)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"a0ad0e79d2aa0bd45f774f7c106b3e4f7e5c0bb3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"38552ad0_492a2501","updated":"2024-10-28 22:25:30.000000000","message":"This looks good","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":23851,"name":"Riccardo Pittau","email":"elfosardo@gmail.com","username":"elfosardo"},"change_message_id":"7bffc3e7c0d320b4829f8832134357e5417d3dcd","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"40628f1e_fb9f30dc","updated":"2024-10-29 15:23:39.000000000","message":"thanks Julia, looks really good at a glance","commit_id":"8929dc0ea73b33efbba1e41a090e07cf0b4ba06b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"b6085a6a3c69387491da9cb60f9d8b9a6274bebb","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"b5798d10_04482966","updated":"2024-11-01 17:14:37.000000000","message":"-1 mainly for clarification on the security concern","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"42814aaa62e61ab9c60d6b1e870589004f125156","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"7d745d45_4fb8b04c","updated":"2024-11-14 14:07:02.000000000","message":"Thank you for starting this discussion! 
Some notes, both minor and major, inline.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"9b3d22349ea9b2c95b8f52324f4a7282d4c2e543","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"8fb253b9_de365a8c","updated":"2024-11-20 23:44:37.000000000","message":"My primary concerns all circle around basically disagreeing with the direction of the MVP to implement node.instance_info-driven setup of this first instead of conductor-configured setup first. I don\u0027t think there\u0027s a \"right answer\" for this and will not vote -1 just because I disagree.\n\nOther thing is that if we\u0027re trying to add annotations and almost create our own kinda schema, it\u0027d be nice to at least try to involve other projects in this area -- mainly want to avoid a case where \"oh, that\u0027s a Tinkerbell-style container image, not an Ironic-style container image\" type of problems in the future. 
This is a nice-to-have though as I realize it may be impossible or oppressively difficult.\n\nI think I\u0027m mostly onboard with this, that being excepted.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1b27501b869b11383e0edcce5349a4579e06599a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"1721e64b_9cc8bff9","in_reply_to":"8fb253b9_de365a8c","updated":"2024-11-21 15:26:49.000000000","message":"Enabling both conductor and agent side is relatively easy, but I can\u0027t scope creep and focus on that separately when my base need is user oriented.\n\nThe underlying issue regarding reaching any additional consensus on the declared freeform annotation schemas, which Dmitry and I discussed with one of the podman maintainers, is that the schema was intentionally left open because of challenges reaching consensus. This structure and model is what Podman is using, and sort of along the lines of what cardoe also proposed independently.\n\nI think the key for us is to assert what we expect, and check. If we don\u0027t see what we expect, it is logical for our code to reject attempts to deploy.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"bdfd0a61_d712da82","updated":"2025-01-21 21:20:33.000000000","message":"I\u0027ve moved most of the open threads to resolved at this point. 
This is not a perfect update, but it better aligns to the proposed code which is now also in review.","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"a2124756898107e4def7ce6fb278e4ed079cb418","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"ff664d64_014f713c","updated":"2025-01-25 17:20:40.000000000","message":"I\u0027m a +2 on this overall. I have a few small nits for typos or style. Not sure why codespell didn\u0027t pick it up. But if you happen to fix stuff for my nits I\u0027ll give it a +2 again.","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"10c8895dff6c90f59f88c39810b91e868faa6f20","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"3739a4c9_af051e48","updated":"2025-01-29 16:17:58.000000000","message":"If any updates need to be made; they can be done as updates.","commit_id":"b66fd2f9f87ab3226929b2dccd714eabd8b5411c"},{"author":{"_account_id":23851,"name":"Riccardo Pittau","email":"elfosardo@gmail.com","username":"elfosardo"},"change_message_id":"e70e57d855d1863939e3624bfe0ba2bd8cdb0cbc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"6459c6e7_83c81ad6","updated":"2025-01-29 15:08:25.000000000","message":"thanks looks good!","commit_id":"b66fd2f9f87ab3226929b2dccd714eabd8b5411c"}],"specs/approved/oci-url.rst":[{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"c0c4c07b2a737e40801948b5aa8d7dcd6607df7f","unresolved":true,"context_lines":[{"line_number":57,"context_line":"The overall goal being for a user to be able to set 
an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":3,"id":"30f737bf_905e248a","line":60,"updated":"2024-10-28 23:17:55.000000000","message":"If we\u0027re using skopeo\u0027s conventions for transport protocols then this should be docker://... since oci: refers to a local directory with an oci image layout. See https://www.mankier.com/5/containers-transports#Description-docker://docker-reference","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"3ee85ba0c5b5b2712a90c88727ab52521c99896c","unresolved":true,"context_lines":[{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. 
The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":3,"id":"4e9d1b66_2bf1c283","line":60,"in_reply_to":"2c01f014_b5658a3d","updated":"2024-10-29 17:27:01.000000000","message":"I glanced at podman and it looks like the syntax is the same, so I suspect docker:// is going to be the consensus item. OCI:/file/to/path is the oci option it seems, but the overall meaning of path specification is ultimately sort of lacking.","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"22c516eefcf748f39656b1bb79e8dbcee6871335","unresolved":true,"context_lines":[{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":3,"id":"e3b38fc4_c89678fb","line":60,"in_reply_to":"30f737bf_905e248a","updated":"2024-10-29 12:39:10.000000000","message":"So, during the PTG, the discussion and some of the community members explicitly said they want to do oci://\n\nI guess I\u0027d also be worried about use of the docker:// label.. but maybe we need to? 
Dunno.","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"10f90ac6ddb9e89f4699cad9d3b9933fc816ed6d","unresolved":true,"context_lines":[{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":3,"id":"853ea651_7ca738d8","line":60,"in_reply_to":"4474a850_2ca1e111","updated":"2024-11-05 18:10:39.000000000","message":"So the base issue is lots of ambiguity exists. I\u0027ve added notes to try and clean this up and explicitly suggest a path forward which does both... by stripping the actual indicator. 
Y\u0027all can yell at me later 😜","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"8d1772af20eccc4842db93cc5d79fd0b94f233f9","unresolved":true,"context_lines":[{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":3,"id":"6ed203c3_54e16e25","line":60,"in_reply_to":"4d77054f_17c4317b","updated":"2024-11-05 03:01:03.000000000","message":"It\u0027s a shame the OCI Distribution Spec doesn\u0027t specify a protocol for registry endpoint URLs. 
I\u0027m fine with oci: for now but I suggest oci-registry: as an alternative which is less overloaded","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"da6933c8401846c7a0f32465a6a57d7061df0cce","unresolved":true,"context_lines":[{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7fe7d2fc_c9d01452","line":60,"in_reply_to":"4e9d1b66_2bf1c283","updated":"2024-10-30 17:01:49.000000000","message":"So I would think that oci:// is more correct. docker:// refers to a \"Docker Registry HTTP API v2\". But that\u0027s a legacy protocol. 
The new one is the https://github.com/opencontainers/distribution-spec The OCI Distribution spec.","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e89e9c547689fee56995e7c2df133d056b02c7d3","unresolved":true,"context_lines":[{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":3,"id":"4d77054f_17c4317b","line":60,"in_reply_to":"4ecb54a0_2dca76da","updated":"2024-11-01 15:20:06.000000000","message":"Jay raises a good point, lack of clarity is a reason to go the oci:// path.","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"24d97fa2b882d2ea60f2ee42437dbb4505b86893","unresolved":true,"context_lines":[{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and 
extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":3,"id":"4474a850_2ca1e111","line":60,"in_reply_to":"5efc30f6_4b343476","updated":"2024-11-05 16:01:26.000000000","message":"Docker might actually be the right path:\n\nhttps://docs.podman.io/en/latest/markdown/podman-pull.1.html#source\n\nAnd if you look at https://github.com/containers/image/blob/main/docs/containers-transports.5.md you\u0027ll see \u0027oci:\u0027 expects a file-system path.","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":23851,"name":"Riccardo Pittau","email":"elfosardo@gmail.com","username":"elfosardo"},"change_message_id":"3ec105874a83794cc9b1da240e24b69a40c2e6c5","unresolved":true,"context_lines":[{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. 
The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5efc30f6_4b343476","line":60,"in_reply_to":"6ed203c3_54e16e25","updated":"2024-11-05 09:46:28.000000000","message":"I\u0027m ok using oci or oci-registry, just wanted to point out that the trademark guidelines for Docker refer to website names and the brand in general, not to the registry prefix\nof course better stay on the safe side :)","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"4d0bc5b93766b315a27e5106da058f026f318ac1","unresolved":true,"context_lines":[{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":3,"id":"4ecb54a0_2dca76da","line":60,"in_reply_to":"7fe7d2fc_c9d01452","updated":"2024-10-31 16:27:56.000000000","message":"Maybe I\u0027m being extra paranoid, but has docker disclaimed trademark for use in URLs? 
https://www.docker.com/legal/trademark-guidelines/ is unclear to my untrained eyes","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ca0763176703d28de3e8b677564c4b8d2ba48e67","unresolved":true,"context_lines":[{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":3,"id":"67a87a3c_15474681","line":60,"in_reply_to":"853ea651_7ca738d8","updated":"2024-11-15 20:17:50.000000000","message":"\u003e So the base issue is lots of ambiguity exists. I\u0027ve added notes to try and clean this up and explicitly suggest a path forward which does both... by stripping the actual indicator. 
Y\u0027all can yell at me later 😜","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":23851,"name":"Riccardo Pittau","email":"elfosardo@gmail.com","username":"elfosardo"},"change_message_id":"7bffc3e7c0d320b4829f8832134357e5417d3dcd","unresolved":true,"context_lines":[{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":3,"id":"2c01f014_b5658a3d","line":60,"in_reply_to":"e3b38fc4_c89678fb","updated":"2024-10-29 15:23:39.000000000","message":"unfortunately Steve is right, I believe when OCI was mentioned during the PTG was just with a general meaning, going into the specific of skopeo the remote registry does use docker:// prefix, which makes sense considering that it refers to a Docker registry\nif we go for skopeo we\u0027ll have to go with that, or find an alternative","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"e7e8ad46348ce0e95cde9c5b2e02d51ca1f1d804","unresolved":true,"context_lines":[{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and 
extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. The best course of action is to support submission"},{"line_number":64,"context_line":"of a \"pull secret\" to enable image retrieval by the user in the form of"}],"source_content_type":"text/x-rst","patch_set":3,"id":"81ade78c_645cbd78","line":61,"updated":"2024-10-29 00:20:01.000000000","message":"We also need to consider how the oci image reports the expected checksum. It could be in the metadata as a label or annotation. Or it could be as a file file.qcow2.sha256","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"f074a3b4d087b65caf8aff145189877931bebc7c","unresolved":false,"context_lines":[{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. 
The best course of action is to support submission"},{"line_number":64,"context_line":"of a \"pull secret\" to enable image retrieval by the user in the form of"}],"source_content_type":"text/x-rst","patch_set":3,"id":"423570b5_7856486d","line":61,"in_reply_to":"5ce0ec08_9f2520a0","updated":"2024-10-29 18:15:23.000000000","message":"Added a note reflecting this to the updated version which I\u0027m about to upload.","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"49296729fafadce3b43ac48168a027f6e464ecf2","unresolved":true,"context_lines":[{"line_number":58,"context_line":"``instance_info/image_source`` value to"},{"line_number":59,"context_line":"\"oci://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":60,"context_line":"\"file.qcow2\" is retrieved and extracted."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":63,"context_line":"require authentication. The best course of action is to support submission"},{"line_number":64,"context_line":"of a \"pull secret\" to enable image retrieval by the user in the form of"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5ce0ec08_9f2520a0","line":61,"in_reply_to":"81ade78c_645cbd78","updated":"2024-10-29 12:37:30.000000000","message":"This is a great question!\n\nSo I visioned that the operator still supplied a checksum in this mode. 
That might not be a great idea, but could alternatively be a URL as well which we should still support.","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"a0ad0e79d2aa0bd45f774f7c106b3e4f7e5c0bb3","unresolved":true,"context_lines":[{"line_number":226,"context_line":"Dependencies"},{"line_number":227,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"At present, no dependcies have been identified."},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"Testing"},{"line_number":232,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"8f628ccc_d193637d","line":229,"range":{"start_line":229,"start_character":15,"end_line":229,"end_character":25},"updated":"2024-10-28 22:25:30.000000000","message":"speling: dependencies","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ca0763176703d28de3e8b677564c4b8d2ba48e67","unresolved":false,"context_lines":[{"line_number":226,"context_line":"Dependencies"},{"line_number":227,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"At present, no dependcies have been 
identified."},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"Testing"},{"line_number":232,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"70704b82_fea04988","line":229,"range":{"start_line":229,"start_character":15,"end_line":229,"end_character":25},"in_reply_to":"8f628ccc_d193637d","updated":"2024-11-15 20:17:50.000000000","message":"Done","commit_id":"d4b178b653448785966e6e67dcd0a2123b7a2b7b"},{"author":{"_account_id":23851,"name":"Riccardo Pittau","email":"elfosardo@gmail.com","username":"elfosardo"},"change_message_id":"7bffc3e7c0d320b4829f8832134357e5417d3dcd","unresolved":true,"context_lines":[{"line_number":47,"context_line":"understands how to retrieve metadata, download, and ultimately extract the"},{"line_number":48,"context_line":"requested file."},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"The second chnage is likely to take place in the ironic-python-agent\u0027s"},{"line_number":51,"context_line":"artifact retrieval code in the \"standby\" extension. 
That being said, because"},{"line_number":52,"context_line":"of the overall complexity of that code *and* the overall retrieval model,"},{"line_number":53,"context_line":"it is unknown if all current access methods can be adapted and this"}],"source_content_type":"text/x-rst","patch_set":4,"id":"725d65ee_6bfa0b8b","line":50,"range":{"start_line":50,"start_character":11,"end_line":50,"end_character":17},"updated":"2024-10-29 15:23:39.000000000","message":"nit: change","commit_id":"8929dc0ea73b33efbba1e41a090e07cf0b4ba06b"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"8d1772af20eccc4842db93cc5d79fd0b94f233f9","unresolved":false,"context_lines":[{"line_number":47,"context_line":"understands how to retrieve metadata, download, and ultimately extract the"},{"line_number":48,"context_line":"requested file."},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"The second chnage is likely to take place in the ironic-python-agent\u0027s"},{"line_number":51,"context_line":"artifact retrieval code in the \"standby\" extension. 
That being said, because"},{"line_number":52,"context_line":"of the overall complexity of that code *and* the overall retrieval model,"},{"line_number":53,"context_line":"it is unknown if all current access methods can be adapted and this"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1c046d72_cb1d8969","line":50,"range":{"start_line":50,"start_character":11,"end_line":50,"end_character":17},"in_reply_to":"725d65ee_6bfa0b8b","updated":"2024-11-05 03:01:03.000000000","message":"Done","commit_id":"8929dc0ea73b33efbba1e41a090e07cf0b4ba06b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"10f90ac6ddb9e89f4699cad9d3b9933fc816ed6d","unresolved":false,"context_lines":[{"line_number":47,"context_line":"understands how to retrieve metadata, download, and ultimately extract the"},{"line_number":48,"context_line":"requested file."},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"The second chnage is likely to take place in the ironic-python-agent\u0027s"},{"line_number":51,"context_line":"artifact retrieval code in the \"standby\" extension. 
That being said, because"},{"line_number":52,"context_line":"of the overall complexity of that code *and* the overall retrieval model,"},{"line_number":53,"context_line":"it is unknown if all current access methods can be adapted and this"}],"source_content_type":"text/x-rst","patch_set":4,"id":"98eca51d_20d693f8","line":50,"range":{"start_line":50,"start_character":11,"end_line":50,"end_character":17},"in_reply_to":"725d65ee_6bfa0b8b","updated":"2024-11-05 18:10:39.000000000","message":"Done","commit_id":"8929dc0ea73b33efbba1e41a090e07cf0b4ba06b"},{"author":{"_account_id":23851,"name":"Riccardo Pittau","email":"elfosardo@gmail.com","username":"elfosardo"},"change_message_id":"7bffc3e7c0d320b4829f8832134357e5417d3dcd","unresolved":true,"context_lines":[{"line_number":126,"context_line":""},{"line_number":127,"context_line":"This funcitonality is anticipated in ironic \"common\" code available to"},{"line_number":128,"context_line":"all drivers and modules which utilizes the common code for url or object"},{"line_number":129,"context_line":"retrieval. 
As such, in this model, it is not antiicpated to be breaking,"},{"line_number":130,"context_line":"only additive in the overall capabilities."},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"Nova driver impact"}],"source_content_type":"text/x-rst","patch_set":4,"id":"5074c098_bf396880","line":129,"updated":"2024-10-29 15:23:39.000000000","message":"nit: anticipated","commit_id":"8929dc0ea73b33efbba1e41a090e07cf0b4ba06b"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"f074a3b4d087b65caf8aff145189877931bebc7c","unresolved":false,"context_lines":[{"line_number":126,"context_line":""},{"line_number":127,"context_line":"This funcitonality is anticipated in ironic \"common\" code available to"},{"line_number":128,"context_line":"all drivers and modules which utilizes the common code for url or object"},{"line_number":129,"context_line":"retrieval. 
As such, in this model, it is not antiicpated to be breaking,"},{"line_number":130,"context_line":"only additive in the overall capabilities."},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"Nova driver impact"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dddfa4f3_0155383d","line":129,"in_reply_to":"5074c098_bf396880","updated":"2024-10-29 18:15:23.000000000","message":"Done","commit_id":"8929dc0ea73b33efbba1e41a090e07cf0b4ba06b"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"4d0bc5b93766b315a27e5106da058f026f318ac1","unresolved":true,"context_lines":[{"line_number":13,"context_line":"Problem description"},{"line_number":14,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"One of the observed patterns in the Metal3 and ultimately standalone user"},{"line_number":17,"context_line":"bases is the use of container images as a means to transport an image"},{"line_number":18,"context_line":"or bundle of images between one location and another."},{"line_number":19,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"0f2610c8_a2d82dc7","line":16,"updated":"2024-10-31 16:27:56.000000000","message":"ultimately here is weird grammar? 
maybe something like \"many standalone user bases\"","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"10f90ac6ddb9e89f4699cad9d3b9933fc816ed6d","unresolved":true,"context_lines":[{"line_number":13,"context_line":"Problem description"},{"line_number":14,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"One of the observed patterns in the Metal3 and ultimately standalone user"},{"line_number":17,"context_line":"bases is the use of container images as a means to transport an image"},{"line_number":18,"context_line":"or bundle of images between one location and another."},{"line_number":19,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"e958ec9a_5084459d","line":16,"in_reply_to":"0f2610c8_a2d82dc7","updated":"2024-11-05 18:10:39.000000000","message":"I\u0027ve revised heavily.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ca0763176703d28de3e8b677564c4b8d2ba48e67","unresolved":false,"context_lines":[{"line_number":13,"context_line":"Problem description"},{"line_number":14,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"One of the observed patterns in the Metal3 and ultimately standalone user"},{"line_number":17,"context_line":"bases is the use of container images as a means to transport an image"},{"line_number":18,"context_line":"or bundle of images between one 
location and another."},{"line_number":19,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"8d5196e6_873b7097","line":16,"in_reply_to":"e958ec9a_5084459d","updated":"2024-11-15 20:17:50.000000000","message":"Done","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"4d0bc5b93766b315a27e5106da058f026f318ac1","unresolved":true,"context_lines":[{"line_number":52,"context_line":"of the overall complexity of that code *and* the overall retrieval model,"},{"line_number":53,"context_line":"it is unknown if all current access methods can be adapted and this"},{"line_number":54,"context_line":"specification leans towards the \"implementer\u0027s progotive\" on identifying"},{"line_number":55,"context_line":"the correct course and scope as it relates to agent side implementation."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"}],"source_content_type":"text/x-rst","patch_set":5,"id":"92e19cfc_a3426672","line":55,"updated":"2024-10-31 16:27:56.000000000","message":"I\u0027d request we specifically NOT put the common code in standby extension -- we want this to be reusable for cleaning steps, too.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"10f90ac6ddb9e89f4699cad9d3b9933fc816ed6d","unresolved":true,"context_lines":[{"line_number":52,"context_line":"of the overall complexity of that code *and* the overall retrieval model,"},{"line_number":53,"context_line":"it is unknown if all current access methods can be adapted and 
this"},{"line_number":54,"context_line":"specification leans towards the \"implementer\u0027s progotive\" on identifying"},{"line_number":55,"context_line":"the correct course and scope as it relates to agent side implementation."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"}],"source_content_type":"text/x-rst","patch_set":5,"id":"cc32f780_0b9ddb29","line":55,"in_reply_to":"1414e4a7_42c8f074","updated":"2024-11-05 18:10:39.000000000","message":"revised to stipulate that expectation.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e89e9c547689fee56995e7c2df133d056b02c7d3","unresolved":true,"context_lines":[{"line_number":52,"context_line":"of the overall complexity of that code *and* the overall retrieval model,"},{"line_number":53,"context_line":"it is unknown if all current access methods can be adapted and this"},{"line_number":54,"context_line":"specification leans towards the \"implementer\u0027s progotive\" on identifying"},{"line_number":55,"context_line":"the correct course and scope as it relates to agent side implementation."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1414e4a7_42c8f074","line":55,"in_reply_to":"92e19cfc_a3426672","updated":"2024-11-01 15:20:06.000000000","message":"Cleaning steps would be out of scope for base URL support, but I do concur in inclusion in common code.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia 
Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ca0763176703d28de3e8b677564c4b8d2ba48e67","unresolved":false,"context_lines":[{"line_number":52,"context_line":"of the overall complexity of that code *and* the overall retrieval model,"},{"line_number":53,"context_line":"it is unknown if all current access methods can be adapted and this"},{"line_number":54,"context_line":"specification leans towards the \"implementer\u0027s progotive\" on identifying"},{"line_number":55,"context_line":"the correct course and scope as it relates to agent side implementation."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":58,"context_line":"``instance_info/image_source`` value to"}],"source_content_type":"text/x-rst","patch_set":5,"id":"81cc39d4_a6283440","line":55,"in_reply_to":"cc32f780_0b9ddb29","updated":"2024-11-15 20:17:50.000000000","message":"Done","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"4d0bc5b93766b315a27e5106da058f026f318ac1","unresolved":true,"context_lines":[{"line_number":73,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":74,"context_line":"require authentication. The best course of action is to support submission"},{"line_number":75,"context_line":"of a \"pull secret\" to enable image retrieval by the user in the form of"},{"line_number":76,"context_line":"an ``instance_info/image_pull_secret`` value. 
