From 8dbfebeed66dd3eec34e339820413cfcc38b1c3b Mon Sep 17 00:00:00 2001 From: ChrsMark Date: Mon, 3 Jul 2023 12:31:41 +0300 Subject: [PATCH 01/13] Add container.image.digest and make container.image.tag array Signed-off-by: ChrsMark --- semantic_conventions/resource/container.yaml | 17 ++++++++++++++--- .../resource/semantic_conventions/container.md | 3 ++- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/semantic_conventions/resource/container.yaml b/semantic_conventions/resource/container.yaml index 6fdb1fd42f..4e93be6819 100644 --- a/semantic_conventions/resource/container.yaml +++ b/semantic_conventions/resource/container.yaml @@ -28,7 +28,18 @@ groups: Name of the image the container was built on. examples: ['gcr.io/opentelemetry/operator'] - id: image.tag - type: string + type: string[] + brief: > + Container image tags. An example can be found in + [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). + Should be only the `` section of the full name for example from `registry.example.com/my-org/my-image:`. + examples: ['v1.27.1', '3.5.7-0'] + - id: image.digest + type: string[] brief: > - Container image tag. - examples: ['0.1'] + Container image digests this image is based on. + Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), + and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). + An example can be found in + [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). + examples: ['prom/prometheus@sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4', 'sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b'] \ No newline at end of file diff --git a/specification/resource/semantic_conventions/container.md b/specification/resource/semantic_conventions/container.md index da54233049..ebf5101d64 100644 --- a/specification/resource/semantic_conventions/container.md +++ b/specification/resource/semantic_conventions/container.md @@ -13,7 +13,8 @@ | `container.id` | string | Container ID. Usually a UUID, as for example used to [identify Docker containers](https://docs.docker.com/engine/reference/run/#container-identification). The UUID might be abbreviated. | `a3bf90e006b2` | Recommended | | `container.runtime` | string | The container runtime managing this container. | `docker`; `containerd`; `rkt` | Recommended | | `container.image.name` | string | Name of the image the container was built on. | `gcr.io/opentelemetry/operator` | Recommended | -| `container.image.tag` | string | Container image tag. | `0.1` | Recommended | +| `container.image.tag` | string[] | Container image tags. An example can be found in [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). Should be only the `` section of the full name for example from `registry.example.com/my-org/my-image:`. | `[v1.27.1, 3.5.7-0]` | Recommended | +| `container.image.digest` | string[] | Container image digests this image is based on. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). | `[prom/prometheus@sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4, sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b]` | Recommended | [DocumentStatus]: https://github.com/open-telemetry/opentelemetry-specification/blob/v1.21.0/specification/document-status.md From e758406816825fca8f5bcb107a54b9d79b594c62 Mon Sep 17 00:00:00 2001 From: ChrsMark Date: Tue, 4 Jul 2023 17:37:49 +0300 Subject: [PATCH 02/13] lint Signed-off-by: ChrsMark --- semantic_conventions/resource/container.yaml | 11 +++++++---- .../resource/semantic_conventions/container.md | 2 +- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/semantic_conventions/resource/container.yaml b/semantic_conventions/resource/container.yaml index 8968571464..af417bf32e 100644 --- a/semantic_conventions/resource/container.yaml +++ b/semantic_conventions/resource/container.yaml @@ -32,14 +32,17 @@ groups: brief: > Container image tags. An example can be found in [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). - Should be only the `` section of the full name for example from `registry.example.com/my-org/my-image:`. + Should be only the `` section of the full name for example + from `registry.example.com/my-org/my-image:`. examples: ['v1.27.1', '3.5.7-0'] - id: image.digest type: string[] brief: > - Container image digests this image is based on. - Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), - and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). + Container image digests this image is based on. + Follows + [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), + and specifically the + [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). examples: ['prom/prometheus@sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4', 'sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b'] diff --git a/specification/resource/semantic_conventions/container.md b/specification/resource/semantic_conventions/container.md index 62c8f3248b..de24aacada 100644 --- a/specification/resource/semantic_conventions/container.md +++ b/specification/resource/semantic_conventions/container.md @@ -14,7 +14,7 @@ | `container.runtime` | string | The container runtime managing this container. | `docker`; `containerd`; `rkt` | Recommended | | `container.image.name` | string | Name of the image the container was built on. | `gcr.io/opentelemetry/operator` | Recommended | | `container.image.tag` | string[] | Container image tags. An example can be found in [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). Should be only the `` section of the full name for example from `registry.example.com/my-org/my-image:`. | `[v1.27.1, 3.5.7-0]` | Recommended | -| `container.image.digest` | string[] | Container image digests this image is based on. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). | `[prom/prometheus@sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4, sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b]` | Recommended | +| `container.image.digest` | string[] | Container image digests this image is based on. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). | `[prom/prometheus@sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4, sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b]` | Recommended | | `container.image.id` | string | Runtime specific image identifier. Usually a hash algorithm followed by a UUID. [1] | `sha256:19c92d0a00d1b66d897bceaa7319bee0dd38a10a851c60bcec9474aa3f01e50f` | Recommended | | `container.command` | string | The command used to run the container (i.e. the command name). [2] | `otelcontribcol` | Opt-In | | `container.command_line` | string | The full command run by the container as a single string representing the full command. [2] | `otelcontribcol --config config.yaml` | Opt-In | From d0988732e5a0e8377dc150da4bbcbdafcd55c06f Mon Sep 17 00:00:00 2001 From: ChrsMark Date: Mon, 31 Jul 2023 11:47:44 +0300 Subject: [PATCH 03/13] Add oci.manifest.digest Signed-off-by: ChrsMark --- docs/resource/oci.md | 13 +++++++++++++ model/resource/container.yaml | 11 ----------- model/resource/oci.yaml | 18 ++++++++++++++++++ 3 files changed, 31 insertions(+), 11 deletions(-) create mode 100644 docs/resource/oci.md create mode 100644 model/resource/oci.yaml diff --git a/docs/resource/oci.md b/docs/resource/oci.md new file mode 100644 index 0000000000..33cffb960a --- /dev/null +++ b/docs/resource/oci.md @@ -0,0 +1,13 @@ +# OCI + +**Status**: [Experimental][DocumentStatus] + +**type:** `oci` + +**Description:** An OCI instance. + + + + + +[DocumentStatus]: https://github.com/open-telemetry/opentelemetry-specification/blob/v1.21.0/specification/document-status.md diff --git a/model/resource/container.yaml b/model/resource/container.yaml index af417bf32e..24602d7322 100644 --- a/model/resource/container.yaml +++ b/model/resource/container.yaml @@ -35,17 +35,6 @@ groups: Should be only the `` section of the full name for example from `registry.example.com/my-org/my-image:`. examples: ['v1.27.1', '3.5.7-0'] - - id: image.digest - type: string[] - brief: > - Container image digests this image is based on. - Follows - [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), - and specifically the - [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). - An example can be found in - [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). - examples: ['prom/prometheus@sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4', 'sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b'] - id: image.id type: string brief: > diff --git a/model/resource/oci.yaml b/model/resource/oci.yaml new file mode 100644 index 0000000000..969632a4de --- /dev/null +++ b/model/resource/oci.yaml @@ -0,0 +1,18 @@ +groups: + - id: oci + prefix: oci + type: resource + brief: > + An OCI instance. + attributes: + - id: manifest.digest + type: string + brief: > + The digest of the OCI image manifest. + Follows + [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), + and specifically the + [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). + An example can be found in + [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). + examples: [ 'sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4', 'sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b' ] From e1d68bb2afa91266539de599380e4faae7f28d25 Mon Sep 17 00:00:00 2001 From: ChrsMark Date: Mon, 31 Jul 2023 11:48:18 +0300 Subject: [PATCH 04/13] fixup Signed-off-by: ChrsMark --- docs/resource/container.md | 1 - docs/resource/oci.md | 4 +++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/resource/container.md b/docs/resource/container.md index 53ff276a87..c8b8a0e3de 100644 --- a/docs/resource/container.md +++ b/docs/resource/container.md @@ -14,7 +14,6 @@ | `container.runtime` | string | The container runtime managing this container. | `docker`; `containerd`; `rkt` | Recommended | | `container.image.name` | string | Name of the image the container was built on. | `gcr.io/opentelemetry/operator` | Recommended | | `container.image.tag` | string[] | Container image tags. An example can be found in [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). Should be only the `` section of the full name for example from `registry.example.com/my-org/my-image:`. | `[v1.27.1, 3.5.7-0]` | Recommended | -| `container.image.digest` | string[] | Container image digests this image is based on. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). | `[prom/prometheus@sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4, sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b]` | Recommended | | `container.image.id` | string | Runtime specific image identifier. Usually a hash algorithm followed by a UUID. [1] | `sha256:19c92d0a00d1b66d897bceaa7319bee0dd38a10a851c60bcec9474aa3f01e50f` | Recommended | | `container.command` | string | The command used to run the container (i.e. the command name). [2] | `otelcontribcol` | Opt-In | | `container.command_line` | string | The full command run by the container as a single string representing the full command. [2] | `otelcontribcol --config config.yaml` | Opt-In | diff --git a/docs/resource/oci.md b/docs/resource/oci.md index 33cffb960a..ec78d4d217 100644 --- a/docs/resource/oci.md +++ b/docs/resource/oci.md @@ -7,7 +7,9 @@ **Description:** An OCI instance. - +| Attribute | Type | Description | Examples | Requirement Level | +|---|---|---|---|---| +| `oci.manifest.digest` | string | The digest of the OCI image manifest. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). | `sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4`; `sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b` | Recommended | [DocumentStatus]: https://github.com/open-telemetry/opentelemetry-specification/blob/v1.21.0/specification/document-status.md From 35812750f4ca2c978ceda09f82f6611ded04cc01 Mon Sep 17 00:00:00 2001 From: ChrsMark Date: Thu, 3 Aug 2023 10:09:06 +0300 Subject: [PATCH 05/13] review changes Signed-off-by: ChrsMark --- docs/resource/container.md | 16 +++++++++++++++- docs/resource/oci.md | 15 --------------- model/resource/container.yaml | 4 +++- 3 files changed, 18 insertions(+), 17 deletions(-) delete mode 100644 docs/resource/oci.md diff --git a/docs/resource/container.md b/docs/resource/container.md index c8b8a0e3de..10633e4121 100644 --- a/docs/resource/container.md +++ b/docs/resource/container.md @@ -21,9 +21,23 @@ **[1]:** Docker defines a sha256 of the image id; `container.image.id` corresponds to the `Image` field from the Docker container inspect [API](https://docs.docker.com/engine/api/v1.43/#tag/Container/operation/ContainerInspect) endpoint. K8s defines a link to the container registry repository with digest `"imageID": "registry.azurecr.io /namespace/service/dockerfile@sha256:bdeabd40c3a8a492eaf9e8e44d0ebbb84bac7ee25ac0cf8a7159d25f62555625"`. -OCI defines a digest of manifest. +The ID of the same image running in different environments don't not always match. The `oci.manifest.digest` attribute, however, is the same for a given image in all container runtimes that follow OCI specification. **[2]:** If using embedded credentials or sensitive data, it is recommended to remove them to prevent potential leakage. +## OCI specifics + +**Status**: [Experimental][DocumentStatus] + +**type:** `oci` + +**Description:** An OCI instance. + + +| Attribute | Type | Description | Examples | Requirement Level | +|---|---|---|---|---| +| `oci.manifest.digest` | string | The digest of the OCI image manifest. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). | `sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4`; `sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b` | Recommended | + + [DocumentStatus]: https://github.com/open-telemetry/opentelemetry-specification/tree/v1.22.0/specification/document-status.md diff --git a/docs/resource/oci.md b/docs/resource/oci.md deleted file mode 100644 index ec78d4d217..0000000000 --- a/docs/resource/oci.md +++ /dev/null @@ -1,15 +0,0 @@ -# OCI - -**Status**: [Experimental][DocumentStatus] - -**type:** `oci` - -**Description:** An OCI instance. - - -| Attribute | Type | Description | Examples | Requirement Level | -|---|---|---|---|---| -| `oci.manifest.digest` | string | The digest of the OCI image manifest. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). | `sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4`; `sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b` | Recommended | - - -[DocumentStatus]: https://github.com/open-telemetry/opentelemetry-specification/blob/v1.21.0/specification/document-status.md diff --git a/model/resource/container.yaml b/model/resource/container.yaml index 24602d7322..fdb9c18a17 100644 --- a/model/resource/container.yaml +++ b/model/resource/container.yaml @@ -47,7 +47,9 @@ groups: K8s defines a link to the container registry repository with digest `"imageID": "registry.azurecr.io /namespace/service/dockerfile@sha256:bdeabd40c3a8a492eaf9e8e44d0ebbb84bac7ee25ac0cf8a7159d25f62555625"`. - OCI defines a digest of manifest. + The ID of the same image running in different environments don't not always match. + The `oci.manifest.digest` attribute, however, is the same for a given image + in all container runtimes that follow OCI specification. examples: ['sha256:19c92d0a00d1b66d897bceaa7319bee0dd38a10a851c60bcec9474aa3f01e50f'] - id: command type: string From adacd834d42b142c536e49e9ad08e769084c3821 Mon Sep 17 00:00:00 2001 From: ChrsMark Date: Thu, 3 Aug 2023 10:48:00 +0300 Subject: [PATCH 06/13] Make fields plurals and enhance descriptions Signed-off-by: ChrsMark --- docs/resource/container.md | 4 ++-- model/resource/container.yaml | 2 +- model/resource/oci.yaml | 8 ++++++-- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/resource/container.md b/docs/resource/container.md index 10633e4121..d3aa5b2e3f 100644 --- a/docs/resource/container.md +++ b/docs/resource/container.md @@ -13,7 +13,7 @@ | `container.id` | string | Container ID. Usually a UUID, as for example used to [identify Docker containers](https://docs.docker.com/engine/reference/run/#container-identification). The UUID might be abbreviated. | `a3bf90e006b2` | Recommended | | `container.runtime` | string | The container runtime managing this container. | `docker`; `containerd`; `rkt` | Recommended | | `container.image.name` | string | Name of the image the container was built on. | `gcr.io/opentelemetry/operator` | Recommended | -| `container.image.tag` | string[] | Container image tags. An example can be found in [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). Should be only the `` section of the full name for example from `registry.example.com/my-org/my-image:`. | `[v1.27.1, 3.5.7-0]` | Recommended | +| `container.image.tags` | string[] | Container image tags. An example can be found in [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). Should be only the `` section of the full name for example from `registry.example.com/my-org/my-image:`. | `[v1.27.1, 3.5.7-0]` | Recommended | | `container.image.id` | string | Runtime specific image identifier. Usually a hash algorithm followed by a UUID. [1] | `sha256:19c92d0a00d1b66d897bceaa7319bee0dd38a10a851c60bcec9474aa3f01e50f` | Recommended | | `container.command` | string | The command used to run the container (i.e. the command name). [2] | `otelcontribcol` | Opt-In | | `container.command_line` | string | The full command run by the container as a single string representing the full command. [2] | `otelcontribcol --config config.yaml` | Opt-In | @@ -37,7 +37,7 @@ The ID of the same image running in different environments don't not always matc | Attribute | Type | Description | Examples | Requirement Level | |---|---|---|---|---| -| `oci.manifest.digest` | string | The digest of the OCI image manifest. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). | `sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4`; `sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b` | Recommended | +| `oci.manifest.digests` | string | The digest(s) of the OCI image manifest. For container images specifically it can be one or more digests by which the container image is known. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate) and [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) reports those under the `RepoDigests` field. | `sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4`; `sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b` | Recommended | [DocumentStatus]: https://github.com/open-telemetry/opentelemetry-specification/tree/v1.22.0/specification/document-status.md diff --git a/model/resource/container.yaml b/model/resource/container.yaml index fdb9c18a17..5b2fc4fcc6 100644 --- a/model/resource/container.yaml +++ b/model/resource/container.yaml @@ -27,7 +27,7 @@ groups: brief: > Name of the image the container was built on. examples: ['gcr.io/opentelemetry/operator'] - - id: image.tag + - id: image.tags type: string[] brief: > Container image tags. An example can be found in diff --git a/model/resource/oci.yaml b/model/resource/oci.yaml index 969632a4de..9a425f1bd1 100644 --- a/model/resource/oci.yaml +++ b/model/resource/oci.yaml @@ -5,14 +5,18 @@ groups: brief: > An OCI instance. attributes: - - id: manifest.digest + - id: manifest.digests type: string brief: > - The digest of the OCI image manifest. + The digest(s) of the OCI image manifest. For container images specifically it can be one or more + digests by which the container image is known. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). + [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate) and + [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) + reports those under the `RepoDigests` field. examples: [ 'sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4', 'sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b' ] From 45d21bbff25c5dd730bc46a944a170526cede565 Mon Sep 17 00:00:00 2001 From: ChrsMark Date: Thu, 3 Aug 2023 10:55:11 +0300 Subject: [PATCH 07/13] fixup Signed-off-by: ChrsMark --- docs/resource/container.md | 4 ++-- model/resource/container.yaml | 2 +- model/resource/oci.yaml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/resource/container.md b/docs/resource/container.md index d3aa5b2e3f..d07feff1d6 100644 --- a/docs/resource/container.md +++ b/docs/resource/container.md @@ -21,7 +21,7 @@ **[1]:** Docker defines a sha256 of the image id; `container.image.id` corresponds to the `Image` field from the Docker container inspect [API](https://docs.docker.com/engine/api/v1.43/#tag/Container/operation/ContainerInspect) endpoint. K8s defines a link to the container registry repository with digest `"imageID": "registry.azurecr.io /namespace/service/dockerfile@sha256:bdeabd40c3a8a492eaf9e8e44d0ebbb84bac7ee25ac0cf8a7159d25f62555625"`. -The ID of the same image running in different environments don't not always match. The `oci.manifest.digest` attribute, however, is the same for a given image in all container runtimes that follow OCI specification. +The ID of the same image running in different environments don't not always match. The `oci.manifest.digests` attribute, however, is the same for a given image in all container runtimes that follow OCI specification. **[2]:** If using embedded credentials or sensitive data, it is recommended to remove them to prevent potential leakage. @@ -37,7 +37,7 @@ The ID of the same image running in different environments don't not always matc | Attribute | Type | Description | Examples | Requirement Level | |---|---|---|---|---| -| `oci.manifest.digests` | string | The digest(s) of the OCI image manifest. For container images specifically it can be one or more digests by which the container image is known. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate) and [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) reports those under the `RepoDigests` field. | `sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4`; `sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b` | Recommended | +| `oci.manifest.digests` | string | The digest(s) of the OCI image manifest. For container images specifically it can be one or more digests by which the container image is known. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate) and [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) reports those under the `RepoDigests` field. | `sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4`; `sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b` | Recommended | [DocumentStatus]: https://github.com/open-telemetry/opentelemetry-specification/tree/v1.22.0/specification/document-status.md diff --git a/model/resource/container.yaml b/model/resource/container.yaml index 5b2fc4fcc6..259f5d3c69 100644 --- a/model/resource/container.yaml +++ b/model/resource/container.yaml @@ -48,7 +48,7 @@ groups: /namespace/service/dockerfile@sha256:bdeabd40c3a8a492eaf9e8e44d0ebbb84bac7ee25ac0cf8a7159d25f62555625"`. The ID of the same image running in different environments don't not always match. - The `oci.manifest.digest` attribute, however, is the same for a given image + The `oci.manifest.digests` attribute, however, is the same for a given image in all container runtimes that follow OCI specification. examples: ['sha256:19c92d0a00d1b66d897bceaa7319bee0dd38a10a851c60bcec9474aa3f01e50f'] - id: command diff --git a/model/resource/oci.yaml b/model/resource/oci.yaml index 9a425f1bd1..a62a048273 100644 --- a/model/resource/oci.yaml +++ b/model/resource/oci.yaml @@ -16,7 +16,7 @@ groups: [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). - [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate) and - [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) + [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate) and + [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) reports those under the `RepoDigests` field. examples: [ 'sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4', 'sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b' ] From 9e3d8fb4ada03898a25f03085a3495cf2d9535b8 Mon Sep 17 00:00:00 2001 From: ChrsMark Date: Thu, 3 Aug 2023 18:11:24 +0300 Subject: [PATCH 08/13] Fix digest type to string[] Signed-off-by: ChrsMark --- docs/resource/container.md | 2 +- model/resource/oci.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/resource/container.md b/docs/resource/container.md index d07feff1d6..ca21412015 100644 --- a/docs/resource/container.md +++ b/docs/resource/container.md @@ -37,7 +37,7 @@ The ID of the same image running in different environments don't not always matc | Attribute | Type | Description | Examples | Requirement Level | |---|---|---|---|---| -| `oci.manifest.digests` | string | The digest(s) of the OCI image manifest. For container images specifically it can be one or more digests by which the container image is known. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate) and [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) reports those under the `RepoDigests` field. | `sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4`; `sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b` | Recommended | +| `oci.manifest.digests` | string[] | The digest(s) of the OCI image manifest. For container images specifically it can be one or more digests by which the container image is known. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate) and [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) reports those under the `RepoDigests` field. | `[sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4, sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b]` | Recommended | [DocumentStatus]: https://github.com/open-telemetry/opentelemetry-specification/tree/v1.22.0/specification/document-status.md diff --git a/model/resource/oci.yaml b/model/resource/oci.yaml index a62a048273..75d8f6ab79 100644 --- a/model/resource/oci.yaml +++ b/model/resource/oci.yaml @@ -6,7 +6,7 @@ groups: An OCI instance. attributes: - id: manifest.digests - type: string + type: string[] brief: > The digest(s) of the OCI image manifest. For container images specifically it can be one or more digests by which the container image is known. From 088c36419d8a175631e4fd8b8bdf28f08d612eba Mon Sep 17 00:00:00 2001 From: ChrsMark Date: Fri, 4 Aug 2023 11:14:18 +0300 Subject: [PATCH 09/13] review fixes Signed-off-by: ChrsMark --- docs/resource/container.md | 15 +++++++++++---- model/resource/container.yaml | 6 +++--- model/resource/oci.yaml | 6 +++--- 3 files changed, 17 insertions(+), 10 deletions(-) diff --git a/docs/resource/container.md b/docs/resource/container.md index ca21412015..2794ee26db 100644 --- a/docs/resource/container.md +++ b/docs/resource/container.md @@ -21,20 +21,27 @@ **[1]:** Docker defines a sha256 of the image id; `container.image.id` corresponds to the `Image` field from the Docker container inspect [API](https://docs.docker.com/engine/api/v1.43/#tag/Container/operation/ContainerInspect) endpoint. K8s defines a link to the container registry repository with digest `"imageID": "registry.azurecr.io /namespace/service/dockerfile@sha256:bdeabd40c3a8a492eaf9e8e44d0ebbb84bac7ee25ac0cf8a7159d25f62555625"`. -The ID of the same image running in different environments don't not always match. The `oci.manifest.digests` attribute, however, is the same for a given image in all container runtimes that follow OCI specification. +The ID is assinged by the container runtime and can vary in different environments. Consider using `oci.manifest.digests` if it is important to identify the same image in different environments/runtimes. **[2]:** If using embedded credentials or sensitive data, it is recommended to remove them to prevent potential leakage. -## OCI specifics +## Open Container Initiative (OCI) + +The [Open Container Initiative](https://opencontainers.org/) defines open industry standards around container formats and runtimes. + +### OCI Image Manifest + +This section refers to the [specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md) +that defines an OCI Image manifest. **Status**: [Experimental][DocumentStatus] **type:** `oci` -**Description:** An OCI instance. +**Description:** Attributes of an OCI image manifest. - + | Attribute | Type | Description | Examples | Requirement Level | |---|---|---|---|---| | `oci.manifest.digests` | string[] | The digest(s) of the OCI image manifest. For container images specifically it can be one or more digests by which the container image is known. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate) and [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) reports those under the `RepoDigests` field. | `[sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4, sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b]` | Recommended | diff --git a/model/resource/container.yaml b/model/resource/container.yaml index 259f5d3c69..ceea40aeff 100644 --- a/model/resource/container.yaml +++ b/model/resource/container.yaml @@ -47,9 +47,9 @@ groups: K8s defines a link to the container registry repository with digest `"imageID": "registry.azurecr.io /namespace/service/dockerfile@sha256:bdeabd40c3a8a492eaf9e8e44d0ebbb84bac7ee25ac0cf8a7159d25f62555625"`. - The ID of the same image running in different environments don't not always match. - The `oci.manifest.digests` attribute, however, is the same for a given image - in all container runtimes that follow OCI specification. + The ID is assinged by the container runtime and can vary in different environments. + Consider using `oci.manifest.digests` if it is important to identify the same + image in different environments/runtimes. examples: ['sha256:19c92d0a00d1b66d897bceaa7319bee0dd38a10a851c60bcec9474aa3f01e50f'] - id: command type: string diff --git a/model/resource/oci.yaml b/model/resource/oci.yaml index 75d8f6ab79..dc39bb1047 100644 --- a/model/resource/oci.yaml +++ b/model/resource/oci.yaml @@ -1,11 +1,11 @@ groups: - - id: oci - prefix: oci + - id: oci.manifest + prefix: oci.manifest type: resource brief: > An OCI instance. attributes: - - id: manifest.digests + - id: digests type: string[] brief: > The digest(s) of the OCI image manifest. For container images specifically it can be one or more From 74490d8a2edfa9a0f3372685f1105813ff8a38ae Mon Sep 17 00:00:00 2001 From: ChrsMark Date: Fri, 4 Aug 2023 11:19:23 +0300 Subject: [PATCH 10/13] Shorten brief and move content to note section Signed-off-by: ChrsMark --- docs/resource/container.md | 5 ++++- model/resource/oci.yaml | 6 ++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/resource/container.md b/docs/resource/container.md index 2794ee26db..b43236a1b6 100644 --- a/docs/resource/container.md +++ b/docs/resource/container.md @@ -44,7 +44,10 @@ that defines an OCI Image manifest. | Attribute | Type | Description | Examples | Requirement Level | |---|---|---|---|---| -| `oci.manifest.digests` | string[] | The digest(s) of the OCI image manifest. For container images specifically it can be one or more digests by which the container image is known. Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate) and [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) reports those under the `RepoDigests` field. | `[sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4, sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b]` | Recommended | +| `oci.manifest.digests` | string[] | The digest(s) of the OCI image manifest. For container images specifically it can be one or more digests by which the container image is known. [1] | `[sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4, sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b]` | Recommended | + +**[1]:** Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). +An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate) and [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) which report those under the `RepoDigests` field. [DocumentStatus]: https://github.com/open-telemetry/opentelemetry-specification/tree/v1.22.0/specification/document-status.md diff --git a/model/resource/oci.yaml b/model/resource/oci.yaml index dc39bb1047..62e66a33f6 100644 --- a/model/resource/oci.yaml +++ b/model/resource/oci.yaml @@ -3,20 +3,22 @@ groups: prefix: oci.manifest type: resource brief: > - An OCI instance. + An OCI image manifest. attributes: - id: digests type: string[] brief: > The digest(s) of the OCI image manifest. For container images specifically it can be one or more digests by which the container image is known. + note: > Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). + An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate) and [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) - reports those under the `RepoDigests` field. + which report those under the `RepoDigests` field. examples: [ 'sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4', 'sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b' ] From 60c9fced1e63d26e7f662a7ec1e08aa19ca85bb0 Mon Sep 17 00:00:00 2001 From: ChrsMark Date: Fri, 4 Aug 2023 13:43:42 +0300 Subject: [PATCH 11/13] Add changelog entry Signed-off-by: ChrsMark --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7ec2227460..b934a01f57 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ release. - Update `.count` metric naming convention so that it only applies to UpDownCounters, and add that `.total` should not be used by either Counters or UpDownCounters ([#107](https://github.com/open-telemetry/opentelemetry-specification/pull/107)) +- Add `oci.manifest.digests` attribute. Make `container.image.tag` array and in plural