Add encryption decryption feature

[gupttaru]

This PR adds encryption decryption functionality, just like those present in buildah and skopeo. containers/common/libimage already supports encryption-decryption of images, so its a Podman only change.

This would allow us to encrypt the image while pushing it to a registry and decrypt the image while pulling it from a registry.

The commands would be as follows:

podman push --encryption-key protocol:keyfile IMAGE
podman pull --decyrption-key protocol:keyfile IMAGE 

Additionally,

podman run --decryption-key <key> IMAGE [command [arg …]]
would automatically pull the image from a registry, decrypt it using decryption key and run the container.

Signed-off-by: Tarun Gupta [email protected]

Does this PR introduce a user-facing change?

Yes.

This PR adds the flag `--encryption-key` and `--encrypt-layer` to the push command, and `--decryption-key` to pull and run command.

[rhatdan]

Remove this blank line to make linter happy.

[gupttaru]

Fixed

[rhatdan]

I am fine with this.

podman build --decryption-key is already supported.

[rhatdan]

Why is this Experimental? It is not in Buildah?

[gupttaru]

Removed "Experimental"

[rhatdan]

Remove "Experimental"

[gupttaru]

Done

[rhatdan]

Remove Experimental

[gupttaru]

Done

[rhatdan]

Remove Experimental

[gupttaru]

Done

[rhatdan]

Needs tests.

[rhatdan]

Overall @gupttaru this looks good, thanks.

[gupttaru]

Addressed comments by @rhatdan , and added tests

[gupttaru]

Removed "Experimental"

[gupttaru]

Fixed

[gupttaru]

Done

[gupttaru]

Done

[gupttaru]

Done

[gupttaru]

In the Cirrus CI pipeline, some of the tests related to things I haven't touched are failing:

[+1357s] [Fail] Podman search [It] podman search format json list tags 
[+1357s] /var/tmp/go/src/github.com/containers/podman/test/e2e/search_test.go:137

[+1513s] [Fail] Podman run networking [It] podman do not tamper with joined network ns interfaces 
[+1513s] /var/tmp/go/src/github.com/containers/podman/test/e2e/run_networking_test.go:834

[+1513s] [Fail] Podman create with --ip flag [It] Podman create with specified static IP has correct IP 
[+1513s] /var/tmp/go/src/github.com/containers/podman/test/e2e/create_staticip_test.go:75

[+1469s] [Fail] Podman search [It] podman search format json list tags 
[+1469s] /var/tmp/go/src/github.com/containers/podman/test/e2e/search_test.go:1

Could someone help with the above errors?

Also the tests I have added for checking the encryption-decryption feature are passing except one: podman-remote is able to pull encrypted image without providing decryption key (link to CI logs). So the following is NOT throwing an error:

# podman-remote [options] run -d --name registry -p 5000:5000 quay.io/libpod/registry:2.8 /entrypoint.sh /etc/docker/registry/config.yml
# podman-remote [options] push --encryption-key jwe:/tmp/podman_test2360113671/key.rsa.pub --tls-verify=false --remove-signatures quay.io/libpod/alpine:latest localhost:5000/my-alpine
# podman-remote [options] rmi quay.io/libpod/alpine:latest
# podman-remote [options] pull localhost:5000/my-alpine

I am unable to at the moment exactly find the reason for this. Trying to debug this at the moment.

[rhatdan]

First can you squash your commits

git rebase -i origin
git push --force

@mtrmac @vrothberg PTAL

[mtrmac]

ACK to the non-test code, based on a fairly cursory skim.

podman-remote is able to pull encrypted image without providing decryption key

That sounds like a blocker for now. It might not be a bug at all, but it does need to be understood, so that we are certain we are not publishing unencrypted images when the user asks for encrypted. (OTOH I didn’t now read any part of the tests — this is admittedly just an emphasis of the known without contributing anything new.)

[gupttaru]

It might not be a bug at all, but it does need to be understood, so that we are certain we are not publishing unencrypted images when the user asks for encrypted.

Most probably there might be a problem with test code (link), which might be pushing unencrypted images somehow, even though I am passing the --encryption-key flag. Though I am unable to exactly see why this problem is occurring only in podman-remote, and not podman.

Also, what could be the reason for failing of other unit-tests not related to this added feature, as mentioned above?

[mtrmac]

> which might be pushing unencrypted images somehow… I am unable to exactly see why this problem is occurring only in podman-remote,

I can’t see any new fields added in pkg/bindings, so my first guess is that the RPC to pass options to the remote server is simply missing in this PR. (But I’m only slightly familiar with how the remote mode works.)

Does it even make sense to support this on remote? Compare #15163 (comment) . (But if it is not supported, the request to push with encryption must fail instead of pushing without encryption.)

[rhatdan]

Yes you need to change pkg/api and maybe pkg/bindings to pass the option accross the protocol to the server.

