oras-project · sajayantony · Oct 25, 2022 · Sep 13, 2022 · Sep 14, 2022 · Sep 14, 2022
@@ -1,5 +1,15 @@
 # ORAS Blog Index
 
+<h2>ORAS 0.15: A fully functional OCI registry client</h2>
+
+_Feynman Zhou，Yi Zha_
+
+The [OCI Registry As Storage (ORAS)](https://oras.land/) project maintainers announced two releases for the ORAS CLI recently. ORAS v0.15.0 introduces four new top-level commands and new options to manage tags and repos in registries and provides capabilities to alter the OCI content for advanced use cases. Three weeks later, ORAS 0.15.1 also released with known bug fixes. Since the release of v0.15, ORAS CLI has evolved into a fully functional OCI registry client.
+
+[Read More...][3]
+
+  [3]: oras-0.15-a-fully-functional-registry-client.md
+
 <h2>ORAS 0.14 and Future: Empower Container Secure Supply Chain</h2>
 
 _Feynman Zhou_

@@ -0,0 +1,189 @@
+# ORAS 0.15: A fully Functional OCI Registry Client
+
+_Author: [Feynman Zhou](https://twitter.com/FeynmanZhou), [Yi Zha](https://github.com/yizha1)_
+
+The [OCI Registry As Storage (ORAS)](https://oras.land/) project maintainers announced two releases of v0.15 for the ORAS CLI recently. ORAS [v0.15.0](https://github.com/oras-project/oras/releases/tag/v0.15.0) introduces four new top-level commands and new options to manage tags and repositories in registries and provides capabilities to alter the OCI content for advanced use cases. Three weeks later, [ORAS 0.15.1](https://github.com/oras-project/oras/releases/tag/v0.15.1) also released with a few known bug fixes. Since the release of v0.15, ORAS CLI has evolved into a fully functional OCI registry client.
+
+## What's new in ORAS 0.15
+
+![ What's new in ORAS 0.15](oras-0.15/what's-new-in-oras-0.15.png)
+
+As ORAS has been adopted by more and more OCI implementors and registry vendors, we have seen increased community requirements in providing fine-grained capabilities to alter the content of OCI supply chain artifacts. ORAS 0.15 now supports operate the blob and manifest of an artifact in the registry. Please see the [Release Notes](https://github.com/oras-project/oras/releases/tag/v0.15.0) for details.
+
+This blog post will demonstrate how to use ORAS CLI v0.15 to convert a Docker image stored in Docker Hub into an OCI image，then push it to the Distribution registry.
+
+## Run a local Distribution registry
+
+Run a local instance of the CNCF Distribution Registry, with ORAS Artifacts support:
+
+```
+docker run -d -p 5000:5000 ghcr.io/oras-project/registry:v1.0.0-rc.2
+```
+
+## Fetch and view the manifest of a sample Docker image
+
+```
+$ oras manifest fetch docker.io/library/hello-world@sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
+
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+   "config": {
+      "mediaType": "application/vnd.docker.container.image.v1+json",
+      "size": 1469,
+      "digest": "sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412"
+   },
+   "layers": [
+      {
+         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+         "size": 2479,
+         "digest": "sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54"
+      }
+   ]
+}
+```
+
+## Fetch and push a blob
+
+Fetch a config blob to a local file from a sample Docker image:
+
+```
+oras blob fetch docker.io/library/hello-world@sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412 --output config-blob.json
+```
+
+Then push this blob file to a new repository in the Distribution registry:
+
+```
+oras blob push localhost:5000/oras-distribution/hello-world:latest@sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a demo-blob.json
+```
+
+Similarly, fetch the layer blob and push it to the Distribution registry:
+
+```
+oras blob fetch docker.io/library/hello-world@sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54 --output layer-blob.json
+```
+
+```
+oras blob push localhost:5000/oras-sample/hello-world layer-blob.json
+```
+
+## Fetch and push a manifest
+
+Similar to blob operations above, fetch a manifest from a Docker image stored in Docker Hub and export it to a JSON file:
+
+```
+oras manifest fetch docker.io/library/hello-world@sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4 --output hello-manifest.json
+```
+
+Modify the manifest file `hello-manifest.json` from Docker to OCI type in each `mediatype` field of config and layer:
+
+```
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.oci.image.manifest.v1+json",
+   "config": {
+      "mediaType": "application/vnd.oci.image.config.v1+json",
+      "size": 1469,
+      "digest": "sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412"
+   },
