Add documentation for the signature verification policy files #50
Conversation
(5) Container image signing and verification with a single key
docs/policy.json.md
Outdated
| Signature verification policy files are used to specify policy, e.g. trusted keys, | ||
| applicable when deciding whether to accept an image, or individual signatures of that image, as valid. | ||
|
|
||
| The default policy is stored (unless overridden at compile-time) at `/etc/atomic/policy.json`; |
There was a problem hiding this comment.
Seems odd to have a default file location for a library.
There was a problem hiding this comment.
It does seem odd to have a default file location in a library. I’m thinking that having each user of the library decide on its own, very likely different, location, would be much worse.
Of course a distributor shipping several such applications can patch them to use the same location—but that’s extra work and will still lead to fragmentation if various distributors don’t patch the same applications to use the same paths.
Also, the documentation of the format should be in this repo because that’s where the implementation is maintained, and then it’s a bit awkward to have a documentation for a file format which can’t tell the users where to use the format, or even how to find that out.
If an application wants to always use a different location, all it needs to do is call signature.NewPolicyFromFile instead of signature.DefaultPolicy, or at compile-time set -ldflags '-X github.com/containers/image/signature.systemDefaultPolicyPath=/some/path'. Or there can be a local-ish override via types.SystemContext (all as of #49). There really are quite a few ways not to use the default, but I think it is very valuable to have a default.
I do see the point that this is policy which might not be appropriate for this repo, and I’d be happy to change the PRs if that is the consensus.
If the specific value of the path is the reason for not liking it in a library, I personally really care very little what the path is. A parallel discussion of that might happen in containers/skopeo#157 .
There was a problem hiding this comment.
On Wed, Aug 10, 2016 at 04:53:27PM -0700, Miloslav Trmač wrote:
+The default policy is stored (unless overridden at compile-time) at
/etc/atomic/policy.json;It does seem odd to have a default file location in a library. I’m
thinking that having each user of the library decide on its own,
very likely different, location, would be much worse.
Chipping in from the peanut gallery, I think the best solution to this
sort of thing is to use a set of standard rules for looking up config
files. For example 1.
There was a problem hiding this comment.
is to use a set of standard rules for looking up config files.
The basedir spec is essentially the same hard-coded path as above, + extra environment variable overrides; but it still requires the hard-coded path to be defined (and in typical use of the basedir spec, the environment variables are unset and the hard-coded path applies).
I would love to use a platform-defined API for configuration storage (~ Windows registry or GConf2-like structured storage with documented schema), but I am not really aware of any in sufficiently wide use on Linux, especially outside the desktop space.
Still, even deferring to a third-party standard or configuration management API does not automatically resolve the question whether the signature verification policy “belongs” to the application or to the library — and my primary concern here is for all applications to use the same policy, i.e. for this repo to hard-code the location of the configuration within the configuration management API, whatever API is in use (where our API happens to be ioutil.ReadFile("/etc/$something")).
There was a problem hiding this comment.
I just don't think any library should read any file. We can encourage a default like /etc/containers/fetch-policy.d or something through a const package though. I am also very very hesitant to trust a single file configuration at this point. It places too much burden on tooling to do the right thing. I would rather have systemd style .d directories where you can drop N policies in place.
There was a problem hiding this comment.
I like the idea of users being able to define policy in their home dirs. We are working on atomic pull --user as we speak for running containers fully without privileges. But I worry about system policy being overridden by user policy.
There was a problem hiding this comment.
On Thu, Aug 11, 2016 at 05:15:44AM -0700, Daniel J Walsh wrote:
I like the idea of users being able to define policy in their home
dirs. We are working on atomic pull --user as we speak for running
containers fully without privileges. But I worry about system
policy being overridden by user policy.
The only situation I can think of where you'd be concerned about user
overrides is:
- The library is compiled into a binary that is setuid root or
otherwise enhances the caller's privileges, and - The user-configurable settings would allow the user to abuse those
elevated privileges.
Without a setuid binary, the user could accomplish the same override
by recompiling the program/library with their alternative
configuration. That's more work than dropping some files in
$XDG_CONFIG_HOME/containers/signature-verification.d/, but “it's a bit
more work for the user to override these” shouldn't be part of your
sysadmin policy ;).
There was a problem hiding this comment.
Yes I figure it is easy to ignore see "rpm --nogpgcheck"
There was a problem hiding this comment.
I just don't think any library should read any file.
Literally no io.Open calls? That seems both horrifying and gloriously great at the same time to me—but, I think, hardly tenable without a dependency injection framework.
Or do you just mean “should not hardcode any path”? If so, then…
We can encourage a default like /etc/containers/fetch-policy.d or something through a const package though.
