Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

image sign using per user registries.d #7357

Merged
merged 1 commit into from
Dec 7, 2020

Conversation

QiWang19
Copy link
Contributor

Support per user ~/.config/containers/registries.d to allow rootless image sign configurations.

Signed-off-by: Qi Wang [email protected]

@rhatdan
Copy link
Member

rhatdan commented Aug 18, 2020

@QiWang19 Rebase and you should be able to pass the tests.

docs/source/markdown/podman-image-sign.1.md Outdated Show resolved Hide resolved
@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 18, 2020
@QiWang19 QiWang19 force-pushed the rootless-sign branch 2 times, most recently from e1bc559 to 54bf987 Compare August 18, 2020 19:03
@QiWang19 QiWang19 force-pushed the rootless-sign branch 3 times, most recently from d7f9355 to b508366 Compare August 27, 2020 19:40
@QiWang19
Copy link
Contributor Author

@mtrmac @rhatdan PTAL

@rhatdan
Copy link
Member

rhatdan commented Aug 28, 2020

LGTM
@mtrmac PTAL

@QiWang19 QiWang19 force-pushed the rootless-sign branch 2 times, most recently from e2703b0 to 725bb9b Compare September 2, 2020 18:46
@rhatdan
Copy link
Member

rhatdan commented Sep 3, 2020

@mtrmac @vrothberg PTAL

Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really want a head nod from @mtrmac. I may very well miss details/side effects I am may not be aware of.

@@ -38,7 +40,7 @@ Sign the busybox image with the identify of [email protected] with a user's keyring an
## RELATED CONFIGURATION

The write (and read) location for signatures is defined in YAML-based
configuration files in /etc/containers/registries.d/. When you sign
configuration files in /etc/containers/registries.d/ for root user, or $HOME/.config/containers/registries.d for non-root user. When you sign
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
configuration files in /etc/containers/registries.d/ for root user, or $HOME/.config/containers/registries.d for non-root user. When you sign
configuration files in /etc/containers/registries.d/ for root, or $HOME/.config/containers/registries.d for non-root users. When you sign

derived from the registry configuration files in /etc/containers/registries.d. By default, the signature will be written into /var/lib/containers/sigstore directory.
derived from the registry configuration files in `$HOME/.config/containers/registries.d` if exists, otherwise `/etc/containers/registries.d` (unless overridden at compile-time), see **containers-registries.d(5)** for more information.
By default, the signature will be written into `/var/lib/containers/sigstore` from `/etc/containers/registries.d/default.yaml`, if the rootless user has no privilege to write the signature, the YAML format files
under `$HOME/.config/containers/registries.d` can be configured, otherwise, `$HOME/.local/share/containers/sigstore` will be used.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment doesn't seem to match the code. We don't seem to check for permissions but use the rootless paths if they exist even for root.

Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I’d prefer for this to be merged only after or together with containers/image#1035 to make sure the two are consistent.

Right now, the code LGTM, though the documentation does not match the code and needs updating.


The path lookup logic is complex enough that it probably makes sense to export c/image/docker.configuredSignatureStorageBase (with a better name) now, and use it here instead of maintaining a second copy of the code. (While overall we do want readers/writers to use the c/image API to access signatures instead of raw access, this has clearly not stopped podman sign, and modifying podman sign to use a c/image/docker ImageDestination would now incompatibly introduce a requirement to be able to connect to the registry.)

if sys.RootForImplicitAbsolutePaths != "" {
return filepath.Join(sys.RootForImplicitAbsolutePaths, systemRegistriesDirPath)
}
userRegistriesDir := filepath.FromSlash(".config/containers/registries.d")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these two be a top-level commented variables like the others?

if rootless.IsRootless() {
sigStoreURI = trust.RootlessSignatureStoreURL()
} else {
sigStoreURI = trust.DefaultSignatureStoreURL()
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dealing with URLs here seems to be an unnecessary complication; move the localPathFromURI call to the registryInfo != nil case, and this can just work with the sigStoreDir path.

@QiWang19 QiWang19 marked this pull request as draft September 18, 2020 19:46
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 18, 2020
@QiWang19 QiWang19 force-pushed the rootless-sign branch 2 times, most recently from 589485c to ef0f44a Compare September 19, 2020 00:59
@github-actions
Copy link

A friendly reminder that this PR had no activity for 30 days.

@rhatdan
Copy link
Member

rhatdan commented Oct 20, 2020

@QiWang19 This needs a rebase. Is this still being worked on?

@QiWang19
Copy link
Contributor Author

@rhatdan still being worked on, waiting to get this commit from c/image containers/image@1a0dda7

@QiWang19 QiWang19 mentioned this pull request Oct 27, 2020
@rhatdan
Copy link
Member

rhatdan commented Oct 27, 2020

@QiWang19 you should have the containers/image PR in podman now.

@QiWang19 QiWang19 force-pushed the rootless-sign branch 2 times, most recently from a5236b6 to 6103c23 Compare October 27, 2020 21:30
@QiWang19 QiWang19 marked this pull request as ready for review October 27, 2020 21:33
@QiWang19
Copy link
Contributor Author

@mtrmac @vrothberg PTAL

@QiWang19
Copy link
Contributor Author

QiWang19 commented Nov 3, 2020

@mtrmac PTAL

@QiWang19
Copy link
Contributor Author

QiWang19 commented Dec 2, 2020

@containers/podman-maintainers PTAL

@@ -9,7 +9,9 @@ podman-image-sign - Create a signature for an image
## DESCRIPTION
**podman image sign** will create a local signature for one or more local images that have
been pulled from a registry. The signature will be written to a directory
derived from the registry configuration files in /etc/containers/registries.d. By default, the signature will be written into /var/lib/containers/sigstore directory.
derived from the registry configuration files in `$HOME/.config/containers/registries.d` if exists,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
derived from the registry configuration files in `$HOME/.config/containers/registries.d` if exists,
derived from the registry configuration files in `$HOME/.config/containers/registries.d` if it exists,

@@ -9,7 +9,9 @@ podman-image-sign - Create a signature for an image
## DESCRIPTION
**podman image sign** will create a local signature for one or more local images that have
been pulled from a registry. The signature will be written to a directory
derived from the registry configuration files in /etc/containers/registries.d. By default, the signature will be written into /var/lib/containers/sigstore directory.
derived from the registry configuration files in `$HOME/.config/containers/registries.d` if exists,
otherwise `/etc/containers/registries.d` (unless overridden at compile-time), see **containers-registries.d(5)** for more information.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like we don't list containers-registries-d(5) at the bottom of this man page and I think we should.

Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These code changes LGTM.

To be consistent, though, I think this PR should also update getPolicyShowOutput, the other user of trust.LoadAndMergeConfig+trust.HaveMatchRegistry (and then delete them), so that that function also correctly shows the new built-in default paths.

A downside to that is that that function will now always show a sigstore, even for X-R-S-S registries (and there isn’t a way to tell whether a registry supports X-R-S-S without connecting to it), but that’s probably better than not showing a default sigstore path that would get used.

if path.Clean(repo) != repo { // Coverage: This should not be reachable because /./ and /../ components are not valid in docker references
return nil, errors.Errorf("Unexpected path elements in Docker reference %s for signature storage", dockerReference.String())
}
sigStoreDir = filepath.Join(options.Directory, repo)
}
if sigStoreDir == "" {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Non-blocking: This can just be an else.

@QiWang19
Copy link
Contributor Author

QiWang19 commented Dec 4, 2020

These code changes LGTM.

To be consistent, though, I think this PR should also update getPolicyShowOutput, the other user of trust.LoadAndMergeConfig+trust.HaveMatchRegistry (and then delete them), so that that function also correctly shows the new built-in default paths.

replace the above with docker.SignatureStorageBaseURL needs pass in an ImageReference, is there a good way to form an imageReference from the transports configurations in policy.json?

@mtrmac
Copy link
Collaborator

mtrmac commented Dec 4, 2020

These code changes LGTM.
To be consistent, though, I think this PR should also update getPolicyShowOutput, the other user of trust.LoadAndMergeConfig+trust.HaveMatchRegistry (and then delete them), so that that function also correctly shows the new built-in default paths.

replace the above with docker.SignatureStorageBaseURL needs pass in an ImageReference, is there a good way to form an imageReference from the transports configurations in policy.json?

Ouch… no. There is one case that works ( a policy.json scope that includes a tag or digest); all the rest does not:

  • For a host[:port]/…/repo scope, it would be possible to look up e.g. …/repo:latest, but that might not be correct if :latest has a different configuration section from the rest of the repo.
  • For a host[:port], it is impossible to look up without inventing a repo+tag/digest, and that again could clash with a more specific configuration section.
  • In the worst case, there will be new support for *.domain.com and the like in policy.json, so there could be multiple equally right answers if a.domain.com and b.domain.com are configured with different sigstores.

The last one is essentially unfixable given the current trust.Policy data structure and CLI output, so I suppose returning nothing if the existing code doesn’t find an exact match is as close as we can get.

Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@openshift-ci-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mtrmac, QiWang19, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@umohnani8
Copy link
Member

Changes LGTM, @QiWang19 needs a rebase though

Support per user ~/.config/containers/registries.d to allow rootless image sign configurations.

Signed-off-by: Qi Wang <[email protected]>
@QiWang19
Copy link
Contributor Author

QiWang19 commented Dec 7, 2020

Needs lgtm label.

@umohnani8
Copy link
Member

/lgtm
/hold

@mheon should we hold for the github-check failure?

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 7, 2020
@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Dec 7, 2020
@mheon
Copy link
Member

mheon commented Dec 7, 2020

We can't do anything about the RDO check, but it's not a blocking failure, we can merge without it.
/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 7, 2020
@openshift-merge-robot openshift-merge-robot merged commit 51166d0 into containers:master Dec 7, 2020
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 24, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants