Umoci Versions

umoci modifies Open Container images

v0.2.1

7 years ago
  • hack/release.sh automates the process of generating all of the published artefacts for releases. The new script also generates signed source code archives. openSUSE/umoci#116
  • umoci now outputs configurations that are compliant with v1.0.0-rc5 of the OCI runtime-spec. This means that now you can use runc v1.0.0-rc3 with umoci (and rootless containers should work out of the box if you use a development build of runc). openSUSE/umoci#114
  • umoci unpack no longer adds a dummy linux.seccomp entry, and instead just sets it to null. openSUSE/umoci#114

Signed-off-by: Aleksa Sarai [email protected]

v0.2.0

7 years ago
  • umoci now has some automated scripts for generated RPMs that are used in openSUSE to automatically submit packages to OBS. openSUSE/umoci#101
  • --clear=config.{cmd,entrypoint} is now supported. While this interface is a bit weird (cmd and entrypoint aren't treated atomically) this makes the UX more consistent while we come up with a better cmd and entrypoint UX. openSUSE/umoci#107
  • New subcommand: umoci raw runtime-config. It generates the runtime-spec config.json for a particular image without also unpacking the root filesystem, allowing for users of umoci that are regularly parsing config.json without caring about the root filesystem to be more efficient. However, a downside of this approach is that some image-spec fields (Config.User) require a root filesystem in order to make sense, which is why this command is hidden under the umoci-raw(1) subcommand (to make sure only users that understand what they're doing use it). openSUSE/umoci#110
  • umoci's oci/cas and oci/config libraries have been massively refactored and rewritten, to allow for third-parties to use the OCI libraries. The plan is for these to eventually become part of an OCI project. openSUSE/umoci#90
  • The oci/cas interface has been modified to switch from *ispec.Descriptor to ispec.Descriptor. This is a breaking, but fairly insignificant, change. openSUSE/umoci#89
  • umoci now uses an updated version of go-mtree, which has a complete rewrite of Vis and Unvis. The rewrite ensures that unicode handling is handled in a far more consistent and sane way. openSUSE/umoci#88
  • umoci used to set process.user.additionalGids to the "normal value" when unpacking an image in rootless mode, causing issues when trying to actually run said bundle with runC. openSUSE/umoci#109

Thanks to all of the contributors that helped make this release happen:

Signed-off-by: Aleksa Sarai [email protected]

v0.1.0

7 years ago
  • CHANGELOG.md has now been added. openSUSE/umoci#76
  • umoci now supports v1.0.0-rc4 images, which has made fairly minimal changes to the schema (mainly related to mediaTypes). While this change is backwards compatible (several fields were removed from the schema, but the specification allows for "additional fields"), tools using older versions of the specification may fail to operate on newer OCI images. There was no UX change associated with this update.
  • umoci tag would fail to clobber existing tags, which was in contrast to how the rest of the tag clobbering commands operated. This has been fixed and is now consistent with the other commands. openSUSE/umoci#78
  • umoci repack now can correctly handle unicode-encoded filenames, allowing the creation of containers that have oddly named files. This required fixes to go-mtree (where the issue was). openSUSE/umoci#80

Signed-off-by: Aleksa Sarai [email protected]

v0.0.0

7 years ago

This is the first beta release of umoci, and it includes very few changes from v0.0.0-rc3. However, at this point the UX is effectively stable and umoci is properly tested. The (small) list of changes in this release from -rc3 is:

  • Static compilation now works properly. openSUSE/umoci#64
  • 32-bit builds have been fixed, and now umoci works on 32-bit architectures. openSUSE/umoci#70
  • The unit tests can now be run inside the %check section of an rpmbuild script, allowing for proper testing of packages when they are built on openSUSE (and Fedora). openSUSE/umoci#65
  • Unit tests have been massively expanded, as have the integration tests. In addition, full coverage profiles (both unit and integration) are generated to fully understand how much of the code is properly tested. Currently it is at ~80%. openSUSE/umoci#68 openSUSE/umoci#69
  • The logging output has been cleaned up to be much better for end-users to read. It's also a lot less chatty now. openSUSE/umoci#73
  • This project has now been moved to become an openSUSE project. openSUSE/umoci#75

Signed-off-by: Aleksa Sarai [email protected]

v0.0.0-rc3

7 years ago

umoci has now gone through a large amount of cleanup, and included the addition of a few previously missing features. The main thing blocking a full release is that manifest lists are still unsupported, and there are some upstream PRs that define some of umoci's operations that need to be merged before umoci can be considered a compliant implementation. In addition, the logging library needs to be swapped (and the amount of output reduced).

