For several years now container images have been shipped with gzip format compression, first designed by Docker. But the OCI Container Image Format supports zstd and zstd:chunked format as well. Not only is this a better compression format, which should speed up image pulls, but zstd:chunked will allow container tools like Podman, Buildah and CRI-O to pull only the files that have changed in an image rather than the entire image. This should greatly reduce the time to pull an image.
We are switching the default for podman in Fedora 41 to push images in zstd:chunked format.
All current container tools support zstd:chunked format, including Podman, CRI-O, Buildah, Containerd, and Docker. Docker began supporting zstd:chunked in March of 2023.
All of the other container engines began supporting it back in 2020 or earlier.
One problem with changing this format for Fedora based images would be Docker versions older than 2023. If this is considered too big of an issue, there is a way to have images which include both the older gzip format and zstd:chunked format. Podman, Buildah, CRI-O will pull the newer format, and Docker and containerd would pull the older gzip format, meaning these tools would not see the improvement with the new compression algorithm. One issue with supporting both formats is that image sizes will grow to slightly less than 2X in size at the registry. This should not affect pulling for those using the traditional gzip format.
I love how open source software becomes more sustainable and efficient over time!
Is there some kind of analysis of what hosts run Fedora Containers? There would absolutely be use cases on Debian 11 or 12, or the old supported RHEL versions.
Would it be possible to rename the gzipped container images, and contact the distros that use them, to contact their users to switch the images?
People deploying Fedora containers should be the folks that respond to such messages and switch the containers.
That duplicated size doesn’t seem like a good option.
You can associate the same image twice to a manifest list, and as long as the first one is gzip then older tools will pull that. Podman and friends are smart enough to look for the zstd:chunked version first, and then fall back to the gzip version.
Yes, as Dan mentioned there is a way to include both. The OCI image spec mentions that “if multiple manifests match a client or runtime’s requirements, the first matching entry SHOULD be used”.
To remain backwards compatible, the “trick” is to have the image with gzip-compressed layers before the zstd one. This way, old clients will pick the gzip one while newer clients are smart enough to pick the zstd one.
IIUC it means that for example for fedora:latest we will have a manifest list with:
x86 - gzip
x86 - zstd
aarch64 - gzip
aarch64 - zstd
ppc64le - gzip
ppc64le - zstd
s390x - gzip
s390x - zstd
Also, just to make it visible, the images hosted on DockerHub won’t have the zstd support since we don’t push these images to the registry. Docker is building the images and pushing them themselves.
So who is in charge of pushing these images? Would love to meet with them and attempt to create one image, that we could then test with Podman and Docker to make sure they both work. Even with an older version of Docker, perhaps on Ubuntu or something.
--compression-format gzip --add-compression zstd will push a manifest list with each instance being compressed with gzip plus an additional variant of each instance being compressed with zstd.
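The ordering rule discussed in this thread (per architecture, the gzip entry listed before the zstd one), as an added example that is not part of any post or of Podman's own code: a simplified Python model of a first-match client and a zstd-preferring client run over a constructed image index, plus a check that flags architectures where an older client would not receive gzip. Digests are placeholders, the function names are hypothetical, and architectures use the OCI spellings (amd64, arm64).

```python
GZIP = "application/vnd.oci.image.layer.v1.tar+gzip"
ZSTD = "application/vnd.oci.image.layer.v1.tar+zstd"

def build(order):
    """Constructed sample: an index plus the manifests it references.
    order is a list of (architecture, layer media type); digests are placeholders."""
    index, manifests = {"schemaVersion": 2, "manifests": []}, {}
    for n, (arch, layer_type) in enumerate(order):
        digest = f"sha256:PLACEHOLDER-{n}"
        index["manifests"].append({
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": digest,
            "platform": {"os": "linux", "architecture": arch}})
        manifests[digest] = {"layers": [{"mediaType": layer_type}]}
    return index, manifests

def compression(manifest):
    """Classify a manifest by the media type suffix of its layers."""
    kinds = {l["mediaType"].rsplit("+", 1)[-1] for l in manifest["layers"]}
    return kinds.pop() if len(kinds) == 1 else "mixed"

def matching(index, arch):
    """Index entries for linux/<arch>, in the order the index lists them."""
    return [m for m in index["manifests"]
            if m["platform"] == {"os": "linux", "architecture": arch}]

def pick_first_match(index, arch):
    """Older client: takes the first entry that matches its platform."""
    return matching(index, arch)[0]["digest"]

def pick_prefer_zstd(index, manifests, arch):
    """Newer client (simplified model): prefers a zstd instance, else first match."""
    cands = matching(index, arch)
    zstd = [m for m in cands if compression(manifests[m["digest"]]) == "zstd"]
    return (zstd or cands)[0]["digest"]

def misordered(index, manifests):
    """Architectures where a first-match client would not receive gzip."""
    archs = dict.fromkeys(m["platform"]["architecture"] for m in index["manifests"])
    return [a for a in archs
            if compression(manifests[pick_first_match(index, a)]) != "gzip"]

ARCHS = ["amd64", "arm64", "ppc64le", "s390x"]
GOOD = build([(a, t) for a in ARCHS for t in (GZIP, ZSTD)])  # gzip listed first
BAD = build([(a, t) for a in ARCHS for t in (ZSTD, GZIP)])   # zstd listed first
```

`misordered(*GOOD)` returns an empty list, while `misordered(*BAD)` returns every architecture, which is the case an older first-match client would fail on.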