9 posts tagged with "oras"

The ORAS Community is thrilled to announce the release of ORAS v1.3.0-beta.3! This milestone continues our vision to make managing OCI artifacts easier, faster, and more intuitive for users and developers.

This release includes new features, critical improvements, and bug fixes as we fine-tune ORAS for the upcoming stable release. Let’s dive into what’s new!

✨ What's New?​

OCI referrers is to associate additional artifacts with a container image without modifying the original image itself. Referrers are useful for software supply chain security, metadata enrichment, and artifact management.

oras discover provides structured output to show OCI referrers of a manifest in a registry or an OCI image layout. Previously, oras discover only shows direct referrers with limited metadata. Since this release, the output of oras discover has been enriched with showing all referrers recursively in all formatted outputs (tree, JSON, go-template) with annotations displayed by default. The subject manifest details is added to oras discover JSON output. It provides an informative output and ensures data consistency of different data formats in the output.

The tree view has better readability with colored-code visual effect on console as the screenshot shows below.

In addition, oras introduces an experimental --depth flag for oras discover, allowing users to specify the maximum depth of referrers in the formatted output. It avoids throttling or performance issues when a subject image has a complex referrer graph. For example, users can list the direct referrers of a subject image by specifying --depth 1 as the screenshot below.

Breaking Changes and Deprecation You Should Know​

• The global flag --no-tty flag has been removed, now available only for oras commands that need TTY behavior, improves consistency across commands.
• The property manifests has been renamed to referrers in the JSON output of oras discover
• The table output format is deprecated for oras discover

A sample output of oras discover in JSON format:

oras discover ghcr.io/kyverno/test-verify-image:signed --format json

{
  "reference": "ghcr.io/kyverno/test-verify-image@sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105",
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "digest": "sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105",
  "size": 938,
  "referrers": [
    {
      "reference": "ghcr.io/kyverno/test-verify-image@sha256:7f870420d92765b42cec0f71ee8e25bf39b692f64d95d6f6607e9e6e54300265",
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:7f870420d92765b42cec0f71ee8e25bf39b692f64d95d6f6607e9e6e54300265",
      "size": 738,
      "annotations": {
        "io.cncf.notary.x509chain.thumbprint#S256": "[\"da1f2d7d648dfacc7ebd59f98a9f35c753c331d80ca4280bb94060f4af4a5357\"]",
        "org.opencontainers.image.created": "2023-05-22T21:45:06Z"
      },
      "artifactType": "application/vnd.cncf.notary.signature"
    },
    {
      "reference": "ghcr.io/kyverno/test-verify-image@sha256:f89cb7a0748c63a674d157ca84d725ff3ac09cc2d4aee9d0ec4315e0fe92a5fd",
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:f89cb7a0748c63a674d157ca84d725ff3ac09cc2d4aee9d0ec4315e0fe92a5fd",
      "size": 699,
      "annotations": {
        "org.opencontainers.image.created": "2023-05-25T16:13:11Z"
      },
      "artifactType": "vulnerability-scan",
      "referrers": [
        {
          "reference": "ghcr.io/kyverno/test-verify-image@sha256:ec45844601244aa08ac750f44def3fd48ddacb736d26b83dde9f5d8ac646c2f3",
          "mediaType": "application/vnd.oci.image.manifest.v1+json",
          "digest": "sha256:ec45844601244aa08ac750f44def3fd48ddacb736d26b83dde9f5d8ac646c2f3",
          "size": 728,
          "annotations": {
            "io.cncf.notary.x509chain.thumbprint#S256": "[\"da1f2d7d648dfacc7ebd59f98a9f35c753c331d80ca4280bb94060f4af4a5357\"]",
            "org.opencontainers.image.created": "2023-05-25T16:19:29Z"
          },
          "artifactType": "application/vnd.cncf.notary.signature"
        }
      ]
    },
    {
      "reference": "ghcr.io/kyverno/test-verify-image@sha256:8cad9bd6de426683424a204697dd48b55abcd6bb6b4930ad9d8ade99ae165414",
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:8cad9bd6de426683424a204697dd48b55abcd6bb6b4930ad9d8ade99ae165414",
      "size": 695,
      "annotations": {
        "org.opencontainers.image.created": "2023-05-25T16:17:41Z"
      },
      "artifactType": "sbom/cyclone-dx",
      "referrers": [
        {
          "reference": "ghcr.io/kyverno/test-verify-image@sha256:61f3e42f017b72f4277c78a7a42ff2ad8f872811324cd984830dfaeb4030c322",
          "mediaType": "application/vnd.oci.image.manifest.v1+json",
          "digest": "sha256:61f3e42f017b72f4277c78a7a42ff2ad8f872811324cd984830dfaeb4030c322",
          "size": 728,
          "annotations": {
            "io.cncf.notary.x509chain.thumbprint#S256": "[\"da1f2d7d648dfacc7ebd59f98a9f35c753c331d80ca4280bb94060f4af4a5357\"]",
            "org.opencontainers.image.created": "2023-05-25T16:20:01Z"
          },
          "artifactType": "application/vnd.cncf.notary.signature"
        }
      ]
    },
    {
      "reference": "ghcr.io/kyverno/test-verify-image@sha256:aa886b475b431a37baa0e803765a9212f0accece0b82a131ebafd43ea78fa1f8",
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:aa886b475b431a37baa0e803765a9212f0accece0b82a131ebafd43ea78fa1f8",
      "size": 681,
      "annotations": {
        "org.opencontainers.artifact.description": "CycloneDX JSON SBOM"
      },
      "artifactType": "application/vnd.cyclonedx+json",
      "referrers": [
        {
          "reference": "ghcr.io/kyverno/test-verify-image@sha256:00c5f96577878d79b545d424884886c37e270fac5996f17330d77a01a96801eb",
          "mediaType": "application/vnd.oci.image.manifest.v1+json",
          "digest": "sha256:00c5f96577878d79b545d424884886c37e270fac5996f17330d77a01a96801eb",
          "size": 728,
          "annotations": {
            "io.cncf.notary.x509chain.thumbprint#S256": "[\"da1f2d7d648dfacc7ebd59f98a9f35c753c331d80ca4280bb94060f4af4a5357\"]",
            "org.opencontainers.image.created": "2023-07-10T16:55:36Z"
          },
          "artifactType": "application/vnd.cncf.notary.signature"
        },
        {
          "reference": "ghcr.io/kyverno/test-verify-image@sha256:f3dc4687f5654ea8c2bc8da4e831d22a067298e8651fb59d55565dee58e94e2d",
          "mediaType": "application/vnd.oci.image.manifest.v1+json",
          "digest": "sha256:f3dc4687f5654ea8c2bc8da4e831d22a067298e8651fb59d55565dee58e94e2d",
          "size": 728,
          "annotations": {
            "io.cncf.notary.x509chain.thumbprint#S256": "[\"da1f2d7d648dfacc7ebd59f98a9f35c753c331d80ca4280bb94060f4af4a5357\"]",
            "org.opencontainers.image.created": "2023-07-10T16:56:36Z"
          },
          "artifactType": "application/vnd.cncf.notary.signature"
        }
      ]
    },
    ...