The existing secret protection"},{"line_number":77,"context_line":"code in the API surface should guard this value from being API visible, but"},{"line_number":78,"context_line":"this value can be utilized to establish the appropriate temporary user"},{"line_number":79,"context_line":"environment to access the remote container registry and download the artifact."}],"source_content_type":"text/x-rst","patch_set":5,"id":"886fc2a6_81478ab4","line":76,"updated":"2024-10-31 16:27:56.000000000","message":"Are we sure this should be at an instance level, and not at a systems level? I could see a use case of wanting to enable authentication to an internal registry, where there\u0027d be one central set of credentials on the conductor.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e89e9c547689fee56995e7c2df133d056b02c7d3","unresolved":true,"context_lines":[{"line_number":73,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":74,"context_line":"require authentication. The best course of action is to support submission"},{"line_number":75,"context_line":"of a \"pull secret\" to enable image retrieval by the user in the form of"},{"line_number":76,"context_line":"an ``instance_info/image_pull_secret`` value. 
The existing secret protection"},{"line_number":77,"context_line":"code in the API surface should guard this value from being API visible, but"},{"line_number":78,"context_line":"this value can be utilized to establish the appropriate temporary user"},{"line_number":79,"context_line":"environment to access the remote container registry and download the artifact."}],"source_content_type":"text/x-rst","patch_set":5,"id":"b8a50231_713c12f5","line":76,"in_reply_to":"886fc2a6_81478ab4","updated":"2024-11-01 15:20:06.000000000","message":"I guess it could make sense to have system level, but then also the overall URL format permits and allows for differences in the URL, and I\u0027m not sure it is also  a good idea to send a pull secret for someone else\u0027s server to another server.\n\nI mentally modeled this on URL support. We don\u0027t have general HTTP url support with authentication for any file on a specific remote server, the user has to come with the details.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"b6085a6a3c69387491da9cb60f9d8b9a6274bebb","unresolved":true,"context_lines":[{"line_number":73,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":74,"context_line":"require authentication. The best course of action is to support submission"},{"line_number":75,"context_line":"of a \"pull secret\" to enable image retrieval by the user in the form of"},{"line_number":76,"context_line":"an ``instance_info/image_pull_secret`` value. 
The existing secret protection"},{"line_number":77,"context_line":"code in the API surface should guard this value from being API visible, but"},{"line_number":78,"context_line":"this value can be utilized to establish the appropriate temporary user"},{"line_number":79,"context_line":"environment to access the remote container registry and download the artifact."}],"source_content_type":"text/x-rst","patch_set":5,"id":"dd58b65f_31956caa","line":76,"in_reply_to":"b8a50231_713c12f5","updated":"2024-11-01 17:14:37.000000000","message":"Even if as an add-on (not in MVP), something like a config for mapping container registry to creds would be good. Ensuring that\u0027s possible when implementing would be nice (my downstream would be unable to use this feature with an instance-based authentication model).","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"10f90ac6ddb9e89f4699cad9d3b9933fc816ed6d","unresolved":false,"context_lines":[{"line_number":73,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":74,"context_line":"require authentication. The best course of action is to support submission"},{"line_number":75,"context_line":"of a \"pull secret\" to enable image retrieval by the user in the form of"},{"line_number":76,"context_line":"an ``instance_info/image_pull_secret`` value. 
The existing secret protection"},{"line_number":77,"context_line":"code in the API surface should guard this value from being API visible, but"},{"line_number":78,"context_line":"this value can be utilized to establish the appropriate temporary user"},{"line_number":79,"context_line":"environment to access the remote container registry and download the artifact."}],"source_content_type":"text/x-rst","patch_set":5,"id":"21200e78_1302b0c3","line":76,"in_reply_to":"dd58b65f_31956caa","updated":"2024-11-05 18:10:39.000000000","message":"Explicitly created a carve out for this.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":24828,"name":"Kaifeng Wang","email":"kaifeng.w@gmail.com","username":"wangkf"},"change_message_id":"b1b7d4d446d79d6b50bae7aed2e90a76176eb2dc","unresolved":true,"context_lines":[{"line_number":151,"context_line":"Overall, no impact to the ramdisk composition or structure is anticipated,"},{"line_number":152,"context_line":"however we anticipate adding some limited specific object retreieval into the"},{"line_number":153,"context_line":"agent itself to support retrieval of objects from container registry."},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"In part, the standby extension\u0027s ImageDownload class seems logical to extend"},{"line_number":156,"context_line":"further to support this modeling, yet this class is exclusively modeled on"},{"line_number":157,"context_line":"HTTP(S) interactions to enable delineation of streaming or file download and"}],"source_content_type":"text/x-rst","patch_set":5,"id":"cc6a9075_c77085a5","line":154,"updated":"2024-11-01 15:03:21.000000000","message":"Please correct if I am wrong, it seems like implying the ramdisk needs to pack some container packages to be able to retrieve the image, not sure the overhead of the image size but we already have quite large already which has non-negligible impact on the large concurrent deployment performance. 
Would be good to note it here.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"aa747c6afafa3fd5b04483ec95d79422427e7d44","unresolved":true,"context_lines":[{"line_number":151,"context_line":"Overall, no impact to the ramdisk composition or structure is anticipated,"},{"line_number":152,"context_line":"however we anticipate adding some limited specific object retreieval into the"},{"line_number":153,"context_line":"agent itself to support retrieval of objects from container registry."},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"In part, the standby extension\u0027s ImageDownload class seems logical to extend"},{"line_number":156,"context_line":"further to support this modeling, yet this class is exclusively modeled on"},{"line_number":157,"context_line":"HTTP(S) interactions to enable delineation of streaming or file download and"}],"source_content_type":"text/x-rst","patch_set":5,"id":"739c52e9_f0ce2ae4","line":154,"in_reply_to":"575ea6d6_d9b1c9c8","updated":"2024-11-14 16:02:00.000000000","message":"Yes, that would be required, there is other proposed work which would similarly have the same exact requirement. \n\nTo do things right, we would need to support both paths and implement the base logic in the agent *as well*. What an operator chooses to do or how they wish to have their environment configured, i.e. 
if the conductor pulls and extracts, or if the ramdisk.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ca0763176703d28de3e8b677564c4b8d2ba48e67","unresolved":true,"context_lines":[{"line_number":151,"context_line":"Overall, no impact to the ramdisk composition or structure is anticipated,"},{"line_number":152,"context_line":"however we anticipate adding some limited specific object retreieval into the"},{"line_number":153,"context_line":"agent itself to support retrieval of objects from container registry."},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"In part, the standby extension\u0027s ImageDownload class seems logical to extend"},{"line_number":156,"context_line":"further to support this modeling, yet this class is exclusively modeled on"},{"line_number":157,"context_line":"HTTP(S) interactions to enable delineation of streaming or file download and"}],"source_content_type":"text/x-rst","patch_set":5,"id":"e0da4126_9f8491f9","line":154,"in_reply_to":"739c52e9_f0ce2ae4","updated":"2024-11-15 20:17:50.000000000","message":"So this next revision calls it out such that this feels like we\u0027re being pedantic in a needless way, but to be more verbose so everyone understands we\u0027re talking about both supporting retrieval in the ramdisk and by the conductor.\n\nActual source data we get based upon the user\u0027s created container composition *will* be critical because they might not attach certain formats which may require sending us down a slightly different code path, or rejecting the request depending on what they have submitted Ironic in the first place.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":10239,"name":"Dmitry 
Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"42814aaa62e61ab9c60d6b1e870589004f125156","unresolved":true,"context_lines":[{"line_number":151,"context_line":"Overall, no impact to the ramdisk composition or structure is anticipated,"},{"line_number":152,"context_line":"however we anticipate adding some limited specific object retreieval into the"},{"line_number":153,"context_line":"agent itself to support retrieval of objects from container registry."},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"In part, the standby extension\u0027s ImageDownload class seems logical to extend"},{"line_number":156,"context_line":"further to support this modeling, yet this class is exclusively modeled on"},{"line_number":157,"context_line":"HTTP(S) interactions to enable delineation of streaming or file download and"}],"source_content_type":"text/x-rst","patch_set":5,"id":"575ea6d6_d9b1c9c8","line":154,"in_reply_to":"cc6a9075_c77085a5","updated":"2024-11-14 14:07:02.000000000","message":"Yep. 
This is also a reason why I\u0027m talking about image_download_source above.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[{"line_number":151,"context_line":"Overall, no impact to the ramdisk composition or structure is anticipated,"},{"line_number":152,"context_line":"however we anticipate adding some limited specific object retreieval into the"},{"line_number":153,"context_line":"agent itself to support retrieval of objects from container registry."},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"In part, the standby extension\u0027s ImageDownload class seems logical to extend"},{"line_number":156,"context_line":"further to support this modeling, yet this class is exclusively modeled on"},{"line_number":157,"context_line":"HTTP(S) interactions to enable delineation of streaming or file download and"}],"source_content_type":"text/x-rst","patch_set":5,"id":"b1256e94_54edcbf5","line":154,"in_reply_to":"e0da4126_9f8491f9","updated":"2025-01-21 21:20:33.000000000","message":"Done","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"4d0bc5b93766b315a27e5106da058f026f318ac1","unresolved":true,"context_lines":[{"line_number":162,"context_line":"container registry. 
In all likelihood, the implementer will need to modify"},{"line_number":163,"context_line":"the ``StandbyExtension.prepare_image`` method logic based upon what they"},{"line_number":164,"context_line":"learn from the work in Ironic, as the ramdisk is more memory constrained"},{"line_number":165,"context_line":"than the ironic-conductor\u0027s file download model."},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"Security impact"},{"line_number":168,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"90a5d956_3ccdf677","line":165,"updated":"2024-10-31 16:27:56.000000000","message":"I would really appreciate if the implementer ended up factoring some of this code out of the StandbyExtension so https://bugs.launchpad.net/ironic/+bug/2059948 can utilize it (my hope would be to help with this effort in service of 2059948, since they are similar)","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ca0763176703d28de3e8b677564c4b8d2ba48e67","unresolved":true,"context_lines":[{"line_number":162,"context_line":"container registry. 
In all likelihood, the implementer will need to modify"},{"line_number":163,"context_line":"the ``StandbyExtension.prepare_image`` method logic based upon what they"},{"line_number":164,"context_line":"learn from the work in Ironic, as the ramdisk is more memory constrained"},{"line_number":165,"context_line":"than the ironic-conductor\u0027s file download model."},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"Security impact"},{"line_number":168,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"51ca3c2e_6ae7c5fc","line":165,"in_reply_to":"0ad584f3_beb260e1","updated":"2024-11-15 20:17:50.000000000","message":"I\u0027m going to stress that the next revision of this spec looks a *lot* like Steve\u0027s proposal, just slightly different for multi-arch attached artifacts.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"f063c381dfc83ecaa743704b53a08f7d58995d17","unresolved":true,"context_lines":[{"line_number":162,"context_line":"container registry. In all likelihood, the implementer will need to modify"},{"line_number":163,"context_line":"the ``StandbyExtension.prepare_image`` method logic based upon what they"},{"line_number":164,"context_line":"learn from the work in Ironic, as the ramdisk is more memory constrained"},{"line_number":165,"context_line":"than the ironic-conductor\u0027s file download model."},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"Security impact"},{"line_number":168,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"74afaf8c_3c0028d9","line":165,"in_reply_to":"0d53da7b_40869758","updated":"2024-11-06 23:08:31.000000000","message":"Well even further supporting this there are cases already where OCI images have qcow2 blobs in them rather than layers. 
You can store a kernel object and ramdisk object in there as well.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"0fa88f0d304d0fc6b2bc16916b8442900e0ba360","unresolved":true,"context_lines":[{"line_number":162,"context_line":"container registry. In all likelihood, the implementer will need to modify"},{"line_number":163,"context_line":"the ``StandbyExtension.prepare_image`` method logic based upon what they"},{"line_number":164,"context_line":"learn from the work in Ironic, as the ramdisk is more memory constrained"},{"line_number":165,"context_line":"than the ironic-conductor\u0027s file download model."},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"Security impact"},{"line_number":168,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"0d53da7b_40869758","line":165,"in_reply_to":"2d741d88_e7cad8fa","updated":"2024-11-06 22:41:59.000000000","message":"I have a slightly evil suggestion which I\u0027ll just lay out here.\n\nDon\u0027t use podman. Instead implement enough of a registry client in python to do the following:\n- handle auth\n- fetch manifest\n- fetch the image manifest (which is more json metadata on the other layers)\n- fetch layer blobs one at a time (top most first) and stream directly to tar. Process layers until the required file is found.\n- Write it to disk with on-the-fly hash validation. 
(If raw, stream to a block device)\n\nAdvantages over using podman:\n- saves network transfers by not needing to download base layers (some images may contain more than just the required file).\n- saves disk storage, there is no need to store the full container image plus the qcow2.\n- retains ability to stream raw images directly to the block device\n\nDisadvantages:\n- more python to maintain, although I don\u0027t think the implementation will be very large at all, and there is no advantage to adding concurrency\n- less of the re-use that Jay is going for\n\nThis might be best as a follow-up enhancement, but I\u0027m laying it out here in case the advantages are enough to do it straight up.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ecfa05bd3f5100b09bc5b59f9c3c2377adfb8a11","unresolved":false,"context_lines":[{"line_number":162,"context_line":"container registry. 
In all likelihood, the implementer will need to modify"},{"line_number":163,"context_line":"the ``StandbyExtension.prepare_image`` method logic based upon what they"},{"line_number":164,"context_line":"learn from the work in Ironic, as the ramdisk is more memory constrained"},{"line_number":165,"context_line":"than the ironic-conductor\u0027s file download model."},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"Security impact"},{"line_number":168,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"ba1a7805_8d17b2e3","line":165,"in_reply_to":"51ca3c2e_6ae7c5fc","updated":"2025-01-24 21:17:41.000000000","message":"Done","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"7e60cd8e82fcf53dd2867941d86d213ab64431f3","unresolved":true,"context_lines":[{"line_number":162,"context_line":"container registry. In all likelihood, the implementer will need to modify"},{"line_number":163,"context_line":"the ``StandbyExtension.prepare_image`` method logic based upon what they"},{"line_number":164,"context_line":"learn from the work in Ironic, as the ramdisk is more memory constrained"},{"line_number":165,"context_line":"than the ironic-conductor\u0027s file download model."},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"Security impact"},{"line_number":168,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"0ad584f3_beb260e1","line":165,"in_reply_to":"74afaf8c_3c0028d9","updated":"2024-11-07 17:02:26.000000000","message":"I *think* the requirement would need to be a file mapped to a blob... and I just looked at the image-spec and all I can convey is sadness.\n\nThe image specification which defines index.json is *actually* *not* inclusive of a file. 
So in terms of a \"file on a filesystem we want to extract\", we\u0027re likely going to need to let the gunzip/untar contents of the file to be extracted to reach the base contents.\n\nhttps://github.com/opencontainers/image-spec/\n\nWhich I think means streaming is just off the table.\n\nThink of it this way:\n\nimage-index.md talks about the index pointing to manifests, matched upon aspects like *architecture* or *os*.\n\nThen manifest.md talks about it being a composite of image layers with base configuration.\n\nEach layer has a media type, a size, and a digest. Each media type is thus likely a gzipped/tarred file.\n\nYou *CAN* store an entire layer in json. Likely not the best idea and ideally we want easy to use. Going back to the configuration, that is also required and contains some details/history as well as runtime configurations, as well as the content detail regarding the structure of layers to be laid down to make the composite container, but *not* an artifact mapping. To do that, we would need to begin to crack open the container contents.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e89e9c547689fee56995e7c2df133d056b02c7d3","unresolved":true,"context_lines":[{"line_number":162,"context_line":"container registry. 
In all likelihood, the implementer will need to modify"},{"line_number":163,"context_line":"the ``StandbyExtension.prepare_image`` method logic based upon what they"},{"line_number":164,"context_line":"learn from the work in Ironic, as the ramdisk is more memory constrained"},{"line_number":165,"context_line":"than the ironic-conductor\u0027s file download model."},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"Security impact"},{"line_number":168,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"2d741d88_e7cad8fa","line":165,"in_reply_to":"90a5d956_3ccdf677","updated":"2024-11-01 15:20:06.000000000","message":"I think that is reasonable, but the end code to this shouldn\u0027t be that difficult.\n\nURL format identification (definitely common code)\nRemote registry authentication (Also definitely common)\nActual act of pulling, common.\nAbility to get from a URL overall, likely common code.\nThe actual ability to recognize and engage a remote registry at a high level is the code path under prepare_image.\n\nWe should also be mindful about big refactors in IPA as part of other changes in a single patch, they get exceptionally painful in IPA when general fixes are trying to be backported. I think this has bitten us all over time.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"4d0bc5b93766b315a27e5106da058f026f318ac1","unresolved":true,"context_lines":[{"line_number":180,"context_line":"access the container registry. At present, if set in the existing"},{"line_number":181,"context_line":"``instance_info`` field with an appropriate name, should result in the value"},{"line_number":182,"context_line":"from being visible to an API consumer. 
Special care should be taken by the"},{"line_number":183,"context_line":"implementer to purge this value upon the completion of operations."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Other end user impact"},{"line_number":186,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"8a28dcc6_17011c9b","line":183,"updated":"2024-10-31 16:27:56.000000000","message":"Won\u0027t we need to make the image format inspector be able to detect container images? It seems very trusting to do initial extraction of a container image without any security check code.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"59580126e454fc2457fe3bf33c3f48184c67ae20","unresolved":true,"context_lines":[{"line_number":180,"context_line":"access the container registry. At present, if set in the existing"},{"line_number":181,"context_line":"``instance_info`` field with an appropriate name, should result in the value"},{"line_number":182,"context_line":"from being visible to an API consumer. Special care should be taken by the"},{"line_number":183,"context_line":"implementer to purge this value upon the completion of operations."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Other end user impact"},{"line_number":186,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"477e7888_a53ce9ab","line":183,"in_reply_to":"3ec20496_d4adeae1","updated":"2024-11-05 16:06:19.000000000","message":"So, I guess that might be possible to do.\n\nExplicitly set it has to be an OCI layout available store in the appropriate layout. But how do we handle authentication then? 
I mean, sure we could for example use skopeo to copy the container to a local OCI layout, load index.json to find the file mapping, and directly access the blobs/sha256/appropriate-hash-value...","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"10f90ac6ddb9e89f4699cad9d3b9933fc816ed6d","unresolved":true,"context_lines":[{"line_number":180,"context_line":"access the container registry. At present, if set in the existing"},{"line_number":181,"context_line":"``instance_info`` field with an appropriate name, should result in the value"},{"line_number":182,"context_line":"from being visible to an API consumer. Special care should be taken by the"},{"line_number":183,"context_line":"implementer to purge this value upon the completion of operations."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Other end user impact"},{"line_number":186,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"83e4335d_0d3f1991","line":183,"in_reply_to":"477e7888_a53ce9ab","updated":"2024-11-05 18:10:39.000000000","message":"I\u0027m revising the overall text here.\n\nSo I had to take a look at what was the dockerv2 structure and what is the OCI structure, and at the end of the day whatever tool we use is just going to be downloading the file(s), writing them to disk, and we\u0027re going to extract them and run format inspector on them as well. 
Which is distinctly different than the qemu-img issues, the revised text should cover and delineate this more clearly.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"a5fd130a073a43bdc7dc5f3f0c0adb1a5fec6f02","unresolved":true,"context_lines":[{"line_number":180,"context_line":"access the container registry. At present, if set in the existing"},{"line_number":181,"context_line":"``instance_info`` field with an appropriate name, should result in the value"},{"line_number":182,"context_line":"from being visible to an API consumer. Special care should be taken by the"},{"line_number":183,"context_line":"implementer to purge this value upon the completion of operations."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Other end user impact"},{"line_number":186,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"71d5c072_03e8880d","line":183,"in_reply_to":"6531e655_be9ea954","updated":"2024-11-01 20:00:57.000000000","message":"Clarifying based on chat in IRC with Julia: I\u0027m not saying *we have to own security of container images*; but instead we should ensure that the upstream we use (podman/docker) will consider the class of issues we saw in the qemu-img related CVEs -- or anything else related to safety of using untrusted images -- in scope for their project (and not outsourced to the user; e.g. us).","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"c0de27e30af5bbd0c87b6dc6613f2c435d0ee6d6","unresolved":true,"context_lines":[{"line_number":180,"context_line":"access the container registry. 
