support zstd as archive format #28394
Comments
cpuguy83
added
area/distribution
kind/enhancement
|
I can't believe this hasn't had more love yet. This would surely make pushing and pulling quite a bit faster. |
|
I don't think separate dictionaries are useful unless the content you are compressing is very small. The primary benefit of zstd is its very rapid compression and decompression (GB/sec), while also maintaining compression ratios similar to that of zlib for a variety of inputs. |
|
Link: OCI Image Spec added support for zstd recently: opencontainers/image-spec#788 This is already implemented by containerd, but still not implemented by Docker/Moby. |
|
Adding this to 20.03. It would be nice to be able to decompress zstd layers at least. |
|
is this issue closed by containerd/containerd#4809? |
|
No, because the containerd image store is not (yet) used; it's still separate |
|
opened a PR to support extracting zstd layers: #41759 Is it enough to close the issue or do we need write support as well? |
|
We could not load a docker image by: docker load image.tar.zstdbut we could use: zstdcat image.tar.zstd | docker loador zstd -dcf image.tar.zstd | docker loadYou need |
Do we need a separate issue open to track adding support to |
|
It would be great to be able to build and push zstd compressed images via moby. We do see the increasing demands of building and distributing images in zstd format due to the performance benefits. But the lack of toolchain supporting is the main blocker of the adoption among our customers. Is it likely to be supported? |
|
I believe this should be supported in the 22.06 beta release. |
Will 22.06 support building and pushing scenario as well? I thought it only supports decompressing zstd layers, rather than building/distributing. |
|
|
|
Thanks for the info. I did experiment the buildx approach. With buildx the newly built zstd image must be pushed to remote registry with the Currently it seems that there is no native support in Moby to distribute (docker push) layers in any other format apart from gzip. This makes it hard for scenarios like pull and push. Additionally a lot of our customers rely on native docker build instead of buildx. My question is that will Moby add support of the scenarios described above in the near future? Thanks! |
|
In 22.06
|
|
Any update on this ? we use zstd + containerd on production system and would like to be able to debug some images locally |
|
@thaJeztah Thoughts on this? |
A With the pre-containerd image store ("graphdrivers"), images are stored uncompressed, and image-layers as pulled from the registry are discarded after they've been pulled. When pushing an image, existing layers in the registry are skipped, and layers that don't exist in the registry are compressed during pull. Effectively, this means that the artifacts/layers that are "distributed" through the registry are created during With the containerd image store integration ("snapshotters"), the situation is different; containerd stores BOTH the compressed ("distributed") and extracted content / layers. When pushing an image to a registry, no compression happens, as the compressed layers already exist. This means that push/pull is fully reproducible, at the cost of additional storage. If a |
|
Do you have a sense of the timeline/transition plan for eventually making zstd compression the default? I presume due to backwards compatibility concerns this couldn't happen for some time (until support was dropped for Docker <23-24). Or alternatively, are there plans to start dual-publishing popular images to Docker Hub using both the legacy compression formats and zstd (to the same repo; presuming this is supported via the same manifests approach used by multi-arch images?), so newer clients could at least benefit from zstd in the meantime? |
All these questions were already solved in other tools that operate on images, including the options to (not) recompress already existing things. I'm not sure how
Please, no. People want to switch to zstd because gzip is slow. Pushing gzip and zstd would be even slower. |
No plans / nothing decided on yet.
No, that's a big issue; there's no such option currently that allows "dual" formats, and probably should've been a reason to reject the changes in the OCI specs pending that. See a more in-depth discussion on opencontainers/image-spec#803
This would be a feature when the containerd image-store (snapshotters) are used, not when using graphdrivers. |
I think you misunderstood. I wasn't proposing that the Docker CLI enable dual pushing by default, but instead that some of the popular "official" Docker Hub images (eg https://hub.docker.com/_/ubuntu/ and the rest) be dual published via their automated publishing pipelines, so downstream consumers of those images (eg myself, yourself) could at least benefit from zstd in the meantime when pulling from those repos.
Ah understood - than you for the discussion link. |
|
How I verify that Will this work with graphdriver or only with Will it still use zstd if I split this into two steps? Will this work with graphdriver?
