Comments

• 

  11 months ago by fcrozat | Reply

  State of the Art regarding Flatpak and OCI containers:

  • Flatpak can be distributed two ways:
    • as ostree directly
    • as ostree but bundled into OCI containers
  • For building flatpak as OCI:
    • you need a local build stored as ostree (usually done using flatpak build)
    • local ostree is bundled as OCI tarball using "flatpak build-bundle --oci" (option --runtime to create runtime flatpak)
    • Fedora has created some tooling around this https://pagure.io/flatpak-module-tools but they are relying on Fedora Modularity
    • additional Fedora documentation: https://docs.fedoraproject.org/en-US/flatpak/tutorial/
    • caveat of using OCI for flatpak:
      • download size when upgrading: https://groups.google.com/a/opencontainers.org/g/dev/c/daBUKI3KkRk/m/Gb2tFXMGAQAJ
      • GPG signature not implemented for containers: https://github.com/flatpak/flatpak/blob/4247e61fbe8ffc9f6b095240159f53f73568378c/app/flatpak-builtins-remote-add.c#L348-L351
      • cosign not implemented
  • currently, distributing flatpak using OCI registry requiring additional http(s) server to provide index of all flatpak available on the repository:
    • this is why the uri used for those is oci+http or oci+https
    • this customization doesn't make easy to publish flatpak on any random OCI registry
    • this customization is badly documented (or at least, difficult to find online):
      
      • some discussions were done at opencontainer level : https://groups.google.com/a/opencontainers.org/g/dev/c/ehjHDL4uPJE?pli=1 
      • there is a blog post at https://opencontainers.org/posts/blog/2018-11-07-bringing-oci-images-to-the-desktop-with-flatpak/
      • the protocol is https://github.com/owtaylor/flagstate/blob/master/docs/protocol.md
      • initial implementation at https://github.com/owtaylor/flagstate/
      • production implementation for the indexer is https://github.com/owtaylor/flatpak-indexer but is RH infrastructure specific
      • End results is visible at https://registry.fedoraproject.org/static/ (corresponding to oci+https://registry.fedoraproject.org/ )
      • some people were able to "duplicate" this using github workflow : https://github.com/TheEvilSkeleton/flatpak-remote
        • the static page part is at https://github.com/TheEvilSkeleton/flatpak-remote/blob/main/.github/workflows/flatpak.yml#L148=
    • As  this requires custom development to get this working with our infrastructure, it makes no sense to invest supporting oci+https
  • upstream has a issue opened to switch to "pure" OCI registry:
    • https://github.com/flatpak/flatpak/issues/4744
    • this is a new feature request upstream and it still at discussion phase. We should participate actively (contribute ideas or even code) if we want to switch to Flatpak over OCI
    • On OCI front, there is not support for a search api (see https://github.com/distribution/distribution/issues/206 and https://github.com/opencontainers/distribution-spec/issues/71 ) but I might have missed some upstream discussions. We should ask our OCI specialists at SUSE. There was a proposal for a _catalog api but it was dropped https://github.com/opencontainers/distribution-spec/issues/22

×
Edit Comment 6152
# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

* Use asterisks
* for lists

This is an [example link](http://example.com/)

This is an ![example image](http://paste.opensuse.org/view/raw/68957446)

This is a user link @hans

This is a project link hw#some-cool-title
More Complex Markdown Help
Formatting Help
• Edit
• Preview
State of the Art regarding Flatpak and OCI containers: * Flatpak can be distributed two ways: * as ostree directly * as ostree but bundled into OCI containers * For building flatpak as OCI: * you need a local build stored as ostree (usually done using flatpak build) * local ostree is bundled as OCI tarball using "flatpak build-bundle --oci" (option --runtime to create runtime flatpak) * Fedora has created some tooling around this [https://pagure.io/flatpak-module-tools](https://pagure.io/flatpak-module-tools) but they are relying on Fedora Modularity * additional Fedora documentation: [https://docs.fedoraproject.org/en-US/flatpak/tutorial/](https://docs.fedoraproject.org/en-US/flatpak/tutorial/) * caveat of using OCI for flatpak: * download size when upgrading: [https://groups.google.com/a/opencontainers.org/g/dev/c/daBUKI3KkRk/m/Gb2tFXMGAQAJ](https://groups.google.com/a/opencontainers.org/g/dev/c/daBUKI3KkRk/m/Gb2tFXMGAQAJ) * GPG signature not implemented for containers: [https://github.com/flatpak/flatpak/blob/4247e61fbe8ffc9f6b095240159f53f73568378c/app/flatpak-builtins-remote-add.c#L348-L351](https://github.com/flatpak/flatpak/blob/4247e61fbe8ffc9f6b095240159f53f73568378c/app/flatpak-builtins-remote-add.c#L348-L351) * cosign not implemented * currently, distributing flatpak using OCI registry requiring additional http(s) server to provide index of all flatpak available on the repository: * this is why the uri used for those is oci+http or oci+https * this customization doesn't make easy to publish flatpak on any random OCI registry * this customization is badly documented (or at least, difficult to find online): * some discussions were done at opencontainer level : [https://groups.google.com/a/opencontainers.org/g/dev/c/ehjHDL4uPJE?pli=1](https://groups.google.com/a/opencontainers.org/g/dev/c/ehjHDL4uPJE?pli=1)  * there is a blog post at [https://opencontainers.org/posts/blog/2018-11-07-bringing-oci-images-to-the-desktop-with-flatpak/](https://opencontainers.org/posts/blog/2018-11-07-bringing-oci-images-to-the-desktop-with-flatpak/) * the protocol is [https://github.com/owtaylor/flagstate/blob/master/docs/protocol.md](https://github.com/owtaylor/flagstate/blob/master/docs/protocol.md) * initial implementation at [https://github.com/owtaylor/flagstate/](https://github.com/owtaylor/flagstate/) * production implementation for the indexer is [https://github.com/owtaylor/flatpak-indexer](https://github.com/owtaylor/flatpak-indexer) but is RH infrastructure specific * End results is visible at [https://registry.fedoraproject.org/static/](https://registry.fedoraproject.org/static/) (corresponding to oci+[https://registry.fedoraproject.org/](https://registry.fedoraproject.org/) ) * some people were able to "duplicate" this using github workflow : [https://github.com/TheEvilSkeleton/flatpak-remote](https://github.com/TheEvilSkeleton/flatpak-remote) * the static page part is at [https://github.com/TheEvilSkeleton/flatpak-remote/blob/main/.github/workflows/flatpak.yml#L148=](https://github.com/TheEvilSkeleton/flatpak-remote/blob/main/.github/workflows/flatpak.yml#L148=) * As  this requires custom development to get this working with our infrastructure, it makes no sense to invest supporting oci+https * upstream has a issue opened to switch to "pure" OCI registry: * [https://github.com/flatpak/flatpak/issues/4744](https://github.com/flatpak/flatpak/issues/4744) * this is a new feature request upstream and it still at discussion phase. We should participate actively (contribute ideas or even code) if we want to switch to Flatpak over OCI * On OCI front, there is not support for a search api (see [https://github.com/distribution/distribution/issues/206](https://github.com/distribution/distribution/issues/206) and [https://github.com/opencontainers/distribution-spec/issues/71](https://github.com/opencontainers/distribution-spec/issues/71) ) but I might have missed some upstream discussions. We should ask our OCI specialists at SUSE. There was a proposal for a \_catalog api but it was dropped [https://github.com/opencontainers/distribution-spec/issues/22](https://github.com/opencontainers/distribution-spec/issues/22)
 
×
Reply to fcrozat
State of the Art regarding Flatpak and OCI containers:
• Flatpak can be distributed two ways:
  • as ostree directly
  • as ostree but bundled into OCI containers
• For building flatpak as OCI:
  • you need a local build stored as ostree (usually done using flatpak build)
  • local ostree is bundled as OCI tarball using "flatpak build-bundle --oci" (option --runtime to create runtime flatpak)
  • Fedora has created some tooling around this https://pagure.io/flatpak-module-tools but they are relying on Fedora Modularity
  • additional Fedora documentation: https://docs.fedoraproject.org/en-US/flatpak/tutorial/
  • caveat of using OCI for flatpak:
    • download size when upgrading: https://groups.google.com/a/opencontainers.org/g/dev/c/daBUKI3KkRk/m/Gb2tFXMGAQAJ
    • GPG signature not implemented for containers: https://github.com/flatpak/flatpak/blob/4247e61fbe8ffc9f6b095240159f53f73568378c/app/flatpak-builtins-remote-add.c#L348-L351
    • cosign not implemented
• currently, distributing flatpak using OCI registry requiring additional http(s) server to provide index of all flatpak available on the repository:
  • this is why the uri used for those is oci+http or oci+https
  • this customization doesn't make easy to publish flatpak on any random OCI registry
  • this customization is badly documented (or at least, difficult to find online):
    
    • some discussions were done at opencontainer level : https://groups.google.com/a/opencontainers.org/g/dev/c/ehjHDL4uPJE?pli=1 
    • there is a blog post at https://opencontainers.org/posts/blog/2018-11-07-bringing-oci-images-to-the-desktop-with-flatpak/
    • the protocol is https://github.com/owtaylor/flagstate/blob/master/docs/protocol.md
    • initial implementation at https://github.com/owtaylor/flagstate/
    • production implementation for the indexer is https://github.com/owtaylor/flatpak-indexer but is RH infrastructure specific
    • End results is visible at https://registry.fedoraproject.org/static/ (corresponding to oci+https://registry.fedoraproject.org/ )
    • some people were able to "duplicate" this using github workflow : https://github.com/TheEvilSkeleton/flatpak-remote
      • the static page part is at https://github.com/TheEvilSkeleton/flatpak-remote/blob/main/.github/workflows/flatpak.yml#L148=
  • As  this requires custom development to get this working with our infrastructure, it makes no sense to invest supporting oci+https
• upstream has a issue opened to switch to "pure" OCI registry:
  • https://github.com/flatpak/flatpak/issues/4744
  • this is a new feature request upstream and it still at discussion phase. We should participate actively (contribute ideas or even code) if we want to switch to Flatpak over OCI
  • On OCI front, there is not support for a search api (see https://github.com/distribution/distribution/issues/206 and https://github.com/opencontainers/distribution-spec/issues/71 ) but I might have missed some upstream discussions. We should ask our OCI specialists at SUSE. There was a proposal for a _catalog api but it was dropped https://github.com/opencontainers/distribution-spec/issues/22
---
# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

* Use asterisks
* for lists

This is an [example link](http://example.com/)

This is an ![example image](http://paste.opensuse.org/view/raw/68957446)

This is a user link @hans

This is a project link hw#some-cool-title
More Complex Markdown Help
Formatting Help
• Edit
• Preview
 
• 

  11 months ago by fcrozat | Reply

  gdm container is still an ongoing effort, some progress being made, not yet finished

×
Edit Comment 6476
# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

* Use asterisks
* for lists

This is an [example link](http://example.com/)

This is an ![example image](http://paste.opensuse.org/view/raw/68957446)

This is a user link @hans

This is a project link hw#some-cool-title
More Complex Markdown Help
Formatting Help
• Edit
• Preview
gdm container is still an ongoing effort, some progress being made, not yet finished
 
×
Reply to fcrozat
gdm container is still an ongoing effort, some progress being made, not yet finished
---
# A First Level Header
## A Second Level Header

Use one asterisk to *emphasize*

Use two asterisks for **strong emphasis**

* Use asterisks
* for lists

This is an [example link](http://example.com/)

This is an ![example image](http://paste.opensuse.org/view/raw/68957446)

This is a user link @hans

This is a project link hw#some-cool-title
More Complex Markdown Help
Formatting Help
• Edit
• Preview