New, modernized labels of EuroLinux container images

We have been supporting our clients with open container solutions for many years. Our golden standard is to publish containers that are being rebuilt, tested and delivered for the whole community in regular cycles. In line with our internal policy, we build containers not only for our company’s solutions, but for other Enterprise Linux systems as well. This way, organizations are able to utilize a single source of updated container images with a stable lifecycle.

EuroLinux belongs to the "light side of the Force": it gives its users the complete recipe for how a container has been prepared (the Dockerfile, in the containers-rfc repository) and, just as importantly, doesn't artificially cut out the build history. Together with all the files, which are openly accessible, this makes it possible to create a reproducible container in any environment, your own way, and then compare it with the containers from the registries. This increases both the security and the transparency of the solution, since an administrator can test not only the container itself, statically and dynamically, but its build process as well.

An example for the EuroLinux 8 image:

[Alex@SpaceShipEL8 ~]$ podman image history eurolinux-8:latest
ID            CREATED      CREATED BY                                     SIZE        COMMENT
713ceb415c6c  3 weeks ago  CMD ["/bin/bash"]                              0 B         buildkit.dockerfile.v0
    3 weeks ago  ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true           0 B         buildkit.dockerfile.v0
    3 weeks ago  LABEL org.label-schema.schema-version=1.0 ...  0 B         buildkit.dockerfile.v0
    3 weeks ago  LABEL maintainer=Aleksander Baranowski     
    3 weeks ago  ADD eurolinux-8.tar.gz / # buildkit            252 MB      buildkit.dockerfile.v0

A similar UBI image by Red Hat:

[Alex@SpaceShipEL8 ~]$ podman image history ubi8:latest
ID            CREATED      CREATED BY  SIZE     COMMENT
552ac8ae4291  10 days ago              20.5 kB
              10 days ago              235 MB   Imported from -

Among other things, labels are visible in the build history of EuroLinux containers. A label in the context of containers, and Kubernetes in particular, is a key-value pair that allows grouping, filtering, sorting and managing resources. Without a doubt, container images are one of the more important aspects of Kubernetes. That's why it's so important that they have at least generally standardized labels.

Historical background of labels

In ancient times (considering the rate of container development), that is about 4 years ago, when we were building our first containers, the preferred way of labeling images was the one proposed by the community label-schema project in its last version, Release Candidate 1. Today the OCI (Open Container Initiative) project suggests an approach that is the de facto standard and is described in the official repository of the container image specification: Open Containers Initiative – Image Specification.

Sample EuroLinux 8 labels before changes, based on label-schema at that time:

[Alex@SpaceShipEL8 ~]$ podman inspect eurolinux-8:latest --format json | jq '.[0].Labels'
{
  "maintainer": "Aleksander Baranowski <****@euro-linux.com> (@AlexBaranowski)",
  "org.label-schema.build-date": "20220303",
  "org.label-schema.license": "GPLv2",
  "org.label-schema.name": "EuroLinux 8",
  "org.label-schema.schema-version": "1.0",
  "org.label-schema.url": "https://euro-linux.com",
  "org.label-schema.vcs-url": "https://github.com/EuroLinux/containers-rfc",
  "org.label-schema.vendor": "System - EuroLinux; Image - EuroLinux"
}

Below we present a modernized approach that has long been in use by CentOS Stream, among others. This example shows the labels of the newest CentOS Stream 8 version at the time of writing this article:

[Alex@SpaceShipEL8 ~]$ podman inspect centos:stream8 --format json | jq '.[0].Labels'
{
  "architecture": "x86_64",
  "build-date": "2022-03-08T13:06:07.436525",
  "com.redhat.build-host": "cpt-1006.osbs.prod.upshift.rdu2.redhat.com",
  "com.redhat.component": "centos-stream-container",
  "com.redhat.license_terms": "https://centos.org/legal/licensing-policy/",
  "description": "CentOS Stream is a continuously delivered distro that tracks just ahead of Red Hat Enterprise Linux development. This image takes the Red Hat UBI and layers on content from CentOS Stream",
  "distribution-scope": "public",
  "io.buildah.version": "1.19.8",
  "io.k8s.description": "The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly.",
  "io.k8s.display-name": "CentOS Stream 8",
  "io.openshift.expose-services": "",
  "io.openshift.tags": "base centos centos-stream",
  "maintainer": "The CentOS Project",
  "name": "centos-stream",
  "release": "236",
  "summary": "Provides a CentOS Stream container based on the Red Hat Universal Base Image",
  "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/images/8.5-236",
  "vcs-ref": "3aadd00326f3dd6cfe65ee31017ab98915fddb56",
  "vcs-type": "git",
  "vendor": "Red Hat, Inc.",
  "version": "8"
}

Unfortunately, not all Enterprise Linux distributions care about proper labeling. Let’s analyze a sample Oracle Linux 8 container. First, let’s download it from Oracle’s official container registry:

[Alex@SpaceShipEL8 ~]$ podman pull oraclelinux:8
Resolved "oraclelinux" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull container-registry.oracle.com/os/oraclelinux:8...
Getting image source signatures
Copying blob 00e01bb8b231 done
Copying config c23ed56a96 done
Writing manifest to image destination
Storing signatures
c23ed56a96930c584033d69e8bd3846122df20f12c1869fa9d04f385c0293adc

Next, let’s check its labels – or rather the lack of them :-)

[Alex@SpaceShipEL8 ~]$ podman inspect oraclelinux:8 --format json | jq '.[0].Labels'
[Alex@SpaceShipEL8 ~]$ podman inspect oraclelinux:8 | grep -i label
        "Labels": null,

Changes in EuroLinux labels

As we wrote before, the standard of container labels changed. Due to modernization, we introduced the following enhancements:

  • maintainer has been moved into the same layer as the other labels. Furthermore, the contact e-mail address has been changed to a more generic one.
  • org.label-schema.schema-version="1.0" has been removed
  • org.label-schema.name -> name – the container name in the `name` label now corresponds to the name used on the command line. For example, Rocky 8 has been changed to rocky-8
  • org.label-schema.vendor -> vendor
  • org.label-schema.url -> url
  • org.label-schema.vcs-url -> source
  • org.label-schema.license -> licenses – it’s worth noting that `license` did not exist in the label-schema standard. It was, however, sometimes present in guides
  • org.label-schema.build-date -> created
  • the architecture label has been added
  • the version label has been added
  • the description label has been added
  • the summary label has been added
  • the io.k8s.display-name label has been added
  • the io.k8s.description label has been added
  • the io.openshift.tags label has been added.

It's also worth noting that the name label should now be called title. However, because the former name is widely used in places such as certification guides (like this entry by Red Hat), we are not changing it.
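The change list above, applied as a label migration and audit over `podman inspect` output. This is an added example, not EuroLinux code: the function names, the treatment of the listed labels as a required set, and the rule that turns the old name value into its command-line form are assumptions.

```python
import json

# Renames from the change list above (label-schema key -> new key).
PREFIX = "org.label-schema."
RENAMES = {"name": "name", "vendor": "vendor", "url": "url",
           "vcs-url": "source", "license": "licenses", "build-date": "created"}
DROPPED = {"schema-version"}
# Assumed required set: maintainer, the renamed keys, the labels listed as added.
REQUIRED = sorted({"maintainer", *RENAMES.values(), "architecture", "version",
                   "description", "summary", "io.k8s.display-name",
                   "io.k8s.description", "io.openshift.tags"})

def labels_from_inspect(text):
    """Return .[0].Labels from `podman inspect --format json`; null -> {}."""
    images = json.loads(text)
    return (images[0].get("Labels") or {}) if images else {}

def migrate(labels):
    """Rename label-schema keys; all other keys pass through unchanged."""
    out = {}
    for key, value in labels.items():
        short = key[len(PREFIX):] if key.startswith(PREFIX) else None
        if short in DROPPED:
            continue
        if short == "name":  # assumption: CLI form, "Rocky 8" -> "rocky-8"
            value = value.lower().replace(" ", "-")
        out[RENAMES.get(short, key)] = value
    return out

def audit(labels):
    """Return (missing required labels, leftover label-schema keys)."""
    missing = [k for k in REQUIRED if not labels.get(k)]
    legacy = sorted(k for k in labels if k.startswith(PREFIX))
    return missing, legacy

# Inspect output cut down to Labels; values are the article's old EuroLinux 8 labels.
OLD_EL8 = json.dumps([{"Labels": {
    "maintainer": "Aleksander Baranowski <****@euro-linux.com> (@AlexBaranowski)",
    "org.label-schema.build-date": "20220303",
    "org.label-schema.license": "GPLv2",
    "org.label-schema.name": "EuroLinux 8",
    "org.label-schema.schema-version": "1.0",
    "org.label-schema.url": "https://euro-linux.com",
    "org.label-schema.vcs-url": "https://github.com/EuroLinux/containers-rfc",
    "org.label-schema.vendor": "System - EuroLinux; Image - EuroLinux",
}}])
NO_LABELS = '[{"Labels": null}]'  # the oraclelinux:8 result shown earlier

if __name__ == "__main__":
    print(audit(migrate(labels_from_inspect(OLD_EL8))))
```

After migration the old EuroLinux 8 labels carry no label-schema keys, and the audit reports the seven labels that the new scheme adds as still missing; an image with `"Labels": null` fails on every required label.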

Updated labels with EuroLinux 7 as an example

[Alex@SpaceShipEL8 ~]$ podman inspect eurolinux-7 --format json | jq '.[0].Labels'
{
  "architecture": "x86_64",
  "created": "20220327",
  "description": "Provides EuroLinux 7 Base Container",
  "io.k8s.description": "Provides EuroLinux 7 Base Container",
  "io.k8s.display-name": "EuroLinux 7 Base Container",
  "io.openshift.tags": "base eurolinux",
  "licenses": "GPLv2",
  "maintainer": "EuroLinux Containers team <******@euro-linux.com>",
  "name": "eurolinux-7",
  "source": "https://github.com/EuroLinux/containers-rfc",
  "summary": "EuroLinux 7 Base Container",
  "url": "https://euro-linux.com",
  "vendor": "EuroLinux",
  "version": "7"
}

Sample Dockerfile (AlmaLinux 8) before and after the change

As mentioned earlier, we publish all the Dockerfiles and the files that make up a container in our Git repositories. This is also the place where one can submit suggestions and enhancement requests (RFC – Request For Change) as well as bug reports.

AlmaLinux 8 Dockerfile before the change:

FROM scratch
ADD almalinux-8.tar.gz /

LABEL maintainer="Aleksander Baranowski <****@euro-linux.com> (@AlexBaranowski)"
LABEL org.label-schema.schema-version="1.0" \
  org.label-schema.name="AlmaLinux 8" \
  org.label-schema.vendor="System - AlmaLinux; Image - EuroLinux" \
  org.label-schema.url="https://euro-linux.com" \
  org.label-schema.vcs-url="https://github.com/EuroLinux/containers-rfc" \
  org.label-schema.license="GPLv2" \
  org.label-schema.build-date="$(date +%Y%m%d)"

CMD ["/bin/bash"]

Dockerfile AlmaLinux 8 after changes:

FROM scratch
ADD almalinux-8.tar.gz /

LABEL maintainer="EuroLinux Containers team <******@euro-linux.com>" \
  name="almalinux-8" \
  vendor="System - AlmaLinux; Image - EuroLinux" \
  url="https://euro-linux.com" \
  source="https://github.com/EuroLinux/containers-rfc" \
  licenses="GPLv2" \
  created="20220327" \
  architecture="x86_64" \
  summary="AlmaLinux 8 Base Container" \
  description="Provides AlmaLinux 8 Base Container" \
  version="8" \
  io.k8s.display-name="AlmaLinux 8 Base Container" \
  io.k8s.description="Provides AlmaLinux 8 Base Container" \
  io.openshift.tags="base almalinux"

CMD ["/bin/bash"]

Summary

Even though labels may not mean much to many end users, they do have a certain set of uses, in particular when it comes to orchestrators such as Kubernetes or OpenShift, which is based on the former. The label-related changes have been introduced mostly for the people who work with these solutions.

Bibliography / worth reading

https://github.com/opencontainers/image-spec/blob/main/annotations.md
https://developers.redhat.com/articles/2021/11/11/best-practices-building-images-pass-red-hat-container-certification
https://snyk.io/blog/how-and-when-to-use-docker-labels-oci-container-annotations/
https://github.com/label-schema/label-schema.org
