Open Container Initiative Creates a Distribution Specification for Registries

This week, the Open Container Initiative launched its third open project, the Distribution Specification Project. Its goal is a shared set of requirements for registries that host container images. The work is based on the Docker Registry version 2 API, and the project has no set time frame for completion.
The project will be led by Derek McGowan and Stephen Day of Docker and Vincent Batts of Red Hat. At present it consists of a set of goals for the specification as a whole, coupled with the lessons learned from the Docker Registry.
“OCI has been around for 2.5 years. When we first started, the whole thing was initiated to create standards around container technology as they emerged,” said Chris Aniszczyk, chief operating officer of the Cloud Native Computing Foundation. “First, we started with the runtime specification, then it was around image layout, and finally the community came around recently and decided distribution was a good thing to standardize, given most of the market is adopting Docker’s registry API for image distribution.”
“A lot of the registries have implemented Docker’s registry API through the big cloud providers, though some small issues have popped up where some providers haven’t fully implemented the specification, or don’t do multi-architecture images properly,” said Aniszczyk. “This is a good opportunity to standardize on something widely used in the industry already.”
This specification will allow third parties to build out distribution layers on top of compliant registries, ensuring vendors can compete on value adds, rather than simply on implementation, said Day, who is a senior software engineer at Docker and maintainer on the OCI Distribution Specification Project.
“We’re not building a new format. We’re taking an existing format and bringing it into the OCI as it is,” Day said. “We’ve already started this process with the first big pull request which imports the existing Docker Registry HTTPv2 API specification into that, and then we’ll start from there. This means existing stuff that implements that protocol will be in a good position to implement OCI capabilities as well.”
He went on to say that the specification “leaves a lot of the details out for the different systems integrators. You can build secure distribution models on top of that. It defines a really good subset of the distribution model for images such that people using similar technology can interoperate to the direct level, and competition can happen around signing and verification, or other distribution models can be built on top of this.”
One of the project’s main requirements is security around images. Because a registry is the single location from which an entire organization may pull its container images, it is a prime target for attackers. Traditional package management systems like Yum and apt-get aren’t quite up to the task of ensuring enterprise-grade security across images.
To this end, Day said that the Distribution Specification Project takes a cue from git: each piece of content is identified by a cryptographic hash of its bytes, and that hash is its unique identifier. Multiple registries can therefore share the same content under the same identifier, and a client can verify that an image hasn’t been tampered with along the way: if it has, the hash computed from the downloaded bytes will no longer match the identifier the registries advertise.
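The following is an added illustration of that content-addressable scheme, written for this article; it is not code from the OCI project or from Docker’s registry. It assumes the digest format `sha256:<hex>` and the OCI image media type strings, and it simplifies the manifest to a config descriptor plus a list of layer descriptors. The config and layer bytes are constructed placeholders, not real tarballs. A registry is modeled as a dictionary keyed by digest; a mirror built from the same content ends up with identical keys, and a client pulling from either verifies every blob against the digest the manifest lists before trusting it.

```python
import hashlib
import hmac
import json

# Constructed sample content standing in for a config blob and two layer blobs.
# Real layers would be (compressed) tar archives; the digest scheme does not care.
CONFIG_BLOB = json.dumps({"architecture": "amd64", "os": "linux"}).encode()
LAYER_BLOBS = [b"layer-0: base filesystem (constructed placeholder)",
               b"layer-1: application files (constructed placeholder)"]


def digest(data: bytes) -> str:
    """Content-addressable identifier: '<algorithm>:<hex>', here always sha256."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def descriptor(media_type: str, data: bytes) -> dict:
    """A descriptor names a blob by its digest and size, never by a mutable name."""
    return {"mediaType": media_type, "digest": digest(data), "size": len(data)}


def build_manifest(config: bytes, layers: list) -> bytes:
    """Serialize a (simplified) image manifest; its own digest then covers every
    blob digest it lists, so one trusted identifier pins the whole image."""
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": descriptor("application/vnd.oci.image.config.v1+json", config),
        "layers": [descriptor("application/vnd.oci.image.layer.v1.tar+gzip", layer)
                   for layer in layers],
    }
    # Canonical encoding so the manifest bytes, and hence the digest, are stable.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def blob_matches(desc: dict, data: bytes) -> bool:
    """Check a fetched blob against the descriptor that referenced it."""
    algo, _, expected_hex = desc["digest"].partition(":")
    if algo != "sha256":
        raise ValueError("unsupported digest algorithm: " + algo)
    if len(data) != desc["size"]:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex)


def make_registry(config: bytes, layers: list) -> tuple:
    """Simulate a registry blob store keyed by digest; returns (store, manifest digest)."""
    manifest = build_manifest(config, layers)
    store = {digest(b): b for b in [config, *layers, manifest]}
    return store, digest(manifest)


def verify_pull(store: dict, manifest_digest: str) -> bool:
    """Client-side pull: trust only the manifest digest, verify everything beneath it."""
    manifest_bytes = store.get(manifest_digest)
    if manifest_bytes is None or digest(manifest_bytes) != manifest_digest:
        return False
    manifest = json.loads(manifest_bytes)
    for desc in [manifest["config"], *manifest["layers"]]:
        blob = store.get(desc["digest"])
        if blob is None or not blob_matches(desc, blob):
            return False
    return True


def tamper(store: dict, target_digest: str, new_bytes: bytes) -> dict:
    """An attacker or faulty mirror overwrites the blob stored under an existing digest."""
    tampered = dict(store)
    tampered[target_digest] = new_bytes
    return tampered


def demo() -> dict:
    store, manifest_digest = make_registry(CONFIG_BLOB, LAYER_BLOBS)
    # A second registry holding the same content derives identical digests, so a
    # client can fetch any blob from either and check it the same way.
    mirror, mirror_manifest_digest = make_registry(CONFIG_BLOB, LAYER_BLOBS)
    layer0_digest = digest(LAYER_BLOBS[0])
    evil = tamper(store, layer0_digest, b"layer-0: with an implanted binary")
    return {
        "clean_pull_ok": verify_pull(store, manifest_digest),
        "mirror_same_id": mirror_manifest_digest == manifest_digest and mirror == store,
        "tampered_pull_ok": verify_pull(evil, manifest_digest),
        "tampered_blob_digest_changed": digest(evil[layer0_digest]) != layer0_digest,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points worth noting. The digest check catches corruption and tampering of bytes the client already knows the digest of; it says nothing about who published the image or whether the manifest digest the client started from is the right one. That is the gap Day alludes to when he says competition can happen around signing and verification: a signature over the manifest digest is what ties the content to a publisher, and it sits on top of this scheme rather than inside it. Second, the size check and the constant-time comparison are cheap, but the real defense is simply refusing to use any blob whose recomputed digest differs from the descriptor, however the bytes arrived.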
The Cloud Native Computing Foundation and Red Hat are sponsors of The New Stack.
Feature image via Pixabay.