At present, if set in the existing"},{"line_number":181,"context_line":"``instance_info`` field with an appropriate name, should result in the value"},{"line_number":182,"context_line":"from being visible to an API consumer. Special care should be taken by the"},{"line_number":183,"context_line":"implementer to purge this value upon the completion of operations."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Other end user impact"},{"line_number":186,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3ec20496_d4adeae1","line":183,"in_reply_to":"71d5c072_03e8880d","updated":"2024-11-04 23:28:58.000000000","message":"So the way I was thinking about this is that we\u0027re fetching a manifest, which is either good JSON or bad JSON. It\u0027s pointing us to objects which are either blobs like a kernel or a ramdisk or a rootfs. I guess if we say that the rootfs is a partition vs a whole disk image blob then we need to deal with some data parsing.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[{"line_number":180,"context_line":"access the container registry. At present, if set in the existing"},{"line_number":181,"context_line":"``instance_info`` field with an appropriate name, should result in the value"},{"line_number":182,"context_line":"from being visible to an API consumer. 
Special care should be taken by the"},{"line_number":183,"context_line":"implementer to purge this value upon the completion of operations."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Other end user impact"},{"line_number":186,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"bdea02ac_0462acc7","line":183,"in_reply_to":"83e4335d_0d3f1991","updated":"2025-01-21 21:20:33.000000000","message":"Done","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e89e9c547689fee56995e7c2df133d056b02c7d3","unresolved":true,"context_lines":[{"line_number":180,"context_line":"access the container registry. At present, if set in the existing"},{"line_number":181,"context_line":"``instance_info`` field with an appropriate name, should result in the value"},{"line_number":182,"context_line":"from being visible to an API consumer. Special care should be taken by the"},{"line_number":183,"context_line":"implementer to purge this value upon the completion of operations."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Other end user impact"},{"line_number":186,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"a4a85602_22c21ca1","line":183,"in_reply_to":"8a28dcc6_17011c9b","updated":"2024-11-01 15:20:06.000000000","message":"I think that would be out of scope if we\u0027re saying \"hey podman, go grab the container\" and \"hey podman, copy that file out so I can interact with it directly\". At which point, in this model, then we would run FormatInspector on the file we extracted.\n\nI think the key is we\u0027re not downloading a container to a file we can directly inspect. 
We\u0027re telling tools in the system to download the artifact from the container registry and then asking the tools to extract a file from the container which is a composite the tools help assemble and make visible as a userspace runtime environment.","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"b6085a6a3c69387491da9cb60f9d8b9a6274bebb","unresolved":true,"context_lines":[{"line_number":180,"context_line":"access the container registry. At present, if set in the existing"},{"line_number":181,"context_line":"``instance_info`` field with an appropriate name, should result in the value"},{"line_number":182,"context_line":"from being visible to an API consumer. Special care should be taken by the"},{"line_number":183,"context_line":"implementer to purge this value upon the completion of operations."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Other end user impact"},{"line_number":186,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"6531e655_be9ea954","line":183,"in_reply_to":"a4a85602_22c21ca1","updated":"2024-11-01 17:14:37.000000000","message":"This is *exactly* the scenario I\u0027m worried about. We\u0027re trusting podman/docker implicitly to do these things securely, in the same way we (originally) trusted qemu-img. 
Do we have any commitment from the OCI implementations we\u0027re likely to use that they can be used with untrusted images?","commit_id":"99fffcb3fa6ff66ace5c80dfa2ac55b5f5f36d7a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"447cab131fe942db9958370710cfbf447c5e8379","unresolved":true,"context_lines":[{"line_number":128,"context_line":"   image structure on disk. This limits the overall scope of interaction,"},{"line_number":129,"context_line":"   because the underlying Docker V2 protocol modeling is functionally HTTP"},{"line_number":130,"context_line":"   file downloads from the registry in a similar layout."},{"line_number":131,"context_line":"4) The resulting \u003ccontainer_temp_filter\u003e/index.json file accessed as valid"},{"line_number":132,"context_line":"   json to map the user requested *file* to the blob on disk which will be"},{"line_number":133,"context_line":"   in the folder path of \u003ccontainer_temp_folder\u003e/blobs/sha256/\u003cblob-checksum\u003e."},{"line_number":134,"context_line":"5) The image cache shall then be updated to purge the temporary folder"},{"line_number":135,"context_line":"   structure representing the container at an appropriate time once the user"},{"line_number":136,"context_line":"   requested artifact has been extracted."}],"source_content_type":"text/x-rst","patch_set":6,"id":"c1d48103_e6d69a89","line":133,"range":{"start_line":131,"start_character":2,"end_line":133,"end_character":78},"updated":"2024-11-07 17:03:39.000000000","message":"Bad news folks, this is wrong, the tool needs to extract the composite layers based upon the image specification and structure as there is no direct mapping for housing files, only layers.","commit_id":"cd294ea9335a8209b0346125dca3ebce0be67f9f"},{"author":{"_account_id":11655,"name":"Julia 
Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ca0763176703d28de3e8b677564c4b8d2ba48e67","unresolved":false,"context_lines":[{"line_number":128,"context_line":"   image structure on disk. This limits the overall scope of interaction,"},{"line_number":129,"context_line":"   because the underlying Docker V2 protocol modeling is functionally HTTP"},{"line_number":130,"context_line":"   file downloads from the registry in a similar layout."},{"line_number":131,"context_line":"4) The resulting \u003ccontainer_temp_filter\u003e/index.json file accessed as valid"},{"line_number":132,"context_line":"   json to map the user requested *file* to the blob on disk which will be"},{"line_number":133,"context_line":"   in the folder path of \u003ccontainer_temp_folder\u003e/blobs/sha256/\u003cblob-checksum\u003e."},{"line_number":134,"context_line":"5) The image cache shall then be updated to purge the temporary folder"},{"line_number":135,"context_line":"   structure representing the container at an appropriate time once the user"},{"line_number":136,"context_line":"   requested artifact has been extracted."}],"source_content_type":"text/x-rst","patch_set":6,"id":"8ef13d01_4072b6e7","line":133,"range":{"start_line":131,"start_character":2,"end_line":133,"end_character":78},"in_reply_to":"c1d48103_e6d69a89","updated":"2024-11-15 20:17:50.000000000","message":"Done","commit_id":"cd294ea9335a8209b0346125dca3ebce0be67f9f"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"42814aaa62e61ab9c60d6b1e870589004f125156","unresolved":true,"context_lines":[{"line_number":13,"context_line":"Problem 
description"},{"line_number":14,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"One of the observed patterns in the Metal3 and standalone users utilize a"},{"line_number":17,"context_line":"container images as a means to transport an image or bundle of images"},{"line_number":18,"context_line":"between one location and another."},{"line_number":19,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"ed8b9cd7_de22dfd9","line":16,"updated":"2024-11-14 14:07:02.000000000","message":"nit: It\u0027s a desired, not observed pattern in Metal3. Right now we\u0027re forced to ask all users to create an HTTP server.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[{"line_number":13,"context_line":"Problem description"},{"line_number":14,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"One of the observed patterns in the Metal3 and standalone users utilize a"},{"line_number":17,"context_line":"container images as a means to transport an image or bundle of images"},{"line_number":18,"context_line":"between one location and another."},{"line_number":19,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"1fb8b49f_36dacba9","line":16,"in_reply_to":"8e317d8f_08d50c91","updated":"2025-01-21 21:20:33.000000000","message":"Done","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia 
Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"aa747c6afafa3fd5b04483ec95d79422427e7d44","unresolved":true,"context_lines":[{"line_number":13,"context_line":"Problem description"},{"line_number":14,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"One of the observed patterns in the Metal3 and standalone users utilize a"},{"line_number":17,"context_line":"container images as a means to transport an image or bundle of images"},{"line_number":18,"context_line":"between one location and another."},{"line_number":19,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"8e317d8f_08d50c91","line":16,"in_reply_to":"ed8b9cd7_de22dfd9","updated":"2024-11-14 16:02:00.000000000","message":"Ack.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"42814aaa62e61ab9c60d6b1e870589004f125156","unresolved":true,"context_lines":[{"line_number":24,"context_line":"container filesystem. The conatiner, itself likely having been created through"},{"line_number":25,"context_line":"the execution of a Dockerfile which built the disk image inside of the"},{"line_number":26,"context_line":"container environment and placed the resulting artifacts as a file on the"},{"line_number":27,"context_line":"fileystem."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"One challenge is when you need to modify the image, it is relatively easy to"},{"line_number":30,"context_line":"upload a new container to the container registry. 
The resulting process"}],"source_content_type":"text/x-rst","patch_set":7,"id":"a7fcfb9a_2a955ab4","line":27,"updated":"2024-11-14 14:07:02.000000000","message":"In two hours we have a meeting where we might learn a completely different approach that podman takes.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"e7dba8d9bd5de02eeb11631116adfeed9a591379","unresolved":true,"context_lines":[{"line_number":24,"context_line":"container filesystem. The conatiner, itself likely having been created through"},{"line_number":25,"context_line":"the execution of a Dockerfile which built the disk image inside of the"},{"line_number":26,"context_line":"container environment and placed the resulting artifacts as a file on the"},{"line_number":27,"context_line":"fileystem."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"One challenge is when you need to modify the image, it is relatively easy to"},{"line_number":30,"context_line":"upload a new container to the container registry. The resulting process"}],"source_content_type":"text/x-rst","patch_set":7,"id":"ed308f1a_d6071476","line":27,"in_reply_to":"a5456648_1a01eac6","updated":"2024-11-15 14:40:39.000000000","message":"Right, this was my intention. I don\u0027t think we get any text to link to, but we definitely can refer to quay.io/podman/machine-os as an example of where we want to be.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"aa747c6afafa3fd5b04483ec95d79422427e7d44","unresolved":true,"context_lines":[{"line_number":24,"context_line":"container filesystem. 
The conatiner, itself likely having been created through"},{"line_number":25,"context_line":"the execution of a Dockerfile which built the disk image inside of the"},{"line_number":26,"context_line":"container environment and placed the resulting artifacts as a file on the"},{"line_number":27,"context_line":"fileystem."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"One challenge is when you need to modify the image, it is relatively easy to"},{"line_number":30,"context_line":"upload a new container to the container registry. The resulting process"}],"source_content_type":"text/x-rst","patch_set":7,"id":"a5456648_1a01eac6","line":27,"in_reply_to":"a7fcfb9a_2a955ab4","updated":"2024-11-14 16:02:00.000000000","message":"That is a downstream meeting. Not fair to bring into an upstream spec until we have artifact we can point to in the upstream.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ca0763176703d28de3e8b677564c4b8d2ba48e67","unresolved":false,"context_lines":[{"line_number":24,"context_line":"container filesystem. The conatiner, itself likely having been created through"},{"line_number":25,"context_line":"the execution of a Dockerfile which built the disk image inside of the"},{"line_number":26,"context_line":"container environment and placed the resulting artifacts as a file on the"},{"line_number":27,"context_line":"fileystem."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"One challenge is when you need to modify the image, it is relatively easy to"},{"line_number":30,"context_line":"upload a new container to the container registry. 
The resulting process"}],"source_content_type":"text/x-rst","patch_set":7,"id":"ce122197_29939bdc","line":27,"in_reply_to":"c5277e0d_ae90540d","updated":"2024-11-15 20:17:50.000000000","message":"And I\u0027ve included an explicit reference to it as well.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"3bb06bd1f4f7f5a48b661b8d5a98b2a9edd89ff6","unresolved":true,"context_lines":[{"line_number":24,"context_line":"container filesystem. The conatiner, itself likely having been created through"},{"line_number":25,"context_line":"the execution of a Dockerfile which built the disk image inside of the"},{"line_number":26,"context_line":"container environment and placed the resulting artifacts as a file on the"},{"line_number":27,"context_line":"fileystem."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"One challenge is when you need to modify the image, it is relatively easy to"},{"line_number":30,"context_line":"upload a new container to the container registry. 
The resulting process"}],"source_content_type":"text/x-rst","patch_set":7,"id":"c5277e0d_ae90540d","line":27,"in_reply_to":"ed308f1a_d6071476","updated":"2024-11-15 15:55:13.000000000","message":"That works for me!","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"42814aaa62e61ab9c60d6b1e870589004f125156","unresolved":true,"context_lines":[{"line_number":42,"context_line":"This change proposes adapation of core Ironic service code to enable"},{"line_number":43,"context_line":"retrieval of artifacts from OCI containers."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"The first change is to modify the ironic \"ironic/common/image_service.py\""},{"line_number":46,"context_line":"code such that there is an OCI protocol mapping, with associated class which"},{"line_number":47,"context_line":"understands how to retrieve metadata, download, and ultimately extract the"},{"line_number":48,"context_line":"requested file."}],"source_content_type":"text/x-rst","patch_set":7,"id":"e2a28b1b_7ad87ff4","line":45,"updated":"2024-11-14 14:07:02.000000000","message":"nit: Let\u0027s not mention specific code locations in a spec. 
It\u0027s enough to say \"create another image service / image protocol implementation\".","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ca0763176703d28de3e8b677564c4b8d2ba48e67","unresolved":false,"context_lines":[{"line_number":42,"context_line":"This change proposes adapation of core Ironic service code to enable"},{"line_number":43,"context_line":"retrieval of artifacts from OCI containers."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"The first change is to modify the ironic \"ironic/common/image_service.py\""},{"line_number":46,"context_line":"code such that there is an OCI protocol mapping, with associated class which"},{"line_number":47,"context_line":"understands how to retrieve metadata, download, and ultimately extract the"},{"line_number":48,"context_line":"requested file."}],"source_content_type":"text/x-rst","patch_set":7,"id":"61e61a32_45ae6023","line":45,"in_reply_to":"5f146e86_16c77788","updated":"2024-11-15 20:17:50.000000000","message":"Done, however... 
we know from history specs are not user facing design documents, nor should they be because they can\u0027t be documentation on how to do a thing because they are also frozen in time.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"e7dba8d9bd5de02eeb11631116adfeed9a591379","unresolved":true,"context_lines":[{"line_number":42,"context_line":"This change proposes adapation of core Ironic service code to enable"},{"line_number":43,"context_line":"retrieval of artifacts from OCI containers."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"The first change is to modify the ironic \"ironic/common/image_service.py\""},{"line_number":46,"context_line":"code such that there is an OCI protocol mapping, with associated class which"},{"line_number":47,"context_line":"understands how to retrieve metadata, download, and ultimately extract the"},{"line_number":48,"context_line":"requested file."}],"source_content_type":"text/x-rst","patch_set":7,"id":"5f146e86_16c77788","line":45,"in_reply_to":"8a69c68f_00ff84e5","updated":"2024-11-15 14:40:39.000000000","message":"You assume readers who are familiar with the structure of Ironic code base. 
Ideally, our specifications should be friendly towards people who are not.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"aa747c6afafa3fd5b04483ec95d79422427e7d44","unresolved":true,"context_lines":[{"line_number":42,"context_line":"This change proposes adapation of core Ironic service code to enable"},{"line_number":43,"context_line":"retrieval of artifacts from OCI containers."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"The first change is to modify the ironic \"ironic/common/image_service.py\""},{"line_number":46,"context_line":"code such that there is an OCI protocol mapping, with associated class which"},{"line_number":47,"context_line":"understands how to retrieve metadata, download, and ultimately extract the"},{"line_number":48,"context_line":"requested file."}],"source_content_type":"text/x-rst","patch_set":7,"id":"8a69c68f_00ff84e5","line":45,"in_reply_to":"e2a28b1b_7ad87ff4","updated":"2024-11-14 16:02:00.000000000","message":"Fair, but the intent was to provide people with enough understanding who are reviewing it. To keep the discussion too far away from what is actually under the hood today... where *everything* is supplied as is, just seems like we\u0027re not helping ourselves get the idea across to readers. Dunno.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"42814aaa62e61ab9c60d6b1e870589004f125156","unresolved":true,"context_lines":[{"line_number":51,"context_line":"artifact retrieval code in the \"standby\" extension. 
That being said, because"},{"line_number":52,"context_line":"of the overall complexity of that code *and* the overall retrieval model,"},{"line_number":53,"context_line":"it is unknown if all current access methods can be adapted and this"},{"line_number":54,"context_line":"specification leans towards the \"implementer\u0027s progotive\" on identifying"},{"line_number":55,"context_line":"the correct course and scope as it relates to agent side implementation"},{"line_number":56,"context_line":"with the base stipulation that code to support URL access is *largely*"},{"line_number":57,"context_line":"in the form common code."}],"source_content_type":"text/x-rst","patch_set":7,"id":"0d117c4c_fe231d3c","line":54,"updated":"2024-11-14 14:07:02.000000000","message":"-1 to leaving this unspecified. If we find a way to download OCI artifacts, we can very well use the same in IPA.\n\nFurthermore, we\u0027d need to make sure image_download_source works for OCI images, so that operators can define whether they want the OCI handling to happen depending on whether IPA has access to the registry and the pull secret to use it.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"aa747c6afafa3fd5b04483ec95d79422427e7d44","unresolved":true,"context_lines":[{"line_number":51,"context_line":"artifact retrieval code in the \"standby\" extension. 
That being said, because"},{"line_number":52,"context_line":"of the overall complexity of that code *and* the overall retrieval model,"},{"line_number":53,"context_line":"it is unknown if all current access methods can be adapted and this"},{"line_number":54,"context_line":"specification leans towards the \"implementer\u0027s progotive\" on identifying"},{"line_number":55,"context_line":"the correct course and scope as it relates to agent side implementation"},{"line_number":56,"context_line":"with the base stipulation that code to support URL access is *largely*"},{"line_number":57,"context_line":"in the form common code."}],"source_content_type":"text/x-rst","patch_set":7,"id":"6a1736f9_bb29d3e5","line":54,"in_reply_to":"0d117c4c_fe231d3c","updated":"2024-11-14 16:02:00.000000000","message":"Well, the fundamental issue is JayF wants an entirely separate implementation and use model for runtime steps, so I\u0027m trying not to entirely design the vague at this precise moment.\n\nAs for image_download_source in the conductor, that is higher level logic the underlying image service which retrieves the artifact. The net effect being if an older IPA gets used, there is zero guard depending on image_download_source settings beyond any higher level url format validation. Really, again, the targeted nature of the change is disjointed from image_download_source since it is a higher level logic than the underlying image services which exist.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[{"line_number":51,"context_line":"artifact retrieval code in the \"standby\" extension. 
That being said, because"},{"line_number":52,"context_line":"of the overall complexity of that code *and* the overall retrieval model,"},{"line_number":53,"context_line":"it is unknown if all current access methods can be adapted and this"},{"line_number":54,"context_line":"specification leans towards the \"implementer\u0027s progotive\" on identifying"},{"line_number":55,"context_line":"the correct course and scope as it relates to agent side implementation"},{"line_number":56,"context_line":"with the base stipulation that code to support URL access is *largely*"},{"line_number":57,"context_line":"in the form common code."}],"source_content_type":"text/x-rst","patch_set":7,"id":"21dfdc82_af93c91c","line":54,"in_reply_to":"6a1736f9_bb29d3e5","updated":"2025-01-21 21:20:33.000000000","message":"I\u0027m revising all this, and as such I think this is no longer valid, and image_download_source does affect the code in review.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"42814aaa62e61ab9c60d6b1e870589004f125156","unresolved":true,"context_lines":[{"line_number":58,"context_line":""},{"line_number":59,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":60,"context_line":"``instance_info/image_source`` value to"},{"line_number":61,"context_line":"\"docker://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":62,"context_line":"\"file.qcow2\" is retrieved and extracted. 
The protocol portion of the URL,"},{"line_number":63,"context_line":"specifically \"docker://\" shall be stripped from the URL provided to the"},{"line_number":64,"context_line":"underlying artifact retrieval tool."}],"source_content_type":"text/x-rst","patch_set":7,"id":"6cf03f08_d42b7702","line":61,"updated":"2024-11-14 14:07:02.000000000","message":"-1 to docker, please use oci (yes, I\u0027ve read the previous discussion).","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"e7dba8d9bd5de02eeb11631116adfeed9a591379","unresolved":true,"context_lines":[{"line_number":58,"context_line":""},{"line_number":59,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":60,"context_line":"``instance_info/image_source`` value to"},{"line_number":61,"context_line":"\"docker://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":62,"context_line":"\"file.qcow2\" is retrieved and extracted. The protocol portion of the URL,"},{"line_number":63,"context_line":"specifically \"docker://\" shall be stripped from the URL provided to the"},{"line_number":64,"context_line":"underlying artifact retrieval tool."}],"source_content_type":"text/x-rst","patch_set":7,"id":"74ce85b6_e0117bde","line":61,"in_reply_to":"4b601d45_47806164","updated":"2024-11-15 14:40:39.000000000","message":"I have two large issues despite what the documents say.\n\n1) We should not promote one commercial solution which is not even the one we really target.\n\n2) Using \"docker\" as a synonym of \"container\" already causes a lot of confusion, we\u0027re going to confuse users more, especially the ones who are not familiar with the history around the protocol.\n\nAs an exercise, imagine answering a user\u0027s question \"okay, so which docker command do I use to prepare an image for the docker:// protocol\". 
If we go down the artifact path, the answer may be \"podman\" :)\n\nI perceive a difference between using \"docker://\" in a skopeo command (where the context is very obvious) and in Ironic (where there are no other hints to derive the relationship with Docker-the-project or Docker-the-protocol).","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"aa747c6afafa3fd5b04483ec95d79422427e7d44","unresolved":true,"context_lines":[{"line_number":58,"context_line":""},{"line_number":59,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":60,"context_line":"``instance_info/image_source`` value to"},{"line_number":61,"context_line":"\"docker://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":62,"context_line":"\"file.qcow2\" is retrieved and extracted. 
The protocol portion of the URL,"},{"line_number":63,"context_line":"specifically \"docker://\" shall be stripped from the URL provided to the"},{"line_number":64,"context_line":"underlying artifact retrieval tool."}],"source_content_type":"text/x-rst","patch_set":7,"id":"4b601d45_47806164","line":61,"in_reply_to":"6cf03f08_d42b7702","updated":"2024-11-14 16:02:00.000000000","message":"And the linked documents in the discussion?","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"3bb06bd1f4f7f5a48b661b8d5a98b2a9edd89ff6","unresolved":true,"context_lines":[{"line_number":58,"context_line":""},{"line_number":59,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":60,"context_line":"``instance_info/image_source`` value to"},{"line_number":61,"context_line":"\"docker://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":62,"context_line":"\"file.qcow2\" is retrieved and extracted. 
The protocol portion of the URL,"},{"line_number":63,"context_line":"specifically \"docker://\" shall be stripped from the URL provided to the"},{"line_number":64,"context_line":"underlying artifact retrieval tool."}],"source_content_type":"text/x-rst","patch_set":7,"id":"dae0ea8a_b9abd014","line":61,"in_reply_to":"74ce85b6_e0117bde","updated":"2024-11-15 15:55:13.000000000","message":"I agree, except the oci \"protocol\" is just a superset of the docker2 protocol with some changes, I honestly don\u0027t care, but we have two extremes of perception to deal with here.\n\nThe answer really is to just accept whatever, strip the url protocol indicator type off, and just let the tools sort it out.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ca0763176703d28de3e8b677564c4b8d2ba48e67","unresolved":true,"context_lines":[{"line_number":58,"context_line":""},{"line_number":59,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":60,"context_line":"``instance_info/image_source`` value to"},{"line_number":61,"context_line":"\"docker://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":62,"context_line":"\"file.qcow2\" is retrieved and extracted. The protocol portion of the URL,"},{"line_number":63,"context_line":"specifically \"docker://\" shall be stripped from the URL provided to the"},{"line_number":64,"context_line":"underlying artifact retrieval tool."}],"source_content_type":"text/x-rst","patch_set":7,"id":"f193ce91_a4d58ba7","line":61,"in_reply_to":"aeae4738_2eacd38c","updated":"2024-11-15 20:17:50.000000000","message":"I think we\u0027re over thinking it if we just access the remote store then and bypass the command line tooling entirely. 
Please see the current revision which does a structural deep dive which also aligns with the OCI registry store modeling as well.\n\nWe don\u0027t tell them the commands to run to make the thing... *yet* and in that case I suspect they will have to be uploading to an OCI v1.0 (or maybe 1.1 if they ever reach agreement) store which should line up with the existing data.  And if we do that, we just show how to do it with the tools we\u0027re comfortable with.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"ca390785855f957102cd46d6bd506c7438e979fa","unresolved":true,"context_lines":[{"line_number":58,"context_line":""},{"line_number":59,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":60,"context_line":"``instance_info/image_source`` value to"},{"line_number":61,"context_line":"\"docker://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":62,"context_line":"\"file.qcow2\" is retrieved and extracted. The protocol portion of the URL,"},{"line_number":63,"context_line":"specifically \"docker://\" shall be stripped from the URL provided to the"},{"line_number":64,"context_line":"underlying artifact retrieval tool."}],"source_content_type":"text/x-rst","patch_set":7,"id":"aeae4738_2eacd38c","line":61,"in_reply_to":"dae0ea8a_b9abd014","updated":"2024-11-15 16:08:57.000000000","message":"\u003e The answer really is to just accept whatever\n\nThere will be another side of the equation: users that will most likely need to use the \u0027podman\u0027 command to publish the image that later will use the docker:// protocol despite the fact that docker cannot produce (or can it?) 
a suitable image easily.\n\nCalling a tool, a product, and a protocol the same name was a mistake.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[{"line_number":58,"context_line":""},{"line_number":59,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":60,"context_line":"``instance_info/image_source`` value to"},{"line_number":61,"context_line":"\"docker://fqdn:port/container:latest#file.qcow2\", which would result in"},{"line_number":62,"context_line":"\"file.qcow2\" is retrieved and extracted. The protocol portion of the URL,"},{"line_number":63,"context_line":"specifically \"docker://\" shall be stripped from the URL provided to the"},{"line_number":64,"context_line":"underlying artifact retrieval tool."}],"source_content_type":"text/x-rst","patch_set":7,"id":"754c0543_57317176","line":61,"in_reply_to":"f193ce91_a4d58ba7","updated":"2025-01-21 21:20:33.000000000","message":"I think we\u0027ve resolved this.... 
If not please re-open.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"42814aaa62e61ab9c60d6b1e870589004f125156","unresolved":true,"context_lines":[{"line_number":67,"context_line":"   When discussed during the Epoxy development cycle Project Teams Gathering,"},{"line_number":68,"context_line":"   the consensus on the URL form was \"oci://\", however looking at possible"},{"line_number":69,"context_line":"   options and modeling, the OCI path specification is intended for \"on disk\""},{"line_number":70,"context_line":"   containers, where as \"docker://\" is intended for remote registries."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":".. NOTE::"},{"line_number":73,"context_line":"   Back-end tools which authenticate and interact with container registries,"}],"source_content_type":"text/x-rst","patch_set":7,"id":"6c4229ee_72278a12","line":70,"updated":"2024-11-14 14:07:02.000000000","message":"... still hard nope. 
I\u0027m open to something like container:// if we\u0027re sure-sure-sure that we should not use OCI (I don\u0027t understand the \"on disk\" bit).","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ca0763176703d28de3e8b677564c4b8d2ba48e67","unresolved":true,"context_lines":[{"line_number":67,"context_line":"   When discussed during the Epoxy development cycle Project Teams Gathering,"},{"line_number":68,"context_line":"   the consensus on the URL form was \"oci://\", however looking at possible"},{"line_number":69,"context_line":"   options and modeling, the OCI path specification is intended for \"on disk\""},{"line_number":70,"context_line":"   containers, where as \"docker://\" is intended for remote registries."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":".. NOTE::"},{"line_number":73,"context_line":"   Back-end tools which authenticate and interact with container registries,"}],"source_content_type":"text/x-rst","patch_set":7,"id":"c228280d_76fcb6e6","line":70,"in_reply_to":"2b4deb6a_6c6c5858","updated":"2024-11-15 20:17:50.000000000","message":"... 
file path folder structure in a tgz file.\n\ntry copy with a target of oci://home/youruser/machine-os as the target and then change that to oci-artifact://home/youruser/machine-os and you\u0027ll see what I\u0027m talking about.\n\nAlso, if you try:\n\n$ skopeo inspect --raw oci://quay.io/podman/machine-os:5.3\nFATA[0000] Error parsing image name \"oci://quay.io/podman/machine-os:5.3\": lstat /quay.io: no such file or directory\n\nYou\u0027ll get a nice error because oci:// is *not* the convention for remote registries, even though we\u0027re attempting to set it here, we need to be open to minimize confusion.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"e7dba8d9bd5de02eeb11631116adfeed9a591379","unresolved":true,"context_lines":[{"line_number":67,"context_line":"   When discussed during the Epoxy development cycle Project Teams Gathering,"},{"line_number":68,"context_line":"   the consensus on the URL form was \"oci://\", however looking at possible"},{"line_number":69,"context_line":"   options and modeling, the OCI path specification is intended for \"on disk\""},{"line_number":70,"context_line":"   containers, where as \"docker://\" is intended for remote registries."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":".. 
NOTE::"},{"line_number":73,"context_line":"   Back-end tools which authenticate and interact with container registries,"}],"source_content_type":"text/x-rst","patch_set":7,"id":"ff5c1f00_ac3f1d85","line":70,"in_reply_to":"6c4229ee_72278a12","updated":"2024-11-15 14:40:39.000000000","message":"Another idea: oci-artifact://","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[{"line_number":67,"context_line":"   When discussed during the Epoxy development cycle Project Teams Gathering,"},{"line_number":68,"context_line":"   the consensus on the URL form was \"oci://\", however looking at possible"},{"line_number":69,"context_line":"   options and modeling, the OCI path specification is intended for \"on disk\""},{"line_number":70,"context_line":"   containers, where as \"docker://\" is intended for remote registries."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":".. 
NOTE::"},{"line_number":73,"context_line":"   Back-end tools which authenticate and interact with container registries,"}],"source_content_type":"text/x-rst","patch_set":7,"id":"a4cb71f9_9740a622","line":70,"in_reply_to":"c228280d_76fcb6e6","updated":"2025-01-21 21:20:33.000000000","message":"Done, I think we resolved this thread.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"3bb06bd1f4f7f5a48b661b8d5a98b2a9edd89ff6","unresolved":true,"context_lines":[{"line_number":67,"context_line":"   When discussed during the Epoxy development cycle Project Teams Gathering,"},{"line_number":68,"context_line":"   the consensus on the URL form was \"oci://\", however looking at possible"},{"line_number":69,"context_line":"   options and modeling, the OCI path specification is intended for \"on disk\""},{"line_number":70,"context_line":"   containers, where as \"docker://\" is intended for remote registries."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":".. 
NOTE::"},{"line_number":73,"context_line":"   Back-end tools which authenticate and interact with container registries,"}],"source_content_type":"text/x-rst","patch_set":7,"id":"2b4deb6a_6c6c5858","line":70,"in_reply_to":"ff5c1f00_ac3f1d85","updated":"2024-11-15 15:55:13.000000000","message":"oci-artifact is explicitly noted to be a file path to a folder structure...\n\nWhich in the older and still current docs on projects (even if the tools under the hood can still figure it out, the docs were not updated, oci://path is the model documented.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"42814aaa62e61ab9c60d6b1e870589004f125156","unresolved":true,"context_lines":[{"line_number":88,"context_line":".. NOTE::"},{"line_number":89,"context_line":"   An option question is the use of checksums. Under the proposed model, the"},{"line_number":90,"context_line":"   checksum would still be required, but could be a URL to the same or"},{"line_number":91,"context_line":"   another container\u0027s checksum payload file."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":".. NOTE::"},{"line_number":94,"context_line":"   While it is *entirely* possible to implement a pure python client, for an"}],"source_content_type":"text/x-rst","patch_set":7,"id":"f8797b2d_03bcd21c","line":91,"updated":"2024-11-14 14:07:02.000000000","message":"It\u0027s very common for container references to have a checksum, and some people feel very strongly about using them (since tags can be easily replaced). 
Example: https://github.com/metal3-io/baremetal-operator/blob/main/Dockerfile#L2-L3","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[{"line_number":88,"context_line":".. NOTE::"},{"line_number":89,"context_line":"   An option question is the use of checksums. Under the proposed model, the"},{"line_number":90,"context_line":"   checksum would still be required, but could be a URL to the same or"},{"line_number":91,"context_line":"   another container\u0027s checksum payload file."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":".. NOTE::"},{"line_number":94,"context_line":"   While it is *entirely* possible to implement a pure python client, for an"}],"source_content_type":"text/x-rst","patch_set":7,"id":"636adb49_36864c07","line":91,"in_reply_to":"15996596_62c1a4c8","updated":"2025-01-21 21:20:33.000000000","message":"I think this is also resolved at this point. Text has also been re-written.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"d58471b34a6dd7b4804bd37c7948618097725f0f","unresolved":true,"context_lines":[{"line_number":88,"context_line":".. NOTE::"},{"line_number":89,"context_line":"   An option question is the use of checksums. Under the proposed model, the"},{"line_number":90,"context_line":"   checksum would still be required, but could be a URL to the same or"},{"line_number":91,"context_line":"   another container\u0027s checksum payload file."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":".. 
NOTE::"},{"line_number":94,"context_line":"   While it is *entirely* possible to implement a pure python client, for an"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fc4861ce_50ebaa0f","line":91,"in_reply_to":"1fd6957f_132811b0","updated":"2024-11-18 12:34:38.000000000","message":"Yeah, but we only need to verify that what we got over network is what we expect to get (as you rightfully say, it\u0027s also the case for qcow2 images - the conductor-side conversion is not always enabled!). The built-in checksums do exactly that.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ca0763176703d28de3e8b677564c4b8d2ba48e67","unresolved":true,"context_lines":[{"line_number":88,"context_line":".. NOTE::"},{"line_number":89,"context_line":"   An option question is the use of checksums. Under the proposed model, the"},{"line_number":90,"context_line":"   checksum would still be required, but could be a URL to the same or"},{"line_number":91,"context_line":"   another container\u0027s checksum payload file."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":".. NOTE::"},{"line_number":94,"context_line":"   While it is *entirely* possible to implement a pure python client, for an"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1fd6957f_132811b0","line":91,"in_reply_to":"8713a470_87a2ca31","updated":"2024-11-15 20:17:50.000000000","message":"A note for your impression that we get checksums for free. We actually, really, don\u0027t.  
We get checksums of the compressed artifacts which require further extraction:\n\n$ sha256sum ./blobs/sha256/ba8314fa3e3a52055761afa9045165cb8db679423c5e1c6a216cb350c5fb45e2\nba8314fa3e3a52055761afa9045165cb8db679423c5e1c6a216cb350c5fb45e2  ./blobs/sha256/ba8314fa3e3a52055761afa9045165cb8db679423c5e1c6a216cb350c5fb45e2\n\nNote the match...\n\n$ zstdcat ./blobs/sha256/ba8314fa3e3a52055761afa9045165cb8db679423c5e1c6a216cb350c5fb45e2 \u003e actual_raw_image\n\nDecompressed to actual_raw_image\n\n$ sha256sum actual_raw_image \n6bc468b39b8bd6dcad05262c5332035f6c8a293761797bf474d801d535f67825  actual_raw_image\n\nwhich means, if we just stream the artifact and don\u0027t need to force the artifact to raw to stream it, then any assumption the original recorded blob checksum matches what we need to write to disk, is broken and the values won\u0027t match. The same holds true for qcows, we still need to decompress them too, and ironic right now would still convert it to raw. The key is going to be upfront selection or a reliable image selection pattern for the user.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"e7dba8d9bd5de02eeb11631116adfeed9a591379","unresolved":true,"context_lines":[{"line_number":88,"context_line":".. NOTE::"},{"line_number":89,"context_line":"   An option question is the use of checksums. Under the proposed model, the"},{"line_number":90,"context_line":"   checksum would still be required, but could be a URL to the same or"},{"line_number":91,"context_line":"   another container\u0027s checksum payload file."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":".. 
NOTE::"},{"line_number":94,"context_line":"   While it is *entirely* possible to implement a pure python client, for an"}],"source_content_type":"text/x-rst","patch_set":7,"id":"8713a470_87a2ca31","line":91,"in_reply_to":"99d2334d_93c51c70","updated":"2024-11-15 14:40:39.000000000","message":"I don\u0027t think we should go down the \"file in a filesystem\" path, but in any case, you get checksums for free, so it may be worth spelling it out as a nice bonus. You make it sound like a downside of this proposal.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"aa747c6afafa3fd5b04483ec95d79422427e7d44","unresolved":true,"context_lines":[{"line_number":88,"context_line":".. NOTE::"},{"line_number":89,"context_line":"   An option question is the use of checksums. Under the proposed model, the"},{"line_number":90,"context_line":"   checksum would still be required, but could be a URL to the same or"},{"line_number":91,"context_line":"   another container\u0027s checksum payload file."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":".. NOTE::"},{"line_number":94,"context_line":"   While it is *entirely* possible to implement a pure python client, for an"}],"source_content_type":"text/x-rst","patch_set":7,"id":"99d2334d_93c51c70","line":91,"in_reply_to":"f8797b2d_03bcd21c","updated":"2024-11-14 16:02:00.000000000","message":"The point of the comment is to try and cast the context that I have no intent of removing the checksum requirement, since it has repeatedly come up in discussion to drop the requirement as a result of this feature, and the underlying oci image structure inherently has it if the file is a whole \"layer\" in the data model. 
That being said, the existing pattern I\u0027ve been observing is file on a filesystem in a container, not file as a layer in a container.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"983f1dbecfe9f5d5c8f478091d62277b20747b63","unresolved":true,"context_lines":[{"line_number":88,"context_line":".. NOTE::"},{"line_number":89,"context_line":"   An option question is the use of checksums. Under the proposed model, the"},{"line_number":90,"context_line":"   checksum would still be required, but could be a URL to the same or"},{"line_number":91,"context_line":"   another container\u0027s checksum payload file."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":".. NOTE::"},{"line_number":94,"context_line":"   While it is *entirely* possible to implement a pure python client, for an"}],"source_content_type":"text/x-rst","patch_set":7,"id":"15996596_62c1a4c8","line":91,"in_reply_to":"fc4861ce_50ebaa0f","updated":"2024-11-18 15:48:48.000000000","message":"Well, the model of the checksum we have today is the *user* or some service on the user\u0027s behalf is saying \"I expect this\", do we checksum the end result after we unpack it, or do we let the transport which could overall be compromised, assert it?\n\nIf we just say it is high level transport, then we begin to break the base contract we offered with the checksum field(s).","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"42814aaa62e61ab9c60d6b1e870589004f125156","unresolved":true,"context_lines":[{"line_number":97,"context_line":"   may not want to expose the project to having to track the fine details"},{"line_number":98,"context_line":"   of container URLs and 
distribution protocols. The biggest unknown is"},{"line_number":99,"context_line":"   authenticaiton handling, which is clearly covered for command line tool"},{"line_number":100,"context_line":"   usage."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":103,"context_line":"require authentication. The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":7,"id":"ea71abe5_9976605a","line":100,"updated":"2024-11-14 14:07:02.000000000","message":"I really hope to learn in 2 hours that podman is such a tool. If not.. we\u0027ll see.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[{"line_number":97,"context_line":"   may not want to expose the project to having to track the fine details"},{"line_number":98,"context_line":"   of container URLs and distribution protocols. The biggest unknown is"},{"line_number":99,"context_line":"   authenticaiton handling, which is clearly covered for command line tool"},{"line_number":100,"context_line":"   usage."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":103,"context_line":"require authentication. 
The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":7,"id":"52c3fa67_1393b799","line":100,"in_reply_to":"b2f2bee8_644e750e","updated":"2025-01-21 21:20:33.000000000","message":"I think this is resolved now.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ca0763176703d28de3e8b677564c4b8d2ba48e67","unresolved":true,"context_lines":[{"line_number":97,"context_line":"   may not want to expose the project to having to track the fine details"},{"line_number":98,"context_line":"   of container URLs and distribution protocols. The biggest unknown is"},{"line_number":99,"context_line":"   authenticaiton handling, which is clearly covered for command line tool"},{"line_number":100,"context_line":"   usage."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":103,"context_line":"require authentication. The best course of action is to support submission"}],"source_content_type":"text/x-rst","patch_set":7,"id":"b2f2bee8_644e750e","line":100,"in_reply_to":"ea71abe5_9976605a","updated":"2024-11-15 20:17:50.000000000","message":"The more I look at the data structure they are using, and the data modeling with the streaming challenge, the more I think we just need to do this in python. Steve seems to think he has some prior art as well, the key would just be sorting out authentication and decompression. 
He anticipates he will look at this spec again on his next Monday.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"42814aaa62e61ab9c60d6b1e870589004f125156","unresolved":true,"context_lines":[{"line_number":100,"context_line":"   usage."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":103,"context_line":"require authentication. The best course of action is to support submission"},{"line_number":104,"context_line":"of a \"pull secret\" to enable image retrieval by the user in the form of"},{"line_number":105,"context_line":"an ``instance_info/image_pull_secret`` value. The existing secret protection"},{"line_number":106,"context_line":"code in the API surface should guard this value from being API visible, but"}],"source_content_type":"text/x-rst","patch_set":7,"id":"d3b86fc5_dfe99129","line":103,"updated":"2024-11-14 14:07:02.000000000","message":"nit: It\u0027s not distinct, it\u0027s very high for any on-premise usage. Definitely for OpenShift.","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ca0763176703d28de3e8b677564c4b8d2ba48e67","unresolved":false,"context_lines":[{"line_number":100,"context_line":"   usage."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":103,"context_line":"require authentication. 
The best course of action is to support submission"},{"line_number":104,"context_line":"of a \"pull secret\" to enable image retrieval by the user in the form of"},{"line_number":105,"context_line":"an ``instance_info/image_pull_secret`` value. The existing secret protection"},{"line_number":106,"context_line":"code in the API surface should guard this value from being API visible, but"}],"source_content_type":"text/x-rst","patch_set":7,"id":"e304628f_2bb7a311","line":103,"in_reply_to":"3da3adae_da658757","updated":"2024-11-15 20:17:50.000000000","message":"Done","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"e7dba8d9bd5de02eeb11631116adfeed9a591379","unresolved":true,"context_lines":[{"line_number":100,"context_line":"   usage."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":103,"context_line":"require authentication. The best course of action is to support submission"},{"line_number":104,"context_line":"of a \"pull secret\" to enable image retrieval by the user in the form of"},{"line_number":105,"context_line":"an ``instance_info/image_pull_secret`` value. The existing secret protection"},{"line_number":106,"context_line":"code in the API surface should guard this value from being API visible, but"}],"source_content_type":"text/x-rst","patch_set":7,"id":"beadf939_7c8448df","line":103,"in_reply_to":"a0ee2123_7f59951a","updated":"2024-11-15 14:40:39.000000000","message":"Sure, and we can make it optional as well. 
