@cpuguy83 @SteveLasker Thanks for the explanation. I understand your plans and respect it 🙏

[jsturtevant]

Quick update, we got this working e2e (https://www.youtube.com/watch?v=SEwBcEFgXUM&feature=youtu.be) with bytecodealliance/registry#146 using
application/vnd.bytecodealliance.wasm.component.layer.v0+wasm as the media type.

Still finalizing the media types and should be good to go once those are confirmed in bytecodealliance/registry#146

[jsturtevant]

after some feedback and a few iterations, I found that the only changes needed are allowing artifact layers to pull #9142. please take a look and if we are good with that approach I can close this out.