In a move last week that was greeted by some of the premier engineers in the containerization space as an almost royal blessing for open standards, Amazon Web Services announced on its engineering blog that its EC2 Container Registry (ECR) is adding support for the draft specifications for the OCI container format.
The move is important, AWS senior software engineer Scott Windsor told The New Stack, because it’s the biggest step yet toward the first genuine registry for pushing and pulling OCI images in the public cloud space — outside of quarantined test environments.
“There hasn’t yet been a registry that supports pulling or pushing OCI images,” wrote Windsor. “As a result, some development tools around OCI have stalled until there has been a registry.”
As Windsor told developers by way of a Google Groups list, although CoreOS’ rkt container engine does support a draft OCI container format as an option (in lieu of a finalized 1.0 standard), there is no straightforward, automated way to push OCI-format images to a container registry. At issue is the JSON image manifest, which details the container’s contents for the purposes of the registry.
Version 2, schema 2 of Docker’s image manifest format (which AWS began supporting late last month) supports five MIME-formatted media types, each of which may be entered under the mediaType field description in the JSON manifest list. This description explains the type of thing that’s contained in the image: a schema 1 component, a schema 2 component, another manifest list, a gzipped TAR file, or a JSON file.
Presently, the OCI format supports eight MIME-formatted types, including four permutations of TAR files (with or without distribution permissions), but otherwise listing .oci as a property identifier as opposed to .docker. That’s the main difference — one which really can’t be bridged for now, until OCI has an opportunity to complete its prolonged gestation phase.
And that can’t really happen, Windsor points out, until enough folks have had an opportunity to work with OCI to iron out all the kinks. Eventually, someone had to bite the bullet, and it ended up being AWS.
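As an added illustration (not code from AWS, Docker or the OCI project): a registry-side check that reads the mediaType of a manifest and of every descriptor inside it, assigns each to the .docker or .oci family by its vendor prefix, and flags a manifest that mixes the two. The function names and the sample manifests are constructed for this example.

```python
import json

# Vendor trees the article contrasts: ".docker" versus ".oci" in the MIME type.
FAMILIES = {"application/vnd.docker.": "docker", "application/vnd.oci.": "oci"}

def family(media_type):
    """Map a mediaType string to 'docker', 'oci' or 'unknown'."""
    if isinstance(media_type, str):
        for prefix, name in FAMILIES.items():
            if media_type.startswith(prefix):
                return name
    return "unknown"

def descriptors(node, path="manifest"):
    """Yield (path, mediaType) for every JSON object that carries a mediaType."""
    if isinstance(node, dict):
        if "mediaType" in node:
            yield path, node["mediaType"]
        for key, value in node.items():
            yield from descriptors(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from descriptors(value, f"{path}[{i}]")

def check_manifest(raw, accepted=("docker", "oci")):
    """Return (family, problems); an empty problem list means consistent."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        return "unknown", ["manifest: not a JSON object"]
    top = family(doc.get("mediaType"))
    problems = []
    if top not in accepted:
        problems.append(f"manifest: family {top!r} not accepted")
    for path, mt in descriptors(doc):
        if family(mt) != top:
            problems.append(f"{path}: {mt!r} is {family(mt)}, manifest is {top}")
    return top, problems

# Constructed sample manifests (not captured from any registry).
def _manifest(layer_types):
    return json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": {"mediaType": "application/vnd.docker.container.image.v1+json"},
        "layers": [{"mediaType": t} for t in layer_types],
    })

DOCKER_SAMPLE = _manifest(["application/vnd.docker.image.rootfs.diff.tar.gzip"])
MIXED_SAMPLE = _manifest(["application/vnd.docker.image.rootfs.diff.tar.gzip",
                          "application/vnd.oci.image.layer.v1.tar+gzip"])
```

Passing accepted=("docker",) models a registry that has not yet enabled OCI manifests.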
“Our customers primarily use Docker today (and I don’t see that changing anytime soon), and we’ll want to ensure that we are supporting those use cases,” Windsor told The New Stack. “If Docker moves to OCI or allows OCI support, we’ll ensure that we support it in the way that the Docker Engine uses it. Distribution is still out of scope today in the current OCI image spec, so we’ll have to see how the protocol is defined.”
“There is a bit of a chicken and egg with working in standards like the OCI,” wrote Polvi. “You need both sides of the standard — consumers and producers — for interoperability to happen. With the support of AWS, we can create the ecosystem around it more quickly. This is a big milestone since most products will want to be interoperable with AWS.”
Polvi noted that his company remains fully invested in the continued evolution of the OCI standard, with CoreOS Chief Technology Officer Brandon Philips continuing to serve as chair of its Technical Oversight Board.
At least one Docker contributor expressed gratitude for Amazon’s move: Stephen Day, whose project to build a hash identity implementation for the Go language, begun at Docker, was absorbed into the OCI just last month. As Day wrote to the developers’ group, Docker Inc. has avoided the process of merging the evolved OCI format back into its own organization, mainly because a 1.0 version has yet to be finalized, and much work evidently remains.
“It’s a little early to declare registry support before the final details have been worked out,” wrote Day. “There are no guarantees that things won’t break for OCI images in ECR. [The] OCI image-spec is likely to make at least one more media type tweak around manifest lists.”
“I’m hopeful that by working with the OCI group, we’ll be able to support distribution per the spec,” stated Windsor, in his note to us. “How we support OCI today may change as that gets defined. I doubt we’d make breaking changes here, but if we had to, we would communicate it to customers and ensure a smooth transition path.”