… AFAICS there the following is exactly equivalent in its semantics and capabiliities:
policy, err = signature.DefaultPolicy(nil)
// and either of
policy, err = signature.NewPolicyFromFile(customPath)
policy, err = signature.DefaultPolicy(&types.SystemContext{SignaturePolicyPath:customPath})(what #49 does)
policy, err = signature.NewPolicyFromFile(consts.DefaultPolicyPath)
// and
policy, err = signature.NewPolicyFromFile(customPath)(using a const package)
The only difference is that signature.DefaultPolicy makes the default case simpler, and consts.DefaultPolicyPath makes the non-default case simpler.
I am also very very hesitant to trust a single file configuration at this point. It places too much burden on tooling to do the right thing. I would rather have systemd style .d directories where you can drop N policies in place.
That’s a very reasonable feature request; can we merge documentation for what the code currently does first, and not block that on implementing new features, please?
There was a problem hiding this comment.
I like the idea of users being able to define policy in their home dirs. We are working on atomic pull --user as we speak for running containers fully without privileges. But I worry about system policy being overridden by user policy.
As of containers/skopeo#157 users can do that explicitly via skopeo --policy $any_path.
As @wking says, this should mostly not give users any new privileges, though there are some a possibly worrisome cases to consider (sudo skopeo copy silently using the unprivileged $HOME might defeat attempts to audit changes to the system-wide policy file).
Again, please let’s not block adding this documentation on new feature requests. The documented semantics of signature.DefaultPolicy in #49 does gives us the leeway to implement this later, and for all users of the library to benefit transparently.
mtrmac
force-pushed
the
policy-docs
branch
2 times, most recently
from
4c7be70 to
d38b7b3
Compare
|
Updated for #49 moving the default policy path to |
mtrmac
force-pushed
the
policy-docs
branch
3 times, most recently
from
3c0be09 to
b2f7e2b
Compare
mtrmac
force-pushed
the
policy-docs
branch
2 times, most recently
from
2ec313f to
1e2e0e3
Compare
|
How can we move this forward? |
mtrmac
force-pushed
the
policy-docs
branch
3 times, most recently
from
4829d34 to
d7bb82e
Compare
|
Note to self: Need to somehow improve the examples to that they don’t use a comment syntax invalid in JSON. |
|
lgtm |
|
@rhatdan PTAL at this |
mtrmac
force-pushed
the
policy-docs
branch
2 times, most recently
from
dc5538c to
34f0a11
Compare
aweiteka
left a comment
aweiteka
left a comment
There was a problem hiding this comment.
This is important documentation for users of the library. Any other issues?
docs/policy.json.md
Outdated
| @@ -0,0 +1,251 @@ | |||
| <!-- NOTE: Keep this in sync with signature/policy_types.go! --> | |||
There was a problem hiding this comment.
We want to support md2man format. HTML comment syntax breaks conversion. Need to add man headers per #121. For example:
% POLICY.JSON(5) policy.json Man Page
% Miloslav Trmac
% September 2016
|
Updated:
The result of processing this with |
mtrmac
force-pushed
the
policy-docs
branch
3 times, most recently
from
33f8708 to
10217fe
Compare
docs/policy.json.md
Outdated
| "transports": { | ||
| "docker": { | ||
| /* Allow installing images from a specific repository namespace, without cryptographic verification */ | ||
| "docker.io/openshift": [{"type": "insecureAcceptAnything"}] |
There was a problem hiding this comment.
This should be maybe docker.io/library/openshift as per https://github.com/containers/image/pull/50/files#diff-47e5cc71f8440761aa6de049b5f54e8cR87
I just tried with:
"docker.io/fedora": [{"type": "insecureAcceptAnything"}]
and it fails to verify the image unless I use:
"docker.io/library/fedora": [{"type": "insecureAcceptAnything"}]
There was a problem hiding this comment.
No, this would apply to images like openshift/hello-openshift and openshift/origin.
There was a problem hiding this comment.
(There is no docker.io/library/openshift.)
The comment does say “repository namespace” but perhaps it needs to be clarified further?
There was a problem hiding this comment.
I get that but for images on Docker Hub that are under the hidden library ns, you need to specify library in that as shown in my example above. So better change this example with an image like library/fedora.
There was a problem hiding this comment.
Sorry don't change this example just add another if you can
There was a problem hiding this comment.
Sorry don't change this example just add another if you can
There was a problem hiding this comment.
Updated to document example images under /openshift/ and added a docker.io/library/busybox example (using busybox because busybox has already been used to demonstrate the same thing earlier in the scopes section).
Signed-off-by: Miloslav Trmač <[email protected]>
|
👍 |
|
🎉 #99 will update this whole doc when it lands |
6 participants
No description provided.