Add cosign in compose #1508
Add cosign in compose #1508
Conversation
djdongjin
changed the title
|
cc @AkihiroSuda @developer-guy @Dentrax @ktock. I think the functionality should work now, but thanks for any comments&suggestions as I don't have much experience with cosign :) Also any suggestion on how to check Thanks! (I'll update related docs after the implementation looks okay :)) |
|
Thanks!
Yes, should be added in Options |
| // 4. compose run | ||
| const sttyPartialOutput = "speed 38400 baud" | ||
| // unbuffer(1) emulates tty, which is required by `nerdctl run -t`. | ||
| // unbuffer(1) can be installed with `apt-get install expect`. |
There was a problem hiding this comment.
Any reason to check the TTY functionality here?
There was a problem hiding this comment.
I followed compose run testcases in the same folder. Seems they all use this scenario. Should I change to something else? thanks.
There was a problem hiding this comment.
Just "echo hi" should suffice, unless the cosign stuff relates to tty
There was a problem hiding this comment.
I tested echo hi but seems have some issue in test(below, maybe due to some unimplemented feature in compose run as mentioned in #1340).
If it's okay I'll keep this test consistent with other compose run testcases (i.e., use unbuffer) in this file.
time="2022-11-17T01:49:58Z" level=fatal msg="error while creating container nerdctl-compose-test2565186661_svc0_run_6af98b73d3b0: exit status 2"
djdongjin
force-pushed
the
compose-cosign
branch
from
069aa92
to
2a47031
Compare
|
If people are going to try that feature in lima VM, they will fail as we did not add cosign binary into the VM image yet 👇 |
Signed-off-by: Jin Dong <jindon@amazon.com> Add compose cosign test Signed-off-by: Jin Dong <jindon@amazon.com> Fix naming bug Signed-off-by: Jin Dong <jindon@amazon.com> Add compose cosign test [pass] Signed-off-by: Jin Dong <jindon@amazon.com> Add compose experimental flag Signed-off-by: Jin Dong <jindon@amazon.com> Refactor cosign func Signed-off-by: Jin Dong <jindon@amazon.com> Add compose cosign doc Signed-off-by: Jin Dong <jindon@amazon.com>
Signed-off-by: Jin Dong <jindon@amazon.com>
djdongjin
force-pushed
the
compose-cosign
branch
from
48d64ef
to
cfa27df
Compare
Thanks for pointing this out! This will be the same for cosign support in other commands right? (e.g. |
Fix #607.
Similar to ##556, #606, #628, this PR adds cosign support to compose:
compose run,compose up,compose push,compose pull.nerdctlandnerdctl compose.--experimentalfor cosign support incomposecommands.I'm more towards the below method from #607 discussion, since it's less error-prone than cli args and more flexibile (my understanding is we should provide the capability to sign/verify individual images per services and cannot assume user will use the same pair for all images in a compose yaml).
A running example:
➜ compose-cosign cat docker-compose.yml services: svc0: build: . image: docker.io/djdongjin95/svc0_image x-nerdctl-verify: cosign x-nerdctl-cosign-public-key: ./cosign.pub x-nerdctl-sign: cosign x-nerdctl-cosign-private-key: ./cosign.key ports: - 8080:80 svc1: build: . image: docker.io/djdongjin95/svc1_image ports: - 8081:80 # compose push ➜ compose-cosign sudo env "COSIGN_PASSWORD="$COSIGN_PASSWORD"" nerdctl compose push WARN[0000] build.config should be relative path, got "/home/ec2-user/tmp/compose-cosign" ... elapsed: 0.2 s total: 9.3 Ki (46.2 KiB/s) INFO[0001] cosign: WARNING: Image reference docker.io/djdongjin95/svc0_image uses a tag, not a digest, to identify the image to sign. INFO[0001] cosign: INFO[0001] cosign: This can lead you to sign a different image than the intended one. Please use a INFO[0001] cosign: digest (example.com/ubuntu@sha256:abc123...) rather than tag INFO[0001] cosign: (example.com/ubuntu:latest) for the input to cosign. The ability to refer to INFO[0001] cosign: images by tag will be removed in a future release. INFO[0001] cosign: Pushing signature to: index.docker.io/djdongjin95/svc0_image