And what about Windows images? Are you sure it is a good idea to tie zstd and |
|
@slonopotamus "docker push" will still use gzip. The --output line needs "push=true", but this preempts local storage, apparently. This was my question above. Image-tools inspections seems to still report gzip for all layers maybe from some previous build? It's not clear how to confirm that the output of the build actually used zstd because it's not clear where the output can even be found on the local system. |
|
We're going to be leaving this issue closed, then? |
Unless I'm misunderstanding something you will need I would recommend taking a look at buildx and buildkit (which buildx essentially wraps):
I would note that the next version of containerd will support igzip which while still slower than zstd on decompression is at least not that much slower. |
I fully wiped local storage and did Additionally, |
Docker devs say Docker is already able to push zstd images, but nobody in current thread was able to reproduce that yet. |
|
You'll need
A better way to check is to see the mediatype of the image layers, and not the mediatype of the manifest.
While we ultimately switched to using buildkit directly for image building I do know that I did have buildx working with building zstd images prior to the switch. I'm not in front of the scripts for that or I'd give you the exact options to use, but it does work if you use the right options. |
I'm not sure how to do that. Nope, even with |
I can reproduce. Dockerfile: # The base image layers remain gzip by default.
# Specify force-compression=true to override this.
# ( See https://github.com/moby/buildkit/tree/v0.12.3#output )
FROM alpine
# compression=zstd applies to the layers below
RUN apk add neofetchBuild steps: $ docker buildx create --use
nervous_clarke
$ docker buildx build --output type=image,name=akihirosuda/tmp-zstd-demo,oci-mediatypes=true,compression=zstd,push=true .
[+] Building 19.6s (9/9) FINISHED docker-container:nervous_clarke
=> [internal] booting buildkit 8.8s
=> => pulling image moby/buildkit:buildx-stable-1 8.0s
=> => creating container buildx_buildkit_nervous_clarke0 0.7s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 282B 0.0s
=> [internal] load metadata for docker.io/library/alpine:latest 2.6s
=> [auth] library/alpine:pull token for registry-1.docker.io 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [1/2] FROM docker.io/library/alpine:latest@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978 0.6s
=> => resolve docker.io/library/alpine:latest@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978 0.0s
=> => sha256:96526aa774ef0126ad0fe9e9a95764c5fc37f409ab9e97021e7b4775d82bf6fa 3.40MB / 3.40MB 0.4s
=> => extracting sha256:96526aa774ef0126ad0fe9e9a95764c5fc37f409ab9e97021e7b4775d82bf6fa 0.1s
=> [2/2] RUN apk add neofetch 2.0s
=> exporting to image 5.4s
=> => exporting layers 0.1s
=> => exporting manifest sha256:a607b80f464e110b979794febc11f60a3033213e37a282f99d0500cc28dbe845 0.0s
=> => exporting config sha256:5c2effb34fa9ba83d127ef6f730ba0adb5610117e5f144e49c922dc7948c28a3 0.0s
=> => exporting attestation manifest sha256:baed245d68a2bcf1c81151836804b56289a77a0de7c4459901d7438cb3269761 0.0s
=> => exporting manifest list sha256:c4a84a6dcc48aaf672db01432bd91442f2c0a996620440a32f9613c09f68f5de 0.0s
=> => pushing layers 3.5s
=> => pushing manifest for docker.io/akihirosuda/tmp-zstd-demo:latest@sha256:c4a84a6dcc48aaf672db01432bd91442f2c0a996620 1.7s
=> [auth] akihirosuda/tmp-zstd-demo:pull,push token for registry-1.docker.Confirmation:
$ docker buildx imagetools inspect --raw akihirosuda/tmp-zstd-demo@sha256:a607b80f464e110b979794febc11f60a3033213e37a282f99d0500cc28dbe845
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"digest": "sha256:5c2effb34fa9ba83d127ef6f730ba0adb5610117e5f144e49c922dc7948c28a3",
"size": 812
},
"layers": [
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:96526aa774ef0126ad0fe9e9a95764c5fc37f409ab9e97021e7b4775d82bf6fa",
"size": 3401967
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+zstd",
"digest": "sha256:38e95ff4e4d377377e6391ce1bfa253e415b7623e12e90e76f6feb9f948169c0",
"size": 2780349
}
]
}Docker version $ docker version
Client: Docker Engine - Community
Version: 24.0.7
API version: 1.43
Go version: go1.20.10
Git commit: afdd53b
Built: Thu Oct 26 09:07:41 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 24.0.7
API version: 1.43 (minimum version 1.12)
Go version: go1.20.10
Git commit: 311b9ff
Built: Thu Oct 26 09:07:41 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.25
GitCommit: d8f198a4ed8892c764191ef7b3b06d8a2eeb5c7f
runc:
Version: 1.1.10
GitCommit: v1.1.10-0-g18a0cb0
docker-init:
Version: 0.19.0
GitCommit: de40ad0
$ docker info
Client: Docker Engine - Community
Version: 24.0.7
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.11.2
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.21.0
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 1
Running: 1
Paused: 0
Stopped: 0
Images: 1
Server Version: 24.0.7
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d8f198a4ed8892c764191ef7b3b06d8a2eeb5c7f
runc version: v1.1.10-0-g18a0cb0
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 5.15.0-86-generic
Operating System: Ubuntu 22.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.818GiB
Name: lima-docker-rootful
ID: 2ee359ad-2cf5-4c9b-ae65-f572cbc5628b
Docker Root Dir: /var/lib/docker
Debug Mode: false
Username: akihirosuda
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false |
|
As an evidence, posting the result of $ docker buildx build --output type=image,name=akihirosuda/tmp-zstd-demo:force-compression,oci-mediatypes=true,compression=zstd,push=true,force-compression=true .
