keyprovider: extend docker image and documentation #451

Merged
41 changes: 41 additions & 0 deletions attestation-agent/coco_keyprovider/README.md
Expand Up @@ -13,6 +13,47 @@ The following guide will help make an encrypted image using [skopeo](https://git

## Encryption

### Docker

A docker image provides prebuilt CoCo keyprovider and skopeo to simplify image encryption:

```bash
$ docker run ghcr.io/confidential-containers/coco-keyprovider /encrypt.sh -h
usage: /encrypt.sh [-k <b64-encoded key>] [-i <key id>] [-s <source>] [-d <destination>]
```

Source and destination have to be provided as [container/image](https://github.com/containers/image/blob/main/docs/containers-transports.5.md) transport URIs.

This example will encrypt an image from docker/library and buffer the resulting encrypted image in a local `./output` folder:

```bash
head -c 32 /dev/urandom | openssl enc > image_key
mkdir output
docker run -v "$PWD/output:/output" ghcr.io/confidential-containers/coco-keyprovider /encrypt.sh \
-k "$(base64 < image_key)" \
-i kbs:///some/key/id \
-s docker://nginx:stable \
-d dir:/output
```

The image can then be pushed to a registry using skopeo:

```bash
skopeo copy dir:output docker://ghcr.io/confidential-containers/nginx-encrypted
```

Alternatively, an authorization file can be mounted to the container to be able to access private registries directly:

```bash
docker run -v ~/.docker/config.json:/root/.docker/config.json ghcr.io/confidential-containers/coco-keyprovider /encrypt.sh \
-k "$(base64 < image_key)" \
-i kbs:///some/key/id \
-s docker://private.registry.io/nginx:stable \
-d docker://private.registry.io/nginx:encrypted
```

### Detailed instructions

Build and run CoCo keyprovider at localhost on port 50000:

```shell
Expand Down
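Review bot: All three examples expand the raw image key into a command-line argument via `-k "$(base64 < image_key)"`, so the key is readable by anyone who can list processes on the host or run `docker inspect` on the container; please also document a variant that mounts the key file into the container instead of passing it as an argument. Two smaller points: `head -c 32 /dev/urandom | openssl enc > image_key` runs `openssl enc` with no cipher, which simply copies stdin to stdout, so `head -c 32 /dev/urandom > image_key` is equivalent and less confusing; and the private-registry example bind-mounts `~/.docker/config.json`, which normally holds credentials for every registry the user is logged into, so mounting it read-only (`:ro`) is worth showing.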
64 changes: 46 additions & 18 deletions attestation-agent/docker/Dockerfile.keyprovider
@@ -1,26 +1,54 @@
# Copyright (c) 2023 by Alibaba.
# Licensed under the Apache License, Version 2.0, see LICENSE for details.
# SPDX-License-Identifier: Apache-2.0

FROM rust:1.67 as builder

WORKDIR /usr/src/coco-keyprovider

RUN apt-get update && apt-get install protobuf-compiler -y && \
rustup component add rustfmt

COPY . .
FROM rust:1.75-slim-bookworm as builder

LABEL org.opencontainers.image.source="https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docker/Dockerfile.keyprovider"

RUN cd attestation-agent/coco_keyprovider && cargo install --path .

FROM ubuntu:20.04

RUN apt-get update && apt install openssl -y && rm -rf /var/lib/apt/lists/*

COPY --from=builder /usr/local/cargo/bin/coco_keyprovider /usr/local/bin/coco_keyprovider

RUN apt-get update && apt-get install -y \
build-essential \
git \
libssl-dev \
pkg-config \
protobuf-compiler
WORKDIR /build
COPY . .
RUN cargo build --release -p coco_keyprovider
RUN mv target/release/coco_keyprovider .

FROM golang:1.21.6-bookworm as skopeo
RUN apt-get update && apt-get install -y \
make\
libgpgme-dev \
libassuan-dev \
libbtrfs-dev \
libdevmapper-dev \
pkg-config
RUN git clone https://github.com/containers/skopeo $GOPATH/src/github.com/containers/skopeo
WORKDIR $GOPATH/src/github.com/containers/skopeo
RUN git checkout v1.14.1
ENV DISABLE_DOCS=1
RUN make bin/skopeo
RUN make install

FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y \
ca-certificates \
libdevmapper1.02.1 \
libgpgme11 \
--no-install-recommends
COPY --from=builder /build/coco_keyprovider /usr/local/bin/coco_keyprovider
COPY --from=skopeo /usr/local/bin/skopeo /usr/local/bin/skopeo
COPY <<EOF /etc/ocicrypt.conf
{
"key-providers": {
"attestation-agent": {
"grpc": "localhost:50000"
}
}
}
EOF
COPY attestation-agent/hack/encrypt-image.sh /encrypt.sh
ENV OCICRYPT_KEYPROVIDER_CONFIG="/etc/ocicrypt.conf"
CMD ["coco_keyprovider", "--socket", "0.0.0.0:50000"]

EXPOSE 50000
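Review bot: `LABEL org.opencontainers.image.source=...` is placed in the `rust:1.75-slim-bookworm as builder` stage, and labels from an intermediate stage are not inherited by the final `FROM debian:bookworm-slim` image, so the published image will not carry the source annotation; move the LABEL into the last stage. Two smaller points: the final stage's `apt-get install` no longer ends with `rm -rf /var/lib/apt/lists/*` as the removed `FROM ubuntu:20.04` stage did, which leaves the package index in the shipped image; and `make\` in the skopeo stage is missing the space before the continuation backslash (it only works because the shell drops the backslash-newline, and it is easy to misread as a typo).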
45 changes: 45 additions & 0 deletions attestation-agent/hack/encrypt-image.sh
@@ -0,0 +1,45 @@
#!/bin/bash

set -euo pipefail

usage="usage: $0 [-k <b64-encoded key>] [-i <key id>] [-s <source>] [-d <destination>]"

while getopts ":k:i:s:d:h" o; do
case "${o}" in
k)
key=${OPTARG}
if [ "$(echo "$key" | base64 -d | wc --bytes)" != "32" ]; then
echo "key should be a b64-encoded 32 byte key" 1>&2; exit 1
fi
;;
i)
key_id=${OPTARG}
;;
s)
src=${OPTARG}
;;
d)
dst=${OPTARG}
;;
h)
echo "$usage"; exit 0
;;
*)
echo "$usage" 1>&2; exit 1
;;
esac
done
shift $((OPTIND-1))

if [ -z "${key-}" ] || [ -z "${key_id-}" ] || [ -z "${src-}" ] || [ -z "${dst-}" ]; then
echo "$usage" 1>&2; exit 1
fi

key_path=/key
echo "$key" | base64 -d > "$key_path"

coco_keyprovider --socket 127.0.0.1:50000 &
sleep 1

params="provider:attestation-agent:keypath=${key_path}::keyid=${key_id}::algorithm=A256GCM"
skopeo copy --insecure-policy --encryption-key "$params" "$src" "$dst"
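Review bot: `coco_keyprovider --socket 127.0.0.1:50000 &` followed by `sleep 1` is a fixed-delay race: if the provider takes longer than a second to bind, `skopeo copy` fails with a connection error even though nothing is wrong with the inputs. Poll the port until it accepts a connection before running skopeo (the script is `#!/bin/bash`, so a short loop over `exec 3<>/dev/tcp/127.0.0.1/50000` works without extra packages), and add a `trap ... EXIT` that stops the background provider and removes `/key`. Also worth a sentence in the README: `--insecure-policy` disables skopeo's signature policy checks, so whatever is at `$src` is pulled and encrypted without verification; and `echo "$key" | base64 -d` is safer as `printf '%s\n' "$key" | base64 -d`, since a key string that happens to start with `-n` or `-e` would otherwise be parsed as an `echo` option.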