-
Notifications
You must be signed in to change notification settings - Fork 672
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add clarifaction for WASM OCI artifact use case #1137
Conversation
It's always felt wrong to call wasi/wasm images an "artifact". They are runnable images, with a different platform, and which use a different runtime. Is there a reason to call them an artifact instead of a runnable image? |
In Runwasi, the current approach is to package the WASM modules/components into a container using docker but we've been working on ways to avoid this to help with deduplication when pulling modules/components and other efforts (some more outlined in https://docs.google.com/document/d/11shgC3l6gplBjWF1VJCWvN_9do51otscAm0hBDGSSAc):
The current approach looks this for a WASM OCI Artifact:
|
Given the custom layers in these images, would it make sense to use a custom config media type too? E.g. changing |
As of today, We haven't come across anything specific for WASM in the image config that isn't met by image media config type of One of the goals was to create an Artifact type that could be used in contianerd today with out major changes. We could give it a different name and keep the format the same but I feel like that would just cause confusion. Could there be specifics that are needed for WASM? Maybe, though we are really early in the adaption and implementation phase (WASI preview2 support hasn't landed yet). Since we've got this working without major hiccups across a wide set of runtimes (wasmer, wasmtime, spin, wasmedge, ...) it seems right to use what is working today and gather feedback. Maybe in the future we would want to extend/change the format or change runtimes to know more about WASM artifacts but as of now we don't have any specific requirements. I also believe any changes can be handed in a backwards compatible way. By using the
This was an example and output wasn't updated after feedback. There was an update to address the feedback using
|
Probably the reason I'm struggling with this, and it feels like a square peg / round hole scenario, is that artifacts should not be executed by a runtime. So by using the artifactType for WASM content, we're blurring a line that runtimes may want to keep well defined. Would an annotation to select a runtime make sense? |
Why not? Is there a definition of artifact that excludes this? I was poking around around and found that sigularity handles both OCI image formats and their own artifact type.
We are already executing WASM with runwasi. The wasm modules are packaged into a container image but we had to teach the shims how to read these packages specifically. Right now all the wasm files are assumed to be in the root of the container. With the OCI artifacts, trying to make this more explicit, reduce duplication of the modules and make them usable in various settings. For instance Spin/slight can't directly run the images we publish in runwasi and runwasi can't use the OCI Artifacts produced by them. We also don't want every different runtime to need to create there own artifact type.
Could you explain? Maybe another alternative is to specify our own |
For what it's worth, I'm also confused by the distinction; in the data model this repository describes today, "image" is the traditional tar based layered container image, and "artifact" is a generic wrapper for anything else (I've actually been considering setting |
Another benefit to the |
I'm trying to look at this from the runtime side without fully understanding their implementations. Is there anything they need or want from the image spec to know when to attempt to run a container image? If downstream runtimes don't have any requirements from us, then I have no objection to relaxing the spec. (By runtimes, I'm including older versions of containerd+runc, podman, and other traditional runtimes, not just upgraded installs with the wasm support.)
