github/confidential-containers
1
0
Fork 0
mirror of https://github.com/confidential-containers/confidential-containers.git synced 2025-09-11 05:19:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add documentation on a demo SSH image

Browse Source 
There is now a public container image for the SSH demo with publicised
keys. Add the respective references.

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
This commit is contained in:
Jakob Naucke
2021-12-01 18:26:33 +01:00
committed by Samuel Ortiz
parent 4090df7b60
commit 127b9a4fca
5 changed files with 36 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
demos/ssh-demo/README.md
View File

@@ -7,6 +7,21 @@ It cannot be established by unauthorized parties, such as someone who controls t
The container image contains the SSH host key that can be used for impersonating the host we will connect to. The container image contains the SSH host key that can be used for impersonating the host we will connect to.
Because this container image is encrypted, and the key to decrypting this image is only provided in measurable ways (e.g. attestation or encrypted initrd), and because the pod/guest memory is protected, even someone who controls the node cannot steal this key. Because this container image is encrypted, and the key to decrypting this image is only provided in measurable ways (e.g. attestation or encrypted initrd), and because the pod/guest memory is protected, even someone who controls the node cannot steal this key.
## Using a pre-provided container image
If you would rather build the image with your own keys, skip to [Building the container image](#building-the-container-image).
A demo image is provided at [docker.io/katadocker/ccv0-ssh](https://hub.docker.com/r/katadocker/ccv0-ssh).
It is encrypted with [Attestation Agent](https://github.com/confidential-containers/attestation-agent)'s [offline file system key broker](https://github.com/confidential-containers/attestation-agent/tree/64c12fbecfe90ba974d5fe4896bf997308df298d/src/kbc_modules/offline_fs_kbc) and [`aa-offline_fs_kbc-keys.json`](./aa-offline_fs_kbc-keys.json) as its key file.
The private key for establishing an SSH connection to this container is given in [`ccv0-ssh`](./ccv0-ssh).
To use it with SSH, its permissions should be adjusted: `chmod 600 ccv0-ssh`.
The host key fingerprint is `SHA256:wK7uOpqpYQczcgV00fGCh+X97sJL3f6G1Ku4rvlwtR0`.
All keys shown here are for demonstration purposes.
To achieve actually confidential containers, use a hardware trusted execution environment and **do not** reuse these keys.
Continue at [Connecting to the guest](#connecting-to-the-guest).
## Building the container image ## Building the container image
The image built should be encrypted. The image built should be encrypted.
@@ -22,7 +37,7 @@ generates an SSH key `ccv0-ssh` and the correspondent public key `ccv0-ssh.pub`.
### Building the image ### Building the image
The provided `Dockerfile` expects `ccv0-sh.pub` to exist. The provided [`Dockerfile`](./Dockerfile) expects `ccv0-sh.pub` to exist.
Using Docker, you can build with Using Docker, you can build with
```sh ```sh
@@ -34,8 +49,9 @@ The SSH host key fingerprint is displayed during the build.
## Connecting to the guest ## Connecting to the guest
Running the image depends on your exact confidential containers setup. A [Kubernetes YAML file](./k8s-cc-ssh.yaml) specifying the [Kata Containers](https://github.com/kata-containers/kata-containers) runtime is included.
A Kubernetes YAML file specifying the [Kata Containers](https://github.com/kata-containers/kata-containers) runtime is included, but the image is still a placeholder at this time. If you use a [self-built image](#building-the-container-image), you should replace the image specification with the image you built.
The default tag points to an `amd64` image, an `s390x` tag is also available.
With common CNI setups, on the same host, with the service running, you can connect via SSH with With common CNI setups, on the same host, with the service running, you can connect via SSH with
```sh ```sh
@@ -43,6 +59,6 @@ $ ssh -i ccv0-ssh root@$(kubectl get service ccv0-ssh -o jsonpath="{.spec.cluste
``` ```
You will be prompted about whether the host key fingerprint is correct. You will be prompted about whether the host key fingerprint is correct.
This fingerprint should match the one displayed in the Docker build. This fingerprint should match the one specified above/displayed in the Docker build.
A `crictl`-compatible sandbox configuration is also included, which forwards the pod SSH port (22) to 2222 on the host (use the `-p` flag in SSH). `crictl`-compatible [sandbox](./cri-sandbox-config.yaml) and [container](./cri-container-config.yaml) configurations are also included, which forward the pod SSH port (22) to 2222 on the host (use the `-p` flag in SSH).

3
demos/ssh-demo/aa-offline_fs_kbc-keys.json Normal file
View File

@@ -0,0 +1,3 @@
{
"key_id": "HUlOu8NWz8si11OZUzUJMnjiq/iZyHBJZMSD3BaqgMc="
}

7
demos/ssh-demo/ccv0-ssh Normal file
View File

@@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAfiGV2X4o+6AgjVBaY/ZR2UvZp84dVYF5bpNZGMLylQwAAAIhawtHJWsLR
yQAAAAtzc2gtZWQyNTUxOQAAACAfiGV2X4o+6AgjVBaY/ZR2UvZp84dVYF5bpNZGMLylQw
AAAEAwWYIBvBxQZgk0irFku3Lj1Xbfb8dHtVM/kkz/Uz/l2h+IZXZfij7oCCNUFpj9lHZS
9mnzh1VgXluk1kYwvKVDAAAAAAECAwQF
-----END OPENSSH PRIVATE KEY-----

4
demos/ssh-demo/cri-container-config.yaml Normal file
View File

@@ -0,0 +1,4 @@
metadata:
name: ccv0-ssh
image:
image: docker.io/katadocker/ccv0-ssh

2
demos/ssh-demo/k8s-cc-ssh.yaml
View File

@@ -24,5 +24,5 @@ spec:
runtimeClassName: kata runtimeClassName: kata
containers: containers:
- name: ccv0-ssh - name: ccv0-ssh
image: ${to_be_filled} image: docker.io/katadocker/ccv0-ssh
imagePullPolicy: Always imagePullPolicy: Always