[+] Building 6.9s (8/8) FINISHED docker-container:nervous_clarke
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 282B 0.0s
=> [internal] load metadata for docker.io/library/alpine:latest 1.4s
=> [auth] library/alpine:pull token for registry-1.docker.io 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [1/2] FROM docker.io/library/alpine:latest@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978 0.0s
=> => resolve docker.io/library/alpine:latest@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978 0.0s
=> CACHED [2/2] RUN apk add neofetch 0.0s
=> exporting to image 5.4s
=> => exporting layers 0.1s
=> => exporting manifest sha256:71bedc0a7b811473156f170e4de7f0dbbc3b2ab5433a3d671c93416448132833 0.0s
=> => exporting config sha256:5c2effb34fa9ba83d127ef6f730ba0adb5610117e5f144e49c922dc7948c28a3 0.0s
=> => exporting attestation manifest sha256:6e6fe413c2e9eb25f28b37c12a03c18c9aca517964565ae936e6aa13f80494dc 0.0s
=> => exporting manifest list sha256:59baa7c0cbca27952dfdf0899115f8cef8ea53e33c238e6518c35223f949474a 0.0s
=> => pushing layers 3.4s
=> => pushing manifest for docker.io/akihirosuda/tmp-zstd-demo:force-compression@sha256:59baa7c0cbca27952dfdf0899115f8cef8ea53e33c238e6518c35223f949474a 1.9s
=> [auth] akihirosuda/tmp-zstd-demo:pull,push token for registry-1.docker.io
$ docker buildx imagetools inspect --raw akihirosuda/tmp-zstd-demo:force-compression@sha256:71bedc0a7b811473156f170e4de7f0dbbc3b2ab5433a3d671c93416448132833
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"digest": "sha256:5c2effb34fa9ba83d127ef6f730ba0adb5610117e5f144e49c922dc7948c28a3",
"size": 812
},
"layers": [
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+zstd",
"digest": "sha256:0bc1f746077d47db5c749b0e66ec2362d12462280b31bdace073d41be181e68e",
"size": 3432705
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+zstd",
"digest": "sha256:38e95ff4e4d377377e6391ce1bfa253e415b7623e12e90e76f6feb9f948169c0",
"size": 2780349
}
]
} |
You need to run |
I did that. Though I don't see how |
busybox layer is gzip (because its unchanged) and the layer created by |
|
I did something and it started to work. Most likely buildx builder was not used for some reason. It it possible to prevent pushed image to be wrapped with
P.S. I still think it is too much invasive to force all these things on users instead of just |
Likely you are building and pushing a multi-arch image for some reason.
I think you misunderstand.
That sounds like a personal opinion that doesn't have any basis in reality. Zstd compression support was implemented into Buildkit directly and support for it is only available through buildkit/buildx. You cannot have zstd-compressed images without buildx. You must specify OCI mediatypes because the Docker mediatype doesn't support zstd compression. Like it or not you are trying to use advanced features that are still relatively new here, and so advanced configuration is expected at this stage. There is a lot of room for improved UX around this and that will come with time. As you are seeing zstd support is still fairly new in the ecosystem and there's still a lot of work to be done. This issue is specifically dealing with Docker supporting zstd-compressed images for pushing and pulling, which it does. Issue should remain closed.