Here's a short list of features added:

  • xattr support for both packing and unpacking was added, in particular this code also handles the issue of security.selinux. More policy decisions need to be added, but those are being discussed upstream. cyphar/umoci#52 cyphar/umoci#49
  • Ensure that environment variables have no duplicates. This ensures that umoci won't duplicate environment variables in either Config.Env or the extracted process.env. cyphar/umoci#30
  • Add support for read-only CAS operations with a read-only filesystem. Previously, attempting to open an OCI image on a read-only filesystem would fail miserably, now you can do read-only operations without issue. cyphar/umoci#47
  • Garbage collection now also garbage collects old tmpdirs, and other garbage from inside an image layout. cyphar/umoci#17
  • Output a helpful comment about --rootless if you're getting EPERMs.
  • Enable stack traces from an error if the --debug flag was applied to umoci. This is a feature that hopefully will be added to pkg/errors upstream.
  • Cleanups to vendoring of go-mtree so that it's much more upstream-friendly.

Signed-off-by: Aleksa Sarai [email protected]

v0.0.0-rc2

7 years ago

umoci now has a stable UX, as well as proper documentation for the UX in the form of generated man pages. Here's the full list of cool features:

  • umoci v0.0.0-rc2 has support for rootless unpacking and repacking! cyphar/umoci#26
  • It also has support for regular UID and GID mapping! cyphar/umoci#26
  • Symlinks and other similarly tricky unpacking problems have been resolved. All symlink path components are resolved inside the root filesystem of the container during unpacking. cyphar/umoci#27
  • Tag modification commands (such as umoci-tag(1), umoci-rm(1), umoci-ls(1)) have been implemented. cyphar/umoci#6 cyphar/umoci#40
  • umoci-stat(1) has been implemented. Currently it only outputs history information, but this will change in the future. It has stable JSON output. cyphar/umoci#38
  • umoci-init(1) and umoci-new(1) have been implemented, allowing for the creation of entirely new images from scratch. cyphar/umoci#5 cyphar/umoci#42
  • umoci-repack(1) and umoci-config(1) now automatically generate history entries (since the history is actually used by tooling like skopeo). In addition, the history mutation from umoci-config(1) has been removed because it was just unsafe. In order for users to be able to configure history entries' values, --history.* flags have been introduced. cyphar/umoci#
  • umoci-unpack(1) now saves all of the important argument metadata provided to it inside the generated bundle. These saved arguments are loaded by umoci-repack(1) to make the workflow much more sane.
  • --image and --from arguments have been combined into skopeo-style [:] arguments to --image. cyphar/umoci#39
  • Errors encountered during generation of a delta layer now are correctly propagated. cyphar/umoci#33
  • Hardlinks are now correctly unpacked as bona fide hardlinks. cyphar/umoci#25
  • Support for unpacking and configuring annotations (which is a v1.0.0-rc3 feature of the OCI image specification). There's still some work to be done upstream in making the unpacking procedure specified but this is as good as you're going to get for a while. cyphar/umoci#43
  • umoci has full integration and unit testing. cyphar/umoci#12
  • umoci now has validation integration tests to ensure that at every stage of a test we could stop and still have a completely valid OCI image and that every extracted bundle is a valid OCI runtime bundle.

This code is still being reworked (though much more slowly than before). Hold off on using it anywhere until we hit the proper 0.0.0 release!

Signed-off-by: Aleksa Sarai [email protected]

v0.0.0-rc1

7 years ago

At this point, umoci implements enough functionality to be able to extract, repack and modify OCI images. It is still missing major functionality (such as the ability to create an entirely new image or just create tags for images), but should be enough for a demo.

Please don't use this anywhere important. There are known security issues with this release (which will be fixed before 0.0.0).

Signed-off-by: Aleksa Sarai [email protected]