Slide 1

Slide 1 text

SunnyTech 2025 - Yves Brissaud
Container images, finally digest(ible): Manifests, Blobs and Tags

Slide 2

Slide 2 text

𝕏 🦋 @_crev_ @yves.brissaud.name Yves Brissaud

Slide 3

Slide 3 text

https://dagger.io
Build your modern software factory.
Workflows and dev environments
- For CI
- For Agents
By the creators of Docker
https://github.com/dagger/dagger
https://github.com/dagger/container-use

Slide 4

Slide 4 text

Agenda
✓ Vocabulary
✓ Why?
✓ Build & Inspect
✓ Push & Registry
✓ Pull & Tags
✓ Update
✓ Beyond
𐄂 Theoretical specifications https://github.com/opencontainers/image-spec

Slide 5

Slide 5 text

Vocabulary
• Container image ~= Docker image ~= OCI image ~= OCI Artifact
• OCI: Open Container Initiative https://opencontainers.org/
• Digest / Hash (sha256)

Slide 6

Slide 6 text

Why? (care about the image format)
• Docker Hub
• Registry
• Pull analytics
• Docker Scout
• CNAB / Docker App
• …

Slide 7

Slide 7 text

Why? (care about the image format)

Slide 8

Slide 8 text

Why? (care about the image format)
• Homebrew? -> Image
• LLM with Docker Model Runner? -> Image
• Compose? Helm? -> Image
• AWS Lambda? -> Image
• …

Slide 9

Slide 9 text

Build

Slide 10

Slide 10 text

Build
• Base image
• Multiple architectures
• SSC materials
• Multiple tags

Slide 11

Slide 11 text

Build
• Base image
• Multiple architectures
• SSC materials
• Multiple tags

FROM alpine
COPY <

Slide 12

Slide 12 text

Build
• Base image
• Multiple architectures
• SSC materials
• Multiple tags

$ docker build \
    --platform linux/amd64,linux/arm64 \
    --attest type=sbom \
    --attest type=provenance,mode=max \
    --tag localhost:5001/sunny:latest \
    --tag localhost:5001/sunny:1 \
    --tag localhost:5001/sunny:1.0 \
    --tag localhost:5001/sunny:1.0.0 \
    --push \
    .

Slide 13

Slide 13 text

Inspect

Slide 14

Slide 14 text

Inspect
• Extract the image
• Explore
• Starting from index.json

$ mkdir image && cd image
$ docker save \
    localhost:5001/sunny:latest | tar x
$ $EDITOR .

Slide 15

Slide 15 text

Image Index (application/vnd.oci.image.index.v1+json)
• linux/amd64 manifest (application/vnd.oci.image.manifest.v1+json)
• linux/arm64 manifest (application/vnd.oci.image.manifest.v1+json)
• attestation-manifest (application/vnd.oci.image.manifest.v1+json)
• attestation-manifest (application/vnd.oci.image.manifest.v1+json)

Slide 16

Slide 16 text

Image Index (application/vnd.oci.image.index.v1+json)
• linux/amd64: config blob, layer, layer, …
• linux/arm64: config blob, layer, layer, …
• attestation-manifest: config blob, layers (application/vnd.in-toto+json)
• attestation-manifest: config blob, layers (application/vnd.in-toto+json)
Diagram labels: "Image", "Multi-platform Image"

Slide 17

Slide 17 text

Push

Slide 18

Slide 18 text

Push: Why a registry and not just archives?
✓ Deduplication
✓ Metadata (tags)
✓ Version history

Slide 19

Slide 19 text

v2/
  blobs/
    sha256/
      1c/1c7e35ae…
      5a/5a0523cd…
      bb/bb124008…
      …

Slide 20

Slide 20 text

v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/ …

Slide 21

Slide 21 text

v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/ …

Slide 22

Slide 22 text

v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/ …
my/image:latest

Slide 23

Slide 23 text

v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/ …
my/image:latest@sha256:…

Slide 24

Slide 24 text

v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/ …
  blobs/
    sha256/
      1c/1c7e3…
      5a/5a052…
      bb/bb124…
      …

Slide 25

Slide 25 text

v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/ …
  blobs/
    sha256/
      1c/1c7e3…
      5a/5a052…
      bb/bb124…
      …

Slide 26

Slide 26 text

Pull

Slide 27

Slide 27 text

Pull: Pulling the linux/amd64 version of the tag latest
1. Resolve the tag to a digest
2. Select the image for the platform
3. Download the config and layer blobs

Slide 28

Slide 28 text

Pull: Resolve the tag to a digest

HEAD /v2/sunny/manifests/latest

HTTP/1.1 200 OK
content-type: application/vnd.oci.image.index.v1+json
docker-content-digest: sha256:bb12408994b47cd38d271756538fae38211912e1fc81b5bd2c8e6c1189e55f7a
docker-distribution-api-version: registry/2.0

Slide 29

Slide 29 text

v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/ …
  blobs/
    sha256/
      1c/1c7e3…
      5a/5a052…
      bb/bb124…
      …

Slide 30

Slide 30 text

Pull: Select the manifest

GET /v2/sunny/manifests/sha256:…

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [{
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "digest": "sha256:5a9523cb0b6df3ab430767d86c0672a75c53caa…",
    "size": 668,
    "platform": {
      "architecture": "amd64",
      "os": "linux"
    }
  },
  …

Slide 31

Slide 31 text

Image Index (application/vnd.oci.image.index.v1+json)
• linux/amd64: config blob, layer, layer, …
• linux/arm64: config blob, layer, layer, …
• attestation-manifest: config blob, layers (application/vnd.in-toto+json)
• attestation-manifest: config blob, layers (application/vnd.in-toto+json)

Slide 32

Slide 32 text

Pull: Select the manifest

GET /v2/sunny/manifests/sha256:5a9523…

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:74031e380ebc651f1a88ccc475cb6ba373deb99f1dd08abacf91133b02fa973e",
    "size": 802
  },
  "layers": [{
    "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
    "digest": "sha256:f18232174bc91741fdf3da96d85011092101a032a93a388b79e99e69c2d5c870",
    "size": 3642247
  }, {
    "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
    "digest": "sha256:9e7f22e90c58fde28040a694fe740d6fccf15abdd630d47484445063d21c15d4",
    "size": 118
  }]
}

Slide 33

Slide 33 text

Image Index (application/vnd.oci.image.index.v1+json)
• linux/amd64: config blob, layer, layer, …
• linux/arm64: config blob, layer, layer, …
• attestation-manifest: config blob, layers (application/vnd.in-toto+json)
• attestation-manifest: config blob, layers (application/vnd.in-toto+json)

Slide 34

Slide 34 text

Pull: Download the config and layer blobs

GET /v2/sunny/blobs/sha256:…
GET /v2/sunny/blobs/sha256:…
…

$ docker pull --platform linux/amd64 localhost:5001/sunny:latest
latest: Pulling from sunny
74031e380ebc: Pull complete
9e7f22e90c58: Pull complete
Digest: sha256:bb12408994b47cd38d271756538fae38211912e1fc81b5bd2c8e6c1189e55f7a
Status: Downloaded newer image for localhost:5001/sunny:latest
localhost:5001/sunny:latest

Slide 35

Slide 35 text

Image Index (application/vnd.oci.image.index.v1+json)
• linux/amd64: config blob, layer, layer, …
• linux/arm64: config blob, layer, layer, …
• attestation-manifest: config blob, layers (application/vnd.in-toto+json)
• attestation-manifest: config blob, layers (application/vnd.in-toto+json)

Slide 36

Slide 36 text

Pull: Requests
HEAD /v2/devoxx/manifests/ → tag-to-digest resolution
GET /v2/devoxx/manifests/ → image index JSON
GET /v2/devoxx/manifests/ → image manifest JSON
GET /v2/devoxx/blobs/ → config blob
GET /v2/devoxx/blobs/ → layer blob
GET /v2/devoxx/blobs/ → layer blob
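The three pull steps above, as an added example that is not code from the talk or from any registry implementation: a constructed in-memory registry (`Registry`, `push`, `fetch` and `pull` are hypothetical names) in which every hop after the tag lookup is checked against the sha256 digest and size of its descriptor.

```python
import hashlib, json
IDX, MAN = "application/vnd.oci.image.index.v1+json", "application/vnd.oci.image.manifest.v1+json"
CFG, LAY = "application/vnd.oci.image.config.v1+json", "application/vnd.oci.image.layer.v1.tar+gzip"

def digest(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()

class Registry:
    """Constructed in-memory stand-in for a registry: blobs keyed by digest, tags as pointers."""
    def __init__(self):
        self.blobs, self.tags = {}, {}
    def put(self, obj, media_type):
        data = obj if isinstance(obj, bytes) else json.dumps(obj).encode()
        self.blobs[digest(data)] = data  # identical content lands on the same key (deduplication)
        return {"mediaType": media_type, "digest": digest(data), "size": len(data)}

def push(reg, tags, layers_by_arch):
    """Store one manifest per architecture plus an index, then point every tag at the index."""
    manifests = []
    for arch, layers in layers_by_arch.items():
        platform = {"architecture": arch, "os": "linux"}  # doubles as a minimal config blob
        manifest = {"schemaVersion": 2, "mediaType": MAN, "config": reg.put(platform, CFG),
                    "layers": [reg.put(layer, LAY) for layer in layers]}
        manifests.append({**reg.put(manifest, MAN), "platform": platform})
    index = reg.put({"schemaVersion": 2, "mediaType": IDX, "manifests": manifests}, IDX)
    reg.tags.update({tag: index["digest"] for tag in tags})
    return index["digest"]

def fetch(reg, desc):
    """GET by digest, then check the bytes against the descriptor before using them."""
    data = reg.blobs[desc["digest"]]
    if desc.get("size", len(data)) != len(data) or digest(data) != desc["digest"]:
        raise ValueError("content does not match " + desc["digest"])
    return data

def pull(reg, tag, arch, os_name="linux"):
    index_digest = reg.tags[tag]                              # 1. tag -> digest (the HEAD request)
    index = json.loads(fetch(reg, {"digest": index_digest}))
    for desc in index["manifests"]:                           # 2. select the platform manifest
        p = desc.get("platform", {})
        if (p.get("os"), p.get("architecture")) == (os_name, arch):
            manifest = json.loads(fetch(reg, desc))
            blobs = [fetch(reg, d) for d in [manifest["config"], *manifest["layers"]]]  # 3. blobs
            return index_digest, blobs
    raise LookupError("no manifest for %s/%s" % (os_name, arch))

if __name__ == "__main__":
    reg = Registry()
    push(reg, ["latest", "1"], {"amd64": [b"base", b"app-amd64"], "arm64": [b"base", b"app-arm64"]})
    print(pull(reg, "latest", "amd64")[0])
```

Only the tag lookup is a mutable pointer; pinning a reference by digest skips that step, and everything below it is verified by construction.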

Slide 37

Slide 37 text

Pull: Pulling the linux/amd64 version of the tag latest 1
1. Resolve the tag to a digest
2. Select the image for the platform
3. Download the config and layer blobs

Slide 38

Slide 38 text

Pull: Pulling the linux/amd64 version of the tag latest 1
1. Resolve the tag to a digest → Identical
2. Select the image for the platform → Manifest already downloaded
3. Download the config and layer blobs → Blobs already downloaded

Slide 39

Slide 39 text

Pull: Requests
HEAD /v2/devoxx/manifests/ → tag-to-digest resolution
GET /v2/devoxx/manifests/ → image index JSON
GET /v2/devoxx/manifests/ → image manifest JSON
GET /v2/devoxx/blobs/ → config blob
GET /v2/devoxx/blobs/ → layer blob
GET /v2/devoxx/blobs/ → layer blob

Slide 40

Slide 40 text

v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/ …
  blobs/
    sha256/
      1c/1c7e3…
      5a/5a052…
      bb/bb124…
      …

Slide 41

Slide 41 text

Update

Slide 42

Slide 42 text

Update: New image
• Edit / add a layer
• Update existing tags
• Add tags

$ docker build \
    --platform linux/amd64,linux/arm64 \
    --attest type=sbom \
    --attest type=provenance,mode=max \
    --tag localhost:5001/sunny:latest \
    --tag localhost:5001/sunny:1 \
    --tag localhost:5001/sunny:1.0 \
    --tag localhost:5001/sunny:1.0.1 \
    --push \
    .

Slide 43

Slide 43 text

Image Index (application/vnd.oci.image.index.v1+json)
• linux/amd64: config blob, layer, layer, …
• linux/arm64: config blob, layer, layer, …
• attestation-manifest: config blob, layers (application/vnd.in-toto+json)
• attestation-manifest: config blob, layers (application/vnd.in-toto+json)

Slide 44

Slide 44 text

v2 repositories _manifests tags latest current index sha256 link link 1.0.0 current index sha256 link link 1 … blobs sha256 1c 5a bb … 1c7e3… 5a052… bb124… link 1.0.1 current index sha256 link link …

Slide 45

Slide 45 text

Extend

Slide 46

Slide 46 text

Beyond images: OCI Artifacts Everywhere

Slide 47

Slide 47 text

Beyond images: OCI Artifacts Everywhere
• Extend images
• Store… everything

Slide 48

Slide 48 text

Image Index (application/vnd.oci.image.index.v1+json)
• linux/amd64: config blob, layer, layer, …
• linux/arm64: config blob, layer, layer, …
• attestation-manifest: config blob, layers (application/vnd.in-toto+json)
• attestation-manifest: config blob, layers (application/vnd.in-toto+json)

Slide 49

Slide 49 text

Beyond images: OCI Artifacts Everywhere

$ helm pull oci://docker.io/username/repo --version 0.1.0
$ docker compose -f oci://docker.io/username/repo:latest up
$ docker model pull ai/llama3.1:8B-Q4_K_M
$ brew install cowsay

Slide 50

Slide 50 text

Beyond images: OCI Artifacts Everywhere

ai/llama3.1:8B-Q4_K_M

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.docker.ai.model.config.v0.1+json",
    "size": 445,
    "digest": "sha256:0a7e802a3fcd88654d0a0fc45d1f4f45fe34b2e52d39a77abb357b2ee720f9ed"
  },
  "layers": [{
    "mediaType": "application/vnd.docker.ai.gguf.v3",
    "size": 4920739200,
    "digest": "sha256:15f25f7d652061d381368a2f6fa8b2fc6a6c179530cf73080e2a71ff5cd390f1"
  }, {
    "mediaType": "application/vnd.docker.ai.license",
    "size": 7627,
    "digest": "sha256:64e1b2889b7892e6bbe7a7ed5bfe6ff793c61f9d584345f8f41cf9f5cb30a369"
  }, {
    "mediaType": "application/vnd.docker.ai.license",
    "size": 4691,
    "digest": "sha256:a568f2ebc73cec3fd74ba2afd992d4e945a8c7a9d851f9b66163aac834b7b859"
  }]
}

Slide 51

Slide 51 text

Beyond images: OCI Artifacts Everywhere

ai/llama3.1:8B-Q4_K_M

{
  "config": {
    "size": "4.58 GiB",
    "architecture": "llama",
    "format": "gguf",
    "parameters": "8.03 B",
    "quantization": "IQ2_XXS/Q4_K_M"
  },
  "descriptor": {
    "created": "2025-04-03T13:02:48.564612+02:00"
  },
  "rootfs": {
    "diff_ids": [
      "sha256:15f25f7d652061d381368a2f6fa8b2fc6a6c179530cf73080e2a71ff5cd390f1",
      "sha256:64e1b2889b7892e6bbe7a7ed5bfe6ff793c61f9d584345f8f41cf9f5cb30a369",
      "sha256:a568f2ebc73cec3fd74ba2afd992d4e945a8c7a9d851f9b66163aac834b7b859"
    ],
    "type": "rootfs"
  }
}

Slide 52

Slide 52 text

Beyond images: OCI Artifacts Everywhere
✓ WASM modules
✓ Docker volumes
✓ Dev containers
✓ …
? Documentation
? Runbooks
? …

Slide 53

Slide 53 text

Thank you 🙏 𝕏 🦋 @_crev_ @yves.brissaud.name