WARN[0001] build.config should be relative path, got "/home/ec2-user/tmp/compose-cosign" INFO[0001] Pushing image docker.io/djdongjin95/svc1_image ... elapsed: 0.2 s total: 9.3 Ki (46.3 KiB/s) # compose pull ➜ compose-cosign sudo env "COSIGN_PASSWORD="$COSIGN_PASSWORD"" nerdctl compose pull WARN[0000] build.config should be relative path, got "/home/ec2-user/tmp/compose-cosign" INFO[0000] Pulling image docker.io/djdongjin95/svc0_image INFO[0000] cosign: INFO[0000] cosign: [{"critical":{"identity":{"docker-reference":"index.docker.io/djdongjin95/svc0_image"},"image":{"docker-manifest-digest":"sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9"},"type":"cosign container image signature"},"optional":null}] INFO[0000] cosign: INFO[0000] cosign: Verification for index.docker.io/djdongjin95/svc0_image@sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9 -- INFO[0000] cosign: The following checks were performed on each of these signatures: INFO[0000] cosign: - The cosign claims were validated INFO[0000] cosign: - The signatures were verified against the specified public key docker.io/djdongjin95/svc0_image@sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9: resolved |++++++++++++++++++++++++++++++++++++++| manifest-sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9: done |++++++++++++++++++++++++++++++++++++++| config-sha256:abcd9b97b24c8f2f763d937a726a62e39c1ef39574a6c24cc779bea8e08c2519: done |++++++++++++++++++++++++++++++++++++++| elapsed: 0.3 s total: 1.7 Ki (5.8 KiB/s) WARN[0000] build.config should be relative path, got "/home/ec2-user/tmp/compose-cosign" ... elapsed: 0.2 s total: 0.0 B (0.0 B/s) # pulled images ➜ compose-cosign sudo nerdctl images REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE djdongjin95/svc0_image <none> 4329abc3143b 15 seconds ago linux/amd64 24.5 MiB 9.4 MiB djdongjin95/svc1_image latest 4329abc3143b 15 seconds ago linux/amd64 24.5 MiB 9.4 MiB # compose up ➜ compose-cosign sudo env "COSIGN_PASSWORD="$COSIGN_PASSWORD"" nerdctl compose up ... INFO[0000] Ensuring image docker.io/djdongjin95/svc0_image INFO[0000] cosign: INFO[0000] cosign: [{"critical":{"identity":{"docker-reference":"index.docker.io/djdongjin95/svc0_image"},"image":{"docker-manifest-digest":"sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9"},"type":"cosign container image signature"},"optional":null}] INFO[0000] cosign: INFO[0000] cosign: Verification for index.docker.io/djdongjin95/svc0_image@sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9 -- INFO[0000] cosign: The following checks were performed on each of these signatures: INFO[0000] cosign: - The cosign claims were validated INFO[0000] cosign: - The signatures were verified against the specified public key INFO[0000] Ensuring image docker.io/djdongjin95/svc1_image INFO[0000] Creating container compose-cosign_svc1_1 INFO[0000] Creating container compose-cosign_svc0_1 INFO[0001] Attaching to logs # compose run ➜ compose-cosign sudo env "COSIGN_PASSWORD="$COSIGN_PASSWORD"" nerdctl compose run svc0 -- echo "hello" ... INFO[0000] Ensuring image docker.io/djdongjin95/svc0_image INFO[0000] cosign: INFO[0000] cosign: [{"critical":{"identity":{"docker-reference":"index.docker.io/djdongjin95/svc0_image"},"image":{"docker-manifest-digest":"sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9"},"type":"cosign container image signature"},"optional":null}] INFO[0000] cosign: INFO[0000] cosign: Verification for index.docker.io/djdongjin95/svc0_image@sha256:4329abc3143b1545835de17e1302c8313a9417798b836022f4c8c8dc8b10a3e9 -- INFO[0000] cosign: The following checks were performed on each of these signatures: INFO[0000] cosign: - The cosign claims were validated INFO[0000] cosign: - The signatures were verified against the specified public key INFO[0000] Creating container compose-cosign_svc0_run_a516dddd5769 hello INFO[0000] Stopping containers (forcibly) INFO[0000] Stopping container compose-cosign_svc0_run_a516dddd5769Signed-off-by: Jin Dong jindon@amazon.com