skopeo VS crun

I decided to go searching for an alternative means to pull a docker image. In my search I discovered Skopeo, an alternative method to download Docker images that proved to be surprisingly effective. It not only downloaded the image faster, it also allowed me to save my image in a tar file, which means you can pull an image on one system and share that image to another system, loading it easily to docker instance on that system. This can be very beneficial if you have multiple systems and don't want to download an image multiple times.

But I'd suggest looking into if it's solved by other tools already, like regclient/regclient and their regsync features or something like containers/skopeo.

Have a use case where we have a CLI (built with cobra) for our dev teams which can execute common tasks. One of those tasks we want to implement is to copy docker images from the internet to our internal registry. A tool such as skopeo can do this and much more. Instead of essentially re-writing the functionality directly into our CLI we'd like to embed it. This would also negate the need for the dev teams to manage multiple CLI tools.

Self hoisting here, I put this together to make it easier to generate single (extra) layer docker images without needing a docker agent, capabilities, chroot, etc: https://github.com/andrewbaxter/dinker

Caveat: it doesn't work on Fly.io. They seem to be having some issue with OCI manifests: https://github.com/containers/skopeo/issues/1881 . They're also having issues with new docker versions pushing from CI: https://community.fly.io/t/deploying-to-fly-via-github-actio... ... the timing of this post seems weird.

FWIW the article says

> create a Docker image, also known as an OCI image

I don't think this is quite right. From my investigation, Docker and OCI images are basically content addressed trees, starting with a root manifest that points to other files and their hashes (root -> images -> layers -> layer configs + files). The OCI manifests and configs are separate to Docker manifests and configs and basically Docker will support both side by side.

skopeo is another tool worth looking into. we've started deploying amd and arm nodes into our k8s clusters, and this tool was incredibly easy to build around for getting multi-arch images into our container registry.

I would use skopeo, the tool is quite handy for working with remote images. https://github.com/containers/skopeo

Using distroless images not only reduces the size of the container image it also reduces the surface attack. The need for container image signing is because even with the distroless images there is a chance of facing some security threats such as receiving a malicious image. We can use cosign or skopeo for container signing and verifying. You can read more about securing containers with Cosign and Distroless Images in this blog.

Look at using tools like skopeo or crane

You could try some commandline tool like skopeo to fetch the image tags regularly and do some shell magic to notify you on any change you want

This is what Podman, an open-source daemonless and rootless container engine, was developed with in mind. Podman runs using the runC container runtime process, directly on the Linux kernel, and launches containers and pods as child processes. In addition, it was developed for the Docker developer, with most commands and syntax seamlessly mirroring Docker's. Buildah, an image builder, and Skopeo, the image utility tool, are both complimentary to Podman as well, and extend the range of operations able to be performed.

Yep pretty much.

The executables bundle crun (a container runtime)[0], and a fuse implementation of squashfs and overlayfs. Appended to that is a squashfs of the image.

At runtime the squashfs and overlayfs are mounted and the container is started.

[0]: https://github.com/containers/crun

cpu: 4 disk: 60 memory: 12 arch: host hostname: colima autoActivate: true forwardAgent: false # I only tested this with 'docker', not 'containerd': runtime: docker kubernetes: enabled: false version: v1.24.3+k3s1 k3sArgs: [] network: address: true dns: [] dnsHosts: host.docker.internal: host.lima.internal # Added: # - containerd-snapshotter: true (meaning containerd will be used for pulling images) # - default-runtime / runtimes: crun (instead of the default 'runc') docker: default-runtime: crun features: buildkit: true containerd-snapshotter: true runtimes: crun: path: /usr/local/bin/crun vmType: vz rosetta: true mountType: virtiofs mountInotify: false cpuType: host # This provisioning script installs WasmEdge and builds crun with wasmedge support: provision: - mode: system script: | [ -f /etc/docker/daemon.json ] && echo "Already provisioned!" && exit 0 echo "Install system updates:" apt-get update -y apt-get upgrade -y echo "Install WasmEdge and crun dependencies:" # NOTE: packages curl git python3 already installed: apt-get install -y make gcc build-essential pkgconf libtool libsystemd-dev libprotobuf-c-dev libcap-dev libseccomp-dev libyajl-dev libgcrypt20-dev go-md2man autoconf automake criu apt-get clean -y - mode: user script: | [ -f /etc/docker/daemon.json ] && echo "Already provisioned!" && exit 0 echo "Installing WasmEdge:" curl -sSf https://raw.githubusercontent.com/WasmEdge/WasmEdge/master/utils/install.sh | sudo bash -s -- -p /usr/local echo echo "`wasmedge -v` installed!" # NOTE: I failed to Configure Wasmtime properly - turned off for now: #echo "Installing Wasmtime:" #curl -sSf https://wasmtime.dev/install.sh | bash #sudo cp .wasmtime/bin/* /usr/local/bin/ #rm -rf .wasmtime #echo "`wasmtime -V` installed!" echo "Install crun:" git clone https://github.com/containers/crun cd crun ./autogen.sh #./configure --with-wasmedge --with-wasmtime ./configure --with-wasmedge make sudo make install crun -v echo "crun installed! Replacing runc with crun:" # NOTE: replacing runc with runc is to simplify containerd config TRC=`which runc` sudo rm -rf $TRC sudo cp `which crun` $TRC echo "Configuring containerd:" sudo mkdir -p /etc/containerd/ containerd config default | sudo tee /etc/containerd/config.toml >/dev/null echo "Restarting/reloading docker/containerd services:" sudo systemctl daemon-reload sudo systemctl restart containerd # As soon as Colima writes its /etc/docker/daemon.json file (right after this provisioning script), # it will also start the Docker daemon. If we stop Docker here, the changes will actually take effect: sudo systemctl stop docker sshConfig: true mounts: [] env: {}

On this note, I was really surprised to find Red Hat's OCI runtime is written in C: https://github.com/containers/crun

Is anyone working on a Rust version?

It's interesting that, in light of things like this, you still see large software companies adding support for new components written in non-memory safe languages (e.g. C)

As an example Red Hat OpenShift added support for crun(https://github.com/containers/crun) this year(https://cloud.redhat.com/blog/whats-new-in-red-hat-openshift...), which is written in C as an alternative to runc, which is written in Go(https://github.com/opencontainers/runc)...

Kubernetes needs an OCI runtime to run containers with. Crun is one implementation it can use.

Docker also appears to be able to use crun for it's engine as well. https://github.com/containers/crun/issues/37

crun

Looks like https://github.com/containers/crun/issues/255 - start there.