It feels like artifactType is being used as a signal to wasm runtimes to know if/how the content should be executed. If we just need a text field, a well know annotation set on the manifest can also do that. There's also the platform |
Currently, |
In other words, I'm in favor of the intent of this PR (although haven't yet reviewed the contents). Having WASM use the image config media type seems fine if it fits their needs as defined, as long as they also specify an appropriate artifact type for higher level runtimes to handle their layers and actual runtime correctly. |
Older containerd would probably balk appropriately at the custom layer media type (since it wouldn't know how to extract them into the snapshotters). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor typo fix
It sounds like there are a few options:
I had been going down the path of 4, but it doesn't sound like others agree. I'm not a fan of 1, there's really no value to users of the spec to see guidance full of open ended exceptions. So I think it's a choice between 2 or all the way to 3 unless there are other options I've missed. |
@sudo-bmitch perhaps for 2 it could be restated that runtimes should be able to run images that have an image config and no |
Hopefully this is some helpful context from another voice in the wasm space (wasmCloud in particular). So for me personally I don't care too much about the content type as we can make whatever we need work, but I will say that limiting it to be Second, and more important, is that in context of the component model a web assembly component (what could also be called a module) is both an executable unit that could be run inside of a runtime, but it is also an artifact in that it can be glued together with other components. With that in mind, I honestly don't know what to recommend here, but I think it is important context to have in this discussion. tl;dr
|
No major changes where required to get this working in the containerd versions supported. I've merged to backport PR's to containerd for this support (containerd/containerd#9149 and containerd/containerd#9150). |
Tagging @opencontainers/runtime-tools-maintainers for any inputs. |
@jsturtevant can you help DCO to pass? |
I've iterated on this a few times so I've gotten it working with/without Side note is that, Containerd lets you pass in standard layers and other media types, so you could technically include specific Image layer types in the the WASM artifact and get a root file system that looks they way you want it and use the other artifact layers as the runtime (eg. containerd shim) sees fit. I don't think this is appropriate for WASM but I think there are some really interesting things you could potentially do with running images that also contain additional media types. I don't see a reason to restrict that type of potential. The end goal is to be able to be able to publish WASM components/modules to OCI backend and then be able to consume them from a runtime (eg, containerd) and outside (eg, spin/wasm/cloud) as @thomastaylor312 points out. Setting the |
Signed-off-by: James Sturtevant <jstur@microsoft.com>
07c6280
to
327c837
Compare
@sajayantony Sorry about that, should be ok now. |
re: @tianon, but also to the manifest shown above as a whole.
I'd like to define an "image" as anything a runtime-spec based runtime might want to interpret, and an artifact as anything that should be opaque. From a data-model standpoint that is Under the definition of an image, you can have your own layer types only a specialized runtime can interpret, and you can have custom annotations (in the descriptors) or even fields in the manifest, the config, etc. I would like to add code to existing runtimes to ignore anything with an |
Functionally, that doesn't sound much different from "artifact type of image manifest, implied or explicit, is a container image" except that there can only be one "it isn't set" case vs any number of artifact types that might warrant special behavior in the future |
That's not the example above -- the example above is a custom I'm working on a PR clarifying the high-level/semantic meaning of 'artifact' and 'image'; and I hope to make a stronger clarification of "artifact" being detectable in code by checking the presence of |
Under this definition, if we remove the artifact type field from the manifest, this manifest would be acceptable? We don't really need the
The semantics seem generally ok but seems like What about existing implementations that point to the fact that OCI artifacts with |
synced with @neersighted off-line and the conclusion is that we should remove the In the future we may still create a WASM specific artifact but this would require changes to runtimes and we unclear on the exact config format that would meet all the various runtime needs until WASI compontents stabalize. Summary of the conversation is in CNCF wg-wasm chat: https://cloud-native.slack.com/archives/C056EDRH4PJ/p1697491155258889 |
I've opened #1141 to add what I believe to be the missing clarity the spec needs around these points. To briefly summarize what I attempted to relay to @jsturtevant, I believe that the difference between "image" and "artifact" hinges on interpretation of the config blob. When you use the well-known OCI mediaType/format for the config (as in config.md), you have an image. If you do something else, you have an artifact. Given the desire to use the existing config (such that existing code in containerd can understand it), I believe that the manifest the WASM folks have created is very much an image, and the only change they need to make (as shown) is to drop the |
It's also worth noting that the above PR is not the end of the work in the image-spec to enable @jsturtevant and co; they are mixing OCI rootfs layers and non-rootfs layers in an image. This seems like a pragmatic thing to support in the face of a real use-case, and I think we should codify something like containerd/containerd#9142 (or a variant) in the spec, such that we can define semantics for reconciling rootfs to layers (similar to the history object) and agree how to determine which layers should not be considered for rootfs/diffids validation. |
I think we've come to a reasonable solution with a few followups in progress. I am going to close this now as discussion has moved to #1141 |
I would like to propose a small change to the wording of for OCI artifacts. This comes up from the use case from WASM where we run the wasm components in a runtime like containerd and using the
application/vnd.oci.image.config.v1+json
is required. We are using theartifactType
to distinguish between a standard image and wasm OCI artifact.Some details are on how this works in containerd is in https://docs.google.com/document/d/11shgC3l6gplBjWF1VJCWvN_9do51otscAm0hBDGSSAc and a sample using containerd/runwasi#147