I\u0027m just pointing out that not having authentication may be an immediate blocker for many consumers (like OCP).","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"3bb06bd1f4f7f5a48b661b8d5a98b2a9edd89ff6","unresolved":true,"context_lines":[{"line_number":100,"context_line":"   usage."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":103,"context_line":"require authentication. The best course of action is to support submission"},{"line_number":104,"context_line":"of a \"pull secret\" to enable image retrieval by the user in the form of"},{"line_number":105,"context_line":"an ``instance_info/image_pull_secret`` value. The existing secret protection"},{"line_number":106,"context_line":"code in the API surface should guard this value from being API visible, but"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3da3adae_da658757","line":103,"in_reply_to":"beadf939_7c8448df","updated":"2024-11-15 15:55:13.000000000","message":"I\u0027m totally good with that! Thanks!","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"aa747c6afafa3fd5b04483ec95d79422427e7d44","unresolved":true,"context_lines":[{"line_number":100,"context_line":"   usage."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"A distinct possibiliy also exists that the remote container registry will"},{"line_number":103,"context_line":"require authentication. 
The best course of action is to support submission"},{"line_number":104,"context_line":"of a \"pull secret\" to enable image retrieval by the user in the form of"},{"line_number":105,"context_line":"an ``instance_info/image_pull_secret`` value. The existing secret protection"},{"line_number":106,"context_line":"code in the API surface should guard this value from being API visible, but"}],"source_content_type":"text/x-rst","patch_set":7,"id":"a0ee2123_7f59951a","line":103,"in_reply_to":"d3b86fc5_dfe99129","updated":"2024-11-14 16:02:00.000000000","message":"Good data point, some folks I\u0027ve discussed it with frame this as \"entirely optional\".","commit_id":"0d69148f7b73e914574617ced6474acdf337efc9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"abde8a9003925a4ceafd13897ea49c88efe69ea5","unresolved":true,"context_lines":[{"line_number":134,"context_line":"   this model. A decision if it should be supported as part of the specific"},{"line_number":135,"context_line":"   user supplied URL has not made, and as such we will expect the use"},{"line_number":136,"context_line":"   of the ``image_checksum`` field or ``os_hash_algo`` and ``os_hash_value``"},{"line_number":137,"context_line":"   fields."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":".. 
NOTE::"},{"line_number":140,"context_line":"   While it is *entirely* possible to implement a pure python client, for an"}],"source_content_type":"text/x-rst","patch_set":8,"id":"166cba44_7acd50b3","line":137,"updated":"2024-11-21 15:44:08.000000000","message":"As long as you don\u0027t make them mandatory (as they are with normal images), I\u0027m good.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"bb1637ed6b74bfeb4f2791e765b8df9496d1eca2","unresolved":false,"context_lines":[{"line_number":134,"context_line":"   this model. A decision if it should be supported as part of the specific"},{"line_number":135,"context_line":"   user supplied URL has not made, and as such we will expect the use"},{"line_number":136,"context_line":"   of the ``image_checksum`` field or ``os_hash_algo`` and ``os_hash_value``"},{"line_number":137,"context_line":"   fields."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":".. NOTE::"},{"line_number":140,"context_line":"   While it is *entirely* possible to implement a pure python client, for an"}],"source_content_type":"text/x-rst","patch_set":8,"id":"272e5664_9bf230fa","line":137,"in_reply_to":"166cba44_7acd50b3","updated":"2024-11-25 18:51:38.000000000","message":"I think we need to discuss this in high bandwidth. 
I\u0027ll further add to the note, because I do generally agree when I reframe it as \"similar to glance\"","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"9b3d22349ea9b2c95b8f52324f4a7282d4c2e543","unresolved":true,"context_lines":[{"line_number":145,"context_line":"   authentication handling, which is clearly covered for command line tool"},{"line_number":146,"context_line":"   usage. It should be noted a native or pure-python image registry client,"},{"line_number":147,"context_line":"   in the proposed model, is the most powerful path to take as it would enable"},{"line_number":148,"context_line":"   raw image streaming."},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"Furthermore, many registries, for example like one hosted on OpenShift,"},{"line_number":151,"context_line":"explicitly require authentication for users to access contents in the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"a45b92ce_621098a5","line":148,"updated":"2024-11-20 23:44:37.000000000","message":"Clarifying my read of this: We may MVP by shelling out, but the end-goal is a native python client?","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1b27501b869b11383e0edcce5349a4579e06599a","unresolved":true,"context_lines":[{"line_number":145,"context_line":"   authentication handling, which is clearly covered for command line tool"},{"line_number":146,"context_line":"   usage. 
It should be noted a native or pure-python image registry client,"},{"line_number":147,"context_line":"   in the proposed model, is the most powerful path to take as it would enable"},{"line_number":148,"context_line":"   raw image streaming."},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"Furthermore, many registries, for example like one hosted on OpenShift,"},{"line_number":151,"context_line":"explicitly require authentication for users to access contents in the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"bfcf3b56_0b312b6c","line":148,"in_reply_to":"a45b92ce_621098a5","updated":"2024-11-21 15:26:49.000000000","message":"I\u0027ve been talking with Steve Baker, and since we now sort of understand the auth mode, at least with pull secrets.. and we should be able to do it native python out of the box.\n\nDoing so opens the door to streaming on some level as well, and is ultimately more efficient because the podman commands we would need to do the single artifact extract are under development, but won\u0027t be available for at least a few more months.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"bb1637ed6b74bfeb4f2791e765b8df9496d1eca2","unresolved":false,"context_lines":[{"line_number":145,"context_line":"   authentication handling, which is clearly covered for command line tool"},{"line_number":146,"context_line":"   usage. 
It should be noted a native or pure-python image registry client,"},{"line_number":147,"context_line":"   in the proposed model, is the most powerful path to take as it would enable"},{"line_number":148,"context_line":"   raw image streaming."},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"Furthermore, many registries, for example like one hosted on OpenShift,"},{"line_number":151,"context_line":"explicitly require authentication for users to access contents in the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"8f4a5c8f_6fb03564","line":148,"in_reply_to":"b4ab640b_9687f0ca","updated":"2024-11-25 18:51:38.000000000","message":"Yeah, at this point, re-writing.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"d405f507e38dfa163563c6814bdbb1d91660d910","unresolved":true,"context_lines":[{"line_number":145,"context_line":"   authentication handling, which is clearly covered for command line tool"},{"line_number":146,"context_line":"   usage. It should be noted a native or pure-python image registry client,"},{"line_number":147,"context_line":"   in the proposed model, is the most powerful path to take as it would enable"},{"line_number":148,"context_line":"   raw image streaming."},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"Furthermore, many registries, for example like one hosted on OpenShift,"},{"line_number":151,"context_line":"explicitly require authentication for users to access contents in the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"b4ab640b_9687f0ca","line":148,"in_reply_to":"bfcf3b56_0b312b6c","updated":"2024-11-21 19:14:30.000000000","message":"This sounds awesome, and like it\u0027ll make mapping something into IPA a lot easier. 
Does this section of the spec need revision to reflect that, or did I misread it?","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"9b3d22349ea9b2c95b8f52324f4a7282d4c2e543","unresolved":true,"context_lines":[{"line_number":166,"context_line":"   the Ironic service through configuration. Such a capability is a"},{"line_number":167,"context_line":"   non-mvp item, which may be implemented by the community is a basic host"},{"line_number":168,"context_line":"   URL to authentication key mapping, but such work is outside the scope"},{"line_number":169,"context_line":"   of this specification and may be handled through simple RFE process."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"To help enable management of capabilities, a new configuration option will"},{"line_number":172,"context_line":"also be introduced to allow operators to disable this capability."}],"source_content_type":"text/x-rst","patch_set":8,"id":"9b228595_d7d8c5a3","line":169,"updated":"2024-11-20 23:44:37.000000000","message":"We don\u0027t even intend on allowing for configuration of a universal secret as the MVP? I am not keen that our MVP of this project may require this much credential passing over the Ironic API.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"b0429583911f193001f3b76ee6a1f8e86c32963d","unresolved":true,"context_lines":[{"line_number":166,"context_line":"   the Ironic service through configuration. 
Such a capability is a"},{"line_number":167,"context_line":"   non-mvp item, which may be implemented by the community is a basic host"},{"line_number":168,"context_line":"   URL to authentication key mapping, but such work is outside the scope"},{"line_number":169,"context_line":"   of this specification and may be handled through simple RFE process."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"To help enable management of capabilities, a new configuration option will"},{"line_number":172,"context_line":"also be introduced to allow operators to disable this capability."}],"source_content_type":"text/x-rst","patch_set":8,"id":"5d47f2c8_903b860d","line":169,"in_reply_to":"02714ea8_67ad15d5","updated":"2025-01-08 15:42:00.000000000","message":"\u003e I think the potential problem with that is that without some type of mapped-config (e.g. key: hostname value: secret)\n\nThere is a standard on such a config: see how podman/docker keep their authentication files.\n\n\u003e Agreed, we can\u0027t just have a static pull secret. \n\nYou\u0027re making our lives harder (to the extent that I don\u0027t know if we\u0027ll be able to use this feature in Metal3, definitely not in OpenShift) for no obvious reason :-/","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[{"line_number":166,"context_line":"   the Ironic service through configuration. 
Such a capability is a"},{"line_number":167,"context_line":"   non-mvp item, which may be implemented by the community is a basic host"},{"line_number":168,"context_line":"   URL to authentication key mapping, but such work is outside the scope"},{"line_number":169,"context_line":"   of this specification and may be handled through simple RFE process."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"To help enable management of capabilities, a new configuration option will"},{"line_number":172,"context_line":"also be introduced to allow operators to disable this capability."}],"source_content_type":"text/x-rst","patch_set":8,"id":"b2225b13_99086f33","line":169,"in_reply_to":"525d0adc_a60f911f","updated":"2025-01-21 21:20:33.000000000","message":"I confirmed this last week. I\u0027m updating the spec to also note we\u0027re supporting docker auths config file format, as the change already has that support. That should also ultimately address JayF\u0027s needs as well, and then everyone should be happy.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"97087b642dad265885e80862ee448fde40f600e5","unresolved":true,"context_lines":[{"line_number":166,"context_line":"   the Ironic service through configuration. 
Such a capability is a"},{"line_number":167,"context_line":"   non-mvp item, which may be implemented by the community is a basic host"},{"line_number":168,"context_line":"   URL to authentication key mapping, but such work is outside the scope"},{"line_number":169,"context_line":"   of this specification and may be handled through simple RFE process."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"To help enable management of capabilities, a new configuration option will"},{"line_number":172,"context_line":"also be introduced to allow operators to disable this capability."}],"source_content_type":"text/x-rst","patch_set":8,"id":"525d0adc_a60f911f","line":169,"in_reply_to":"5872a621_2aa9ba61","updated":"2025-01-10 21:02:22.000000000","message":"I need to double check, but I think the model is blank username, and the auth is sent as a password for the authentication.\n\nThe reality is, I think it is fine if we also support reading a file, but I didn\u0027t want to try and bolt all that in on the first pass. The current code in review does have a carve out to try and make centralized auth from the operating context of the service a possibility as well.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"4d681784f6b7bbd0dfa886903760ef27d389f5bf","unresolved":true,"context_lines":[{"line_number":166,"context_line":"   the Ironic service through configuration. 
Such a capability is a"},{"line_number":167,"context_line":"   non-mvp item, which may be implemented by the community is a basic host"},{"line_number":168,"context_line":"   URL to authentication key mapping, but such work is outside the scope"},{"line_number":169,"context_line":"   of this specification and may be handled through simple RFE process."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"To help enable management of capabilities, a new configuration option will"},{"line_number":172,"context_line":"also be introduced to allow operators to disable this capability."}],"source_content_type":"text/x-rst","patch_set":8,"id":"5872a621_2aa9ba61","line":169,"in_reply_to":"5d47f2c8_903b860d","updated":"2025-01-08 15:49:13.000000000","message":"To be clear, this is how an authentication file looks like on my development environment: https://paste.opendev.org/show/b7amWp4OqDggCvwsy5QY/\n\nSomething like this would be mounted to the Ironic container and linked in ironic.conf to be used by the extraction code. Going through the suggested flow here would require me to parse this file on the BMO level, guess the right host and pass it to instance_info?","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"bb1637ed6b74bfeb4f2791e765b8df9496d1eca2","unresolved":true,"context_lines":[{"line_number":166,"context_line":"   the Ironic service through configuration. 
Such a capability is a"},{"line_number":167,"context_line":"   non-mvp item, which may be implemented by the community is a basic host"},{"line_number":168,"context_line":"   URL to authentication key mapping, but such work is outside the scope"},{"line_number":169,"context_line":"   of this specification and may be handled through simple RFE process."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"To help enable management of capabilities, a new configuration option will"},{"line_number":172,"context_line":"also be introduced to allow operators to disable this capability."}],"source_content_type":"text/x-rst","patch_set":8,"id":"02714ea8_67ad15d5","line":169,"in_reply_to":"735a8751_8b610559","updated":"2024-11-25 18:51:38.000000000","message":"Agreed, we can\u0027t just have a static pull secret. It is a complete no-go to also rewrite the config file for metal3.\n\nWhile the secret is \"encrypted\", one could take a secret they identify from an exchange and then use it elsewhere, so technical CVE if someone is in a situation where they could detect it.\n\nAnd that is sort of aside from the fact that doing configuration in the config file is also sort of an antipattern we should be trying to avoid...\n\nThe bottom line is we already have some of this happening with URLs today with standalone. The key is to make things better as we evolve.\n\nEven *then*, if we have to get conductor side config details to the agent, that is even more complexity.. :\\\n\nI guess one thought is we could permit it to be posted to the agent as body payload on a request?!","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"abde8a9003925a4ceafd13897ea49c88efe69ea5","unresolved":true,"context_lines":[{"line_number":166,"context_line":"   the Ironic service through configuration. 
Such a capability is a"},{"line_number":167,"context_line":"   non-mvp item, which may be implemented by the community is a basic host"},{"line_number":168,"context_line":"   URL to authentication key mapping, but such work is outside the scope"},{"line_number":169,"context_line":"   of this specification and may be handled through simple RFE process."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"To help enable management of capabilities, a new configuration option will"},{"line_number":172,"context_line":"also be introduced to allow operators to disable this capability."}],"source_content_type":"text/x-rst","patch_set":8,"id":"a3609686_d572ac4e","line":169,"in_reply_to":"76d79e72_fa77ae1e","updated":"2024-11-21 15:44:08.000000000","message":"Note: I agree that instance_info level is very valuable, but I also suspect that without a conductor-level option it\u0027s going to be useless for Metal3/OpenShift (I\u0027m not going to pass the pull secret through entire BMO).\n\nWhat is the difficulty here? Aren\u0027t we talking about something as complex as\n\n pull_secret \u003d node.instance_info.get(\u0027image_pull_secret\u0027) or CONF.conductor.image_pull_secret\n \n?","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1b27501b869b11383e0edcce5349a4579e06599a","unresolved":true,"context_lines":[{"line_number":166,"context_line":"   the Ironic service through configuration. 
Such a capability is a"},{"line_number":167,"context_line":"   non-mvp item, which may be implemented by the community is a basic host"},{"line_number":168,"context_line":"   URL to authentication key mapping, but such work is outside the scope"},{"line_number":169,"context_line":"   of this specification and may be handled through simple RFE process."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"To help enable management of capabilities, a new configuration option will"},{"line_number":172,"context_line":"also be introduced to allow operators to disable this capability."}],"source_content_type":"text/x-rst","patch_set":8,"id":"76d79e72_fa77ae1e","line":169,"in_reply_to":"9b228595_d7d8c5a3","updated":"2024-11-21 15:26:49.000000000","message":"I\u0027m sorry you feel that way, but the bottom line is we need to support some configurability via the user. Expecting conductor side configuration really just doesn\u0027t work and is obviously then not user specific.\n\nFurthermore, this follows existing HTTP url use modeling *and* if properly done is an encrypted secret which is still overall in a better position.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"d405f507e38dfa163563c6814bdbb1d91660d910","unresolved":true,"context_lines":[{"line_number":166,"context_line":"   the Ironic service through configuration. 
Such a capability is a"},{"line_number":167,"context_line":"   non-mvp item, which may be implemented by the community is a basic host"},{"line_number":168,"context_line":"   URL to authentication key mapping, but such work is outside the scope"},{"line_number":169,"context_line":"   of this specification and may be handled through simple RFE process."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"To help enable management of capabilities, a new configuration option will"},{"line_number":172,"context_line":"also be introduced to allow operators to disable this capability."}],"source_content_type":"text/x-rst","patch_set":8,"id":"735a8751_8b610559","line":169,"in_reply_to":"a3609686_d572ac4e","updated":"2024-11-21 19:14:30.000000000","message":"I think the potential problem with that is that without some type of mapped-config (e.g. key: hostname value: secret), it\u0027s EXTREMELY EASY to end up with a CVE where I can force Ironic to pass a secret for \"registry A\" to \"registry B\".","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"abde8a9003925a4ceafd13897ea49c88efe69ea5","unresolved":true,"context_lines":[{"line_number":198,"context_line":".. WARNING::"},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"   The examples of container artifact modeling for disk images does not"},{"line_number":201,"context_line":"   solve the underlying challenge of a kernel/ramdisk artifact. 
That being"},{"line_number":202,"context_line":"   said, it is entirely possible that we, as a project, determine an"},{"line_number":203,"context_line":"   appropriate annotation to denote kernel/ramdisk related artifacts from a"},{"line_number":204,"context_line":"   container supporting the overall operation of the Ironic deployment,"}],"source_content_type":"text/x-rst","patch_set":8,"id":"496ae5ad_490de3e9","line":201,"updated":"2024-11-21 15:44:08.000000000","message":"What\u0027s the challenge in doing stuff like\n\n deploy_kernel \u003d docker://quay.io/dtantsur/my-ipa:kernel@sha256:abcd\n deploy_ramdisk \u003d docker://quay.io/dtantsur/my-ipa:initramfs@sha256:efgh\n \n? (I don\u0027t insist that we cover this feature in the MVP, just setting my expectations)","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"97087b642dad265885e80862ee448fde40f600e5","unresolved":true,"context_lines":[{"line_number":198,"context_line":".. WARNING::"},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"   The examples of container artifact modeling for disk images does not"},{"line_number":201,"context_line":"   solve the underlying challenge of a kernel/ramdisk artifact. That being"},{"line_number":202,"context_line":"   said, it is entirely possible that we, as a project, determine an"},{"line_number":203,"context_line":"   appropriate annotation to denote kernel/ramdisk related artifacts from a"},{"line_number":204,"context_line":"   container supporting the overall operation of the Ironic deployment,"}],"source_content_type":"text/x-rst","patch_set":8,"id":"eb5d5413_a08dbffd","line":201,"in_reply_to":"1e44854e_d6e19e74","updated":"2025-01-10 21:02:22.000000000","message":"FWIW, in the data model and existing code, the tag gets ignored when the digest is specified. 
as the digest is the direct pointer to the manifest which refers to the backend blob.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"bb1637ed6b74bfeb4f2791e765b8df9496d1eca2","unresolved":true,"context_lines":[{"line_number":198,"context_line":".. WARNING::"},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"   The examples of container artifact modeling for disk images does not"},{"line_number":201,"context_line":"   solve the underlying challenge of a kernel/ramdisk artifact. That being"},{"line_number":202,"context_line":"   said, it is entirely possible that we, as a project, determine an"},{"line_number":203,"context_line":"   appropriate annotation to denote kernel/ramdisk related artifacts from a"},{"line_number":204,"context_line":"   container supporting the overall operation of the Ironic deployment,"}],"source_content_type":"text/x-rst","patch_set":8,"id":"1e44854e_d6e19e74","line":201,"in_reply_to":"496ae5ad_490de3e9","updated":"2024-11-25 18:51:38.000000000","message":"So a tag is just a pointer in the reference of where to look high level, like a different version.\n\nPutting the digest on the end *would* help on the first pass, so basically skipping the very first structural step, but would then require later steps to decompose the layer data and annotation to select the correct content.\n\nIn a sense, what you\u0027re proposing is the same container, two separate versions with separate artifacts, since you\u0027re thinking of using different tags, with different digest data relationships.\n\nI think the overall way to do it would be to just model on annotations and keep things consistent, and I\u0027ve discussed it with Steve, and we think kernel/initramfs as disktype annotations are the way to go so regardless of how someone wants to tag/version/layer 
their repository, they could have a single tag with both pieces which they could then leverage.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[{"line_number":198,"context_line":".. WARNING::"},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"   The examples of container artifact modeling for disk images does not"},{"line_number":201,"context_line":"   solve the underlying challenge of a kernel/ramdisk artifact. That being"},{"line_number":202,"context_line":"   said, it is entirely possible that we, as a project, determine an"},{"line_number":203,"context_line":"   appropriate annotation to denote kernel/ramdisk related artifacts from a"},{"line_number":204,"context_line":"   container supporting the overall operation of the Ironic deployment,"}],"source_content_type":"text/x-rst","patch_set":8,"id":"f864f024_bda6e5ca","line":201,"in_reply_to":"eb5d5413_a08dbffd","updated":"2025-01-21 21:20:33.000000000","message":"I\u0027m marking this as resolved. I\u0027ve revised this text and noted the explicit digest\nreference is what to be used. If we want to do more magic beyond that, it is really out of scope for an mvp.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"9b3d22349ea9b2c95b8f52324f4a7282d4c2e543","unresolved":true,"context_lines":[{"line_number":201,"context_line":"   solve the underlying challenge of a kernel/ramdisk artifact. 
