
Add cosign in compose #1508

Merged
merged 2 commits into from
Nov 18, 2022

Conversation

djdongjin
Member

@djdongjin djdongjin commented Nov 15, 2022

Fix #607.

Similar to #556, #606, #628, this PR adds cosign support to compose:

  • Support cosign in compose run, compose up, compose push, compose pull.
  • Refactor cosign related functions to its own package, so they can be used by both nerdctl and nerdctl compose.
  • Add tests.
  • Update doc.
  • Figure how to add --experimental for cosign support in compose commands.
  • Rebase.

I'm more towards the below method from the #607 discussion, since it's less error-prone than CLI args and more flexible (my understanding is we should provide the capability to sign/verify individual images per service and cannot assume the user will use the same pair for all images in a compose yaml).

services:
  foo:
    image: bar
    x-nerdctl-verify: cosign
    x-nerdctl-cosign-public-key: /path/to/cosign.pub
    x-nerdctl-sign: cosign
    x-nerdctl-cosign-private-key: /path/to/cosign.key

A running example:

➜  compose-cosign cat docker-compose.yml
services:
  svc0:
    build: .
    image: docker.io/djdongjin95/svc0_image
    x-nerdctl-verify: cosign
    x-nerdctl-cosign-public-key: ./cosign.pub
    x-nerdctl-sign: cosign
    x-nerdctl-cosign-private-key: ./cosign.key
    ports:
    - 8080:80
  svc1:
    build: .
    image: docker.io/djdongjin95/svc1_image
    ports:
    - 8081:80

# compose push
➜  compose-cosign sudo env "COSIGN_PASSWORD="$COSIGN_PASSWORD"" nerdctl compose push
WARN[0000] build.config should be relative path, got "/home/ec2-user/tmp/compose-cosign"
...
elapsed: 0.2 s                                                                    total:  9.3 Ki (46.2 KiB/s)
INFO[0001] cosign: WARNING: Image reference docker.io/djdongjin95/svc0_image uses a tag, not a digest, to identify the image to sign.
INFO[0001] cosign:
INFO[0001] cosign: This can lead you to sign a different image than the intended one. Please use a
INFO[0001] cosign: digest (example.com/ubuntu@sha256:abc123...) rather than tag
INFO[0001] cosign: (example.com/ubuntu:latest) for the input to cosign. The ability to refer to
INFO[0001] cosign: images by tag will be removed in a future release.
INFO[0001] cosign: Pushing signature to: index.docker.io/djdongjin95/svc0_image
WARN[0001] build.config should be relative path, got "/home/ec2-user/tmp/compose-cosign"
INFO[0001] Pushing image docker.io/djdongjin95/svc1_image
...
elapsed: 0.2 s                                                                    total:  9.3 Ki (46.3 KiB/s)

# compose pull
➜  compose-cosign sudo env "COSIGN_PASSWORD="$COSIGN_PASSWORD"" nerdctl compose pull
WARN[0000] build.config should be relative path, got "/home/ec2-user/tmp/compose-cosign"
INFO[0000] Pulling image docker.io/djdongjin95/svc0_image
INFO[0000] cosign:
INFO[0000] cosign: [{"critical":{"identity":{"docker-reference":"index.docker.io/djdongjin95/svc0_image"},"image":{"docker-manifest-digest":"sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9"},"type":"cosign container image signature"},"optional":null}]
INFO[0000] cosign:
INFO[0000] cosign: Verification for index.docker.io/djdongjin95/svc0_image@sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9 --
INFO[0000] cosign: The following checks were performed on each of these signatures:
INFO[0000] cosign:   - The cosign claims were validated
INFO[0000] cosign:   - The signatures were verified against the specified public key
docker.io/djdongjin95/svc0_image@sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9: resolved       |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9:                         done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:abcd9b97b24c8f2f763d937a726a62e39c1ef39574a6c24cc779bea8e08c2519:                           done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 0.3 s                                                                                            total:  1.7 Ki (5.8 KiB/s)
WARN[0000] build.config should be relative path, got "/home/ec2-user/tmp/compose-cosign"
...
elapsed: 0.2 s                                                                    total:   0.0 B (0.0 B/s)

# pulled images
➜  compose-cosign sudo nerdctl images
REPOSITORY                TAG       IMAGE ID        CREATED           PLATFORM       SIZE        BLOB SIZE
djdongjin95/svc0_image    <none>    4329abc3143b    15 seconds ago    linux/amd64    24.5 MiB    9.4 MiB
djdongjin95/svc1_image    latest    4329abc3143b    15 seconds ago    linux/amd64    24.5 MiB    9.4 MiB

# compose up
➜  compose-cosign sudo env "COSIGN_PASSWORD="$COSIGN_PASSWORD"" nerdctl compose up
...
INFO[0000] Ensuring image docker.io/djdongjin95/svc0_image
INFO[0000] cosign:
INFO[0000] cosign: [{"critical":{"identity":{"docker-reference":"index.docker.io/djdongjin95/svc0_image"},"image":{"docker-manifest-digest":"sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9"},"type":"cosign container image signature"},"optional":null}]
INFO[0000] cosign:
INFO[0000] cosign: Verification for index.docker.io/djdongjin95/svc0_image@sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9 --
INFO[0000] cosign: The following checks were performed on each of these signatures:
INFO[0000] cosign:   - The cosign claims were validated
INFO[0000] cosign:   - The signatures were verified against the specified public key
INFO[0000] Ensuring image docker.io/djdongjin95/svc1_image
INFO[0000] Creating container compose-cosign_svc1_1
INFO[0000] Creating container compose-cosign_svc0_1
INFO[0001] Attaching to logs

# compose run
➜  compose-cosign sudo env "COSIGN_PASSWORD="$COSIGN_PASSWORD"" nerdctl compose run svc0 -- echo "hello"
...
INFO[0000] Ensuring image docker.io/djdongjin95/svc0_image
INFO[0000] cosign:
INFO[0000] cosign: [{"critical":{"identity":{"docker-reference":"index.docker.io/djdongjin95/svc0_image"},"image":{"docker-manifest-digest":"sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9"},"type":"cosign container image signature"},"optional":null}]
INFO[0000] cosign:
INFO[0000] cosign: Verification for index.docker.io/djdongjin95/svc0_image@sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9 --
INFO[0000] cosign: The following checks were performed on each of these signatures:
INFO[0000] cosign:   - The cosign claims were validated
INFO[0000] cosign:   - The signatures were verified against the specified public key
INFO[0000] Creating container compose-cosign_svc0_run_a516dddd5769
hello
INFO[0000] Stopping containers (forcibly)
INFO[0000] Stopping container compose-cosign_svc0_run_a516dddd5769

Signed-off-by: Jin Dong [email protected]

@djdongjin djdongjin changed the title Add cosign in compose run, up, pull, push Add cosign in compose Nov 15, 2022
@djdongjin djdongjin marked this pull request as ready for review November 16, 2022 02:28
@djdongjin
Member Author

cc @AkihiroSuda @developer-guy @Dentrax @ktock. I think the functionality should work now, but thanks for any comments & suggestions as I don't have much experience with cosign :)

Also, any suggestion on how to check experimental (from cmd) for compose cosign? In compose the cosign feature is still in pkg (i.e., not in cmd). One way might be passing experimental to the related Options (e.g., PullOptions, UpOptions, etc.), but it'll change every compose Options struct (pull, push, up, run).

Thanks!

(I'll update related docs after the implementation looks okay :))

@AkihiroSuda
Member

Thanks!

One way might be passing experimental to related Options (e.g., PullOptions, UpOptions, etc)

Yes, should be added in Options
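One way to model the per-service schema from the PR description (x-nerdctl-verify / x-nerdctl-sign plus their key paths) together with the experimental gating discussed just above, as an added example that is not nerdctl's own code. It assumes the service's x-* keys arrive as compose-go exposes them (a map[string]interface{}), that "cosign" is the only accepted tool value, and that relative key paths resolve against the compose project directory.

```go
package main

import "fmt"
import "path/filepath"

// CosignPolicy is one service's decision from its x-nerdctl-* keys; "" means not opted in.
type CosignPolicy struct {
	PublicKey  string // verify with this cosign.pub on pull, up and run
	PrivateKey string // sign with this cosign.key on push
}

// ParseCosignPolicy validates the x-* extension map compose-go exposes for a service. It
// fails closed: a non-cosign tool, a missing key, or cosign without --experimental is an error.
func ParseCosignPolicy(ext map[string]interface{}, projectDir string, experimental bool) (CosignPolicy, error) {
	verify, _ := ext["x-nerdctl-verify"].(string) // "" when absent or not a string
	sign, _ := ext["x-nerdctl-sign"].(string)
	var p CosignPolicy
	// Each opted-in operation names its tool and needs a key file, resolved against projectDir.
	for _, o := range []struct{ tool, key string; dst *string }{
		{verify, "x-nerdctl-cosign-public-key", &p.PublicKey},
		{sign, "x-nerdctl-cosign-private-key", &p.PrivateKey},
	} {
		if o.tool == "" {
			continue // this operation is not requested for the service
		}
		if !experimental {
			return CosignPolicy{}, fmt.Errorf("cosign in compose requires --experimental")
		}
		if o.tool != "cosign" {
			return CosignPolicy{}, fmt.Errorf("unsupported tool %q, only cosign is known", o.tool)
		}
		path, _ := ext[o.key].(string)
		if path == "" {
			return CosignPolicy{}, fmt.Errorf("%s is required", o.key)
		}
		if !filepath.IsAbs(path) {
			path = filepath.Join(projectDir, path)
		}
		*o.dst = path
	}
	return p, nil
}

func main() {
	svc0 := map[string]interface{}{ // constructed: mirrors svc0 in the PR's docker-compose.yml
		"x-nerdctl-verify": "cosign", "x-nerdctl-cosign-public-key": "./cosign.pub",
		"x-nerdctl-sign": "cosign", "x-nerdctl-cosign-private-key": "./cosign.key"}
	fmt.Println(ParseCosignPolicy(svc0, "/home/ec2-user/tmp/compose-cosign", true))
}
```

A service with no x-nerdctl keys is a no-op even without --experimental, so the gate only bites services that actually opt in.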

// 4. compose run
const sttyPartialOutput = "speed 38400 baud"
// unbuffer(1) emulates tty, which is required by `nerdctl run -t`.
// unbuffer(1) can be installed with `apt-get install expect`.
Member

Any reason to check the TTY functionality here?

Member Author

I followed compose run testcases in the same folder. Seems they all use this scenario. Should I change to something else? thanks.

Member

Just "echo hi" should suffice, unless the cosign stuff relates to tty

Member Author

I tested echo hi but it seems to have some issue in the test (below; maybe due to some unimplemented feature in compose run as mentioned in #1340).

If it's okay I'll keep this test consistent with other compose run testcases (i.e., use unbuffer) in this file.

time="2022-11-17T01:49:58Z" level=fatal msg="error while creating container nerdctl-compose-test2565186661_svc0_run_6af98b73d3b0: exit status 2"

pkg/cosignutil/cosignutil.go (outdated review thread, resolved)
cmd/nerdctl/compose.go (outdated review thread, resolved)
@developer-guy
Contributor

If people are going to try that feature in lima VM, they will fail as we did not add cosign binary into the VM image yet 👇

#680

Signed-off-by: Jin Dong <[email protected]>

Add compose cosign test

Signed-off-by: Jin Dong <[email protected]>

Fix naming bug

Signed-off-by: Jin Dong <[email protected]>

Add compose cosign test [pass]

Signed-off-by: Jin Dong <[email protected]>

Add compose experimental flag

Signed-off-by: Jin Dong <[email protected]>

Refactor cosign func

Signed-off-by: Jin Dong <[email protected]>

Add compose cosign doc

Signed-off-by: Jin Dong <[email protected]>
@djdongjin
Member Author

If people are going to try that feature in lima VM, they will fail as we did not add cosign binary into the VM image yet 👇

#680

Thanks for pointing this out! This will be the same for cosign support in other commands right? (e.g. nerdctl push|run|pull)? If so, maybe we can just track the cosign support for lima as a whole in #679/#680.

@AkihiroSuda AkihiroSuda (Member) left a comment

Thanks


Successfully merging this pull request may close these issues.

Compose: support cosign
4 participants