Chapter 14. Open Container Initiative support
Container registries were originally designed to support container images in the Docker image format. To promote the use of additional runtimes apart from Docker, the Open Container Initiative (OCI) was created to provide a standardization surrounding container runtimes and image formats. Most container registries support the OCI standardization as it is based on the Docker image manifest V2, Schema 2 format.
In addition to container images, a variety of artifacts have emerged that support not just individual applications, but also the Kubernetes platform as a whole. These range from Open Policy Agent (OPA) policies for security and governance to Helm charts and Operators that aid in application deployment.
Quay.io is a private container registry that not only stores container images, but also supports an entire ecosystem of tooling to aid in the management of containers. Quay.io strives to be as compatible as possible with the OCI 1.1 Image and Distribution specifications, and supports common media types like Helm charts (as long as they pushed with a version of Helm that supports OCI) and a variety of arbitrary media types within the manifest or layer components of container images. Support for OCI media types differs from previous iterations of Quay.io, when the registry was more strict about accepted media types. Because Quay.io now works with a wider array of media types, including those that were previously outside the scope of its support, it is now more versatile accommodating not only standard container image formats but also emerging or unconventional types.
In addition to its expanded support for novel media types, Quay.io ensures compatibility with Docker images, including V2_2 and V2_1 formats. This compatibility with Docker V2_2 and V2_1 images demonstrates Quay.io’s commitment to providing a seamless experience for Docker users. Moreover, Quay.io continues to extend its support for Docker V1 pulls, catering to users who might still rely on this earlier version of Docker images.
Support for OCI artifacts are enabled by default. The following examples show you how to use some some media types, which can be used as examples for using other OCI media types.
14.1. Helm and OCI prerequisites
Helm simplifies how applications are packaged and deployed. Helm uses a packaging format called Charts which contain the Kubernetes resources representing an application. Quay.io supports Helm charts so long as they are a version supported by OCI.
Use the following procedures to pre-configure your system to use Helm and other OCI media types.
The most recent version of Helm can be downloaded from the Helm releases page.
14.2. Using Helm charts
Use the following example to download and push an etherpad chart from the Red Hat Community of Practice (CoP) repository.
Prerequisites
- You have logged into Quay.io.
Procedure
Add a chart repository by entering the following command:
$ helm repo add redhat-cop https://redhat-cop.github.io/helm-charts
Enter the following command to update the information of available charts locally from the chart repository:
$ helm repo update
Enter the following command to pull a chart from a repository:
$ helm pull redhat-cop/etherpad --version=0.0.4 --untar
Enter the following command to package the chart into a chart archive:
$ helm package ./etherpad
Example output
Successfully packaged chart and saved it to: /home/user/linux-amd64/etherpad-0.0.4.tgz
Log in to Quay.io using
helm registry login
:$ helm registry login quay.io
Push the chart to your repository using the
helm push
command:helm push etherpad-0.0.4.tgz oci://quay.io/<organization_name>/helm
Example output:
Pushed: quay370.apps.quayperf370.perfscale.devcluster.openshift.com/etherpad:0.0.4 Digest: sha256:a6667ff2a0e2bd7aa4813db9ac854b5124ff1c458d170b70c2d2375325f2451b
Ensure that the push worked by deleting the local copy, and then pulling the chart from the repository:
$ rm -rf etherpad-0.0.4.tgz
$ helm pull oci://quay.io/<organization_name>/helm/etherpad --version 0.0.4
Example output:
Pulled: quay370.apps.quayperf370.perfscale.devcluster.openshift.com/etherpad:0.0.4 Digest: sha256:4f627399685880daf30cf77b6026dc129034d68c7676c7e07020b70cf7130902
14.3. Cosign OCI support
Cosign is a tool that can be used to sign and verify container images. It uses the ECDSA-P256
signature algorithm and Red Hat’s Simple Signing payload format to create public keys that are stored in PKIX files. Private keys are stored as encrypted PEM files.
Cosign currently supports the following:
- Hardware and KMS Signing
- Bring-your-own PKI
- OIDC PKI
- Built-in binary transparency and timestamping service
Use the following procedure to directly install Cosign.
Prerequisites
- You have installed Go version 1.16 or later.
Procedure
Enter the following
go
command to directly install Cosign:$ go install github.com/sigstore/cosign/cmd/cosign@v1.0.0
Example output
go: downloading github.com/sigstore/cosign v1.0.0 go: downloading github.com/peterbourgon/ff/v3 v3.1.0
Generate a key-value pair for Cosign by entering the following command:
$ cosign generate-key-pair
Example output
Enter password for private key: Enter again: Private key written to cosign.key Public key written to cosign.pub
Sign the key-value pair by entering the following command:
$ cosign sign -key cosign.key quay.io/user1/busybox:test
Example output
Enter password for private key: Pushing signature to: quay-server.example.com/user1/busybox:sha256-ff13b8f6f289b92ec2913fa57c5dd0a874c3a7f8f149aabee50e3d01546473e3.sig
If you experience the
error: signing quay-server.example.com/user1/busybox:test: getting remote image: GET https://quay-server.example.com/v2/user1/busybox/manifests/test: UNAUTHORIZED: access to the requested resource is not authorized; map[]
error, which occurs because Cosign relies on~./docker/config.json
for authorization, you might need to execute the following command:$ podman login --authfile ~/.docker/config.json quay.io
Example output
Username: Password: Login Succeeded!
Enter the following command to see the updated authorization configuration:
$ cat ~/.docker/config.json { "auths": { "quay-server.example.com": { "auth": "cXVheWFkbWluOnBhc3N3b3Jk" } }
14.4. Installing and using Cosign
Use the following procedure to directly install Cosign.
Prerequisites
- You have installed Go version 1.16 or later.
-
You have set
FEATURE_GENERAL_OCI_SUPPORT
totrue
in yourconfig.yaml
file.
Procedure
Enter the following
go
command to directly install Cosign:$ go install github.com/sigstore/cosign/cmd/cosign@v1.0.0
Example output
go: downloading github.com/sigstore/cosign v1.0.0 go: downloading github.com/peterbourgon/ff/v3 v3.1.0
Generate a key-value pair for Cosign by entering the following command:
$ cosign generate-key-pair
Example output
Enter password for private key: Enter again: Private key written to cosign.key Public key written to cosign.pub
Sign the key-value pair by entering the following command:
$ cosign sign -key cosign.key quay.io/user1/busybox:test
Example output
Enter password for private key: Pushing signature to: quay-server.example.com/user1/busybox:sha256-ff13b8f6f289b92ec2913fa57c5dd0a874c3a7f8f149aabee50e3d01546473e3.sig
If you experience the
error: signing quay-server.example.com/user1/busybox:test: getting remote image: GET https://quay-server.example.com/v2/user1/busybox/manifests/test: UNAUTHORIZED: access to the requested resource is not authorized; map[]
error, which occurs because Cosign relies on~./docker/config.json
for authorization, you might need to execute the following command:$ podman login --authfile ~/.docker/config.json quay.io
Example output
Username: Password: Login Succeeded!
Enter the following command to see the updated authorization configuration:
$ cat ~/.docker/config.json { "auths": { "quay-server.example.com": { "auth": "cXVheWFkbWluOnBhc3N3b3Jk" } }