NG: access image via immutable identifier

[ncdc]

In OpenShift, we would like to be able to access an image (i.e. docker pull/create/run) via an immutable identifier that uniquely identifies an image for all points in time. Here are some use cases:

1. During a deployment of a group of containers, the same image must be used when creating each container. If the image we're using is foo/bar:latest (let's call this Rev1) and someone pushes an updated foo/bar:latest manifest in the middle of the deployment (Rev2), some containers might be created using Rev1 and others with Rev2. The correct behavior is for all containers to be running based on Rev1.
2. A group of containers has been deployed (foo/bar:latest - Rev1). As development continues, foo/bar:latest is updated several times, but none of these newer image manifests has been deployed yet. The user decides to scale up the existing deployment, so OpenShift needs to create and start new containers using the same image that is currently deployed (Rev1). foo/bar:latest can't be used because that's no longer Rev1 - it's now something else (e.g. Rev17).

With the v1 registry, we created a custom extension that responds to the tag_created signal, creates a new tag whose name is the image's id (since a v1 image has an id), and then http posts a payload to OpenShift with

1. namespace
2. repository
3. tag
4. image id
5. image metadata

OpenShift users can create deployment triggers that watch for changes to foo/bar:latest and then perform new deployments. When deploying, OpenShift inspects the image to find its id and then translates foo/bar:latest to foo/bar:$image_id. This, combined with our custom v1 registry extension, allows us to pull an image by its id. It also lets us deploy a specific image by id, as our deployments don't refer to :latest but instead to the id.

@dmp42 suggested that OpenShift could pull foo/bar:latest, generate a new tag (based on commit id, date/time, etc) that is unique and consistent for all time, push the new tag, and then use that when deploying. This creates a couple of problems:

1. The tag isn't immutable, which could be problematic if someone accidentally pushed an updated image manifest for a tag that is meant to never change
2. The new manifest would be signed by OpenShift, not by the user creating the image; if a user wants to run an image that he/she signed, we lose this ability.

It would really be nice to have immutable identifiers for image manifests that are consistent all the time.

@dmp42 @stevvooe @smarterclayton @wking thoughts?

[dmp42]

Thanks for the writeup @ncdc

What you ask for (immutable "references" to tags) equals "complete history of every tag version" in the new lingo. Indeed, this is a casualty of the new design - by making clear the difference between an image (a list of layers, name and signature) and a layer (a binary blob), tags are no longer aliases of immutable layers ids.

I'm not sure I have a good solution for you yet, so, let's keep this open and give it some thinking.

[stevvooe]

@ncdc With V2, it's very likely we'll have changes to the way things must work. While we should be avoiding serious changes, I hope your team can be somewhat open to this in the hopes that we'll get some benefits.

That said, it seems like we need some sort of content-addressable digest of V2 image manifests to make this work. There are two levels that might be interesting to applications:

1. A signature-independent content-addressable digest taking into account the following fields:
   • "schemaVersion"
   • "architecture"
   • "fsLayers.blobSum"
   • "history.v2Compatibility" (maybe omitting internal fields, like "created"
2. A signature-dependent content-addressable digest that includes the fields from above and the content in "signatures". This might actually just be the sha256 hash of the content, given that the signature is dependent on name and tag.

Number 1 would provide addressability of "identical" images, whereas number 2 would provide addressability over specific builds. The main issue with this is that it makes registry garbage collection nearly impossible, because all layers will technically be referenced by all manifests.

Please note that this is just a thought exercise.

[wking]

On Tue, Dec 02, 2014 at 10:56:43AM -0800, Stephen Day wrote:

1. A signature-independent content-addressable digest taking into
   account the following fields:
   • "schemaVersion"
   • "architecture"
   • "fsLayers.blobSum"
   • "history.v2Compatibility" (maybe omitting internal fields, like "created"

I think you mean v1Compatibility, but other than that this is just the
set of fields that get signed (moby/moby#8093) excepting ‘name’
and ‘tag’. That makes sense to me.