[gupttaru]

Yes you need to change pkg/api and maybe pkg/bindings to pass the option accross the protocol to the server.

Thanks, I am not well acquainted with the podman-remote mode, so missed this.

Does it even make sense to support this on remote? Compare #15163 (comment) . (But if it is not supported, the request to push with encryption must fail instead of pushing without encryption.)

I do agree with this comment. Sending the key over a protocol would be risky. The keys are usually made available on the machine which is pushing/pulling the image, in a secure manner, using some KMS (Key Management Service) or some Secret Manager. For example: Ocicrypt keyprovider protocol allows using a KMS for providing keys in a secure manner.

Similar to other flags which are not supported on podman-remote, I think we could hide the encryption related flags for remote mode, for example as done here. If we hide the flag for remote mode, I don't think we would need any changes in pkg/api and pkg/bindings

[mtrmac]

I’d still like to see code in the remote client that makes sure that request fails: a field in pkg/domains/entities that is silently ignored is a time bomb otherwise.

Admittedly we apparently don’t do that in other cases, like --sign-by; we probably should. The failure case with ignoring the --encryption-key option is so much worse, though, that this is much more important to do for that option.

[rhatdan]

SGTM
Reject these commands in remote mode. BTW This means they would not be able to be used on MAC and Windows platforms.
You can make podman-remote throw an error when using any of these options, including --sign-by.
The man pages should reflect that these are not supported for Remote as well.

[gupttaru]

Admittedly we apparently don’t do that in other cases, like --sign-by; we probably should. The failure case with ignoring the --encryption-key option is so much worse

You can make podman-remote throw an error when using any of these options, including --sign-by.

Given that we need to make this change for all the options that are not supported by podman-remote (--sign-by, --encryption-key etc.) can we make that a part of a separate issue/PR? For now, I can make the encryption-key flag conform with how other flags are treated. Admittedly, currently I am not well acquainted with the remote side of Podman, and not sure how this change would look.

[rhatdan]

Yes we can fix the others in a different commit, but for now you have to fix the new options to not run tests in remote mode.

[mtrmac]

For now, I can make the encryption-key flag conform with how other flags are treated.

I think the encryption-key flag must cause an error at the API level (not just the CLI), as part of this PR. The consequences of silently ignoring it are materially worse than the others.

[gupttaru]

I think the encryption-key flag must cause an error at the API level (not just the CLI), as part of this PR.

Understood.

Based on my current understanding of API code of Podman, this change would involve defining a query parameter for encryption-key in Podman libpod API's PushImage function (here), and then if the encryption-key is actually passed as a query parameter by the user, then raising an error.

Likewise, defining query parameters for options encrypt-layer and decryption-key, and then raising errors from libpod's API's functions PushImage and ImagesPull.

So these would only involve changes in files pkg/api/handlers/libpod/{images_push,images_pull}.go

I couldn't think of any changes in pkg/bindings/images/{push,pull}.go

[mtrmac]

If you want to do all the work to add an actual query parameter to the HTTP API, send it and parse it, you might just as well hook it up right through to the actual server implementation (but, per the other discussion, I’m not sure that would actually work at all).

Instead, just modify the client binary; the PR adds fields to pkg/domain/entities.ImagePushOptions, so all consumers of that struct should either implement the new fields or reject it. E.g. https://github.com/gupttaru/podman/blob/613789a9e5eace8e005fbddd1e2ca7ac2a818ed1/pkg/domain/infra/tunnel/images.go#L242 needs to check for the new fields, and fail if they are set.

If we don’t add the field to the HTTP API, the pkg/bindings clients to the HTTP API will remain unaffected, because there would be no new field to reject.

---

(The package names are very confusing to me. I’m increasingly tempted to recommend renaming to pkg/http/server, pkg/http/client, pkg/engine/local, pkg/engine/remote, even with all the churn that would cause.)

[gupttaru]

Thanks @mtrmac for your help.

I have made the requisite changes in /pkg/domain/infra/tunnel/images.go to raise an error if the encryption or decryption related variables are set. You can see these changes here and here.

The package names are very confusing to me

I also find them quite confusing because of which I was finding it hard to understand the changes requried which you mentioned above. Would it be possible add a small README.md file for such folders to explain what they do? For example, I don't know the full-form of abi in pkg/domain/infra/abi; nor was it very clear to me that the tunnel folder would be handling the remote client related things. A small README.md (similar to what we have for pkg/bindings) would be quite helpful for future open-source collaborators I believe.

[mtrmac]

Thanks!

The implementation seems reasonable. (I didn’t review the tests in detail.)

I’ll leave the final approval to actual Podman maintainers.

[mtrmac]

So much for me reviewing…

The tests show actual failures that need fixing.

[gupttaru]

Thanks @mtrmac. The tests are passing now.

[rhatdan]

/approve
/lgtm
Thanks @gupttaru

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gupttaru, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment