Docker images support "foreign layers", which allow pulling layer contents from locations outside the registry serving the image manifest.
This has historically mainly been used to serve Windows image layers from Microsoft-owned servers, to avoid licensing issues with distributing Windows layers to everybody's registries.
Instead of pulling Windows layers from my.registry.com, the manifest tells docker pull
to fetch from mcr.microsoft.com/...
instead.
This experiment (ab)uses foreign layers to fetch Ubuntu rootfs layer tarballs from upstream sources on canonical.com, instead of packaging them up into tarballs and pushing them to registries, like the official ubuntu
does.
This doesn't currently work, and even if it did, it probably wouldn't be a good idea to have every client pulling ubuntu
to hit Canonical's servers to get it.
$ go run ./
gcr.io/imjasonh/fl@sha256:bdad0434111344074600d2b22fb48f12b872ce13a285b188d167bbbab78f56f2
$ crane manifest $(go run ./)
...
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
"size": 29539783,
"digest": "sha256:f7d193700113bc4a44551cda1a509802f85978a6ea11f0f40e733de33a2b121a",
"urls": [
"https://partner-images.canonical.com/oci/impish/20211207/ubuntu-impish-oci-amd64-root.tar.gz"
]
}
]
...
$ docker pull $(go run ./)
gcr.io/imjasonh/fl@sha256:bdad0434111344074600d2b22fb48f12b872ce13a285b188d167bbbab78f56f2: Pulling from imjasonh/fl
f7d193700113: Downloading
unknown blob
💥