That being"},{"line_number":202,"context_line":"   said, it is entirely possible that we, as a project, determine an"},{"line_number":203,"context_line":"   appropriate annotation to denote kernel/ramdisk related artifacts from a"},{"line_number":204,"context_line":"   container supporting the overall operation of the Ironic deployment,"},{"line_number":205,"context_line":"   where as today the alternative is files in glance, or files on local"},{"line_number":206,"context_line":"   conductor filesystems (which could be immutable containers anyhow), or"},{"line_number":207,"context_line":"   files on a remote webserver."}],"source_content_type":"text/x-rst","patch_set":8,"id":"b580beab_32e5d801","line":204,"updated":"2024-11-20 23:44:37.000000000","message":"IMO the Ironic project should *not* do this alone, we should involve more layers of OpenStack, e.g. Glance developers, and maybe folks on the CNCF side as well (beyond the free-crossover we get with the folks working on metal3+ironic). It seems like there\u0027s something ripe here for a cross-project standard that might help with all parts of the ecosystem.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"abde8a9003925a4ceafd13897ea49c88efe69ea5","unresolved":true,"context_lines":[{"line_number":201,"context_line":"   solve the underlying challenge of a kernel/ramdisk artifact. 
That being"},{"line_number":202,"context_line":"   said, it is entirely possible that we, as a project, determine an"},{"line_number":203,"context_line":"   appropriate annotation to denote kernel/ramdisk related artifacts from a"},{"line_number":204,"context_line":"   container supporting the overall operation of the Ironic deployment,"},{"line_number":205,"context_line":"   where as today the alternative is files in glance, or files on local"},{"line_number":206,"context_line":"   conductor filesystems (which could be immutable containers anyhow), or"},{"line_number":207,"context_line":"   files on a remote webserver."}],"source_content_type":"text/x-rst","patch_set":8,"id":"354af590_5afc7b7c","line":204,"in_reply_to":"2d7a6bc6_b21281cd","updated":"2024-11-21 15:44:08.000000000","message":"I agree, the CNCF world is heavily driven by de-facto standards.. for better or worse.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"d405f507e38dfa163563c6814bdbb1d91660d910","unresolved":true,"context_lines":[{"line_number":201,"context_line":"   solve the underlying challenge of a kernel/ramdisk artifact. 
That being"},{"line_number":202,"context_line":"   said, it is entirely possible that we, as a project, determine an"},{"line_number":203,"context_line":"   appropriate annotation to denote kernel/ramdisk related artifacts from a"},{"line_number":204,"context_line":"   container supporting the overall operation of the Ironic deployment,"},{"line_number":205,"context_line":"   where as today the alternative is files in glance, or files on local"},{"line_number":206,"context_line":"   conductor filesystems (which could be immutable containers anyhow), or"},{"line_number":207,"context_line":"   files on a remote webserver."}],"source_content_type":"text/x-rst","patch_set":8,"id":"89565df9_0960b977","line":204,"in_reply_to":"354af590_5afc7b7c","updated":"2024-11-21 19:14:30.000000000","message":"Cool, thanks for letting me know. Just wanted to make sure we weren\u0027t going off on our own; but it seems like we should just do what\u0027s right and if needed standardize something later.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"bb1637ed6b74bfeb4f2791e765b8df9496d1eca2","unresolved":false,"context_lines":[{"line_number":201,"context_line":"   solve the underlying challenge of a kernel/ramdisk artifact. 
That being"},{"line_number":202,"context_line":"   said, it is entirely possible that we, as a project, determine an"},{"line_number":203,"context_line":"   appropriate annotation to denote kernel/ramdisk related artifacts from a"},{"line_number":204,"context_line":"   container supporting the overall operation of the Ironic deployment,"},{"line_number":205,"context_line":"   where as today the alternative is files in glance, or files on local"},{"line_number":206,"context_line":"   conductor filesystems (which could be immutable containers anyhow), or"},{"line_number":207,"context_line":"   files on a remote webserver."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3010b4ee_a7526461","line":204,"in_reply_to":"89565df9_0960b977","updated":"2024-11-25 18:51:38.000000000","message":"It is a great question, I just don\u0027t want us to also block ourselves on trying to make something happen which may never.. happen without momentum starting.\n\nFWIW, proposing something in the next revision for kernel/initramfs artifacts.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1b27501b869b11383e0edcce5349a4579e06599a","unresolved":true,"context_lines":[{"line_number":201,"context_line":"   solve the underlying challenge of a kernel/ramdisk artifact. 
That being"},{"line_number":202,"context_line":"   said, it is entirely possible that we, as a project, determine an"},{"line_number":203,"context_line":"   appropriate annotation to denote kernel/ramdisk related artifacts from a"},{"line_number":204,"context_line":"   container supporting the overall operation of the Ironic deployment,"},{"line_number":205,"context_line":"   where as today the alternative is files in glance, or files on local"},{"line_number":206,"context_line":"   conductor filesystems (which could be immutable containers anyhow), or"},{"line_number":207,"context_line":"   files on a remote webserver."}],"source_content_type":"text/x-rst","patch_set":8,"id":"2d7a6bc6_b21281cd","line":204,"in_reply_to":"b580beab_32e5d801","updated":"2024-11-21 15:26:49.000000000","message":"After discussing with a podman maintainer, I don\u0027t think there is any appetite to do further standard building around the image structure and data modeling.\n\nFundamentally, we\u0027ve already discussed this across our own project boundaries. Other projects in openstack just don\u0027t care or are not interested... or are waiting to see if we have any level of success.\n\nAt the same time, on the container side of things, the model is not complete consensus driven, but almost a use the thing and do whatever you want unless docker decides it wants something different, then expect to change. I\u0027m toning this response down because there seems to be a lot of contributor burnout involved in that ecosystem as well. 
Happy to discuss at length.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"9b3d22349ea9b2c95b8f52324f4a7282d4c2e543","unresolved":true,"context_lines":[{"line_number":202,"context_line":"   said, it is entirely possible that we, as a project, determine an"},{"line_number":203,"context_line":"   appropriate annotation to denote kernel/ramdisk related artifacts from a"},{"line_number":204,"context_line":"   container supporting the overall operation of the Ironic deployment,"},{"line_number":205,"context_line":"   where as today the alternative is files in glance, or files on local"},{"line_number":206,"context_line":"   conductor filesystems (which could be immutable containers anyhow), or"},{"line_number":207,"context_line":"   files on a remote webserver."},{"line_number":208,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"592c60f3_61049178","line":205,"updated":"2024-11-20 23:44:37.000000000","message":"nit: Glance","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"bb1637ed6b74bfeb4f2791e765b8df9496d1eca2","unresolved":false,"context_lines":[{"line_number":202,"context_line":"   said, it is entirely possible that we, as a project, determine an"},{"line_number":203,"context_line":"   appropriate annotation to denote kernel/ramdisk related artifacts from a"},{"line_number":204,"context_line":"   container supporting the overall operation of the Ironic deployment,"},{"line_number":205,"context_line":"   where as today the alternative is files in glance, or files on local"},{"line_number":206,"context_line":"   conductor filesystems (which could be immutable 
containers anyhow), or"},{"line_number":207,"context_line":"   files on a remote webserver."},{"line_number":208,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"ce47d5fa_dc9851c3","line":205,"in_reply_to":"592c60f3_61049178","updated":"2024-11-25 18:51:38.000000000","message":"Doesn\u0027t exist in the next rev :)","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"3b8105fc9c9ce6f5340ac9461aa41df92da372e0","unresolved":true,"context_lines":[{"line_number":273,"context_line":"        \"digest\": \"sha256:6dda6fec71d06cc3d19460a4228e28aad2c9fc48ce0f7f1c4052f6c97c78b0dd\","},{"line_number":274,"context_line":"        \"size\": 475,"},{"line_number":275,"context_line":"        \"annotations\": {"},{"line_number":276,"context_line":"          \"disktype\": \"qemu\""},{"line_number":277,"context_line":"        },"},{"line_number":278,"context_line":"        \"platform\": {"},{"line_number":279,"context_line":"          \"architecture\": \"aarch64\","}],"source_content_type":"text/x-rst","patch_set":8,"id":"d3492ddc_5b71de09","line":276,"range":{"start_line":276,"start_character":27,"end_line":276,"end_character":28},"updated":"2024-11-19 21:47:36.000000000","message":"Discussed with Steve Baker:\n* We could have a kernel/initramfs annotation for our kernel/ramdisk stuffs\n* We *should* *also* have a sector or block size annotation\n* We could also have \"raw\" as a disktype annotation.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"abde8a9003925a4ceafd13897ea49c88efe69ea5","unresolved":true,"context_lines":[{"line_number":273,"context_line":"        \"digest\": 
\"sha256:6dda6fec71d06cc3d19460a4228e28aad2c9fc48ce0f7f1c4052f6c97c78b0dd\","},{"line_number":274,"context_line":"        \"size\": 475,"},{"line_number":275,"context_line":"        \"annotations\": {"},{"line_number":276,"context_line":"          \"disktype\": \"qemu\""},{"line_number":277,"context_line":"        },"},{"line_number":278,"context_line":"        \"platform\": {"},{"line_number":279,"context_line":"          \"architecture\": \"aarch64\","}],"source_content_type":"text/x-rst","patch_set":8,"id":"67923a01_36567aac","line":276,"range":{"start_line":276,"start_character":27,"end_line":276,"end_character":28},"in_reply_to":"0d9b8e38_b35afd34","updated":"2024-11-21 15:44:08.000000000","message":"As Julia said, that\u0027s what podman does to deliver their OS images for MacOS support.\n\nI wonder if we can simplify MVP by requiring only one binary layer* and adding support for different image types later.\n\n[*] More precisely, require users to specify an exact layer when the image contains several artifacts.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[{"line_number":273,"context_line":"        \"digest\": \"sha256:6dda6fec71d06cc3d19460a4228e28aad2c9fc48ce0f7f1c4052f6c97c78b0dd\","},{"line_number":274,"context_line":"        \"size\": 475,"},{"line_number":275,"context_line":"        \"annotations\": {"},{"line_number":276,"context_line":"          \"disktype\": \"qemu\""},{"line_number":277,"context_line":"        },"},{"line_number":278,"context_line":"        \"platform\": {"},{"line_number":279,"context_line":"          \"architecture\": 
\"aarch64\","}],"source_content_type":"text/x-rst","patch_set":8,"id":"86c04f4c_f4cf1526","line":276,"range":{"start_line":276,"start_character":27,"end_line":276,"end_character":28},"in_reply_to":"2cbb9787_ab79ab00","updated":"2025-01-21 21:20:33.000000000","message":"I have added a bit more in the way of annotation to spread context. If that doesn\u0027t address this item, please reopen it.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"d405f507e38dfa163563c6814bdbb1d91660d910","unresolved":true,"context_lines":[{"line_number":273,"context_line":"        \"digest\": \"sha256:6dda6fec71d06cc3d19460a4228e28aad2c9fc48ce0f7f1c4052f6c97c78b0dd\","},{"line_number":274,"context_line":"        \"size\": 475,"},{"line_number":275,"context_line":"        \"annotations\": {"},{"line_number":276,"context_line":"          \"disktype\": \"qemu\""},{"line_number":277,"context_line":"        },"},{"line_number":278,"context_line":"        \"platform\": {"},{"line_number":279,"context_line":"          \"architecture\": \"aarch64\","}],"source_content_type":"text/x-rst","patch_set":8,"id":"e1df059d_9d4d7f50","line":276,"range":{"start_line":276,"start_character":27,"end_line":276,"end_character":28},"in_reply_to":"67923a01_36567aac","updated":"2024-11-21 19:14:30.000000000","message":"My concerns in this category are resolved mainly by the knowledge that annotations are basically not standard in practice.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"1b27501b869b11383e0edcce5349a4579e06599a","unresolved":true,"context_lines":[{"line_number":273,"context_line":"        \"digest\": 
\"sha256:6dda6fec71d06cc3d19460a4228e28aad2c9fc48ce0f7f1c4052f6c97c78b0dd\","},{"line_number":274,"context_line":"        \"size\": 475,"},{"line_number":275,"context_line":"        \"annotations\": {"},{"line_number":276,"context_line":"          \"disktype\": \"qemu\""},{"line_number":277,"context_line":"        },"},{"line_number":278,"context_line":"        \"platform\": {"},{"line_number":279,"context_line":"          \"architecture\": \"aarch64\","}],"source_content_type":"text/x-rst","patch_set":8,"id":"0d9b8e38_b35afd34","line":276,"range":{"start_line":276,"start_character":27,"end_line":276,"end_character":28},"in_reply_to":"ca77bcb1_e2e9eceb","updated":"2024-11-21 15:26:49.000000000","message":"None of this is what we\u0027re inventing. It is prior art used by podman desktop. The suggested url to look at earlier in the spec is of the same exact container, with the structure trimmed down on the next to last json document.\n\nThe idea at the moment based upon the comment is maybe we add a \"kernel\" and \"initramfs\" annotation. Since annotations are free form, as I understand it, we can do whatever we want. 
I\u0027ll note the \"applehv\" disk type just appears to be a raw image as well.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"9b3d22349ea9b2c95b8f52324f4a7282d4c2e543","unresolved":true,"context_lines":[{"line_number":273,"context_line":"        \"digest\": \"sha256:6dda6fec71d06cc3d19460a4228e28aad2c9fc48ce0f7f1c4052f6c97c78b0dd\","},{"line_number":274,"context_line":"        \"size\": 475,"},{"line_number":275,"context_line":"        \"annotations\": {"},{"line_number":276,"context_line":"          \"disktype\": \"qemu\""},{"line_number":277,"context_line":"        },"},{"line_number":278,"context_line":"        \"platform\": {"},{"line_number":279,"context_line":"          \"architecture\": \"aarch64\","}],"source_content_type":"text/x-rst","patch_set":8,"id":"ca77bcb1_e2e9eceb","line":276,"range":{"start_line":276,"start_character":27,"end_line":276,"end_character":28},"in_reply_to":"d3492ddc_5b71de09","updated":"2024-11-20 23:44:37.000000000","message":"Can you help me understand how much of these example code blocks are existing annotation patterns vs pieces that Ironic/Metal3 are inventing?","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"bb1637ed6b74bfeb4f2791e765b8df9496d1eca2","unresolved":true,"context_lines":[{"line_number":273,"context_line":"        \"digest\": \"sha256:6dda6fec71d06cc3d19460a4228e28aad2c9fc48ce0f7f1c4052f6c97c78b0dd\","},{"line_number":274,"context_line":"        \"size\": 475,"},{"line_number":275,"context_line":"        \"annotations\": {"},{"line_number":276,"context_line":"          \"disktype\": \"qemu\""},{"line_number":277,"context_line":"        
},"},{"line_number":278,"context_line":"        \"platform\": {"},{"line_number":279,"context_line":"          \"architecture\": \"aarch64\","}],"source_content_type":"text/x-rst","patch_set":8,"id":"2cbb9787_ab79ab00","line":276,"range":{"start_line":276,"start_character":27,"end_line":276,"end_character":28},"in_reply_to":"e1df059d_9d4d7f50","updated":"2024-11-25 18:51:38.000000000","message":"Hey Dmitry, I don\u0027t think the size of work, for example in story points, really changes by trying to delineate it as a single binary layer or not, since ultimately we have to make the multiple hops through the remote registry data no matter what. The last step is really just a selection process and to do the selection upfront seems cleaner in that we are making less assumptions. Also, if we do it right, we can address artifacts needed for other artifacts required the same basic way.\n\nThe mental reasoning to avoid building expectations on single layer in the second step is then having a kernel and ramdisk would require two completely disjointed, either through tagging or through entirely different containers for each artifact, and really the key is to keep things interlocked.\n\nBesides, don\u0027t we want to be able to deploy the existing machine-os container?! 
;)","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"3b8105fc9c9ce6f5340ac9461aa41df92da372e0","unresolved":true,"context_lines":[{"line_number":417,"context_line":"however we anticipate adding some limited specific object retreieval into the"},{"line_number":418,"context_line":"agent itself to support retrieval of objects from container registry."},{"line_number":419,"context_line":""},{"line_number":420,"context_line":"This support, if we can determine how to authenticate properly, would result"},{"line_number":421,"context_line":"in part of the Agent\u0027s standby extension\u0027s ImageDownload class to be"},{"line_number":422,"context_line":"extended with the creation of some likely common code. The major differences,"},{"line_number":423,"context_line":"depending on the exact client interaction path chosen, is the existing code may"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7391dcaa_8a98bbd7","line":420,"range":{"start_line":420,"start_character":13,"end_line":420,"end_character":63},"updated":"2024-11-19 21:47:36.000000000","message":"So, it looks like a pull secret is just a magical combined authorization string. 
Steve has some reference and hinting to this, but we\u0027re likely going to need to take a peek at existing reference docs and maybe client code to confirm the behavior pattern required.","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[{"line_number":417,"context_line":"however we anticipate adding some limited specific object retreieval into the"},{"line_number":418,"context_line":"agent itself to support retrieval of objects from container registry."},{"line_number":419,"context_line":""},{"line_number":420,"context_line":"This support, if we can determine how to authenticate properly, would result"},{"line_number":421,"context_line":"in part of the Agent\u0027s standby extension\u0027s ImageDownload class to be"},{"line_number":422,"context_line":"extended with the creation of some likely common code. 
The major differences,"},{"line_number":423,"context_line":"depending on the exact client interaction path chosen, is the existing code may"}],"source_content_type":"text/x-rst","patch_set":8,"id":"8ecab0f1_802c7d4a","line":420,"range":{"start_line":420,"start_character":13,"end_line":420,"end_character":63},"in_reply_to":"7391dcaa_8a98bbd7","updated":"2025-01-21 21:20:33.000000000","message":"Done","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"9b3d22349ea9b2c95b8f52324f4a7282d4c2e543","unresolved":false,"context_lines":[{"line_number":465,"context_line":"of copying from an OCI compliant registry will largely take the shape of"},{"line_number":466,"context_line":"HTTP interactions, possibly including just a transfer of the desirable"},{"line_number":467,"context_line":"artifact file. Once that file is in a state ready for file inspection,"},{"line_number":468,"context_line":"such as qcow2 file, then we anticipate the file to be checked."},{"line_number":469,"context_line":""},{"line_number":470,"context_line":"Another aspect is any user supplied pull secret which may be required to"},{"line_number":471,"context_line":"access the container registry. At present, if set in the existing"}],"source_content_type":"text/x-rst","patch_set":8,"id":"2199b002_e78ffba2","line":468,"updated":"2024-11-20 23:44:37.000000000","message":"Thank you very much for this! 
It\u0027s exactly what I wanted 😄","commit_id":"71d94bc31954bd79cf3563b5f5776c28d273fa17"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"b0429583911f193001f3b76ee6a1f8e86c32963d","unresolved":true,"context_lines":[{"line_number":52,"context_line":"   skopeo inspect --raw docker://quay.io/podman/machine-os:5.3"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"The overall positive of this approach is the underlying \"layer\" file matching"},{"line_number":55,"context_line":"the user required annotaitons can be updated directly after a single file in"},{"line_number":56,"context_line":"the overall layer has been updated. Effectively \"compressing\" complexity into"},{"line_number":57,"context_line":"a single shipping and reference format with some minor additional complexity"},{"line_number":58,"context_line":"as a result of the container build process. Please note, we\u0027ll dig into the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"29b5502d_611ca2e2","line":55,"updated":"2025-01-08 15:42:00.000000000","message":"typo: annotations","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ecfa05bd3f5100b09bc5b59f9c3c2377adfb8a11","unresolved":false,"context_lines":[{"line_number":52,"context_line":"   skopeo inspect --raw docker://quay.io/podman/machine-os:5.3"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"The overall positive of this approach is the underlying \"layer\" file matching"},{"line_number":55,"context_line":"the user required annotaitons can be updated directly after a single file in"},{"line_number":56,"context_line":"the overall layer has been updated. 
Effectively \"compressing\" complexity into"},{"line_number":57,"context_line":"a single shipping and reference format with some minor additional complexity"},{"line_number":58,"context_line":"as a result of the container build process. Please note, we\u0027ll dig into the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"550dd1f5_6c8a25d4","line":55,"in_reply_to":"29b5502d_611ca2e2","updated":"2025-01-24 21:17:41.000000000","message":"Done","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"99884d3a8f789ba5ddb751bf149425c9fd9f727b","unresolved":true,"context_lines":[{"line_number":74,"context_line":""},{"line_number":75,"context_line":"The first change is to modify Ironic\u0027s Image Service code,"},{"line_number":76,"context_line":"such that there is an OCI protocol mapping, with associated class which"},{"line_number":77,"context_line":"understands how to authenticate, retrieve metadata, download, and ultimately"},{"line_number":78,"context_line":"the required content to a file on the local conductor just like other image"},{"line_number":79,"context_line":"service driver paths handling different urls."},{"line_number":80,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"bc30f434_193191d3","line":77,"updated":"2025-01-24 19:42:06.000000000","message":"do you mean: ...such that there is an OCI protocol mapping with an associated class which ultimately understands how to authenticate, retrieve metadata, and ultimately download the required content...","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"ce18d9a17027a6b26e1b43e7f312938dc4a48226","unresolved":false,"context_lines":[{"line_number":74,"context_line":""},{"line_number":75,"context_line":"The first change is to modify Ironic\u0027s Image Service code,"},{"line_number":76,"context_line":"such that there is an OCI protocol mapping, with associated class which"},{"line_number":77,"context_line":"understands how to authenticate, retrieve metadata, download, and ultimately"},{"line_number":78,"context_line":"the required content to a file on the local conductor just like other image"},{"line_number":79,"context_line":"service driver paths handling different urls."},{"line_number":80,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"8bf334ce_6b3efb6d","line":77,"in_reply_to":"aee85f3d_8609b09c","updated":"2025-01-28 19:11:41.000000000","message":"Done","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"cf28d23a78dcb8cba3cf865da8f110efb37634a0","unresolved":true,"context_lines":[{"line_number":74,"context_line":""},{"line_number":75,"context_line":"The first change is to modify Ironic\u0027s Image Service code,"},{"line_number":76,"context_line":"such that there is an OCI protocol mapping, with associated class which"},{"line_number":77,"context_line":"understands how to authenticate, retrieve metadata, download, and ultimately"},{"line_number":78,"context_line":"the required content to a file on the local conductor just like other image"},{"line_number":79,"context_line":"service driver paths handling different urls."},{"line_number":80,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"aee85f3d_8609b09c","line":77,"in_reply_to":"bc30f434_193191d3","updated":"2025-01-24 21:05:06.000000000","message":"Yes, re-reading that I clearly need to revise 
that.","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"b0429583911f193001f3b76ee6a1f8e86c32963d","unresolved":true,"context_lines":[{"line_number":85,"context_line":"The second change will take place in the ironic-python-agent\u0027s"},{"line_number":86,"context_line":"artifact retrieval code in the \"standby\" extension. That being said, because"},{"line_number":87,"context_line":"of the overall complexity of that code *and* the overall retrieval model,"},{"line_number":88,"context_line":"it is unknown if all current access methods can be adapted."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"Specifically, the artifacts are zstd-compressed by default, and to support"},{"line_number":91,"context_line":"streaming we would need decompress each data block as part of the streaming"}],"source_content_type":"text/x-rst","patch_set":9,"id":"92b70c9f_da7e4cc1","line":88,"updated":"2025-01-08 15:42:00.000000000","message":"For the sake of delivering the MVP, we could decide to assume image_download_source\u003dlocal by default, i.e. limit the OCI handling to the conductor side only.","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"97087b642dad265885e80862ee448fde40f600e5","unresolved":true,"context_lines":[{"line_number":85,"context_line":"The second change will take place in the ironic-python-agent\u0027s"},{"line_number":86,"context_line":"artifact retrieval code in the \"standby\" extension. 
