Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[prototype] feat: add ratify containerd plugin #125

Open
wants to merge 190 commits into
base: main
Choose a base branch
from
Open

[prototype] feat: add ratify containerd plugin #125

wants to merge 190 commits into from

Conversation

akashsinghal
Copy link
Owner

@akashsinghal akashsinghal commented May 27, 2023
edited
Loading

This is a very experimental and rudimentary ratify binary for the new image verifier containerd plugin proposal. It's purely used as POC.

Setup:

Use containerd version on main branch

Use a custom config.toml with contents:

version = 2

[plugins]
  [plugins."io.containerd.image-verifier.v1.bindir"]
    bin_dir = "/home/devuser/code/ratify/containerd-plugins"
    max_verifiers = 10
    per_verifier_timeout = "10s"

Start containerd:

sudo bin/containerd -c config.toml -l debug

Sample ctr command of image being blocked:

> sudo bin/ctr image pull --local=false wabbitnetworks.azurecr.io/test/notary-image:unsigned
ctr: rpc error: code = Unknown desc = image verifier bindir blocked pull of wabbitnetworks.azurecr.io/test/notary-image:unsigned with digest sha256:17490f904cf278d4314a1ccba407fc8fd00fb45303589b8cc7f5174ac35554f4 for reason: verifier ratify rejected image (exit code 1): {
  "isSuccess": false,
  "verifierReports": [
    {
      "subject": "wabbitnetworks.azurecr.io/test/notary-image:unsigned@sha256:17490f904cf278d4314a1ccba407fc8fd00fb45303589b8cc7f5174ac35554f4",
      "isSuccess": false,
      "message": "verification failed: no referrers found for this artifact"
    }
  ]
}

Sample ctr command of image passing verification:

> sudo bin/ctr image pull --local=false wabbitnetworks.azurecr.io/test/notary-image:signed

# Output from the containerd logs
DEBU[2023-05-27T00:36:52.223126601Z] Verifying image pull                          digest="sha256:8e3d01113285a0e4aa574da8eb9c0f112a1eb979d72f73399d7175ba3cdb1c1b" name="wabbitnetworks.azurecr.io/test/notary-image:signed" verifier=bindir
DEBU[2023-05-27T00:36:52.252267490Z] time="2023-05-27T00:36:52Z" level=info msg="Setting log level to info"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.252314489Z] warning: GOCOVERDIR not set, no coverage data emitted  image_verifier=ratify
DEBU[2023-05-27T00:36:52.252633187Z] time="2023-05-27T00:36:52Z" level=info msg="selected default auth provider: dockerConfig"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.278756698Z] time="2023-05-27T00:36:52Z" level=info msg="defaultPluginPath set to /home/devuser/.ratify/plugins"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.278918597Z] time="2023-05-27T00:36:52Z" level=info msg="selected policy provider: configPolicy"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.511484911Z] time="2023-05-27T00:36:52Z" level=info msg="Resolve of the image completed successfully the digest is sha256:8e3d01113285a0e4aa574da8eb9c0f112a1eb979d72f73399d7175ba3cdb1c1b"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.546894954Z] time="2023-05-27T00:36:52Z" level=info msg="1 notary verification certificates loaded from path '/home/devuser/code/ratify/notary.crt'"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.546933254Z] time="2023-05-27T00:36:52Z" level=warning msg="Invalid path '/home/devuser/.ratify/ratify-certs/notary/truststore' skipped, error lstat /home/devuser/.ratify/ratify-certs/notary/truststore: no such file or directory"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.546955753Z] time="2023-05-27T00:36:52Z" level=info msg="0 notary verification certificates loaded from path '/home/devuser/.ratify/ratify-certs/notary/truststore'"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.552758811Z] Image verifier allowed pull                   digest="sha256:8e3d01113285a0e4aa574da8eb9c0f112a1eb979d72f73399d7175ba3cdb1c1b" name="wabbitnetworks.azurecr.io/test/notary-image:signed" ok=true reason="ratify => { \"isSuccess\": true, \"verifierReports\": [ { \"subject\": \"wabbitnetworks.azurecr.io/test/notary-image@sha256:8e3d01113285a0e4aa574da8eb9c0f112a1eb979d72f73399d7175ba3cdb1c1b\", \"isSuccess\": true, \"name\": \"notaryv2\", \"message\": \"signature verification success\", \"extensions\": { \"Issuer\": \"CN=wabbit-networks.io,O=Notary,L=Seattle,ST=WA,C=US\", \"SN\": \"CN=wabbit-networks.io,O=Notary,L=Seattle,ST=WA,C=US\" }, \"artifactType\": \"application/vnd.cncf.notary.signature\" } ] }\nratify verification succeeded" verifier=bindir

