Migrate off of crane for pulling and pushing OCI images #3434
Comments
|
Both ORAS and https://github.com/containers/image seem to be reasonable alternatives to Crane. Both accept context, and seem to have more active contributions and updates. Both seem to be faster than crane, more official benchmarks to come. ORAS and "image" supports the same OCI format that Crane and Syft use. "image" supports pulling from the docker daemon while ORAS does not. ORAS does allow embedding itself into other CLIs with Cobra easily. I am not sure what our appetite for breaking changes are, but it seems to me that it might make sense to deprecate ORAS seems to at least protect the index.json while pulling concurrently, more experiments to come. Both seem to have a cache, but further testing on these caches is required, the ORAS cache is not exported for example - oras-project/oras-go#881 |
|
I would recommend you to look at regctl. |
Describe what should be investigated or refactored
Crane has been an instrumental library to Zarf. It is responsible one of the most core features of our product, pulling and pushing images. However, we've had several issues while using crane. In particular, not accepting context, concurrent pulls and caching of non container OCI images tend to cause trouble. See:
Alternatives
We should consider alternatives to fix these issues, and open ourselves up to further improvements.
Additional context
Moving off Crane will present challenges. Crane also supports the oci-dir format, which syft uses to scan images local, this is how SBOMs are created during
zarf package create. The Crane CLI is embedded directly into Zarf, removing it entirely will no doubt cause a breaking change in the workflow of some users. The Crane CLI has functionality to pull images from the local Docker daemon which would need replacement as wellThe text was updated successfully, but these errors were encountered: