SIF — Containing Your Containers
One of Singularity’s design concepts in architecting a container solution is to store a container as a single run-time file. This decision makes a container, which may consist of several hundreds or thousands of files, easier to manage, and provides a conduit for some really interesting features: any segment is fast to access, the container can easily be “classified” within a system that implements rigorous file access controls, and of course it has excellent mobility and reproducibility attributes, whereby moving or copying a container means moving or copying one file.
With feature enhancements in continual development, and with the team’s desire to offer a better overall security model to all Singularity users, it became clear that a container would soon be more than just one Operating System partition image in a file. We wanted to augment our containers with cryptographic signatures and cleverly store metadata outside of the OS partition, to be reserved for runtime and application environments. This is how SIF, the new Singularity Image Format, came to be!
Well, what is it?!
SIF is a new file format tailored to container images. It allows for the storage of the different parts that make up a container. For example, our containers may include OS partition images (read-only), user-writable sections, recipes used to create the container, cryptographic signatures for data integrity and authenticity, and whatever else the community can think of… A SIF file resembles a general file system in its structure. A global header identifies the SIF file and holds information about what one can expect to find in the container file. Next to this is a list of data object descriptors that hold information for each region of data that a SIF file contains. The primary goal of the descriptors is to identify the kind of data stored and where to find it within the container file. Following those descriptors is the actual data they describe, namely the OS partition image, recipe, environment variables and signature blocks. The picture below demonstrates an example of what an actual SIF file would look like:
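The header, descriptor list and data layout described above, sketched as an added example that is not Singularity's code: the field sizes, the `TOYSIF01` magic and the type numbers are assumptions made for illustration, not the real SIF on-disk layout. The parser rejects descriptors that point outside the file or overlap one another, which is the check a reader of such a format needs before trusting any region.

```python
import struct

# Toy layout (assumed for illustration, NOT the real SIF on-disk format):
#   header:     8-byte magic, u32 descriptor count, u64 descriptor-table offset
#   descriptor: u32 data type, u64 data offset, u64 data length
HDR = struct.Struct("<8sIQ")
DESC = struct.Struct("<IQQ")
MAGIC = b"TOYSIF01"
TYPES = {1: "partition", 2: "recipe", 3: "envvars", 4: "signature"}

def build(objects):
    """Pack (type, bytes) pairs as header, descriptor table, then data."""
    data_off = HDR.size + DESC.size * len(objects)
    table, blob = b"", b""
    for dtype, payload in objects:
        table += DESC.pack(dtype, data_off + len(blob), len(payload))
        blob += payload
    return HDR.pack(MAGIC, len(objects), HDR.size) + table + blob

def parse(image):
    """Return [(kind, data), ...]; raise ValueError on a malformed container."""
    if len(image) < HDR.size:
        raise ValueError("truncated header")
    magic, count, table_off = HDR.unpack_from(image, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    table_end = table_off + count * DESC.size
    if table_off < HDR.size or table_end > len(image):
        raise ValueError("descriptor table out of bounds")
    regions, out = [], []
    for i in range(count):
        dtype, off, length = DESC.unpack_from(image, table_off + i * DESC.size)
        if dtype not in TYPES:
            raise ValueError(f"descriptor {i}: unknown type {dtype}")
        # Data must start after the descriptor table and end inside the file.
        if off < table_end or off + length > len(image):
            raise ValueError(f"descriptor {i}: data out of bounds")
        regions.append((off, off + length))
        out.append((TYPES[dtype], image[off:off + length]))
    regions.sort()
    for (_, end), (start, _) in zip(regions, regions[1:]):
        if start < end:  # two descriptors claim the same bytes
            raise ValueError("overlapping data regions")
    return out

# Constructed sample container: fake partition, recipe and signature block.
SAMPLE = build([(1, b"\x00" * 64), (2, b"Bootstrap: docker\nFrom: alpine\n"),
                (4, b"constructed-signature-bytes")])
```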