? pre-install: skopeo copy [SOME LOCAL FS]<ACME CLIENT IMAGE, ANYTHING ELSE> >> local registry path

On Tue, Jul 12, 2022 at 4:29 AM Mark Raynsford via Podman <podman@lists.podman.io> wrote:
Hello!

I've been bounced around a couple of forums and was told that this was
probably the best place to ask the question...

https://discussion.fedoraproject.org/t/chicken-and-egg-problem-with-image-signatures-on-coreos/40432/1

Essentially:

* I want to set up multiple CoreOS VMs.

* CoreOS depends on being able to run all services from containers.

* I want to use podman, because all of my services can run without
  privileges, and podman seems "better" in general.

* I only want to run code from signed images from sources that I trust.
  Running random Docker images doesn't really cut it.

* Setting up a registry appears to require running unsigned code,
  because podman can't check the docker.io signatures, and podman
  and docker "should not" be run alongside each other on the same
  system.

* Securing communications to the registry with TLS realistically
  involves running an ACME client.

* Paradoxically, running an ACME client probably involves grabbing an
  ACME client image from the registry that I'm trying to set up. :)

I can see a few ways out of this situation, but all of the various
approaches seem to involve running rather a lot of infrastructure just
to get roughly the same level of security that I'd get with ordinary
signed packages "for free" on FreeBSD or a Debian-based distro.

Is there a better way to do this?

--
Mark Raynsford | https://www.io7m.com
_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io


--
DAMON HATCHETT
SENIOR CONSULTANT
Red Hat ACT
Level 11, Canberra House
40 Marcus Clarke Street
dhatchet@redhat.com    M: +61422276484

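As an added illustration of the pre-install route suggested in the reply (this is example code, not from the thread or from the Podman project): a containers policy.json that lets podman run only images signed by a key you control, the matching registries.d entry, and the skopeo copy step that signs a pre-staged image from local disk into the local registry. The registry host localhost:5000, the key path, the sigstore directory and the fingerprint placeholder are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not from the thread: reject-by-default image policy plus the
# "skopeo copy" pre-staging step. Registry host, key path and fingerprint are
# placeholders.
set -eu
REGISTRY="${REGISTRY:-localhost:5000}"              # assumed local registry
KEY_FPR="${KEY_FPR:-REPLACE_WITH_GPG_FINGERPRINT}"  # your signing key
PUBKEY="${PUBKEY:-/etc/pki/containers/local-registry.gpg}"

# policy.json: refuse every image unless it comes from $REGISTRY with a
# signature verifiable by $PUBKEY. The dir: transport is allowed only so the
# pre-staged files on local disk (verified out of band) can be read by skopeo.
write_policy() {
  cat > "$1" <<EOF
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "$REGISTRY": [
        { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "$PUBKEY" }
      ]
    },
    "dir": { "": [ { "type": "insecureAcceptAnything" } ] }
  }
}
EOF
}

# registries.d entry: where podman/skopeo store and look up signatures
# for images in $REGISTRY (a file:// sigstore on the same host).
write_registries_d() {
  cat > "$1" <<EOF
docker:
  $REGISTRY:
    sigstore: file:///var/lib/containers/sigstore
    sigstore-staging: file:///var/lib/containers/sigstore
EOF
}
# Pre-install step from the reply: push an image unpacked on local disk (for
# example the ACME client) into the registry, signing it so the policy above
# accepts it from then on. Not run by the checks below; needs skopeo and gpg.
stage_image() {
  skopeo copy --sign-by "$KEY_FPR" "dir:$1" "docker://$REGISTRY/$2"
}
# Check that a generated policy really rejects by default and names the key.
policy_is_strict() {
  grep -q '"default": \[ { "type": "reject" } \]' "$1" &&
  grep -q "\"keyPath\": \"$PUBKEY\"" "$1"
}
```

Install the generated files as /etc/containers/policy.json and /etc/containers/registries.d/local-registry.yaml (or their per-user equivalents under ~/.config/containers) before the first podman pull, so that nothing unsigned can be run even during bootstrap.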