Output the descriptor of pushed artifact by `oras push`
The `oras push` command should have an option like `--export-manifest-descriptor` to write the descriptor of the pushed artifact to a file so that the descriptor can be used for other processes like signing.
This can also be done by `--export-manifest` but more simplified.
@FeynmanZhou @yizha1 Any comments?
Could we consider aligning this with commands like `manifest fetch`?
Could you also describe what the advantage is of outputting these to a file instead of stdout and maybe just applying jq on top?
For e.g. `docker manifest inspect` has a `--verbose` option that outputs a different format with more fields -
```
$ docker manifest inspect --verbose docker.io/library/nginx@sha256:...
{
  "Ref": "docker.io/library/nginx@sha256:....",
  "Descriptor": {
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "digest": "sha256:5c134d3a19dc5fb01f4e7df9c36e3c054153e661b4bd3472858940894569d829",
    "size": 1570,
    "platform": {
      "architecture": "mips64le",
      "os": "linux"
    }
  },
```
This would just enable scripts to easily compose `docker manifest inspect --verbose {ref} | jq '.Descriptor'`
That's a different thing. The idea was to export the manifest or the manifest descriptor without fetching anything from the remote registry, which may not be trusted.
This can also be resolved by resolving #378 and then `oras manifest fetch --descriptor`. However, doing `--export-manifest` or `--export-manifest-descriptor` is more efficient.
I was expecting to have something similar to `--metadata-file`.
By running the following commands, we will get a `metadata.json` file.
```
docker buildx create --use
docker buildx build --load --metadata-file metadata.json https://github.com/oras-project/oras.git#main
```
The content of `metadata.json` is
```
{
  "containerimage.buildinfo": {
    "frontend": "dockerfile.v0",
    "attrs": {
      "context": "https://github.com/oras-project/oras.git#main",
      "filename": "Dockerfile"
    },
    "sources": [
      {
        "type": "docker-image",
        "ref": "docker.io/library/alpine:3.15.4",
        "pin": "sha256:4edbd2beb5f78b1014028f4fbb99f3237d9561100b6881aabbf5acce2c4f9454"
      },
      {
        "type": "docker-image",
        "ref": "docker.io/library/golang:1.19.0-alpine",
        "pin": "sha256:0eb08c89ab1b0c638a9fe2780f7ae3ab18f6ecda2c76b908e09eb8073912045d"
      },
      {
        "type": "git",
        "ref": "https://github.com/oras-project/oras.git#main",
        "pin": "ee74ae205421c1183e7fb3fb90842a9cbf1ed625"
      }
    ]
  },
  "containerimage.config.digest": "sha256:e38d4a0954edda42d8d0a78c7e683385939384e8a2295103f79228b9a13704aa",
  "containerimage.descriptor": {
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "digest": "sha256:1fad23b0f5bc32605ccc952263c6ecfa6dbca0398347cda7c5b50beed7abeca8",
    "size": 1363,
    "annotations": {
      "org.opencontainers.image.created": "2022-08-16T08:41:47Z"
    }
  },
  "containerimage.digest": "sha256:1fad23b0f5bc32605ccc952263c6ecfa6dbca0398347cda7c5b50beed7abeca8"
}
```
Hi @shizhMSFT @sajayantony,
From my understanding, this feature is intended to export the descriptor of an artifact to a file instead of fetching something from a remote registry. ORAS has a flag of `--export-manifest`, so using `--export-manifest-descriptor` looks more specific and intuitive to me.
Users can also use this feature to simplify the offline signing process for Notation since they can sign the descriptor from a local file instead of interacting with an OCI registry.
@jasminetMSFT Could you help follow up?
@shizhMSFT No problem, I will look into this.
The user requirement needs to be verified by the local signing functionality of notation (Notary V2).
Closing this issue as the original requirement is achievable by the OCI-layout support. Precisely,
- `oras push --oci-layout` to push artifacts to an OCI Layout folder.
- `oras manifest fetch --descriptor --oci-layout` to inspect the manifest.
- Make changes to the content of the OCI Layout folder if needed.
- `oras copy --from-oci-layout` to copy the artifacts to the remote.