-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add image verifier transfer service plugin system based on a binary directory #8493
Add image verifier transfer service plugin system based on a binary directory #8493
Conversation
Hi @ethan-lowman-dd. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left some comments on documentation.
Is this CRI-specific feature (i.e. should be implemented under pkg/cri
) or does this expand containerd's scope?
docs/image-verification.md
Outdated
```yaml | ||
[plugins] | ||
[plugins."io.containerd.image-verifier.v1.bindir"] | ||
enabled = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are there any use cases where the plugin is registered but enabled = false
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I primarily added this opt-in flag because I think it's useful to output logs about image verification before/after calling the plugin, but if the binary directory is empty (i.e. no verifications are happening, the logs are basically noise.
docs/image-verification.md
Outdated
|
||
## Image Pull Judgement | ||
|
||
Return an exit code of 0 to allow the image to be pulled and any other exit code to reject the image. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the expected verification the plugin performs based on name
and digest
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They can do essentially anything, such as:
- compare registry against a trusted list of registries
- block the
latest
tag - block pulling images without digest references.
- check image signatures (this would probably be the most popular use case -- see [transfer] plugin to transfer service for image verification #6691 for details)
@ktock I had previously prototyped an implementation of this feature in the CRI (here: #6994) but the feedback from maintainers was that it should live somewhere closer to the core so all containerd clients can benefit, not just the CRI. In particular, the Transfer service was named as the ideal integration spot. |
CI is failing since the commit is missing a sign-off. See the contribution guidelines for instructions. |
002cf10
to
d7ee4e8
Compare
/cc |
@ruiwen-zhao: GitHub didn't allow me to request PR reviews from the following users: ruiwen-zhao. Note that only containerd members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I really like a lot of this. As we get closer on a few of the open questions (and this moves from "WIP" to more ready to merge) we'll want to make sure we add some unit and integration tests.
0463b6b
to
0798b6d
Compare
Hi @ethan-lowman-dd :) Appreciate the work you're doing here on adding the verification capability. I actually built a very rudimentary prototype binary for Ratify for this and got it working with notation verifier configured. You can check it out here. Thought I'd point you to it if you're curious. Ratify is a verification engine for supply chain artifacts and can be configured with many different verifiers. It's been primarily used as a service working with an admission controller but the same principal could maybe be applied here. |
@samuelkarp @dmcgowan It seems like there's consensus on the design, so I went ahead and added tests, which takes this PR from WIP to something looking for a proper review. |
Hi @ethan-lowman-dd, Great job on the plugin btw! |
@vishal-chdhry This plugin system does not assume that the verification involves signatures at all. There could be an implementation of a plugin that validates using a policy.json somewhere on disk, but I believe that would be outside the scope of containerd. |
5fb72d0
to
1905eff
Compare
I think 1905eff should do the trick. I was killing the exec'ed process, but by default on Unix systems, that doesn't kill grand-child processes, leaving them orphaned if they don't exit quickly on their own. I added a unit test to check for orphaned processes similar to the one that was failing by chance in a different package. Also, since I'm not super familiar with the Windows process model, I wanted to make sure the bindir tests ran on Windows too. I updated the testing strategy in |
It might take me a bit of time to get this working on Windows (this is my first time building anything against Windows). I need to wrap my head around the differences in the Windows process model to avoid the two issues we have remaining affecting only Windows:
|
I made an attempt to avoid orphan processes on Windows in this commit (not currently part of this PR): It's based on ideas I found here: https://devblogs.microsoft.com/oldnewthing/20131209-00/?p=2433 That commit doesn't current work -- Or alternatively, we could let it be the case that orphan processes are a possibility on Windows. There doesn't seem to be good native Go support for avoiding that -- everything's through the Windows syscall package. |
With the advice of some colleagues, I got things working on Windows in: 6e83767 |
/retest |
The failing e2e tests looks to be this flake: kubernetes/kubernetes#119600 But otherwise CI is green now. @dmcgowan This probably needs another look since I had to change a few things related to process management. I will squash the commits, but I'll keep them for now so it's easy to see what changed since the first approvals. |
/retest |
@ethan-lowman-dd looks good, if the Windows stuff works, I'll believe the tests. Otherwise some Windows folks can comment on it. Can you squash some of those middle commits down and then I think it looks ready to go. |
…irectory Signed-off-by: Ethan Lowman <[email protected]>
ca29881
to
ac1d556
Compare
Squashed! |
Implements #6691
See the added docs for configuration details. To test, run a command like
ctr image pull --local=false index.docker.io/library/alpine@sha256:c75ac27b49326926b803b9ed43bf088bc220d22556de1bc5f72d742c91398f69
.The simplest verifier binaries for testing can be something like this:
or
Real implementations would need to parse the
-name
and-digest
flags.