[RFC] Using umoci to unpack and build images?

[cyphar]

Hi, is there any interest in using umoci as a backend for image manipulation? It can work entirely without privileges, supports OCI images natively, and implements unprivileged image operations in a more complete manner than the current (quite cool) find cmdline that you're using. It also supports modifying the image configuration, and generating an OCI runtime bundle that runc can use for rootless containers.

You could also then implement something like udocker build (which doesn't appear to be supported at the moment) because umoci also supports "repacking" an image, which adds a new layer containing any changes to the rootfs. If you want an example of how udocker build could be implemented you can take a look at another project I have, orca-build.

The only downside of using umoci is that it only supports OCI images (not Docker images -- since OCI images are the standardised format). However, there are a few saving graces:

• Docker is going to support OCI images natively, see Add OCI to image save/load moby/moby#33355. Eventually it will be the default format for Docker.
• You can also use tools like skopeo (which I use) to convert from Docker images to OCI images and vice-versa (you can even pull from remote registries with skopeo). I did quite a bit of work to add tests to skopeo to ensure that OCI <-> Docker round-trips will not break. skopeo also supports interacting with docker save-style archives which could help with implementing Support for the save operation (creating tarball of a Docker image) #74.

If you'd like any more information, feel free to ping me.

[jorge-lip]

Looks promising as we would like to support OCI images as well :)
If you want to contribute fell free otherwise we will have a look.
Thanks