github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-07-21 18:11:35 +00:00
Code Issues Projects Releases Wiki Activity

Enforce content trust with trust key and yaml subkeys for image and org

Browse Source 
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
This commit is contained in:
Riyaz Faizullabhoy 2017-04-07 15:36:43 -07:00
parent 799879d76d
commit 68d8788e3b
3 changed files with 44 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
src/cmd/moby/build.go
View File

@ -10,6 +10,7 @@ import (
"io/ioutil" "io/ioutil"
"os" "os"
"path/filepath" "path/filepath"
"strings"
log "github.com/Sirupsen/logrus" log "github.com/Sirupsen/logrus"
"github.com/docker/moby/src/initrd" "github.com/docker/moby/src/initrd"
@ -49,6 +50,26 @@ func initrdAppend(iw *initrd.Writer, r io.Reader) {
} }
} }
func enforceContentTrust(fullImageName string, config *TrustConfig) bool {
for _, img := range config.Image {
// First check for an exact tag match
if img == fullImageName {
return true
}
// Also check for an image name only match:
if img == strings.TrimSuffix(fullImageName, ":") {
return true
}
}
for _, org := range config.Org {
if strings.HasPrefix(fullImageName, org+"/") {
}
return true
}
return false
}
// Perform the actual build process // Perform the actual build process
func buildInternal(name string, pull bool, conf string) { func buildInternal(name string, pull bool, conf string) {
if name == "" { if name == "" {
@ -72,9 +93,9 @@ func buildInternal(name string, pull bool, conf string) {
w := new(bytes.Buffer) w := new(bytes.Buffer)
iw := initrd.NewWriter(w) iw := initrd.NewWriter(w)
if pull { if pull || enforceContentTrust(m.Kernel.Image, &m.Trust) {
log.Infof("Pull kernel image: %s", m.Kernel.Image) log.Infof("Pull kernel image: %s", m.Kernel.Image)
err := dockerPull(m.Kernel.Image) err := dockerPull(m.Kernel.Image, enforceContentTrust(m.Kernel.Image, &m.Trust))
if err != nil { if err != nil {
log.Fatalf("Could not pull image %s: %v", m.Kernel.Image, err) log.Fatalf("Could not pull image %s: %v", m.Kernel.Image, err)
} }
@ -100,9 +121,9 @@ func buildInternal(name string, pull bool, conf string) {
// convert init images to tarballs // convert init images to tarballs
log.Infof("Add init containers:") log.Infof("Add init containers:")
for _, ii := range m.Init { for _, ii := range m.Init {
if pull { if pull || enforceContentTrust(ii, &m.Trust) {
log.Infof("Pull init image: %s", ii) log.Infof("Pull init image: %s", ii)
err := dockerPull(ii) err := dockerPull(ii, enforceContentTrust(ii, &m.Trust))
if err != nil { if err != nil {
log.Fatalf("Could not pull image %s: %v", ii, err) log.Fatalf("Could not pull image %s: %v", ii, err)
} }
@ -118,9 +139,9 @@ func buildInternal(name string, pull bool, conf string) {
log.Infof("Add system containers:") log.Infof("Add system containers:")
for i, image := range m.System { for i, image := range m.System {
if pull { if pull || enforceContentTrust(image.Image, &m.Trust) {
log.Infof(" Pull: %s", image.Image) log.Infof(" Pull: %s", image.Image)
err := dockerPull(image.Image) err := dockerPull(image.Image, enforceContentTrust(image.Image, &m.Trust))
if err != nil { if err != nil {
log.Fatalf("Could not pull image %s: %v", image.Image, err) log.Fatalf("Could not pull image %s: %v", image.Image, err)
} }
@ -142,9 +163,9 @@ func buildInternal(name string, pull bool, conf string) {
log.Infof("Add daemon containers:") log.Infof("Add daemon containers:")
for _, image := range m.Daemon { for _, image := range m.Daemon {
if pull { if pull || enforceContentTrust(image.Image, &m.Trust) {
log.Infof(" Pull: %s", image.Image) log.Infof(" Pull: %s", image.Image)
err := dockerPull(image.Image) err := dockerPull(image.Image, enforceContentTrust(image.Image, &m.Trust))
if err != nil { if err != nil {
log.Fatalf("Could not pull image %s: %v", image.Image, err) log.Fatalf("Could not pull image %s: %v", image.Image, err)
} }

7
src/cmd/moby/config.go
View File

@ -27,6 +27,7 @@ type Moby struct {
Init []string Init []string
System []MobyImage System []MobyImage
Daemon []MobyImage Daemon []MobyImage
Trust TrustConfig
Files []struct { Files []struct {
Path string Path string
Directory bool Directory bool
@ -43,6 +44,12 @@ type Moby struct {
} }
} }
// TrustConfig is the type of a content trust config
type TrustConfig struct {
Image []string
Org []string
}
// MobyImage is the type of an image config // MobyImage is the type of an image config
type MobyImage struct { type MobyImage struct {
Name string Name string

11
src/cmd/moby/docker.go
View File

@ -236,13 +236,18 @@ func dockerRm(container string) error {
return nil return nil
} }
func dockerPull(image string) error { func dockerPull(image string, trustedPull bool) error {
log.Debugf("docker pull: %s", image) log.Debugf("docker pull: %s", image)
docker, err := exec.LookPath("docker") docker, err := exec.LookPath("docker")
if err != nil { if err != nil {
return errors.New("Docker does not seem to be installed") return errors.New("Docker does not seem to be installed")
} }
args := []string{"pull", image} var args = []string{"pull"}
if trustedPull {
log.Debugf("pulling %s with content trust", image)
args = append(args, "--disable-content-trust=false")
}
args = append(args, image)
cmd := exec.Command(docker, args...) cmd := exec.Command(docker, args...)
stderrPipe, err := cmd.StderrPipe() stderrPipe, err := cmd.StderrPipe()
@ -294,7 +299,7 @@ func dockerInspectImage(cli *client.Client, image string) (types.ImageInspect, e
inspect, _, err := cli.ImageInspectWithRaw(context.Background(), image, false) inspect, _, err := cli.ImageInspectWithRaw(context.Background(), image, false)
if err != nil { if err != nil {
if client.IsErrImageNotFound(err) { if client.IsErrImageNotFound(err) {
pullErr := dockerPull(image) pullErr := dockerPull(image, false)
if pullErr != nil { if pullErr != nil {
return types.ImageInspect{}, pullErr return types.ImageInspect{}, pullErr
} }