+   "layers": [
+      {
+         "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+         "size": 2479,
+         "digest": "sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54"
+      }
+   ]
+}
+```
+
+Push the modified manifest file to the repository in the Distribution registry. It will also create a new repository automatically:
+
+```
+oras manifest push localhost:5000/oras-repo/hello-world:latest hello-manifest.json
+```
+
+## Validate the new image 
+
+View the manifest of this Docker image from the Distribution registry, you will find all `mediatype` are changed to OCI type: 
+
+```
+$ oras manifest fetch localhost:5000/oras-repo/hello-world:latest
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.oci.image.manifest.v1+json",
+   "config": {
+      "mediaType": "application/vnd.oci.image.config.v1+json",
+      "size": 1469,
+      "digest": "sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412"
+   },
+   "layers": [
+      {
+         "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+         "size": 2479,
+         "digest": "sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54"
+      }
+   ]
+}
+```
+
+Run and validate the new OCI image:
+
+```
+$ docker run localhost:5000/oras-repo/hello-world:latest
+
+Hello from Docker!
+This message shows that your installation appears to be working correctly.
+
+To generate this message, Docker took the following steps:
+ 1. The Docker client contacted the Docker daemon.
+ 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
+    (amd64)
+ 3. The Docker daemon created a new container from that image which runs the
+    executable that produces the output you are currently reading.
+ 4. The Docker daemon streamed that output to the Docker client, which sent it
+    to your terminal.
+
+To try something more ambitious, you can run an Ubuntu container with:
+ $ docker run -it ubuntu bash
+
+Share images, automate workflows, and more with a free Docker ID:
+ https://hub.docker.com/
+
+For more examples and ideas, visit:
+ https://docs.docker.com/get-started/
+
+```
+
+It turns out the conversion works.
+
+## Try multi-tagging and view the tags 
+
+Tag the manifest with 'latest' to 'v1.0.0', 'v2.0.0':
+
+```
+$ oras tag localhost:5000/oras-repo/hello-world:latest v1.0.0 v2.0.0
+```
+
+View the newly created tags in the sample repository:
+
+```
+$ oras repo show-tags localhost:5000/oras-repo/hello-world
+latest
+v1.0.0
+v2.0.0
+```
+
+Congratulations! You have experienced all new top-level commands in ORAS CLI 0.15. 
+
+## What's next for ORAS
+
+Recently the OCI and ORAS maintainers submitted a proposal to [unify the ORAS Artifact manifest with an OCI Artifact manifest (pr-934)](https://github.com/opencontainers/image-spec/pull/934) and [pr-335](https://github.com/opencontainers/distribution-spec/pull/335), to consolidate the specs. These changes provide adds new capabilities to OCI registries while maintaining the ability to function on registries that don't yet support the [new Artifact manifest](https://github.com/opencontainers/image-spec/blob/main/artifact.md). This proposal originates from the [ORAS artifact ](https://github.com/oras-project/artifacts-spec) and has been accepted by the OCI group. The OCI group also cut a new release in the distribution-spec and image-spec supporting Reference Types, enabling a breadth of supply chain evidence to benefit from existing registries.
+
+In [ORAS CLI 0.16](https://github.com/oras-project/oras/milestone/9) and [ORAS-go v2.0.0-rc.4](https://github.com/oras-project/oras-go/milestone/10), we'll add support for the [OCI artifact spec](https://github.com/opencontainers/image-spec/blob/main/artifact.md) will be the mostwill be the most significant plan and is targeted to be released at the end of October. You can find the migration proposal from this [doc](https://hackmd.io/zLnCh8WRQDG-3S_jXR626g?view). See also the [ORAS Roadmap](https://github.com/oras-project/community/blob/main/Roadmap.md) for more detailed future plans.
+
+## Join the ORAS community
+
+The ORAS Project was accepted in June 2021 as a Cloud Native Computing Foundation (CNCF) Sandbox project. It is important that we hear from the community as we advance the artifact-spec capability; if you maintain or are implementing a container registry, we are particularly interested in your feedback. Working together, we can improve supply chain artifact security in the cloud native ecosystem. 
+
+- [Follow the ORAS Twitter](https://twitter.com/intent/follow?screen_name=orasproject)
+- [Join the Slack channel in CNCF](https://slack.cncf.io/) and find us at **oras** channel