form. + ([#159](https://github.com/open-telemetry/semantic-conventions/pull/159)) ## v1.21.0 (2023-07-13) From c883557c1846182272d95e1bdc09030a3a30e1dc Mon Sep 17 00:00:00 2001 From: ChrsMark Date: Wed, 30 Aug 2023 11:08:08 +0300 Subject: [PATCH 12/13] Make oci digest singular and add runtime repo_digests Signed-off-by: ChrsMark --- CHANGELOG.md | 2 +- docs/resource/container.md | 13 ++++++++----- model/resource/container.yaml | 11 ++++++++++- model/resource/oci.yaml | 13 +++++-------- 4 files changed, 24 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 10fc09622b..34e4383411 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,7 @@ release. - Update `.count` metric naming convention so that it only applies to UpDownCounters, and add that `.total` should not be used by either Counters or UpDownCounters ([#107](https://github.com/open-telemetry/semantic-conventions/pull/107)) -- Add `oci.manifest.digests` attribute. Make `container.image.tag` array and in plural form. +- Add `oci.manifest.digest`, `container.image.repo_digests` attributes. Make `container.image.tag` array and in plural form. ([#159](https://github.com/open-telemetry/semantic-conventions/pull/159)) - BREAKING: Rename `http.client.duration` and `http.server.duration` metrics to `http.client.request.duration` and `http.server.request.duration` respectively. diff --git a/docs/resource/container.md b/docs/resource/container.md index b43236a1b6..f65fbf84e3 100644 --- a/docs/resource/container.md +++ b/docs/resource/container.md @@ -15,15 +15,18 @@ | `container.image.name` | string | Name of the image the container was built on. | `gcr.io/opentelemetry/operator` | Recommended | | `container.image.tags` | string[] | Container image tags. An example can be found in [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). Should be only the `` section of the full name for example from `registry.example.com/my-org/my-image:`. | `[v1.27.1, 3.5.7-0]` | Recommended | | `container.image.id` | string | Runtime specific image identifier. Usually a hash algorithm followed by a UUID. [1] | `sha256:19c92d0a00d1b66d897bceaa7319bee0dd38a10a851c60bcec9474aa3f01e50f` | Recommended | -| `container.command` | string | The command used to run the container (i.e. the command name). [2] | `otelcontribcol` | Opt-In | +| `container.image.repo_digests` | string[] | Repo digests of the container image as provided by the container runtime. [2] | `[sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4, sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b]` | Recommended | +| `container.command` | string | The command used to run the container (i.e. the command name). [3] | `otelcontribcol` | Opt-In | | `container.command_line` | string | The full command run by the container as a single string representing the full command. [2] | `otelcontribcol --config config.yaml` | Opt-In | | `container.command_args` | string[] | All the command arguments (including the command/executable itself) run by the container. [2] | `[otelcontribcol, --config, config.yaml]` | Opt-In | **[1]:** Docker defines a sha256 of the image id; `container.image.id` corresponds to the `Image` field from the Docker container inspect [API](https://docs.docker.com/engine/api/v1.43/#tag/Container/operation/ContainerInspect) endpoint. K8s defines a link to the container registry repository with digest `"imageID": "registry.azurecr.io /namespace/service/dockerfile@sha256:bdeabd40c3a8a492eaf9e8e44d0ebbb84bac7ee25ac0cf8a7159d25f62555625"`. -The ID is assinged by the container runtime and can vary in different environments. Consider using `oci.manifest.digests` if it is important to identify the same image in different environments/runtimes. +The ID is assinged by the container runtime and can vary in different environments. Consider using `oci.manifest.digest` if it is important to identify the same image in different environments/runtimes. -**[2]:** If using embedded credentials or sensitive data, it is recommended to remove them to prevent potential leakage. +**[2]:** [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect) and [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) report those under the `RepoDigests` field. + +**[3]:** If using embedded credentials or sensitive data, it is recommended to remove them to prevent potential leakage. ## Open Container Initiative (OCI) @@ -44,10 +47,10 @@ that defines an OCI Image manifest. | Attribute | Type | Description | Examples | Requirement Level | |---|---|---|---|---| -| `oci.manifest.digests` | string[] | The digest(s) of the OCI image manifest. For container images specifically it can be one or more digests by which the container image is known. [1] | `[sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4, sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b]` | Recommended | +| `oci.manifest.digest` | string | The digest of the OCI image manifest. For container images specifically is the digest by which the container image is known. [1] | `sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4` | Recommended | **[1]:** Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), and specifically the [Digest property](https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests). -An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate) and [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) which report those under the `RepoDigests` field. +An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). [DocumentStatus]: https://github.com/open-telemetry/opentelemetry-specification/tree/v1.22.0/specification/document-status.md diff --git a/model/resource/container.yaml b/model/resource/container.yaml index ceea40aeff..f7a22b566e 100644 --- a/model/resource/container.yaml +++ b/model/resource/container.yaml @@ -48,9 +48,18 @@ groups: /namespace/service/dockerfile@sha256:bdeabd40c3a8a492eaf9e8e44d0ebbb84bac7ee25ac0cf8a7159d25f62555625"`. The ID is assinged by the container runtime and can vary in different environments. - Consider using `oci.manifest.digests` if it is important to identify the same + Consider using `oci.manifest.digest` if it is important to identify the same image in different environments/runtimes. examples: ['sha256:19c92d0a00d1b66d897bceaa7319bee0dd38a10a851c60bcec9474aa3f01e50f'] + - id: image.repo_digests + type: string[] + brief: > + Repo digests of the container image as provided by the container runtime. + note: > + [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect) and + [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) + report those under the `RepoDigests` field. + examples: [ 'sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4', 'sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b' ] - id: command type: string requirement_level: opt_in diff --git a/model/resource/oci.yaml b/model/resource/oci.yaml index 62e66a33f6..fc1ff2ebb3 100644 --- a/model/resource/oci.yaml +++ b/model/resource/oci.yaml @@ -5,11 +5,11 @@ groups: brief: > An OCI image manifest. attributes: - - id: digests - type: string[] + - id: digest + type: string brief: > - The digest(s) of the OCI image manifest. For container images specifically it can be one or more - digests by which the container image is known. + The digest of the OCI image manifest. For container images specifically is the + digest by which the container image is known. note: > Follows [OCI Image Manifest Specification](https://github.com/opencontainers/image-spec/blob/main/manifest.md), @@ -18,7 +18,4 @@ groups: An example can be found in [Example Image Manifest](https://docs.docker.com/registry/spec/manifest-v2-2/#example-image-manifest). - [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageCreate) and - [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) - which report those under the `RepoDigests` field. - examples: [ 'sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4', 'sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b' ] + examples: [ 'sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4' ] From e5a3293a3fd445fc54160037417be4c710fefedd Mon Sep 17 00:00:00 2001 From: ChrsMark Date: Wed, 6 Sep 2023 22:59:35 +0300 Subject: [PATCH 13/13] Fix repo_digests examples Signed-off-by: ChrsMark --- docs/resource/container.md | 2 +- model/resource/container.yaml | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/resource/container.md b/docs/resource/container.md index f65fbf84e3..b0017c4b36 100644 --- a/docs/resource/container.md +++ b/docs/resource/container.md @@ -15,7 +15,7 @@ | `container.image.name` | string | Name of the image the container was built on. | `gcr.io/opentelemetry/operator` | Recommended | | `container.image.tags` | string[] | Container image tags. An example can be found in [Docker Image Inspect](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect). Should be only the `` section of the full name for example from `registry.example.com/my-org/my-image:`. | `[v1.27.1, 3.5.7-0]` | Recommended | | `container.image.id` | string | Runtime specific image identifier. Usually a hash algorithm followed by a UUID. [1] | `sha256:19c92d0a00d1b66d897bceaa7319bee0dd38a10a851c60bcec9474aa3f01e50f` | Recommended | -| `container.image.repo_digests` | string[] | Repo digests of the container image as provided by the container runtime. [2] | `[sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4, sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b]` | Recommended | +| `container.image.repo_digests` | string[] | Repo digests of the container image as provided by the container runtime. [2] | `[example@sha256:afcc7f1ac1b49db317a7196c902e61c6c3c4607d63599ee1a82d702d249a0ccb, internal.registry.example.com:5000/example@sha256:b69959407d21e8a062e0416bf13405bb2b71ed7a84dde4158ebafacfa06f5578]` | Recommended | | `container.command` | string | The command used to run the container (i.e. the command name). [3] | `otelcontribcol` | Opt-In | | `container.command_line` | string | The full command run by the container as a single string representing the full command. [2] | `otelcontribcol --config config.yaml` | Opt-In | | `container.command_args` | string[] | All the command arguments (including the command/executable itself) run by the container. [2] | `[otelcontribcol, --config, config.yaml]` | Opt-In | diff --git a/model/resource/container.yaml b/model/resource/container.yaml index f7a22b566e..3dbac9641b 100644 --- a/model/resource/container.yaml +++ b/model/resource/container.yaml @@ -59,7 +59,9 @@ groups: [Docker](https://docs.docker.com/engine/api/v1.43/#tag/Image/operation/ImageInspect) and [CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b473bbe2d0a4fc92f82235efd665ea8e9f/pkg/apis/runtime/v1/api.proto#L1237-L1238) report those under the `RepoDigests` field. - examples: [ 'sha256:e4ca62c0d62f3e886e684806dfe9d4e0cda60d54986898173c1083856cfda0f4', 'sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b' ] + examples: + - 'example@sha256:afcc7f1ac1b49db317a7196c902e61c6c3c4607d63599ee1a82d702d249a0ccb' + - 'internal.registry.example.com:5000/example@sha256:b69959407d21e8a062e0416bf13405bb2b71ed7a84dde4158ebafacfa06f5578' - id: command type: string requirement_level: opt_in