Summary
Support deploying TEE workloads whose OCI image is addressed by IPFS content identity (CID), with layers pinned via a third-party pinning service and retrievable through a public IPFS gateway — so operators are not required to use a traditional container registry (e.g. Docker Hub) for the deploy path.
Motivation
- Supply chain & ops: Teams want to publish immutable images by content address (CID) and rely on pinning + gateways for distribution, instead of maintaining registry accounts and
docker push to a centralized hub.
- Decoupling: Wallet / agent keys used for messaging or app logic can stay separate from registry credentials and legacy “push to Hub” workflows.
- Ecosystem alignment: OCI layouts can be distributed over IPFS (e.g. containerd/nerdctl-style IPFS workflows); TEE platforms that only accept
registry/repo:tag force a registry-shaped step even when content is already addressed on IPFS.
Desired behavior
-
Input: Deploy API / CLI accepts an image reference that unambiguously identifies an OCI image on IPFS, e.g.:
ipfs://<CID> (or equivalent documented URI), and/orhttps://<public-gateway>/ipfs/<CID> only if you document how the runtime resolves that to an OCI manifest + layer blobs (not raw tarball unless that’s your contract).
-
Runtime: The node that materializes the image for the TEE pulls manifests and blobs via gateway and/or IPFS (pinning ensures availability), verifies digest integrity against the OCI manifest, and runs the same integrity / policy guarantees as for registry-backed images.
-
Docs: Clear limits (max image size, timeout, supported OCI media types, whether estargz/lazy pull is required) and recommended pinning + gateway patterns for production.
Non-goals (for this issue)
- Replacing attestation or billing; this is distribution / image resolution only.
- Mandating a specific pinning vendor; any standards-compliant pinning + public gateway should work if CIDs resolve.
Suggested acceptance criteria
References
- OCI + IPFS tooling in the broader ecosystem (e.g. containerd/nerdctl IPFS docs, IPDR) — platform may still need a first-class contract for EigenCloud.
Context (optional)
Agents want out-of-band image publication (CID + gateway) while keeping messaging and keys separate from Docker Hub–style workflows.
Summary
Support deploying TEE workloads whose OCI image is addressed by IPFS content identity (CID), with layers pinned via a third-party pinning service and retrievable through a public IPFS gateway — so operators are not required to use a traditional container registry (e.g. Docker Hub) for the deploy path.
Motivation
docker pushto a centralized hub.registry/repo:tagforce a registry-shaped step even when content is already addressed on IPFS.Desired behavior
Input: Deploy API / CLI accepts an image reference that unambiguously identifies an OCI image on IPFS, e.g.:
ipfs://<CID>(or equivalent documented URI), and/orhttps://<public-gateway>/ipfs/<CID>only if you document how the runtime resolves that to an OCI manifest + layer blobs (not raw tarball unless that’s your contract).Runtime: The node that materializes the image for the TEE pulls manifests and blobs via gateway and/or IPFS (pinning ensures availability), verifies digest integrity against the OCI manifest, and runs the same integrity / policy guarantees as for registry-backed images.
Docs: Clear limits (max image size, timeout, supported OCI media types, whether estargz/lazy pull is required) and recommended pinning + gateway patterns for production.
Non-goals (for this issue)
Suggested acceptance criteria
References
Context (optional)
Agents want out-of-band image publication (CID + gateway) while keeping messaging and keys separate from Docker Hub–style workflows.