1. A signature-dependent content-addressable digest that includes
   the fields from above and the content in "signatures". This might
   actually just be the sha256 hash of the content, given that the
   signature is dependent on name and tag.

You don't want to add ‘name’ and ‘tag’ back here? And can you explain
why you want to embed the signature-independent content here instead
of referencing it with a content-addressable hash of the
signature-independent content (giving us back thin tags). Or is this
an either/or proposal and not a both/and? In that case, why not take
a both/and approach?

The main issue with this is that it makes registry garbage
collection nearly impossible, because all layers will technically be
referenced by all manifests.

Can you elaborate on this? Manifests should only reference the layers
in their history, and I see no problem if many tags share references
to common layers. In fact, I think shared references like that are a
good thing for quota allocation [1,2].

[ncdc]

The main issue with this is that it makes registry garbage collection nearly impossible, because all layers will technically be referenced by all manifests.

If pruning is pluggable, you could have a default implementation that prunes layers and manifests as soon as they become stale (i.e. no longer actively referenced by a tag). This would require thin tags I would imagine. Other pluggable implementations could defer to an external system (e.g. OpenShift) for quota enforcement and pruning decisions, or support simple caps such as keeping at most n revisions of a manifest for namespace/repo:tag.

[wking]

On Tue, Dec 02, 2014 at 11:52:05AM -0800, Andy Goldstein wrote:

… keeping at most n revisions of a manifest for
namespace/repo:tag.

How would you access these older manifests? Are you imagining new API
endpoints to get manifests by their content-addressable hash? I don't
see why you can't just prune immediately, and have folks interested in
maintaining references create their own thin tags to the material they
care about.

[ncdc]

I was thinking about accessing via the content-addressable hash, yes. Although if we can have thin tags back, I think that would likely be sufficient for our needs. We'd either migrate our v1 extension to v2, where the registry extension automatically adds a thin tag on every push, or we'd have our deployment code create the thin tag on the fly and then use that as the image name when deploying.

[stevvooe]

@ncdc It sounds like the real problem is creating a consistent identifier to a
manifest, such that it doesn't change when a deployment is kicked off. I'm
going to go over some stuff about garbage collection and then we'll address
that root issue.

The issue with permanently exporting references becomes apparent when one
looks at the garbage collection implementation. Let's say we have the
following list of pushes for the image tagged with a (in the same repo), each
image version identifed by "revision":

tag revision  layers
--- --------- ------
a   a1        layer(0), layer(2)
a   a0        layer(0), layer(1)

The above table would represent two pushes. One relying on layer(0) and
layer(1) and one replacing layer(1) with layer(2). The accessible roots
(or "image ids") are a, a0, and a1. The target of a is temporally
dependent on whether a1 has been pushed or not.

We can use some diagrams to understand how these references develop with each
push. Before the push of a1, all known layers are referenced:

         [a]
          |
         [a0]
         / \ 
        /   \
[layer(1)] [layer(0)]

After the push, we can see that all of the layers are still referenced, and
therefore not safe for delete, but a0 is technically orphaned:

                   [a]
                    |
         [a0]      [a1]
         / \       / \
        /   \     /   \
[layer(1)] [layer(0)] [layer(2)] 

In the approach where no references are ever removed, such as this content-
addressable proposal, all layers must remain forever, unless you allow
deletion by id (a0, a1, etc.).

Under the current V2 registry scheme, a0 and a1 don't exist, so layer(1)
becomes unreferenced after the push of a1 and can be "safely" deleted. We
can see that layer(1) is trivially identified for deletion in this approach:

                    [a]
                    / \
                   /   \
[layer(1)] [layer(0)] [layer(2)]

The proposed content-addressable scheme can be mimicked by pushing manifests
that link different versions of a (where / represents the same manifest
pushed with different tags):

       [a0]        [a/a1]
       /  \         / \
      /    \       /   \
[layer(1)] [layer(0)] [layer(2)]

I'm not saying that we should never implemented content-addressable manifest
storage, but its a lot of bookkeeping for a system should be simplified. The
current approach allows the users to control the deletion pattern while still
allowing one to keep multiple versions of the same image around without a lot
of work on either side.

