From 9a7d3ef3bdde4fc32e8913e1f5f681cd6d0b5a30 Mon Sep 17 00:00:00 2001
From: Magnus Kulke
Date: Wed, 24 Jan 2024 13:37:39 +0100
Subject: [PATCH] keyprovider: extend docker image and documentation

The keyprovider docker image has been extended to bundle a keyprovider-capable skopeo and include a convenience script that simplifies the creation of encrypted images for usage in CoCo. Documentation has been added to use the image.

Signed-off-by: Magnus Kulke
---
 attestation-agent/coco_keyprovider/README.md | 41 ++++++++++++
 .../docker/Dockerfile.keyprovider | 64 +++++++++++++------
 attestation-agent/hack/encrypt-image.sh | 45 +++++++++++++
 3 files changed, 132 insertions(+), 18 deletions(-)
 create mode 100755 attestation-agent/hack/encrypt-image.sh

diff --git a/attestation-agent/coco_keyprovider/README.md b/attestation-agent/coco_keyprovider/README.md
index e4bfbc9e9..b71c88a57 100644
--- a/attestation-agent/coco_keyprovider/README.md
+++ b/attestation-agent/coco_keyprovider/README.md
@@ -13,6 +13,47 @@ The following guide will help make an encrypted image using [skopeo](https://git
 ## Encryption
+### Docker
+
+A docker image provides prebuilt CoCo keyprovider and skopeo to simplify image encryption:
+
+```bash
+$ docker run ghcr.io/confidential-containers/coco-keyprovider /encrypt.sh -h
+usage: /encrypt.sh [-k ] [-i ] [-s ] [-d ]
+```
+
+Source and destination have to be provided as [container/image](https://github.com/containers/image/blob/main/docs/containers-transports.5.md) transport URIs.
+
+This example will encrypt an image from docker/library and buffer the resulting encrypted image in a local `./output` folder:
+
+```bash
+head -c 32 /dev/urandom | openssl enc > image_key
+mkdir output
+docker run -v "$PWD/output:/output" ghcr.io/confidential-containers/coco-keyprovider /encrypt.sh \
+ -k "$(base64 < image_key)" \
+ -i kbs:///some/key/id \
+ -s docker://nginx:stable \
+ -d dir:/output
+```
+
+The image can then be pushed to a registry using skopeo:
+
+```bash
+skopeo copy dir:output docker://ghcr.io/confidential-containers/nginx-encrypted
+```
+
+Alternatively, an authorization file can be mounted to the container to be able to access private registries directly:
+
+```bash
+docker run -v ~/.docker/config.json:/root/.docker/config.json ghcr.io/confidential-containers/coco-keyprovider /encrypt.sh \
+ -k "$(base64 < image_key)" \
+ -i kbs:///some/key/id \
+ -s docker://private.registry.io/nginx:stable \
+ -d docker://private.registry.io/nginx:encrypted
+```
+
+### Detailed instructions
+
 Build and run CoCo keyprovider at localhost on port 50000:
 ```shell
diff --git a/attestation-agent/docker/Dockerfile.keyprovider b/attestation-agent/docker/Dockerfile.keyprovider
index e032458c9..bdd5a5a73 100644
--- a/attestation-agent/docker/Dockerfile.keyprovider
+++ b/attestation-agent/docker/Dockerfile.keyprovider
@@ -1,26 +1,54 @@
 # Copyright (c) 2023 by Alibaba.
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
-
-FROM rust:1.67 as builder
-
-WORKDIR /usr/src/coco-keyprovider
-
-RUN apt-get update && apt-get install protobuf-compiler -y && \
- rustup component add rustfmt
-
-COPY . .
+FROM rust:1.75-slim-bookworm as builder
 LABEL org.opencontainers.image.source="https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docker/Dockerfile.keyprovider"
-RUN cd attestation-agent/coco_keyprovider && cargo install --path .
-
-FROM ubuntu:20.04
-
-RUN apt-get update && apt install openssl -y && rm -rf /var/lib/apt/lists/*
-
-COPY --from=builder /usr/local/cargo/bin/coco_keyprovider /usr/local/bin/coco_keyprovider
-
+RUN apt-get update && apt-get install -y \
+ build-essential \
+ git \
+ libssl-dev \
+ pkg-config \
+ protobuf-compiler
+WORKDIR /build
+COPY . .
+RUN cargo build --release -p coco_keyprovider
+RUN mv target/release/coco_keyprovider .
+
+FROM golang:1.21.6-bookworm as skopeo
+RUN apt-get update && apt-get install -y \
+ make\
+ libgpgme-dev \
+ libassuan-dev \
+ libbtrfs-dev \
+ libdevmapper-dev \
+ pkg-config
+RUN git clone https://github.com/containers/skopeo $GOPATH/src/github.com/containers/skopeo
+WORKDIR $GOPATH/src/github.com/containers/skopeo
+RUN git checkout v1.14.1
+ENV DISABLE_DOCS=1
+RUN make bin/skopeo
+RUN make install
+
+FROM debian:bookworm-slim
+RUN apt-get update && apt-get install -y \
+ ca-certificates \
+ libdevmapper1.02.1 \
+ libgpgme11 \
+ --no-install-recommends
+COPY --from=builder /build/coco_keyprovider /usr/local/bin/coco_keyprovider
+COPY --from=skopeo /usr/local/bin/skopeo /usr/local/bin/skopeo
+COPY <&2; exit 1
+ fi
+ ;;
+ i)
+ key_id=${OPTARG}
+ ;;
+ s)
+ src=${OPTARG}
+ ;;
+ d)
+ dst=${OPTARG}
+ ;;
+ h)
+ echo "$usage"; exit 0
+ ;;
+ *)
+ echo "$usage" 1>&2; exit 1
+ ;;
+ esac
+done
+shift $((OPTIND-1))
+
+if [ -z "${key-}" ] || [ -z "${key_id-}" ] || [ -z "${src-}" ] || [ -z "${dst-}" ]; then
+ echo "$usage" 1>&2; exit 1
+fi
+
+key_path=/key
+echo "$key" | base64 -d > "$key_path"
+
+coco_keyprovider --socket 127.0.0.1:50000 &
+sleep 1
+
+params="provider:attestation-agent:keypath=${key_path}::keyid=${key_id}::algorithm=A256GCM"
+skopeo copy --insecure-policy --encryption-key "$params" "$src" "$dst"
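Review bot: skopeo is fetched with `git clone` and then `git checkout v1.14.1`, which pins a mutable tag rather than a commit, so the binary bundled into a key-handling image can change silently if the tag is ever moved; pin the commit too, e.g. `ARG SKOPEO_COMMIT=<commit of v1.14.1>` and `RUN git checkout v1.14.1 && test "$(git rev-parse HEAD)" = "$SKOPEO_COMMIT"`, and ideally add `@sha256:…` digests to the three `FROM` lines. The final `debian:bookworm-slim` stage leaves `/var/lib/apt/lists/*` in its layer (the removed `ubuntu:20.04` stage cleaned it up), and in the part visible here has no `USER` directive, so `/encrypt.sh` and the bundled keyprovider would run as root; the tail of this hunk is cut off in this view, so a later `USER` line may exist. The two builder stages could also take `--no-install-recommends` to keep the build smaller and more deterministic.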
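Review bot: `skopeo copy --insecure-policy` on the last line turns off the containers signature-policy check for the source image, so an unverified or tampered upstream image is encrypted and republished under the caller's key with no indication; shipping a `/etc/containers/policy.json` in the image and calling `skopeo copy --encryption-key "$params" "$src" "$dst"` lets the policy be tightened later without touching the script. The decoded key is written to `/key` with the default umask, so `umask 077` should precede the `echo "$key" | base64 -d > "$key_path"` line, and because the key arrives via `-k` (as the README examples encourage) it is visible in the container's argv through `ps` and `docker inspect` — a mounted key file would avoid that. `sleep 1` is a race against `coco_keyprovider` binding `127.0.0.1:50000`; polling the port in a short loop, and checking the background process is still alive with `kill -0 $!`, is more robust than a fixed delay. The `getopts` loop this hunk begins in, and the script header (shebang, `set` flags), are outside the hunk as shown here, so whether `errexit`/`pipefail` are enabled cannot be confirmed.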