Adds Docker Image v1 Spec Documention

[jlhawn]

Docker-DCO-1.1-Signed-off-by: Josh Hawn josh.hawn@docker.com (github: jlhawn)

[jlhawn]

From issue #9538:

If you were to complain that Docker's image format and runtime specification, as massively adopted as it is, is not appropriately documented, and it could be made easier to produce alternate implementations - then I would completely agree with you. In response, I would encourage the project maintainers to improve the specs documentation based on your suggestions.

Well, here it is 🐋

@SvenDowideit @fredlf Please review and give feedback.

[jessfraz]

😍

[jlhawn]

also @vbatts @dmp42 @crosbymichael @tianon @jfrazelle @unclejack @docker/distribution-trust @nathanleclaire @cpuguy83 @huslage and anyone else in the community that comes across this - please read through it and comment on anything that isn't clear or anything that requires more explanation, keeping in mind that this is not a new specification but is only documentation of how images are currently create/formatted in Docker.

I was thinking we could also generate a list of 'issues' with this specification to include in the bottom - something that could help us drive design of the next major version of the specification. Here are a few things I can think of for example:

- image IDs are an implementation detail of storage drivers in Docker and shouldn't be part of the specification.
- there is extraneous or useless info in some of the fields:
    - container id?
    - config *and* containerConfig? containerConfig seems to be only useful for the build system and nothing else.
- why is OnBuild in the runConfig and not top-level in the image JSON?
- is every field of the `runconfig.Config` struct necessary or useful?
- etc...

[jlhawn]

also @metalivedev ;-)

[icecrime]

This container config has been a strong point of confusion for me and several others. As far as I can tell:

• This provide defaults values for settings if not specified at run time (e.g: CpuShares)
• Some of these settings are completely ignored (e.g.: Tty, Attach*, ...)
• As far as I understand, this whole idea of "default container config" is out of v2 image format so although this is a purely v1 documentation, don't you think it might be relevant to add a "deprecation warning"?

[jlhawn]

good points @icecrime

I mentioned above:

• is every field of the runconfig.Config struct necessary or useful?

I can update this document to clarify this - only I'm not entirely sure which fields are ignored. I guess I can dig up the code to find out exactly what's going on: https://github.com/docker/docker/blob/58ce0146e16e2e63b7a94d34a48722a9c7400c18/daemon/daemon.go#L418

Do you happen to know which fields are used? @erikh I think you have some expertise with runconfig, could you shed any light on this?

[icecrime]

I think it's all in runconfig.Merge. Fields used:

• Cmd
• CpuShares
• Entrypoint
• Env
• ExposedPorts (and its legacy counterpart PortSpecs)
• Memory
• MemorySwap
• User
• Volumes
• WorkingDir

[metalivedev]

Suggested: "The filenames prefixed with .wh. are known as "whiteout" files."

Is the name the only indication of the special nature of these files? That is, if I had a file named .wh.somename actually in my tree, would the file be unpacked to the layer? I'm kind of hoping there is some permissions bit or something set that together with the name means it is a special file.

[jamescarr]

👍 this is great to see!

[jlhawn]

I've just pushed a major update to the draft spec. Please review again if you already have!

[tiborvass]

I find this pretty hard to understand.

[jlhawn]

Do you think it'd be okay to just delete the second sentence of this paragraph? I realize I probably went a little crazy in the second sentence... we really should agree on some common terminology though. It's a bit confusing to have a single term used loosely to refer to multiple things :(

[tiborvass]

Do you think we could force a definition and make sure we use that everywhere?

[jlhawn]

I'm okay with the first sentence definition if everyone else is.

[nathanleclaire]

I would phrase it something like this:

Images are composed of "layers". "Image layer" is a general term which may be used to refer to one or both of the following:

1. The metadata for the layer, described in the JSON format
2. The filesystem changes described by a layer

To refer to the former specifically, the terms "Layer JSON" or "Layer Metadata" are frequently used.

To refer to the latter, the terms "Image Filesystem Changeset" or "Image Diff" are frequently used.

WDYT?

[jlhawn]

sounds good to me, @nathanleclaire I'll update it.

[mmdriley]

"image or image layer" -- this seems odd. Do images and image layers have IDs in different namespaces?

Need the image ID necessarily be random, or is the assertion simply that it need not have semantic meaning?

If random, must the ID be from a CSPRNG?

[nathanleclaire]

cc @jamtur01 would be great to get your input on this

[mmdriley]

It seems like any description of whiteout files and their semantics is going to #include the implementation details of a specific version of aufs, with specific config/compilation flags, along with the flags Docker invokes it with. For example, this paragraph from the aufs documentation:

The whiteout is for hiding files on lower branches. Also it is applied to stop readdir going lower branches. The latter case is called ’opaque directory.’ Any whiteout is an empty file, it means whiteout is just an mark. In the case of hiding lower files, the name of whiteout is ’.wh..’ And in the case of stopping readdir, the name is ’.wh..wh..opq’ or ’.wh.__dir_opaque.’ The name depends upon your compile configuration CONFIG_AUFS_COMPAT. All whiteouts are hardlinked, including ’/.wh..wh.aufs.’

[nathanleclaire]

I'd rm the bit about whiteout files (cover it later) and phrase like:

An archive of the files which have been added, changed, or deleted in an image layer. Using a layer-based or union filesystem such as AUFS, or by computing the diff from filesystem snapshots, the filesystem changeset can be used to present a series of image layers as if it were one cohesive filesystem.

[mmdriley]

Are these double-quotes normative?

[jlhawn]

I probably shouldn't have included the quotes in this example. I believe the way this value should be interpreted is that the substring before the first = is the variable name and everything after is the value. In Docker, I think this is passed directly to the execution driver in this format. @crosbymichael could you clarify this for us please?

[tianon]

All the following are valid:

• user
• uid
• user:group
• uid:gid
• uid:group
• user:gid

If group/gid is not specified, the default group and supplementary groups of the given user/uid in /etc/passwd from the container are applied.

[jlhawn]

thanks @tianon !

[mmdriley]

lgtm. No doubt there are still nits to be picked, but this is a great step forward in unambiguously-described behavior. Thanks for your time and effort in compiling it.

[crosbymichael]

@jlhawn Any more edits remaining?

There is no reason for shykes to look at this if you are just documenting the reality of the current system.

[shykes]

Correct, if we're documenting today's design don't feel obligated to wait for my +1

[jlhawn]

@crosbymichael I think I just need to add in the User field description from @tianon and we're set!

[bfirsh]

This is brilliant. Thanks @jlhawn. I'm really glad we're taking steps towards specifying how Docker works.

Perhaps we could this in for Docker 1.5 and shout about it a bit. ^_^

[jessfraz]

I don't know what we are waiting on @jlhawn

[jessfraz]

Maybe just a squash of commits?

[jlhawn]

@jfrazelle All squashed!

[jessfraz]

awesome!

[thaJeztah]

Thanks @jlhawn!

[odino]

I was talking to @shykes about this at the dockercon in amsterdam...great job guys!