...

[Diagram: OCI Bundle Gen]

[Diagram: OCI Bundle Gen Processing]

...

  • Convert OCI images generated by the Firebolt SDK into a lightweight, minimal OCI bundle specific to a device that can be run by Dobby on the STB
    • In traditional container solutions (Docker, Podman), this stage is performed by the container runtime itself.
  • Parse the OCI Image Manifest/Configuration files to build the final bundle
  • Expected to be used both in a cloud environment and on a development machine
    • Unlikely to be used on an STB
  • Generated bundles must be able to run on a local machine/STB for use during application development
  • Allow creating configuration files per DAC compatible device.
    • This will allow BundleGenerator to generate bundles that will work on a device without having access to that device's hardware/build environment
  • Allow creating operator configurations to apply business logic to a container image file across all platforms.

  • Support hardware variants/revisions of the same platform (e.g. Xi6-A and Xi6-T)
  • Process an extended "application capabilities" section to add/remove/change specific sections of the generated bundle according to application requirements

  • Prevent creating a bundle for an incompatible device.
    • If the device does not support the required RDK release, then the image cannot be run on that device.
    • However, aim to ensure broad compatibility of applications. The goal of running containerised apps is to allow applications to not be concerned about the platform they are running on

  • Allow processing stages to be extended as necessary

  • Output should be deterministic - for a given set of inputs, the output should always be identical (ignoring timestamps)
  • Should generate the bundle in under 30 seconds to allow on-demand generation if an STB requests a bundle that is not in an operator's cache
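
A check for the determinism requirement above, as an added example that is not part of the original page or of the bundle generator's own code: it digests a bundle directory by path, mode, symlink target and file content while ignoring filesystem timestamps and ownership. The function names and the sample bundle contents are assumptions constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile


def bundle_digest(bundle_dir):
    """SHA-256 of paths, modes, link targets and contents; timestamps and uid/gid are not read."""
    h = hashlib.sha256()

    def visit(path, rel):
        st = os.lstat(path)  # lstat: describe a symlink itself, never its target
        h.update(os.fsencode(rel) + b"\0" + f"{st.st_mode:o}\0".encode())
        if stat.S_ISLNK(st.st_mode):
            h.update(os.fsencode(os.readlink(path)) + b"\0")
        elif stat.S_ISREG(st.st_mode):
            h.update(f"{st.st_size}\0".encode())  # length prefix keeps entries unambiguous
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
        elif stat.S_ISDIR(st.st_mode):
            for name in sorted(os.listdir(path)):  # listing order is filesystem-dependent
                visit(os.path.join(path, name), f"{rel}/{name}")

    visit(bundle_dir, ".")
    return h.hexdigest()


def make_sample_bundle(root, mtime, arg="/bin/app"):
    """Constructed sample input: config.json plus a tiny rootfs, stamped with mtime."""
    os.makedirs(os.path.join(root, "rootfs", "bin"))
    with open(os.path.join(root, "config.json"), "w") as f:
        f.write('{"ociVersion": "1.0.2", "process": {"args": ["%s"]}}' % arg)
    with open(os.path.join(root, "rootfs", "bin", "app"), "wb") as f:
        f.write(b"constructed placeholder binary")
    os.symlink("app", os.path.join(root, "rootfs", "bin", "sh"))
    for dirpath, _dirs, files in os.walk(root):
        for name in files + ["."]:
            os.utime(os.path.join(dirpath, name), (mtime, mtime))


def demo():
    """Same inputs built twice with different mtimes, then one changed input."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b, c = (os.path.join(tmp, n) for n in "abc")
        make_sample_bundle(a, mtime=1_000_000)
        make_sample_bundle(b, mtime=2_000_000)
        make_sample_bundle(c, mtime=1_000_000, arg="/bin/other")
        return bundle_digest(a), bundle_digest(b), bundle_digest(c)
```

Timestamps written inside file contents still change the digest, so such fields have to be normalised or excluded before two bundles are compared.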

Inputs

OCI Image

Description

...

Umoci is an official opencontainers (formerly OpenSUSE) tool that can manipulate downloaded OCI images and convert them to OCI bundles. It is written in Go, unfortunately, so it would not be suitable for running on an STB, but it should be fine for use in a cloud environment.

Umoci is also designed to be a secure mechanism for unpacking images - see here for more info on umoci's security: https://github.com/opencontainers/umoci/blob/master/doc/site/reference/security.md

Example:

% skopeo copy docker://opensuse/amd64:42.2 oci:opensuse:42.2 # Obtain the image from the docker hub using Skopeo
% sudo umoci unpack --image opensuse:42.2 bundle
% ls -l bundle
total 720
-rw-r--r-- 1 root root   3247 Jul  3 17:58 config.json
drwxr-xr-x 1 root root    128 Jan  1  1970 rootfs
-rw-r--r-- 1 root root 725320 Jul  3 17:58 sha256_8eac95fae2d9d0144607ffde0248b2eb46556318dcce7a9e4cc92edcd2100b67.mtree
-rw-r--r-- 1 root root    270 Jul  3 17:58 umoci.json

Here the opensuse image with tag 42.2 has been unpacked to produce a rootfs directory and config.json. As per the documentation:

SYNOPSIS

umoci unpack --image=image[:tag] [--rootless] [--uid-map=value] [--uid-map=value] [--keep-dirlinks] bundle

DESCRIPTION

Extracts all of the layers (deterministically) to an OCI runtime bundle at the path bundle, as well as generating an OCI runtime configuration that corresponds to the image's configuration. In addition, an mtree(8) specification is generated at the time of unpacking to allow filesystem deltas to be generated by umoci-repack(1) and thus allowing for the creation of layered OCI images.

...