? pre-install: skopeo copy [SOME LOCAL FS]<ACME CLIENT IMAGE, ANYTHING
ELSE> >> local registry path
On Tue, Jul 12, 2022 at 4:29 AM Mark Raynsford via Podman <
I've been bounced around a couple of forums and was told that this was
probably the best place to ask the question...
* I want to set up multiple CoreOS VMs.
* CoreOS depends on being able to run all services from containers.
* I want to use podman, because all of my services can run without
privileges, and podman seems "better" in general.
* I only want to run code from signed images from sources that I trust.
Running random Docker images doesn't really cut it.
* Setting up a registry appears to require running unsigned code,
because podman can't check the docker.io signatures, and podman
and docker "should not" be run alongside each other on the same
* Securing communications to the registry with TLS realistically
involves running an ACME client.
* Paradoxically, running an ACME client probably involves grabbing an
ACME client image from the registry that I'm trying to set up. :)
I can see a few ways out of this situation, but all of the various
approaches seem to involve running rather a lot of infrastructure just
to get roughly the same level of security that I'd get with ordinary
signed packages "for free" on FreeBSD or a Debian-based distro.
Is there a better way to do this?
Mark Raynsford | https://www.io7m.com
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
Red Hat ACT <https://www.redhat.com/>
Level 11, Canberra House
40 Marcus Clarke Street
dhatchet(a)redhat.com M: +61422276484