That being said, because"},{"line_number":87,"context_line":"of the overall complexity of that code *and* the overall retrieval model,"},{"line_number":88,"context_line":"it is unknown if all current access methods can be adapted."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"Specifically, the artifacts are zstd-compressed by default, and to support"},{"line_number":91,"context_line":"streaming we would need decompress each data block as part of the streaming"}],"source_content_type":"text/x-rst","patch_set":9,"id":"eeffc603_32b3a560","line":88,"in_reply_to":"92b70c9f_da7e4cc1","updated":"2025-01-10 21:02:22.000000000","message":"See the posted patch and notes on the docs. It is dependent upon the artifact content at this point.","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[{"line_number":85,"context_line":"The second change will take place in the ironic-python-agent\u0027s"},{"line_number":86,"context_line":"artifact retrieval code in the \"standby\" extension. 
That being said, because"},{"line_number":87,"context_line":"of the overall complexity of that code *and* the overall retrieval model,"},{"line_number":88,"context_line":"it is unknown if all current access methods can be adapted."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"Specifically, the artifacts are zstd-compressed by default, and to support"},{"line_number":91,"context_line":"streaming we would need decompress each data block as part of the streaming"}],"source_content_type":"text/x-rst","patch_set":9,"id":"50175736_d23096b1","line":88,"in_reply_to":"eeffc603_32b3a560","updated":"2025-01-21 21:20:33.000000000","message":"Done","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"b0429583911f193001f3b76ee6a1f8e86c32963d","unresolved":true,"context_lines":[{"line_number":142,"context_line":"   to do so. Should they be unable to be resolved, the MVP of this capability"},{"line_number":143,"context_line":"   may be invoked using OS provided clients and tools. 
That being said,"},{"line_number":144,"context_line":"   the overall efficiency gain of doing it with native python makes it the"},{"line_number":145,"context_line":"   preferred approach."},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Furthermore, many registries, for example like one hosted on OpenShift,"},{"line_number":148,"context_line":"explicitly require authentication for users to access contents in the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"0747d84a_0273e517","line":145,"updated":"2025-01-08 15:42:00.000000000","message":"Note: if we go down this path, we\u0027ll need a way to share the code between Ironic and IPA (given that we deprecate ironic-lib, it has to be something new)","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"97087b642dad265885e80862ee448fde40f600e5","unresolved":true,"context_lines":[{"line_number":142,"context_line":"   to do so. Should they be unable to be resolved, the MVP of this capability"},{"line_number":143,"context_line":"   may be invoked using OS provided clients and tools. 
That being said,"},{"line_number":144,"context_line":"   the overall efficiency gain of doing it with native python makes it the"},{"line_number":145,"context_line":"   preferred approach."},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Furthermore, many registries, for example like one hosted on OpenShift,"},{"line_number":148,"context_line":"explicitly require authentication for users to access contents in the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"b23e4854_b01f7c10","line":145,"in_reply_to":"0747d84a_0273e517","updated":"2025-01-10 21:02:22.000000000","message":"We don\u0027t *actually* need to teach IPA about this directly, given the formatting we *generally* want it to come down through the conductor, but that is fine if the conductor identifies the required URL and hints that to IPA. That is the way it is currently implemented. The *only* thing we really need to do is be able to tell IPA \"hey, use this authentication data in case the back end CDN says \"nope!\"","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ecfa05bd3f5100b09bc5b59f9c3c2377adfb8a11","unresolved":false,"context_lines":[{"line_number":142,"context_line":"   to do so. Should they be unable to be resolved, the MVP of this capability"},{"line_number":143,"context_line":"   may be invoked using OS provided clients and tools. 
That being said,"},{"line_number":144,"context_line":"   the overall efficiency gain of doing it with native python makes it the"},{"line_number":145,"context_line":"   preferred approach."},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Furthermore, many registries, for example like one hosted on OpenShift,"},{"line_number":148,"context_line":"explicitly require authentication for users to access contents in the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"010cff9d_aa04d8ac","line":145,"in_reply_to":"b23e4854_b01f7c10","updated":"2025-01-24 21:17:41.000000000","message":"Done","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"b0429583911f193001f3b76ee6a1f8e86c32963d","unresolved":true,"context_lines":[{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Furthermore, many registries, for example like one hosted on OpenShift,"},{"line_number":148,"context_line":"explicitly require authentication for users to access contents in the"},{"line_number":149,"context_line":"remote container registry."},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"The best course of action is to support submission of a \"pull secret\" to"},{"line_number":152,"context_line":"enable image retrieval by the user in the form of an"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3e7d274a_c86b08b9","line":149,"updated":"2025-01-08 15:42:00.000000000","message":"Also Dockerhub with its harsh rate limits for unauthenticated users","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a 
Jetpack!"},"change_message_id":"97087b642dad265885e80862ee448fde40f600e5","unresolved":true,"context_lines":[{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Furthermore, many registries, for example like one hosted on OpenShift,"},{"line_number":148,"context_line":"explicitly require authentication for users to access contents in the"},{"line_number":149,"context_line":"remote container registry."},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"The best course of action is to support submission of a \"pull secret\" to"},{"line_number":152,"context_line":"enable image retrieval by the user in the form of an"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bd7c1584_20e6534a","line":149,"in_reply_to":"3e7d274a_c86b08b9","updated":"2025-01-10 21:02:22.000000000","message":"great point!","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"664e1c39271d5d041c9c8afde2b7c2acb7ba4c9c","unresolved":false,"context_lines":[{"line_number":146,"context_line":""},{"line_number":147,"context_line":"Furthermore, many registries, for example like one hosted on OpenShift,"},{"line_number":148,"context_line":"explicitly require authentication for users to access contents in the"},{"line_number":149,"context_line":"remote container registry."},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"The best course of action is to support submission of a \"pull secret\" to"},{"line_number":152,"context_line":"enable image retrieval by the user in the form of an"}],"source_content_type":"text/x-rst","patch_set":9,"id":"aa4517be_7cb1a664","line":149,"in_reply_to":"bd7c1584_20e6534a","updated":"2025-01-21 
21:20:33.000000000","message":"Done","commit_id":"17acdb1cd4d4a3c3a3536804f897c253b6e72cbd"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"99884d3a8f789ba5ddb751bf149425c9fd9f727b","unresolved":true,"context_lines":[{"line_number":37,"context_line":"as a raw, vhd, or qcow2 image representing the contents of an image."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"This presents an interesting path where you match the file contents in layers"},{"line_number":40,"context_line":"up with a binary artifact which could be deployed, which is fundimentally how"},{"line_number":41,"context_line":"multi-architecture container support is handled for other host and hypervisor"},{"line_number":42,"context_line":"types by Podman."},{"line_number":43,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"f3c2252a_0a15d927","line":40,"updated":"2025-01-24 19:42:06.000000000","message":"nit: fundamentally","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ecfa05bd3f5100b09bc5b59f9c3c2377adfb8a11","unresolved":false,"context_lines":[{"line_number":37,"context_line":"as a raw, vhd, or qcow2 image representing the contents of an image."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"This presents an interesting path where you match the file contents in layers"},{"line_number":40,"context_line":"up with a binary artifact which could be deployed, which is fundimentally how"},{"line_number":41,"context_line":"multi-architecture container support is handled for other host and hypervisor"},{"line_number":42,"context_line":"types by 
Podman."},{"line_number":43,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"4b6b019f_99793830","line":40,"in_reply_to":"f3c2252a_0a15d927","updated":"2025-01-24 21:17:41.000000000","message":"Done","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"99884d3a8f789ba5ddb751bf149425c9fd9f727b","unresolved":true,"context_lines":[{"line_number":60,"context_line":"overall structure modeling of the container after the high level change"},{"line_number":61,"context_line":"proposal below."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"In order to streamline the overall flow and interaction, we propose"},{"line_number":64,"context_line":"supporting the model of interaction where we are able to support a container"},{"line_number":65,"context_line":"which has an associated matching disk image by enhancing our image handling"},{"line_number":66,"context_line":"logic to enable access to the relevant artifact based upon annocations with"}],"source_content_type":"text/x-rst","patch_set":10,"id":"f3a25447_a979f156","line":63,"updated":"2025-01-24 19:42:06.000000000","message":"So one associated disk image per container? 
Is the disk image also going to be a layer within the container, and annotated so it can be found by a user?\nAlso, nit: annotations on line 66","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"6f96d75d3d1d319e8a45497692c6eea511447ca5","unresolved":false,"context_lines":[{"line_number":60,"context_line":"overall structure modeling of the container after the high level change"},{"line_number":61,"context_line":"proposal below."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"In order to streamline the overall flow and interaction, we propose"},{"line_number":64,"context_line":"supporting the model of interaction where we are able to support a container"},{"line_number":65,"context_line":"which has an associated matching disk image by enhancing our image handling"},{"line_number":66,"context_line":"logic to enable access to the relevant artifact based upon annocations with"}],"source_content_type":"text/x-rst","patch_set":10,"id":"e1ef86c4_265259b9","line":63,"in_reply_to":"2df1a294_cd6b6b9f","updated":"2025-01-28 13:57:39.000000000","message":"That makes sense, thank you!","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"cf28d23a78dcb8cba3cf865da8f110efb37634a0","unresolved":true,"context_lines":[{"line_number":60,"context_line":"overall structure modeling of the container after the high level change"},{"line_number":61,"context_line":"proposal below."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"In order to streamline the overall flow and interaction, we propose"},{"line_number":64,"context_line":"supporting the model of interaction where we are able to support a 
container"},{"line_number":65,"context_line":"which has an associated matching disk image by enhancing our image handling"},{"line_number":66,"context_line":"logic to enable access to the relevant artifact based upon annocations with"}],"source_content_type":"text/x-rst","patch_set":10,"id":"2df1a294_cd6b6b9f","line":63,"in_reply_to":"f3a25447_a979f156","updated":"2025-01-24 21:05:06.000000000","message":"This is more a detail in the actual data structures as to what is defined as a container. You can have a container with many artifacts, you can refer to those artifacts with a digest value (sha256:64charactersofchecksum), or using a tag.\n\nThese structures all model it as a blob file structurally just like a layer, but it is just the artifact.\n\nSo not a file in the container, but a file in the container registry. Hopefully that provides clarity.","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"99884d3a8f789ba5ddb751bf149425c9fd9f727b","unresolved":true,"context_lines":[{"line_number":109,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":110,"context_line":"``instance_info/image_source`` value to"},{"line_number":111,"context_line":"\"oci://fqdn:port/container:version-label\", which would result in the required"},{"line_number":112,"context_line":"\"raw\" or \"qcow\" artifact being retrieved and extracted."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"The protocol portion of the URL, specifically \"oci://\" shall be stripped"},{"line_number":115,"context_line":"from the URL provided to the underlying artifact retrieval tool or code path"}],"source_content_type":"text/x-rst","patch_set":10,"id":"ff63dc75_0c52f6d8","line":112,"updated":"2025-01-24 19:42:06.000000000","message":"and also deployed onto a 
node?","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"6f96d75d3d1d319e8a45497692c6eea511447ca5","unresolved":false,"context_lines":[{"line_number":109,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":110,"context_line":"``instance_info/image_source`` value to"},{"line_number":111,"context_line":"\"oci://fqdn:port/container:version-label\", which would result in the required"},{"line_number":112,"context_line":"\"raw\" or \"qcow\" artifact being retrieved and extracted."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"The protocol portion of the URL, specifically \"oci://\" shall be stripped"},{"line_number":115,"context_line":"from the URL provided to the underlying artifact retrieval tool or code path"}],"source_content_type":"text/x-rst","patch_set":10,"id":"1baab2d0_333663aa","line":112,"in_reply_to":"d8b66dac_b07f8416","updated":"2025-01-28 13:57:39.000000000","message":"Makes sense","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"cf28d23a78dcb8cba3cf865da8f110efb37634a0","unresolved":true,"context_lines":[{"line_number":109,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":110,"context_line":"``instance_info/image_source`` value to"},{"line_number":111,"context_line":"\"oci://fqdn:port/container:version-label\", which would result in the required"},{"line_number":112,"context_line":"\"raw\" or \"qcow\" artifact being retrieved and extracted."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"The protocol portion of the URL, specifically \"oci://\" shall be 
stripped"},{"line_number":115,"context_line":"from the URL provided to the underlying artifact retrieval tool or code path"}],"source_content_type":"text/x-rst","patch_set":10,"id":"d8b66dac_b07f8416","line":112,"in_reply_to":"ff63dc75_0c52f6d8","updated":"2025-01-24 21:05:06.000000000","message":"Well, the goal is more about image service access compatibility so the rest of the code can deploy an artifact.\n\nBut also, this also allows us to get the kernel and ramdisk artifacts from a container as well.","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"99884d3a8f789ba5ddb751bf149425c9fd9f727b","unresolved":true,"context_lines":[{"line_number":150,"context_line":"remote container registry. Additionally, some public image registries"},{"line_number":151,"context_line":"have fairly restrictive rate limits in place for unauthenticated users."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"The best course of action is to support submission of a \"pull secret\" to"},{"line_number":154,"context_line":"enable image retrieval by the user in the form of an"},{"line_number":155,"context_line":"``instance_info/image_pull_secret`` value for *user* artifact authentication."},{"line_number":156,"context_line":"The existing secret protection code in the API surface should guard this"}],"source_content_type":"text/x-rst","patch_set":10,"id":"dfc4ea2f_61c568cb","line":153,"updated":"2025-01-24 19:42:06.000000000","message":"So anybody having access to the node object will also have access to a pull secret present in its instance_info, but when sharing nodes, one also must share pull secrets. It sounds fine. 
(Just making sure I\u0027m understanding correctly)","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"6f96d75d3d1d319e8a45497692c6eea511447ca5","unresolved":false,"context_lines":[{"line_number":150,"context_line":"remote container registry. Additionally, some public image registries"},{"line_number":151,"context_line":"have fairly restrictive rate limits in place for unauthenticated users."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"The best course of action is to support submission of a \"pull secret\" to"},{"line_number":154,"context_line":"enable image retrieval by the user in the form of an"},{"line_number":155,"context_line":"``instance_info/image_pull_secret`` value for *user* artifact authentication."},{"line_number":156,"context_line":"The existing secret protection code in the API surface should guard this"}],"source_content_type":"text/x-rst","patch_set":10,"id":"938776cb_9e2cfe29","line":153,"in_reply_to":"2aa08767_ab65de0a","updated":"2025-01-28 13:57:39.000000000","message":"Done","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"cf28d23a78dcb8cba3cf865da8f110efb37634a0","unresolved":true,"context_lines":[{"line_number":150,"context_line":"remote container registry. 
Additionally, some public image registries"},{"line_number":151,"context_line":"have fairly restrictive rate limits in place for unauthenticated users."},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"The best course of action is to support submission of a \"pull secret\" to"},{"line_number":154,"context_line":"enable image retrieval by the user in the form of an"},{"line_number":155,"context_line":"``instance_info/image_pull_secret`` value for *user* artifact authentication."},{"line_number":156,"context_line":"The existing secret protection code in the API surface should guard this"}],"source_content_type":"text/x-rst","patch_set":10,"id":"2aa08767_ab65de0a","line":153,"in_reply_to":"dfc4ea2f_61c568cb","updated":"2025-01-24 21:05:06.000000000","message":"They can *set* the pull secret. The value is redacted by ironic\u0027s API layer because the field name ends in \"_secret\"\n\nIn effect, a user may have their own registry they need to use, and because it is able to be set in instance_info, they can use it directly... and another user can use an entirely different registry if so desired.\n\nIn other words, there is no need to share pull secrets, it is more about how the registry they are connecting to interacts.\n\nFor what it is worth, we *did* add support for a centralized file into the change. That should... address some challenges, and is separately populated and thus not exposed to a user.","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"99884d3a8f789ba5ddb751bf149425c9fd9f727b","unresolved":true,"context_lines":[{"line_number":183,"context_line":"   being decompressed. 
This can be handled as a minor magic byte check and"},{"line_number":184,"context_line":"   opportunistic uncompression separate from the overall flow."},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"While not distinctly part of this change, an other possible future change"},{"line_number":187,"context_line":"is the deployment of containers as an bootable container image."},{"line_number":188,"context_line":"In such a case, we would just expect the whole container to be set as an"},{"line_number":189,"context_line":"``image_source`` parameter, and ultimately the ``deploy_interface`` would"}],"source_content_type":"text/x-rst","patch_set":10,"id":"b93734dd_0e91cee4","line":186,"updated":"2025-01-24 19:42:06.000000000","message":"nit: another possible future change...a bootable container image","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ecfa05bd3f5100b09bc5b59f9c3c2377adfb8a11","unresolved":false,"context_lines":[{"line_number":183,"context_line":"   being decompressed. 
This can be handled as a minor magic byte check and"},{"line_number":184,"context_line":"   opportunistic uncompression separate from the overall flow."},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"While not distinctly part of this change, an other possible future change"},{"line_number":187,"context_line":"is the deployment of containers as an bootable container image."},{"line_number":188,"context_line":"In such a case, we would just expect the whole container to be set as an"},{"line_number":189,"context_line":"``image_source`` parameter, and ultimately the ``deploy_interface`` would"}],"source_content_type":"text/x-rst","patch_set":10,"id":"7d8e062d_30d84221","line":186,"in_reply_to":"b93734dd_0e91cee4","updated":"2025-01-24 21:17:41.000000000","message":"Done","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"99884d3a8f789ba5ddb751bf149425c9fd9f727b","unresolved":true,"context_lines":[{"line_number":215,"context_line":"the required mapping data for multi-architecture."},{"line_number":216,"context_line":""},{"line_number":217,"context_line":".. note::"},{"line_number":218,"context_line":"   The examples in this deep dive are from an oci://path copy output from an"},{"line_number":219,"context_line":"   remote registry inspired by Podman\u0027s multi-arch support. 
The file contents"},{"line_number":220,"context_line":"   and structure thus mirror what is API accessible for the container."},{"line_number":221,"context_line":"   The goal of this is to help paint an illustration of what the data"}],"source_content_type":"text/x-rst","patch_set":10,"id":"aa0d2898_30fc88df","line":218,"updated":"2025-01-24 19:42:06.000000000","message":"nit: a remote registry","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ecfa05bd3f5100b09bc5b59f9c3c2377adfb8a11","unresolved":false,"context_lines":[{"line_number":215,"context_line":"the required mapping data for multi-architecture."},{"line_number":216,"context_line":""},{"line_number":217,"context_line":".. note::"},{"line_number":218,"context_line":"   The examples in this deep dive are from an oci://path copy output from an"},{"line_number":219,"context_line":"   remote registry inspired by Podman\u0027s multi-arch support. 
The file contents"},{"line_number":220,"context_line":"   and structure thus mirror what is API accessible for the container."},{"line_number":221,"context_line":"   The goal of this is to help paint an illustration of what the data"}],"source_content_type":"text/x-rst","patch_set":10,"id":"25200f32_2a7a2ce1","line":218,"in_reply_to":"aa0d2898_30fc88df","updated":"2025-01-24 21:17:41.000000000","message":"Done","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"99884d3a8f789ba5ddb751bf149425c9fd9f727b","unresolved":true,"context_lines":[{"line_number":240,"context_line":"    ]"},{"line_number":241,"context_line":"  }"},{"line_number":242,"context_line":""},{"line_number":243,"context_line":"Such that when we evaluate the contents of the second file, we see something"},{"line_number":244,"context_line":"along the following lines. 
Please note this is being edited down from the"},{"line_number":245,"context_line":"the actual example to focus clarity for context exchange, by removing"},{"line_number":246,"context_line":"artifacts with ``disktype`` annotations ``applehv`` and ``hyperv``."}],"source_content_type":"text/x-rst","patch_set":10,"id":"10e74388_4914fdb4","line":243,"updated":"2025-01-24 19:42:06.000000000","message":"nit: \u0027Such that\u0027 could be dropped.","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ecfa05bd3f5100b09bc5b59f9c3c2377adfb8a11","unresolved":false,"context_lines":[{"line_number":240,"context_line":"    ]"},{"line_number":241,"context_line":"  }"},{"line_number":242,"context_line":""},{"line_number":243,"context_line":"Such that when we evaluate the contents of the second file, we see something"},{"line_number":244,"context_line":"along the following lines. 
