-
Notifications
You must be signed in to change notification settings - Fork 670
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Note an exception to the platform.os recommendation for wasi #964
Conversation
Signed-off-by: Jason Hall <jason@chainguard.dev>
Overall I'm in favor. Before putting my own LGTM on this one, I'm looking for:
|
Isn't the WASI another great example of a new |
I've seen other examples with unikernels where overloading the OS makes sense. It is a runable image (with the right runtime) and can be listed in an index of images, so I see a lot of value to setting the platform on an image. Is there more on |
What's interesting here is wasm may use a config, whereas many other artifact types don't. I think we want to make it super obvious to the various runtimes that this is NOT a container image, so don't try to load it. It's not a Helm chart, so don't try and process it as helm. Only runtimes that know how to load a wasm should move forward attempting to process it. And, scanners should know how to scan it, uniquely as a WASM, as opposed to all the other artifact types. So, aligning with the new OCI Artifact work, I'd suggest: EDIT: |
golang/go#31105 is the closest I've been able to find here.
You're in luck! I've been hacking on a tool today to build these according to this proposed spec change: https://github.com/imjasonh/wasimg
+1 |
Re: artifacts I'll mostly defer to Wasm folks about how they want to package and distribute their applications. If they'd prefer to package in OCI Image manifests with a config that says If they'd prefer to package in an OCI Artifact manifest, we should try to help give guidance about how best to do that -- it won't work in all registries today, but perhaps that community is comfortable with that limitation. This does leave the open question of how they specify any variants (e.g., We do agree that the current state of packaging in a Docker-media-typed image that reports as |
Thanks @imjasonh, just a clarification, I wasn't suggesting using the new Artifact manifest, for the exact points you mentioned. I was referring to the OCI Artifact (non manifest) for differentiating the type. I thought we made an addition to image manifest to also support The real point I was making was differentiating a WASM from a container image. Using a different |
Here is where I'd like Wasm folks to tell us what they want, instead of just dictating it from OCI-land. Today they're packaging using In any case, it's worth noting that the benefits of the reference types work should be able to help them attach SBOMs, signatures, ice cream flavors, whatever, to their Images-or-Artifacts, which is TBH really the part I'm most interested in exploring personally. |
OH yes. we're already figuring out how that projection happens -- turns out it's a default docker build effect, but we can specify this platform using buildx so we're already repushing with As a result, here's my take:
Does this help? I'm fine with ensuring there's a useful exception for this case in the shorter term while this area fleshes itself out. So I'm good with that aspect of the platform exception note. |
just background information: something like what https://github.com/engineerd/wasm-to-oci#how-does-this-work does is what is the sweet spot here. |
That sounds good. Just to clarify, there's nothing about packaging the Wasm module in an OCI Image (not Artifact) that precludes it from being a member of a DAG of things. Artifacts (and Images) can point to Images using
+1 Drafting off of Go's conventions was convenient, but this example highlights the shortcomings. |
@imjasonh yes, we can do the dag that way in the future, too, and yes the images can be a part of the dag as well in different ways. And thanks about the go stuff; that makes total sense. |
+1 to this PR, as of now FWIW I also think that |
I think extending these fields is a good idea. Should in the WebAssembly case be |
Rereading that issue a few times, I'm not sure that wasi/wasm is diverging from GOOS/GOARCH, so much as getting a step ahead of the Go development. If that's the case, I wouldn't even call this an exception, but just a note on the forward-looking usage of that field. Regardless of how we phrase it, I hope the WASM devs have enough direction in this issue to continue their work with OCI images.