For @ncdc's use case, referring to most recent diagram, a0 would be version
0 and a1 would be version 1 of the pushed manifest but the latest would be
referenced via a. The real problem is programmatically associating a with
a1 (or "latest" version) when a notification activates a deployment. In corollary, given an image tag a, what are its equivalent images and how can a permanent reference be retained?.
This use case is what we really need to focus on.

[wking]

On Tue, Dec 02, 2014 at 06:44:54PM -0800, Stephen Day wrote:

After the push, we can see that all of the layers are still
referenced, and therefore not safe for delete, but a0 is
technically orphaned:

Ah, I'd delete a0 and layer(1) once a1 had been pushed, since I don't
see a point to referencing untagged manifests 1. Then you don't
have this garbage-collection issue. Pushing and a deleting thin tags
allows anyone to mark out existing manifests that they want to
preserve access to (at the cost of sharing the quota load for that
manifest and its referenced layers 2). There's also no need to
access a manifest by its ID over the client↔registry API, you just use
the ID when you create your thin tag, and push/get/delete that tag
using the existing API.

I'm not saying that we should never implemented content-addressable
manifest storage, but its a lot of bookkeeping for a system should
be simplified. The current approach allows the users to control the
deletion pattern while still allowing one to keep multiple versions
of the same image around without a lot of work on either side.

I don't see the additional bookkeeping cost to my proposal, except for
a separation between the content-addressable parts of the manifest and
the name/tag/signature parts. That can happen purely inside the
registry, with no need to adjust the client's API calls or the storage
driver API.

The real problem is programmatically associating a with a1 (or
"latest" version) when a notification activates a deployment.

In my scheme, the lightweight tag body would embed the
content-addressable manifest ID directly 3. So going from a tag (a)
to a content-addressable manifest ID (a1) is trivial. If you don't
want to expose this to clients over the client↔registry API, you can
always inline the content-addressable manifest before returning the
tag (but clients would still need to be able to calculate the
content-addressable ID if they wanted to create new tags).

corollary, given an image tag a, what are its equivalent images…

This is where refcount arrays come in 4, and I think that's handled
by the layerindex/ stuff that landed with #729.

… and how can a permanent reference be retained?

Just add a lightweight tag pointing to any content-addressable
manifest you want to preserve, and remove your tag when you no longer
need access to that manifest.

[titanous]

A similar issue is moby/moby#4106, and I added a comment here: moby/moby#9015 (comment)

[stevvooe]

Another problem with a content-addressable manifest ids is that it muddies the role of a name/tag reference. If name and tag are omitted from the calculation of such an id and multiple manifests with different names and tags have identical ids, which manifest should be returned?

It would stand to reason that the id reference would have to be namespaced by the repository, rather than by pure id. And, at the same time, if an image could be referenced by both name+id and name+tag, it would break the guarantee that the url /v2/<name>/manifests/<tag> always returns a manifest with name and tag. Does the registry change the manifest? If so, who signs the updated manifest?

[wking]

On Thu, Dec 18, 2014 at 02:48:06PM -0800, Stephen Day wrote:

Another problem with a content-addressable manifest ids is that it
muddies the role of a name/tag reference. If name and tag are
omitted from the calculation of such an id and multiple manifests
with different names and tags have identical ids, which manifest
should be returned?

Can't we just return the content-addressable manifest without a
name/tag? Why does the Docker engine need a name? Currently we get
along fine with arbitrarily generated names like
511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158.

… who signs the updated manifest?

One reason I like thin tags and detached signatures, which you can
pass back to the client so it knows:

• Docker thinks that image is scratch:latest
• Trevor thinks that image is wking/empty:5
• …