Note: if you have an existing containerd instance running, you may need to stop the service temporarily so the custom instance can use the same sock. I'm sure there are better ways to get around this but I just did this: sudo systemctl stop containerd.service

@akashsinghal akashsinghal changed the title basic ratify containerd plugin [prototype] feat: add ratify containerd plugin May 27, 2023
@akashsinghal akashsinghal mentioned this pull request Jun 1, 2023
Merged
binbin-li and others added 27 commits April 9, 2024 04:59
@binbin-li
refactor: refactor verifiers to support namespaced
84cb90c 
Signed-off-by: Binbin Li <[email protected]>
@binbin-li
feat: add verifiers interface to wrap up operations on namespaced ver…
e716f54 
…ifiers
@binbin-li
feat: add context to getExecutor method
2061199
@binbin-li
chore: address comments
810c93e
@dependabot
chore: Bump codecov/codecov-action from 4.2.0 to 4.3.0
d1acec0 
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.2.0 to 4.3.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@7afa10e...8450866)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@binbin-li
Merge branch 'staging' into multi-tenancy-pr-2
73ef709
@binbin-li
Merge pull request ratify-project#1358 from binbin-li/multi-tenancy-pr-2
6a93bbf 
feat: add verifiers interface to wrap up operations on namespaced verifiers [multi-tenancy PR 2]
@binbin-li
Merge branch 'staging' into dependabot/github_actions/codecov/codecov…
8c87951 
…-action-4.3.0
@binbin-li
Merge pull request ratify-project#1379 from deislabs/dependabot/githu…
9ac7d5a 
…b_actions/codecov/codecov-action-4.3.0

chore: Bump codecov/codecov-action from 4.2.0 to 4.3.0
@akashsinghal
feat: add key support to key management provider (ratify-project#1333)
2894b51
@susanshi
fix: enable workflow for staging (ratify-project#1369)
3872e05
@binbin-li
feat: add PolicyManager interface to wrap operations on namespaced po…
7958056 
…licies [multi-tenancy PR 3] (ratify-project#1359)
@binbin-li
feat: add ReferrerStoreManager interface to wrap operations on namesp…
003fe00 
…aced stores [multi-tenancy PR 4] (ratify-project#1380)
@akashsinghal
fix: update azure tenantId casing (ratify-project#1385)
8acd52b
@akashsinghal
Merge branch 'main' into staging
f201712
@dependabot
chore: Bump github.com/sigstore/cosign/v2 from 2.2.3 to 2.2.4 (ratify…
a1a739f 
…-project#1383)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@akashsinghal
build: update Bridge to Kubernetes debugging steps (ratify-project#1384)
9c11f81
@dependabot
chore: Bump github.com/aws/aws-sdk-go-v2 from 1.26.0 to 1.26.1 (ratif…
f5089fc 
…y-project#1394)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.9 to 1…
62c00fb 
….17.11 (ratify-project#1393)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @binbin-li
chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5…
03bde0e 
….1 to 1.5.2 (ratify-project#1392)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Binbin Li <[email protected]>
@dependabot
chore: Bump google.golang.org/grpc from 1.62.1 to 1.62.2 (ratify-proj…
bce6b4c 
…ect#1391)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.9 to 1.27.11 (
7c75d59 
ratify-project#1390)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@luisdlp
Merge pull request ratify-project#1388 from deislabs/staging
6a5f10c 
feat: merge from `staging` to `main`
@akashsinghal
chore: bump oras go to 2.5.0 (ratify-project#1389)
7c34a1a
@binbin-li
feat: add certStoreManager interface to wrap operations on namespaced…
3e656b1 
… certStores [multi-tenancy PR 5] (ratify-project#1382)
@dependabot
chore: Bump azure/login from 2.0.0 to 2.1.0 (ratify-project#1400)
cc7d780 
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@susanshi @binbin-li
fix: rename staging to dev branch (ratify-project#1401)
4fed7a0 
Co-authored-by: Binbin Li <[email protected]>
dependabot bot and others added 23 commits June 17, 2024 11:18
@dependabot
chore: Bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (ratify-projec…
80ffa1f 
…t#1577)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@yizha1
docs: add a proposal for periodic retrieval (ratify-project#1510)
6c197b8 
Signed-off-by: Yi Zha <[email protected]>
@susanshi @binbin-li
doc: update minor release branching strategy (ratify-project#1456)
2d3a8e0 
Signed-off-by: Susan Shi <[email protected]>
Co-authored-by: Binbin Li <[email protected]>
@step-security-bot @akashsinghal
ci: harden github actions (ratify-project#1579)
f536f68 
Signed-off-by: StepSecurity Bot <[email protected]>
Co-authored-by: Akash Singhal <[email protected]>
@dependabot @akashsinghal @susanshi
chore: Bump github.com/google/go-containerregistry from 0.19.1 to 0.1…
91b9889 
…9.2 (ratify-project#1575)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Akash Singhal <[email protected]>
Co-authored-by: [email protected] <[email protected]>
@akashsinghal
chore: remodule ratify package (ratify-project#1552)
4a5fee5
@susanshi
fix: enable automated pr to main (ratify-project#1582)
ad69840 
Signed-off-by: Susan Shi <[email protected]>
@junczhu
chore: update a flag in makefile (ratify-project#1584)
a89d00d
@dependabot
chore: Bump golang from 2eb85b8 to b405b62 in /httpserver
1581bcd 
Bumps golang from `2eb85b8` to `b405b62`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
chore: Bump alpine from 77726ef to b89d9c9
27ca126 
Bumps alpine from `77726ef` to `b89d9c9`.

---
updated-dependencies:
- dependency-name: alpine
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@binbin-li
Merge pull request ratify-project#1590 from ratify-project/dependabot…
e4c58e2 
…/docker/alpine-b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0

chore: Bump alpine from `77726ef` to `b89d9c9`
@binbin-li
Merge branch 'dev' into dependabot/docker/httpserver/golang-b405b62
cca0a13
@binbin-li
Merge pull request ratify-project#1589 from ratify-project/dependabot…
47b3331 
…/docker/httpserver/golang-b405b62

chore: Bump golang from `2eb85b8` to `b405b62` in /httpserver
@binbin-li
ci: switch region from eastus to westus2 (ratify-project#1591)
efe84cf
@junczhu @binbin-li
feat: Support more trust store types (ratify-project#1538)
ae4385b 
Signed-off-by: Juncheng Zhu <[email protected]>
Co-authored-by: Binbin Li <[email protected]>
@dependabot
chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.18 to 1.27.…
374d187 
…21 (ratify-project#1586)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: Bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 (
cf7a111 
…ratify-project#1592)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: Bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.28.5 to 1…
45430c7 
….28.6 (ratify-project#1587)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.21 to …
aeceddc 
…1.17.22 (ratify-project#1594)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.22 to …
8af013d 
…1.17.23 (ratify-project#1600)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @susanshi
chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.21 to 1.27.…
54e92a4 
…23 (ratify-project#1602)

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Susan Shi <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Susan Shi <[email protected]>
@dependabot
chore: Bump github/codeql-action from 3.25.10 to 3.25.11 (ratify-proj…
d862e04 
…ect#1598)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@akashsinghal
merge dev
5b913b3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@akashsinghal @binbin-li @susanshi @luisdlp @mannbiher @fseldow @yizha1 @step-security-bot @junczhu