Updated
about 2 years
ago.
3 hacker ♥️.
3 followers.
Project Description
This is a continuation of last year project: trying to move more components from MicroOS Desktop from the hostOS to container.
Goal for this Hackweek
- investigate issues in gdm container ( https://github.com/fcrozat/gdm-container ) when installed on bare system
- test flatpak builds on OBS
- test flatpak shipped as OCI container
- continue my quest to move more "desktop like" workload into containers, such as rclone / restic ( https://github.com/fcrozat/rclone-container )
Looking for hackers with the skills:
This project is part of:
Hack Week 21
Activity
Comments
-
about 2 years ago by fcrozat | Reply
State of the Art regarding Flatpak and OCI containers:
- Flatpak can be distributed two ways:
- as ostree directly
- as ostree but bundled into OCI containers
- For building flatpak as OCI:
- you need a local build stored as ostree (usually done using flatpak build)
- local ostree is bundled as OCI tarball using "flatpak build-bundle --oci" (option --runtime to create runtime flatpak)
- Fedora has created some tooling around this https://pagure.io/flatpak-module-tools but they are relying on Fedora Modularity
- additional Fedora documentation: https://docs.fedoraproject.org/en-US/flatpak/tutorial/
- caveat of using OCI for flatpak:
- download size when upgrading: https://groups.google.com/a/opencontainers.org/g/dev/c/daBUKI3KkRk/m/Gb2tFXMGAQAJ
- GPG signature not implemented for containers: https://github.com/flatpak/flatpak/blob/4247e61fbe8ffc9f6b095240159f53f73568378c/app/flatpak-builtins-remote-add.c#L348-L351
- cosign not implemented
- currently, distributing flatpak using OCI registry requiring additional http(s) server to provide index of all flatpak available on the repository:
- this is why the uri used for those is oci+http or oci+https
- this customization doesn't make easy to publish flatpak on any random OCI registry
- this customization is badly documented (or at least, difficult to find online):
- some discussions were done at opencontainer level : https://groups.google.com/a/opencontainers.org/g/dev/c/ehjHDL4uPJE?pli=1
- there is a blog post at https://opencontainers.org/posts/blog/2018-11-07-bringing-oci-images-to-the-desktop-with-flatpak/
- the protocol is https://github.com/owtaylor/flagstate/blob/master/docs/protocol.md
- initial implementation at https://github.com/owtaylor/flagstate/
- production implementation for the indexer is https://github.com/owtaylor/flatpak-indexer but is RH infrastructure specific
- End results is visible at https://registry.fedoraproject.org/static/ (corresponding to oci+https://registry.fedoraproject.org/ )
- some people were able to "duplicate" this using github workflow : https://github.com/TheEvilSkeleton/flatpak-remote
- the static page part is at https://github.com/TheEvilSkeleton/flatpak-remote/blob/main/.github/workflows/flatpak.yml#L148=
- As this requires custom development to get this working with our infrastructure, it makes no sense to invest supporting oci+https
- upstream has a issue opened to switch to "pure" OCI registry:
- https://github.com/flatpak/flatpak/issues/4744
- this is a new feature request upstream and it still at discussion phase. We should participate actively (contribute ideas or even code) if we want to switch to Flatpak over OCI
- On OCI front, there is not support for a search api (see https://github.com/distribution/distribution/issues/206 and https://github.com/opencontainers/distribution-spec/issues/71 ) but I might have missed some upstream discussions. We should ask our OCI specialists at SUSE. There was a proposal for a _catalog api but it was dropped https://github.com/opencontainers/distribution-spec/issues/22
- Flatpak can be distributed two ways:
-
Similar Projects
This project is one of its kind!