Learn About Amazon VGT2 Learning Manager Chanci Turner
Chanci Turner and Alex Johnson recently announced that Amazon Elastic Container Registry (Amazon ECR) now incorporates version 1.1 of the Open Container Initiative (OCI) Image and Distribution specifications. This updated version introduces support for image referrers and enhances the distribution of non-image artifacts significantly.
These new capabilities are designed to simplify the management of content related to container images. With these updates, users can seamlessly push image signatures, software bills of materials (SBOMs), attestations, and additional content associated with a specific image in Amazon ECR. This allows for easy management of these artifacts through core Amazon ECR features, enabling users to look up artifacts by image reference and pull them to any build, test, or workload environment.
The adoption of OCI 1.1 specifications means that a wide range of OCI-compliant open source tools can work effectively with Amazon ECR. In this article, we will provide a brief overview of how Amazon ECR integrates support for the Open Container Initiative standards, followed by some technical insights and a practical use case to help you get started with these new features immediately.
Open Container Initiative and Amazon ECR
The journey to bring these features to Amazon ECR began over two years ago. AWS team members collaborated within the Open Container Initiative (OCI) community to develop what has now become the first feature update for both Image and Distribution specifications. These specifications aim to standardize containers to ensure that services, tools, and code are portable and can interoperate seamlessly.
Currently, OCI maintains three primary specifications: Runtime, Image, and Distribution. The new features in Amazon ECR pertain to Image and Distribution; Runtime focuses on how containers are launched and operated, while Image defines how container images are structured, and Distribution details how images are pushed and stored in registries, as well as how they are pulled for workloads in various environments.
Most clients connect to Amazon ECR using an OCI-compliant tool like Docker or Finch, or a container runtime like containerd. When users push and pull images, they engage with Amazon ECR’s OCI- and Docker-compatible endpoint. This endpoint implements the Open Container Initiative Distribution specification APIs and the Docker Registry HTTP API v2, which forms the basis of the OCI standard. This compatibility allows open source tools to function against a standardized set of interfaces, eliminating the need for cloud-specific SDKs or provider-specific integrations.
Introduction of Artifacts in Amazon ECR
Amazon ECR is consistently evolving to accommodate the growing demand for non-image artifact use cases. In 2020, we introduced support for OCI artifacts, enabling the distribution of non-image content like Helm charts within Amazon ECR. Tools like Helm rely on the flexibility of the OCI Image specification to record an artifact type in the manifest, specifically in its configuration section. This config section of an image manifest normally describes the configuration of the stored container image. Helm charts and image signatures need no container configuration, so that metadata section can be overloaded: the config.mediaType field is used to tell registries and clients what kind of artifact the content is, such as a Helm chart.
While this method in OCI Image 1.0 has been effective, it was not always obvious to client developers and lacked consistent implementation. With OCI Image 1.1, a more intuitive and stable artifactType field has been introduced directly on the Image manifest. This provides a single reference point within the manifest that all clients and registries can utilize to identify and retrieve the content type. Amazon ECR will continue to support the use of the config.mediaType field for clients that depend on it, but we anticipate a broad adoption of this new enhancement.
Working with Referrers in Amazon ECR
As supply chain security solutions for containers evolve, the need for standardizing registry support for container image verification and SBOM publication has emerged. Managing reference relationships between artifacts and images has become essential. Alongside enhancements for non-image content, the Image and Distribution specifications have established a method for clients to connect non-image content with images in a registry.
To achieve this, OCI Image 1.1 introduces a new manifest field, subject, which allows for the persistent storage of a referred-to image’s digest within an artifact’s manifest. Clients can now specify both the content type and optionally the image that the content refers to. Moreover, OCI Distribution 1.1 has rolled out a new referrers API endpoint for registries to implement. This endpoint enables clients to query a registry like Amazon ECR for any image referrers associated with a given image digest. This feature allows clients to inquire whether an image has any referrers, browse a list of referrers by type, and retrieve any relevant artifacts. For instance, the Notary project’s notation image signing client employs a notation verify command to query for signatures linked to a specified image, download any found signatures, and verify the image content—all in a single command.
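The following added example (written for this article, not Amazon ECR or OCI project code) ties together the two manifest changes described above: it builds a 1.1-style artifact manifest with artifactType and a subject pointing at a constructed image digest, falls back to config.mediaType for a 1.0-era Helm-style manifest, and models what a referrers endpoint returns so a client can browse by type before pulling anything. The image, signature and SBOM manifests are constructed sample data; the media types follow the Notary and Helm conventions but are illustrative.

```python
import hashlib
import json

def canonical(manifest: dict) -> bytes:
    # Deterministic bytes; a real registry digests the exact bytes it received.
    return json.dumps(manifest, separators=(",", ":"), sort_keys=True).encode()

def digest_of(manifest: dict) -> str:
    return "sha256:" + hashlib.sha256(canonical(manifest)).hexdigest()

def artifact_type_of(manifest: dict) -> str:
    # OCI Image 1.1: prefer the top-level artifactType; fall back to the
    # overloaded config.mediaType that OCI 1.0-era clients (e.g. Helm) used.
    return manifest.get("artifactType") or manifest["config"]["mediaType"]

def make_referrer(subject: dict, artifact_type: str, layer: dict) -> dict:
    # Artifact manifest that refers to `subject` through the 1.1 subject field.
    empty = b"{}"  # OCI "empty" config blob for artifacts that need no config
    return {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "artifactType": artifact_type,
        "config": {"mediaType": "application/vnd.oci.empty.v1+json",
                   "digest": "sha256:" + hashlib.sha256(empty).hexdigest(), "size": len(empty)},
        "layers": [layer],
        "subject": {"mediaType": subject["mediaType"], "digest": digest_of(subject),
                    "size": len(canonical(subject))},
    }

def referrers_index(subject: dict, candidates: list) -> dict:
    # Shape of a referrers API response: an image index whose descriptors carry
    # artifactType, so clients can filter by type without pulling each manifest.
    return {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json",
            "manifests": [{"mediaType": m["mediaType"], "digest": digest_of(m),
                           "size": len(canonical(m)), "artifactType": artifact_type_of(m)}
                          for m in candidates
                          if m.get("subject", {}).get("digest") == digest_of(subject)]}

def select_referrers(index: dict, wanted: str) -> list:
    # Client side: keep only referrers of the type you intend to verify or inspect.
    return [d["digest"] for d in index["manifests"] if d.get("artifactType") == wanted]

# Constructed sample manifests, not pulled from any registry.
IMAGE = {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json",
         "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                    "digest": "sha256:" + "11" * 32, "size": 1234}, "layers": []}
SIGNATURE = make_referrer(IMAGE, "application/vnd.cncf.notary.signature",
                          {"mediaType": "application/jose+json", "digest": "sha256:" + "22" * 32, "size": 99})
SBOM = make_referrer(IMAGE, "application/spdx+json",
                     {"mediaType": "application/spdx+json", "digest": "sha256:" + "33" * 32, "size": 88})
LEGACY_CHART = {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json",
                "config": {"mediaType": "application/vnd.cncf.helm.config.v1+json",
                           "digest": "sha256:" + "55" * 32, "size": 10}, "layers": []}
```

The legacy chart has no subject, so it never appears as a referrer of the image even though its type is still recoverable from config.mediaType.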
The handling of reference artifacts in Amazon ECR closely resembles that of images. Customers push and pull all content using the same APIs, with referrer artifacts appearing in aws ecr describe-images and displayed in the console just like other content. Amazon ECR’s replication feature ensures that referrers are replicated to designated destinations upon push, ensuring that image signatures, SBOMs, and other referrers are available in any repository where images are replicated across accounts or regions. To assist with the lifecycle management of an image’s reference artifacts, Amazon ECR Lifecycle Policies (LCP) automatically clean up artifacts within 24 hours after the deletion of a subject image. Furthermore, reference artifacts linked to an active image are protected from deletion by LCP rules until the subject image itself is deleted.
To distinguish between referrers and images when pushed to a repository, Amazon ECR now emits a new detail-type in EventBridge events for the pushes and deletions of reference artifacts. This enhancement allows for straightforward targeting of images for deployment-related actions or for specific types of reference artifacts to be utilized in build or deployment workflows.