Sounds like a problem with Gitlab Registry. We use it too and these images do still work on pulling/pushing even if the webui doesn't pretty-print the metadata for tags with multi-image manifests like this. |
Nope, it is single-arch, but I do have |
|
Just in case, this is how manifest looks like: |
Yes, with |
Thanks, that worked! |
|
You almost need a PhD to use Zstd with Docker 😂 |
|
Except most Docker users are completely oblivious to these levels.
We need tee-shirts. Something wordy that ends with "and all I got was this
stupid algorithm." :)
…On Wed, Nov 22, 2023, 18:20 Juan Calderon-Perez ***@***.***> wrote:
You almost need a PhD to use Zstd with Docker 😂
—
Reply to this email directly, view it on GitHub
<#28394 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAFOW2TMVAOU2RZ7XD2PHG3YF2CCHAVCNFSM4CWGEH72U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCOBSGM3DCOBZGE2Q>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Is there some way to retain the layers and apply the tag(s) when not pushing? Currently, in order to debug/validate the build process, "push" needs to be "true". |
|
You can't without the containerd integration enabled. With graphdrivers the layers are stored in the uncompressed form so it doesn't matter what compression you set when building that image, it will have no compression when loaded into Docker. With containerd image store, the image is stored both in the original form (unmodified image content blobs) and uncompressed (snapshots). That means that pushing the image no longer recreates the image manifest, but transfers the original image form instead. Currently Docker doesn't expose the raw image content directly, but you can use for example the # force-compression=true is needed to force recompression of the busybox layer which is gzip compressed
# otherwise only new layers would get compressed with zstd (and in this example we don't create any new layers because we don't have any `ADD` or `COPY` instruction)
$ echo 'FROM busybox' | docker buildx build --output type=image,compression=zstd,force-compression=true -t my-image -
[+] Building 0.1s (5/5) FINISHED docker:desktop-linux
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 50B 0.0s
=> [internal] load metadata for docker.io/library/busybox:latest 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> CACHED [1/1] FROM docker.io/library/busybox:latest@sha256:3fbc632167424a6d997e74f52b878d7cc478225cffac6bc977eedfe51c7f4e79 0.0s
=> => resolve docker.io/library/busybox:latest@sha256:3fbc632167424a6d997e74f52b878d7cc478225cffac6bc977eedfe51c7f4e79 0.0s
=> exporting to image 0.0s
=> => exporting layers 0.0s
=> => exporting manifest sha256:bdb6b6d656ed78eedf98d556213825dbc52fc5e1bc4e41499de3011964deb18a 0.0s
=> => exporting config sha256:037035b971fe4ba8cfd47ffb6000e02ab063ea90362e4811c9625df947270cd5 0.0s
=> => exporting attestation manifest sha256:c4a54e5dee008e8ae1bbb9ce79db12417bdd2347375f122327c724e071a0b2f2 0.0s
=> => exporting manifest list sha256:466184b4ad471bbba3bfc4cbf226e92c1e4f07e480417836c9343994b4053e67 0.0s
=> => naming to docker.io/library/my-image:latest 0.0s
=> => unpacking to docker.io/library/my-image:latest 0.0s
View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/wo1qe8u25llwq2rxfhpxwzbgu
$ ctr -n moby content get sha256:bdb6b6d656ed78eedf98d556213825dbc52fc5e1bc4e41499de3011964deb18a
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"digest": "sha256:037035b971fe4ba8cfd47ffb6000e02ab063ea90362e4811c9625df947270cd5",
"size": 605
},
"layers": [
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+zstd",
"digest": "sha256:45107fed83aca2fe20442edf446c0d63732f7ae0553232bd3aa39d314ddb7f0c",
"size": 1951598
}
]
}
$ ctr -n moby content get sha256:45107fed83aca2fe20442edf446c0d63732f7ae0553232bd3aa39d314ddb7f0c | file -
/dev/stdin: Zstandard compressed data (v0.8+), Dictionary ID: None
|
|
Sorry. Yes. I'm referring to a containerd-enabled context. Thanks for the example, as well as bringing the ctr command to my general awareness. |
in addition to the currently supported archive formats zip, bz2 and tar.gz, it would be great to add support for the free and open ZSTD compression recently open sourced by Facebook.
The format provides excellent compression and speed, and is already supported by a variety of standard tools.
zstd on Github
related article
The text was updated successfully, but these errors were encountered: