? pre-install: skopeo copy [SOME LOCAL FS]<ACME CLIENT IMAGE, ANYTHING ELSE> >> local registry path

On Tue, Jul 12, 2022 at 4:29 AM Mark Raynsford via Podman <podman@lists.podman.io> wrote:

I've been bounced around a couple of forums and was told that this was
probably the best place to ask the question...



* I want to set up multiple CoreOS VMs.

* CoreOS depends on being able to run all services from containers.

* I want to use podman, because all of my services can run without
  privileges, and podman seems "better" in general.

* I only want to run code from signed images from sources that I trust.
  Running random Docker images doesn't really cut it.

* Setting up a registry appears to require running unsigned code,
  because podman can't check the docker.io signatures, and podman
  and docker "should not" be run alongside each other on the same

* Securing communications to the registry with TLS realistically
  involves running an ACME client.

* Paradoxically, running an ACME client probably involves grabbing an
  ACME client image from the registry that I'm trying to set up. :)

I can see a few ways out of this situation, but all of the various
approaches seem to involve running rather a lot of infrastructure just
to get roughly the same level of security that I'd get with ordinary
signed packages "for free" on FreeBSD or a Debian-based distro.

Is there a better way to do this?

Mark Raynsford | https://www.io7m.com
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io




Red Hat ACT

Level 11, Canberra House

40 Marcus Clarke Street

dhatchet@redhat.com    M: +61422276484    

@RedHat   Red Hat   Red Hat