Please note this is being edited down from the"},{"line_number":245,"context_line":"the actual example to focus clarity for context exchange, by removing"},{"line_number":246,"context_line":"artifacts with ``disktype`` annotations ``applehv`` and ``hyperv``."}],"source_content_type":"text/x-rst","patch_set":10,"id":"cfd1f338_72e7d81e","line":243,"in_reply_to":"10e74388_4914fdb4","updated":"2025-01-24 21:17:41.000000000","message":"Done","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"99884d3a8f789ba5ddb751bf149425c9fd9f727b","unresolved":true,"context_lines":[{"line_number":301,"context_line":"  }"},{"line_number":302,"context_line":""},{"line_number":303,"context_line":"In the above context, these are intermediate pointer files, which help link"},{"line_number":304,"context_line":"the platform, os, and disk type annocation together. Below is an example of the"},{"line_number":305,"context_line":"disk image. 
The references lacking a ``disktype`` annotation are simply just"},{"line_number":306,"context_line":"another container filesystem layer reference."},{"line_number":307,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"ce84e67a_d12e4c71","line":304,"updated":"2025-01-24 19:42:06.000000000","message":"nit: annotation","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ecfa05bd3f5100b09bc5b59f9c3c2377adfb8a11","unresolved":false,"context_lines":[{"line_number":301,"context_line":"  }"},{"line_number":302,"context_line":""},{"line_number":303,"context_line":"In the above context, these are intermediate pointer files, which help link"},{"line_number":304,"context_line":"the platform, os, and disk type annocation together. Below is an example of the"},{"line_number":305,"context_line":"disk image. The references lacking a ``disktype`` annotation are simply just"},{"line_number":306,"context_line":"another container filesystem layer reference."},{"line_number":307,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"5d9c2e3a_28505847","line":304,"in_reply_to":"ce84e67a_d12e4c71","updated":"2025-01-24 21:17:41.000000000","message":"Done","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"99884d3a8f789ba5ddb751bf149425c9fd9f727b","unresolved":true,"context_lines":[{"line_number":305,"context_line":"disk image. 
The references lacking a ``disktype`` annotation are simply just"},{"line_number":306,"context_line":"another container filesystem layer reference."},{"line_number":307,"context_line":""},{"line_number":308,"context_line":"When you utilize the format ``oci://host/contatainer@sha256:hash``,"},{"line_number":309,"context_line":"your referring *directly* to a manifest such as the file below. It is also"},{"line_number":310,"context_line":"important to note that this file has *no* pointer pointing to the previous"},{"line_number":311,"context_line":"data structure."}],"source_content_type":"text/x-rst","patch_set":10,"id":"e750cb0e_3d1b5ed7","line":308,"updated":"2025-01-24 19:42:06.000000000","message":"nit: ``oci...container...``","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ecfa05bd3f5100b09bc5b59f9c3c2377adfb8a11","unresolved":false,"context_lines":[{"line_number":305,"context_line":"disk image. The references lacking a ``disktype`` annotation are simply just"},{"line_number":306,"context_line":"another container filesystem layer reference."},{"line_number":307,"context_line":""},{"line_number":308,"context_line":"When you utilize the format ``oci://host/contatainer@sha256:hash``,"},{"line_number":309,"context_line":"your referring *directly* to a manifest such as the file below. 
It is also"},{"line_number":310,"context_line":"important to note that this file has *no* pointer pointing to the previous"},{"line_number":311,"context_line":"data structure."}],"source_content_type":"text/x-rst","patch_set":10,"id":"8c41a9f8_74576342","line":308,"in_reply_to":"e750cb0e_3d1b5ed7","updated":"2025-01-24 21:17:41.000000000","message":"Done","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"99884d3a8f789ba5ddb751bf149425c9fd9f727b","unresolved":true,"context_lines":[{"line_number":431,"context_line":""},{"line_number":432,"context_line":"Meaning, the resulting common code if we can do it in our existing code paths"},{"line_number":433,"context_line":"cleanly is the translation of the user requested url to what available source"},{"line_number":434,"context_line":"artifacts are available and if we can stream/download/convert them in them"},{"line_number":435,"context_line":"with the agent. 
Ultimately, operators who leverage ``image_download_source``"},{"line_number":436,"context_line":"of ``local`` should have artifacts entirely downloaded by the conductor,"},{"line_number":437,"context_line":"and then extracted regardless of of the code or feature set on the ramdisk"}],"source_content_type":"text/x-rst","patch_set":10,"id":"de795050_73a70313","line":434,"updated":"2025-01-24 19:42:06.000000000","message":"nit: ...and if we can stream/download/convert them with the agent.","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ecfa05bd3f5100b09bc5b59f9c3c2377adfb8a11","unresolved":false,"context_lines":[{"line_number":431,"context_line":""},{"line_number":432,"context_line":"Meaning, the resulting common code if we can do it in our existing code paths"},{"line_number":433,"context_line":"cleanly is the translation of the user requested url to what available source"},{"line_number":434,"context_line":"artifacts are available and if we can stream/download/convert them in them"},{"line_number":435,"context_line":"with the agent. Ultimately, operators who leverage ``image_download_source``"},{"line_number":436,"context_line":"of ``local`` should have artifacts entirely downloaded by the conductor,"},{"line_number":437,"context_line":"and then extracted regardless of of the code or feature set on the ramdisk"}],"source_content_type":"text/x-rst","patch_set":10,"id":"a2c9766c_9ce5ff7b","line":434,"in_reply_to":"de795050_73a70313","updated":"2025-01-24 21:17:41.000000000","message":"I slimmed this entire paragraph down, since the code has gotten further along. 
The new revision will detail the one thing we might need to do at some point.","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":35929,"name":"Mahnoor Asghar","display_name":"Mahnoor Asghar","email":"masghar@redhat.com","username":"mahnoorasghar"},"change_message_id":"99884d3a8f789ba5ddb751bf149425c9fd9f727b","unresolved":true,"context_lines":[{"line_number":459,"context_line":"occur transparently as they are executed outside of the lowest levels of"},{"line_number":460,"context_line":"artifact retrieval. The underlying protocol is built upon the model of"},{"line_number":461,"context_line":"file transfers over HTTP, which natively may be decompressed if the"},{"line_number":462,"context_line":"client is capable, and is is disctinctly different from security issues"},{"line_number":463,"context_line":"in 2024 with ``qemu-img`` where disk images were interacted and streamed"},{"line_number":464,"context_line":"through memory with multiple ``qemu`` plugins attempting to access data"},{"line_number":465,"context_line":"in the user supplied disk image for data transformation. The overall act"}],"source_content_type":"text/x-rst","patch_set":10,"id":"4097ae2d_80584beb","line":462,"updated":"2025-01-24 19:42:06.000000000","message":"nit: two is-s","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ecfa05bd3f5100b09bc5b59f9c3c2377adfb8a11","unresolved":false,"context_lines":[{"line_number":459,"context_line":"occur transparently as they are executed outside of the lowest levels of"},{"line_number":460,"context_line":"artifact retrieval. 
The underlying protocol is built upon the model of"},{"line_number":461,"context_line":"file transfers over HTTP, which natively may be decompressed if the"},{"line_number":462,"context_line":"client is capable, and is is disctinctly different from security issues"},{"line_number":463,"context_line":"in 2024 with ``qemu-img`` where disk images were interacted and streamed"},{"line_number":464,"context_line":"through memory with multiple ``qemu`` plugins attempting to access data"},{"line_number":465,"context_line":"in the user supplied disk image for data transformation. The overall act"}],"source_content_type":"text/x-rst","patch_set":10,"id":"7120d3ec_12767ad5","line":462,"in_reply_to":"4097ae2d_80584beb","updated":"2025-01-24 21:17:41.000000000","message":"And it is definitely not IS-IS... https://en.wikipedia.org/wiki/IS-IS 😊","commit_id":"c8bad67f408bd73f9898b559688b44ac9254183d"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"a2124756898107e4def7ce6fb278e4ed079cb418","unresolved":true,"context_lines":[{"line_number":84,"context_line":""},{"line_number":85,"context_line":"A second change *may* be needed for Ironic-Python-Agent to understand"},{"line_number":86,"context_line":"how to authenticate to an image registry to retrieve the *final* artifact,"},{"line_number":87,"context_line":"but ultimatley our hope is the conductor performs all actions related to"},{"line_number":88,"context_line":"identifying the disk image artifact."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"Specifically, a pattern exists to artifacts to also be compressed using"}],"source_content_type":"text/x-rst","patch_set":11,"id":"75bb440e_230491a3","line":87,"updated":"2025-01-25 17:20:40.000000000","message":"```suggestion\nbut ultimately our hope is the conductor performs all actions related 
to\n```","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ce18d9a17027a6b26e1b43e7f312938dc4a48226","unresolved":false,"context_lines":[{"line_number":84,"context_line":""},{"line_number":85,"context_line":"A second change *may* be needed for Ironic-Python-Agent to understand"},{"line_number":86,"context_line":"how to authenticate to an image registry to retrieve the *final* artifact,"},{"line_number":87,"context_line":"but ultimatley our hope is the conductor performs all actions related to"},{"line_number":88,"context_line":"identifying the disk image artifact."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"Specifically, a pattern exists to artifacts to also be compressed using"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ed48fad3_3a1a0cf3","line":87,"in_reply_to":"75bb440e_230491a3","updated":"2025-01-28 19:11:41.000000000","message":"Done","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"a2124756898107e4def7ce6fb278e4ed079cb418","unresolved":true,"context_lines":[{"line_number":97,"context_line":"feasible with the existing flow model mirroring what is done when"},{"line_number":98,"context_line":"Swift image downloads are performed."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"For example, When the ``image_download_source`` is set to ``local``, then the"},{"line_number":101,"context_line":"conductor would be responsible for retrieval of the requested ``image_source``"},{"line_number":102,"context_line":"from the registry, and providing the safety checked artifact to the"},{"line_number":103,"context_line":"ironic-python-agent. 
All that the Ironic-Python-Agent would be"}],"source_content_type":"text/x-rst","patch_set":11,"id":"2b2f0ab7_a01203b2","line":100,"updated":"2025-01-25 17:20:40.000000000","message":"```suggestion\nFor example, when the ``image_download_source`` is set to ``local``, then the\n```","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ce18d9a17027a6b26e1b43e7f312938dc4a48226","unresolved":false,"context_lines":[{"line_number":97,"context_line":"feasible with the existing flow model mirroring what is done when"},{"line_number":98,"context_line":"Swift image downloads are performed."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"For example, When the ``image_download_source`` is set to ``local``, then the"},{"line_number":101,"context_line":"conductor would be responsible for retrieval of the requested ``image_source``"},{"line_number":102,"context_line":"from the registry, and providing the safety checked artifact to the"},{"line_number":103,"context_line":"ironic-python-agent. 
All that the Ironic-Python-Agent would be"}],"source_content_type":"text/x-rst","patch_set":11,"id":"029aa40e_2d33374b","line":100,"in_reply_to":"2b2f0ab7_a01203b2","updated":"2025-01-28 19:11:41.000000000","message":"Done","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"a2124756898107e4def7ce6fb278e4ed079cb418","unresolved":true,"context_lines":[{"line_number":108,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":109,"context_line":"``instance_info/image_source`` value to"},{"line_number":110,"context_line":"\"oci://fqdn:port/container:version-label\", which would result in the required"},{"line_number":111,"context_line":"\"raw\" or \"qcow\" artifact being retrieved and extracted."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"The protocol portion of the URL, specifically \"oci://\" shall be stripped"},{"line_number":114,"context_line":"from the URL provided to the underlying artifact retrieval tool or code path"}],"source_content_type":"text/x-rst","patch_set":11,"id":"716a6d43_fee115f6","line":111,"updated":"2025-01-25 17:20:40.000000000","message":"```suggestion\n\"raw\" or \"qcow2\" artifact being retrieved and extracted.\n```","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ce18d9a17027a6b26e1b43e7f312938dc4a48226","unresolved":false,"context_lines":[{"line_number":108,"context_line":"The overall goal being for a user to be able to set an"},{"line_number":109,"context_line":"``instance_info/image_source`` value to"},{"line_number":110,"context_line":"\"oci://fqdn:port/container:version-label\", which would result in the required"},{"line_number":111,"context_line":"\"raw\" or 
\"qcow\" artifact being retrieved and extracted."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"The protocol portion of the URL, specifically \"oci://\" shall be stripped"},{"line_number":114,"context_line":"from the URL provided to the underlying artifact retrieval tool or code path"}],"source_content_type":"text/x-rst","patch_set":11,"id":"d7536695_ea343b3a","line":111,"in_reply_to":"716a6d43_fee115f6","updated":"2025-01-28 19:11:41.000000000","message":"Done","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"a2124756898107e4def7ce6fb278e4ed079cb418","unresolved":true,"context_lines":[{"line_number":139,"context_line":""},{"line_number":140,"context_line":".. NOTE::"},{"line_number":141,"context_line":"   It is likely this capability will be implemented via pure python with"},{"line_number":142,"context_line":"   an invocation of requests. The base protocol is well detailed and"},{"line_number":143,"context_line":"   examples exist. 
Furthermore, native python object usage will enable"},{"line_number":144,"context_line":"   appropriate authentication handling for mutli-user environments, where"},{"line_number":145,"context_line":"   doing the same with CLI tools may prove overly complex."}],"source_content_type":"text/x-rst","patch_set":11,"id":"d3a980f1_1b3602bb","line":142,"updated":"2025-01-25 17:20:40.000000000","message":"I\u0027d recommend leaving \"requests\" out of it since there\u0027s a shift towards async IO in the future which will mean a different library.","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ce18d9a17027a6b26e1b43e7f312938dc4a48226","unresolved":false,"context_lines":[{"line_number":139,"context_line":""},{"line_number":140,"context_line":".. NOTE::"},{"line_number":141,"context_line":"   It is likely this capability will be implemented via pure python with"},{"line_number":142,"context_line":"   an invocation of requests. The base protocol is well detailed and"},{"line_number":143,"context_line":"   examples exist. 
Furthermore, native python object usage will enable"},{"line_number":144,"context_line":"   appropriate authentication handling for mutli-user environments, where"},{"line_number":145,"context_line":"   doing the same with CLI tools may prove overly complex."}],"source_content_type":"text/x-rst","patch_set":11,"id":"d50b4336_f80151d7","line":142,"in_reply_to":"d3a980f1_1b3602bb","updated":"2025-01-28 19:11:41.000000000","message":"Done","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"a2124756898107e4def7ce6fb278e4ed079cb418","unresolved":true,"context_lines":[{"line_number":159,"context_line":""},{"line_number":160,"context_line":"For *service* artifact, and ultimately user artifact collection as a fallback"},{"line_number":161,"context_line":"in secure environment contexts, it is necessary for the service to support"},{"line_number":162,"context_line":"use of the docker auths configuration format. 
This will be introduced as"},{"line_number":163,"context_line":"a new OCI client configuration option which allows conductor configuration"},{"line_number":164,"context_line":"to hold a pre-shared secret."},{"line_number":165,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"227501e4_81a35d3a","line":162,"updated":"2025-01-25 17:20:40.000000000","message":"Worth a link here?","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ce18d9a17027a6b26e1b43e7f312938dc4a48226","unresolved":false,"context_lines":[{"line_number":159,"context_line":""},{"line_number":160,"context_line":"For *service* artifact, and ultimately user artifact collection as a fallback"},{"line_number":161,"context_line":"in secure environment contexts, it is necessary for the service to support"},{"line_number":162,"context_line":"use of the docker auths configuration format. 
This will be introduced as"},{"line_number":163,"context_line":"a new OCI client configuration option which allows conductor configuration"},{"line_number":164,"context_line":"to hold a pre-shared secret."},{"line_number":165,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"027fabb0_b5f532a0","line":162,"in_reply_to":"227501e4_81a35d3a","updated":"2025-01-28 19:11:41.000000000","message":"Adding.","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"a2124756898107e4def7ce6fb278e4ed079cb418","unresolved":true,"context_lines":[{"line_number":176,"context_line":"   translated to an HTTP \"GET /v2/\u003cname\u003e/blobs/\u003cdigest\u003e\" command where the"},{"line_number":177,"context_line":"   ``name`` value is the container name, and the ``digest`` is the sha256"},{"line_number":178,"context_line":"   checksum representing the blob, as referenced through the metadata."},{"line_number":179,"context_line":"   The act of retrieval for IPA would be through IPA to be provided"},{"line_number":180,"context_line":"   the direct URL to download."},{"line_number":181,"context_line":"5) The artifact will likely need to be checked for compression *prior* to"},{"line_number":182,"context_line":"   being decompressed. 
This can be handled as a minor magic byte check and"}],"source_content_type":"text/x-rst","patch_set":11,"id":"795a1999_fbf4f8d8","line":179,"updated":"2025-01-25 17:20:40.000000000","message":"I know it\u0027s obvious to Ironic contributors and users but above you use Ironic-Python-Agent almost everywhere (a few places lower case) but it\u0027d probably be good to just use it spelled out above and put ``(IPA)`` after it then use the short hand.","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ce18d9a17027a6b26e1b43e7f312938dc4a48226","unresolved":false,"context_lines":[{"line_number":176,"context_line":"   translated to an HTTP \"GET /v2/\u003cname\u003e/blobs/\u003cdigest\u003e\" command where the"},{"line_number":177,"context_line":"   ``name`` value is the container name, and the ``digest`` is the sha256"},{"line_number":178,"context_line":"   checksum representing the blob, as referenced through the metadata."},{"line_number":179,"context_line":"   The act of retrieval for IPA would be through IPA to be provided"},{"line_number":180,"context_line":"   the direct URL to download."},{"line_number":181,"context_line":"5) The artifact will likely need to be checked for compression *prior* to"},{"line_number":182,"context_line":"   being decompressed. 
This can be handled as a minor magic byte check and"}],"source_content_type":"text/x-rst","patch_set":11,"id":"b0de252a_0d590492","line":179,"in_reply_to":"795a1999_fbf4f8d8","updated":"2025-01-28 19:11:41.000000000","message":"Done","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"change_message_id":"a2124756898107e4def7ce6fb278e4ed079cb418","unresolved":true,"context_lines":[{"line_number":300,"context_line":"  }"},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"In the above context, these are intermediate pointer files, which help link"},{"line_number":303,"context_line":"the platform, os, and disk type annocation together. Below is an example of the"},{"line_number":304,"context_line":"disk image. The references lacking a ``disktype`` annotation are simply just"},{"line_number":305,"context_line":"another container filesystem layer reference."},{"line_number":306,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"980ea790_7578b1b5","line":303,"updated":"2025-01-25 17:20:40.000000000","message":"```suggestion\nthe ``platform``, ``os``, and ``disktype`` annocation together. Below is an example of the\n```\n\nSince you refer to them in that style later.","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"ce18d9a17027a6b26e1b43e7f312938dc4a48226","unresolved":false,"context_lines":[{"line_number":300,"context_line":"  }"},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"In the above context, these are intermediate pointer files, which help link"},{"line_number":303,"context_line":"the platform, os, and disk type annocation together. 
Below is an example of the"},{"line_number":304,"context_line":"disk image. The references lacking a ``disktype`` annotation are simply just"},{"line_number":305,"context_line":"another container filesystem layer reference."},{"line_number":306,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"1bff080b_f5f7ba5e","line":303,"in_reply_to":"980ea790_7578b1b5","updated":"2025-01-28 19:11:41.000000000","message":"Done","commit_id":"7048c572e75be113875f3f977d5699465dbd1b05"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"6b1c68138915f370e5e8e3002662d260807a752b","unresolved":true,"context_lines":[{"line_number":25,"context_line":"complicated to obtain access to the desired file."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"That complexity is because in a container model, the file we want, which is a"},{"line_number":28,"context_line":"qcow2 or raw image file, is inside of a filesystem layer file (z-compressed,"},{"line_number":29,"context_line":"tar format files) which then have to be mapped, extracted into a usable"},{"line_number":30,"context_line":"structure, and then navigated to extract the file. The major downside to"},{"line_number":31,"context_line":"this approach is that each time the *file* in the container is updated into"}],"source_content_type":"text/x-rst","patch_set":12,"id":"58097263_30801ac3","line":28,"updated":"2025-01-28 20:05:47.000000000","message":"nit: z-compressed is ambiguous; I assume you mean zstd? 
(There is .Z which is compress and nobody uses anymore, but this could be mistaken as a typo for \"gz\")","commit_id":"c5bee719acf7fb5e7c7a9f69d30ac06242f7cfdd"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"5fc1f44e998937c28012d3151ae76e1ac031ec58","unresolved":false,"context_lines":[{"line_number":25,"context_line":"complicated to obtain access to the desired file."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"That complexity is because in a container model, the file we want, which is a"},{"line_number":28,"context_line":"qcow2 or raw image file, is inside of a filesystem layer file (z-compressed,"},{"line_number":29,"context_line":"tar format files) which then have to be mapped, extracted into a usable"},{"line_number":30,"context_line":"structure, and then navigated to extract the file. The major downside to"},{"line_number":31,"context_line":"this approach is that each time the *file* in the container is updated into"}],"source_content_type":"text/x-rst","patch_set":12,"id":"b8e9cc76_419f82bc","line":28,"in_reply_to":"58097263_30801ac3","updated":"2025-01-29 15:06:44.000000000","message":"gz, specifically.","commit_id":"c5bee719acf7fb5e7c7a9f69d30ac06242f7cfdd"}]}
