? pre-install: skopeo copy [SOME LOCAL FS]<ACME CLIENT IMAGE, ANYTHING ELSE> >> local registry path
On Tue, Jul 12, 2022 at 4:29 AM Mark Raynsford via Podman <podman(a)lists.podman.io> wrote:
 Hello!
 I've been bounced around a couple of forums and was told that this was
 probably the best place to ask the question...
https://discussion.fedoraproject.org/t/chicken-and-egg-problem-with-image...
 Essentially:
 * I want to set up multiple CoreOS VMs.
 * CoreOS depends on being able to run all services from containers.
 * I want to use podman, because all of my services can run without
   privileges, and podman seems "better" in general.
 * I only want to run code from signed images from sources that I trust.
   Running random Docker images doesn't really cut it.
 * Setting up a registry appears to require running unsigned code,
   because podman can't check the docker.io signatures, and podman
   and docker "should not" be run alongside each other on the same
   system.
 * Securing communications to the registry with TLS realistically
   involves running an ACME client.
 * Paradoxically, running an ACME client probably involves grabbing an
   ACME client image from the registry that I'm trying to set up. :)
 I can see a few ways out of this situation, but all of the various
 approaches seem to involve running rather a lot of infrastructure just
 to get roughly the same level of security that I'd get with ordinary
 signed packages "for free" on FreeBSD or a Debian-based distro.
 Is there a better way to do this?
 --
 Mark Raynsford | https://www.io7m.com
 _______________________________________________
 Podman mailing list -- podman(a)lists.podman.io
 To unsubscribe send an email to podman-leave(a)lists.podman.io
 
-- 
DAMON HATCHETT
SENIOR CONSULTANT
Red Hat ACT <https://www.redhat.com/>
Level 11, Canberra House
40 Marcus Clarke Street
dhatchet(a)redhat.com    M: +61422276484
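
One way to carry out the pre-install step suggested in the reply, as an added example (not code from either poster or from the Podman project): image archives already on the local filesystem are copied into the local registry with `skopeo copy`, and any archive whose SHA-256 does not match a pinned value is refused. The manifest format, the archive and repository names, the registry address and the `DRY_RUN` switch are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: seed a local registry from image archives on the local
# filesystem, refusing any archive whose SHA-256 digest is not pinned.
# Assumptions (not from the thread): manifest format, archive naming,
# registry address, and the DRY_RUN switch.

REGISTRY="${REGISTRY:-localhost:5000}"   # assumed local registry address
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print the skopeo commands only

# seed_images MANIFEST ARCHIVE_DIR
# MANIFEST lines: "<sha256>  <archive-file>  <repo:tag>"
# Returns 0 if every archive verified (and was copied), 1 otherwise.
seed_images() {
    manifest=$1
    dir=$2
    rc=0
    while read -r want file ref; do
        # Skip blank lines and comments in the manifest.
        case "$want" in ''|'#'*) continue ;; esac
        if [ ! -f "$dir/$file" ]; then
            echo "MISSING  $file" >&2; rc=1; continue
        fi
        got=$(sha256sum "$dir/$file" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "REJECTED $file (digest mismatch)" >&2; rc=1; continue
        fi
        src="oci-archive:$dir/$file"
        dst="docker://$REGISTRY/$ref"
        if [ "$DRY_RUN" = 1 ]; then
            echo "skopeo copy $src $dst"
        else
            skopeo copy "$src" "$dst" || rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# Run only when invoked with two arguments: MANIFEST ARCHIVE_DIR
if [ "$#" -eq 2 ]; then
    seed_images "$1" "$2"
fi
```

The pinned digests have to reach the host over a channel that is already trusted (for example, baked into the provisioning config), since they are what stands in for a signature check at this stage.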