Presented by

  • Aleksa Sarai

    @lordcyphar
    https://www.cyphar.com/

    Aleksa Sarai is a core developer and maintainer of runc and umoci, contributor and maintainer of Open Container Initiative specifications, and a Linux kernel contributor. He works on the containers team at SUSE, maintaining various core parts of the lower levels of the containers stack and related software for both SUSE Linux Enterprise and openSUSE; he is also committed to working in the open, and is a strong proponent of Free Software.

Abstract

Most modern container image formats use tar-based linear archives to represent root filesystems, which results in many issues when using modern container images. In this talk, we will demonstrate a solution to this problem that we plan to propose for standardisation within the Open Container Initiative (code-named "OCIv2 images"). This talk is specific to the Open Container Initiative's image specification, but the same techniques could be applied to other systems (though we'd obviously recommend using OCI).

In order to avoid the [numerous issues with tar archives](https://www.cyphar.com/blog/post/20190121-ociv2-images-i-tar) it is necessary to come up with a different format. In addition, layer representations result in needless wasted space for storage of files which are no longer relevant to running containers. Massive amounts of duplication are also rampant within OCI images because tar archives are completely opaque to OCI's content-addressable store.

Luckily the problem of representing a container root filesystem for distribution is very similar to existing problems within backup systems, and we can take advantage of prior art such as [restic](https://restic.net/) to show us how we can get significant space-savings and possibly efficiency savings.

However, we also must ensure that the runtime cost of using this new system is equivalent to existing container images. Container images are efficient at runtime because they map directly to how overlay filesystems represent change-sets as layers, but with some tricks it is possible for us to obtain most of the improvements we also gained in distribution with de-duplication.

Our proposed solution to all of these problems will be laid out, with opportunities for feedback and discussion.

Linux Australia: http://mirror.linux.org.au/pub/linux.conf.au/2020/room_7/Tuesday/OCIv2_Container_Images_Considered_Harmful.webm

YouTube: https://www.youtube.com/watch?v=nhO2A6rr5lE