There are a few bug fixes and a deprecated feature in this release. For a concrete changelog, please see ORAS CLI v1.3.0-beta.3 Release Notes.

Join the ORAS community​

You can follow this installation guidance to install ORAS v1.3.0-beta.3 and have a try. Feedback is crucial at this stage. If you run into issues or have suggestions, please open an issue. Join the Slack channel in CNCF and find us at oras channel.

The ORAS project maintainers are proud to announce ORAS CLI v1.2.0 and ORAS-go v2.5.0. These two releases are ready for production use. ORAS CLI v1.2.0 introduces OCI Spec v1.1.0 support, formatted output, brand-new terminal experience with progress bar, and more! This article walks you through the notable features and how these enhancements benefit ORAS users as well as the cloud-native ecosystem.

ORAS Lightweight Cloud Registry​

Setting up a centralized cloud OCI registry is sometimes too much for small scale tests and proof of concepts!
What if I told you there was a lightweight alternative?

Welcomes new owners and maintainers​

With a supermajority vote from the existing ORAS Organization Owners, we are excited to announce that Terry Howe and Andrew Block have been accepted as new ORAS Organization owners. In addition, Billy Zha and Feynman Zhou been accepted as ORAS subproject maintainers.

The OCI Registry As Storage (ORAS) project maintainers announced two releases of v0.15 for the ORAS CLI recently. ORAS v0.15.0 introduces four new top-level commands and new options to manage tags and repositories for advanced use cases. Three weeks later, ORAS 0.15.1 also released with a few known bug fixes. Since the release of v0.15, ORAS CLI has evolved into a fully functional OCI registry client.

ORAS (OCI Registry As Storage) is an important tool out there for working with OCI artifacts and OCI registries. As one of the users and advocates of ORAS, I witnessed the growing trend in both user adoption and contributions in 2022. In this blog post I will share an end-to-end scenario with OPA Gatekeeper policies and ORAS, from including the steps from bundling to deployment.

Policies are rules expressed in YAML that not only afford meeting governance requirements, but also improve the security of Kubernetes workloads and clusters. Policy engines like OPA Gatekeeper, Kyverno or even the new Kubernetes's Validating Admission Policies feature help write and enforce such policies. Once the policies are written, however, how do we easily and securely share them with different projects and teams? How do we deploy them across the fleet of clusters? How do we evaluate them as early as possible in CI/CD pipelines?

ORAS is a tool for working with OCI artifacts and OCI registries. It allows you to distribute OCI artifacts across OCI Registries. ORAS was established and open-sourced in Dec 2018 and joined CNCF as a Sandbox project in June 2021.

As you can see, ORAS has a long history and is still growing since it has an active community behind it. I was fortunate to join the ORAS community as a release manager in May 2022 and growing with the project this year. So I write this article to share the growth of the active community and project iteration that I witnessed in 2022. Let’s look back at what’s been happening this year and what we can expect in 2023 and beyond.

The OCI Registry As Storage (ORAS) project maintainers announced v0.14 release for the ORAS CLI recently. ORAS v0.14 introduces four new top-level commands and new options to manage supply chain artifacts across different container registries and multi-cloud environments.

Today, the OCI Registry As Storage (ORAS) project maintainers are happy to announce the first draft release of artifacts-spec. The artifacts-spec defines how OCI distribution-based registry users can attach references to images, helm charts, and other OCI Artifacts.