My concern is less current uses and more future compatibility. A sizeable chunk of containers are built using Go. There is a lot of code already out there that splits the platform string and assumes it is GOOS/GOARCH, sets the variables, and runs a Go cross compile to generate binaries for other platforms. My goal is to avoid breaking code like that. In the short term I think we are safe from that since I don't think many people are using Go for wasm containers. And in the long term it looks like Go will use these values. |
sounds fine to me, @sudo-bmitch. My point is that I don't care about any particular language, so it is just an irrelevant point to me. But if the platform value we choose here is good for any or all of them, that's a good thing. :-) |
Docker announced support for wasm in technical preview: https://www.docker.com/blog/docker-wasm-technical-preview/ Relevant to this discussion:
edit to clarify: I think we should see if we can get Docker to change this to Of course, now that it's out there, it may be hard to change, and it'll get harder the longer it's out there. |
cc @chris-crone I saw your talk at Cloud Native Wasm Day about building and distributing Wasm applications using Docker's tooling: https://www.youtube.com/watch?v=3j915xoDovs -- how hard would it be at this point to change tooling for wasm images to use the Even if it's too late and we decide to stick with |
@imjasonh chatting internally at Docker with @justincormack, @tianon, @tonistiigi, @milosgajdos we think that The argument that we don't append 32 for other 32-bit architectures resonates with us. I had chosen wasm32 for the demo as that was what Rust did for its target and I didn't see a reason not to be precise. |
Thanks @chris-crone that's great to hear! I think with that detail sorted we should proceed with locking this into the spec. Can I get a vote @sajayantony @sudo-bmitch @vbatts @jonjohnsonjr |
@vbatts would be good to get your eyes on this. If there are no concerns then we can get this merged. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
The OCI has decided that we should use wasi/wasm instead of wasi/wasm32 See: opencontainers/image-spec#964 Signed-off-by: Chris Crone <christopher.crone@docker.com>
FYI there is a new proposal to support WASI as a Go compilation target, where If this proposal is accepted and implemented with |
Well, that's kinda nice. :-) |
I'm certainly excited about the Go proposal! |
An update on golang/go#58141 for those not following: it now sounds like they'll have I don't know if there's anything we need to do on this image-spec issue. As written today, all of those would roll up into the OCI platform I don't know enough about how the wasm community plans to use OCI to know whether this will be disruptive -- is detecting this hard? Do we expect multi-platform images to contain variants for |
Hi @imjasonh , I'm of course watching that work with anticipation. Hard to see the variants as a registry issue, off the top of my head, and hence a spec issue: they're all wasi, just versions of pre-1.0. I'd expect to be able to push and pull but blow on execution with the proper exception. Should we be treating this the same way as, for example, aarch64/armv7/armv8 and so on? I could see that after 1.0, but hey, there it is. I like what go is doing, but I fail to see this as anything but a oci dist registry implementation detail. I'm surely overlooking something. |
The discussion on the Go issue makes it sound like p1 and p2 will be very incompatible at runtime; would there be a publisher use case for compiling and publishing software for both? (Thus needing an image index to somehow be able to differentiate them and letting the runtimes pick the one they can run?) If so, one option (besides adjusting the (No strong opinions and not officially an image spec maintainer, just throwing out an idea to try to help clarify 😇) |
(The variants of arm and the handling of OS version are defined by this spec, not the registry, so definitely relevant here 👍) |
From my perspective, they ARE incompatible at runtime, yes, but are semantically the same thing and I would expect runtimes to handle this difference as there are no major versions yet. I would not expect registries to treat them differently until major versions. Like, for example, armv7/armv8 and so on.
Yup, but my take -- also not an OCI maintainer, just a constant user :-) and an Azure Container Registry feature PM on the side -- is that I wouldn't be implementing a service feature or a client tool feature based on the versions specified this early in the game. I'd expect the users of preview modules to understand that blowups are part of the work. Starting with 1.0, I'd DEFINITELY be into versioning here, including os.version. If I understand things correctly, always in doubt. |
omg y'all open a new issue and don't converse on a closed/merged issue/PR |
I like that you think I have some idea what I'm doing. :-) |
by the way, rust and v8 are beginning to enforce a wasi version similar, if not exactly the same as the Go discussion. I think we shouldn't really keep "wasi" knowing this, especially as the whole thing is new might as well do it right. e.g. wasip1 like go (previously discussed here), or wasi-preview1 en route in rust. |
opened an issue to help this important discussion along to some action of some kind #1053 |
As discussed in today's call.
Wasm (WebAssembly) is an exciting new space, and the Wasm community has smartly chosen to adopt OCI as a packaging and distribution format for Wasm applications.
Unfortunately, today, they mainly build applications using
docker build
and Dockerfiles where.wasm
files areCOPY
ed ontoscratch
base images, resulting in images whose configs report them aslinux/amd64
images by default.If Wasm applications want to be distributed alongside images for other platforms, especially alongside actual
linux/amd64
images, this may be problematic.Unfortunately, OCI's guidance around selecting a platform to report is lacking for this use case. Repurposing Go's set of supported
GOOS
andGOARCH
values is insufficient here, since Go currently doesn't have good support for Wasm outside of JS-adjacent use cases. In the years since Go added support for JS/Wasm, Wasm has "escaped" the browser, and is now used directly on some platforms, aided by WASI, the WebAssembly System Interface. Regular Go tooling has no support for Wasi today -- see discussion here: golang/go#31105 -- though a separate project, TinyGo, does support Wasm and WASI in constrained scenarios.This PR proposes defining an exception to the recommendation to use an appropriate
GOOS
value, when the Wasm application relies on WASI.Diverging from Go here provides some small opportunity for trouble for us down the road:
GOOS
value that isn'twasi
-- this would confuse our guidance more, since there'd be a validGOOS
for WASI that isn't our recommended.platform.os
value.GOOS
valuewasi
-- this would confuse our guidance sincewasi
in OCI-land would mean one thing, andwasi
in Go-land would mean something else.Either of these scenarios seem unlikely, and we'd have some options in either case to avoid confusion. Trying to plan for infinite scary futures is hard.
Having this expected behavior defined would help Wasm image builders and platforms agree on shared values to interoperate better.
Alternatively, we could just do nothing for now, and recommend the Wasm community build using
os=wasi
"off the record", gathering feedback and watching the community until their behavior settles. Maybe Go will have WASI support by then, alleviating some potential risks above.cc @squillace @devigned