diff --git a/examples/docker.yml b/examples/docker.yml
index 1f1f70110..54f0634e7 100644
--- a/examples/docker.yml
+++ b/examples/docker.yml
@@ -56,5 +56,8 @@ daemon:
 binds:
 - /dev:/dev
 - /lib/modules:/lib/modules
+trust:
+ image:
+ - mobylinux/kernel
 outputs:
 - format: kernel+initrd
diff --git a/examples/gcp.yml b/examples/gcp.yml
index 02c6cb9d0..4bcc9a235 100644
--- a/examples/gcp.yml
+++ b/examples/gcp.yml
@@ -72,6 +72,9 @@ daemon:
 - CAP_SETGID
 - CAP_DAC_OVERRIDE
 net: host
+trust:
+ image:
+ - mobylinux/kernel
 files:
 - path: etc/docker/daemon.json
 contents: '{"debug": true}'
diff --git a/examples/sshd.yml b/examples/sshd.yml
index 3fa46ae61..2b1dc2cde 100644
--- a/examples/sshd.yml
+++ b/examples/sshd.yml
@@ -50,6 +50,9 @@ daemon:
 binds:
 - /root/.ssh:/root/.ssh
 - /etc/resolv.conf:/etc/resolv.conf
+trust:
+ image:
+ - mobylinux/kernel
 files:
 - path: root/.ssh/authorized_keys
 contents: '#your ssh key here'
diff --git a/examples/vmware.yml b/examples/vmware.yml
index 7f01435de..c9fc9f338 100644
--- a/examples/vmware.yml
+++ b/examples/vmware.yml
@@ -47,6 +47,9 @@ daemon:
 - CAP_SETGID
 - CAP_DAC_OVERRIDE
 net: host
+trust:
+ image:
+ - mobylinux/kernel
 files:
 - path: etc/docker/daemon.json
 contents: '{"debug": true}'
diff --git a/moby.yml b/moby.yml
index b63a5d0b8..c315c1c76 100644
--- a/moby.yml
+++ b/moby.yml
@@ -50,6 +50,9 @@ daemon:
 files:
 - path: etc/docker/daemon.json
 contents: '{"debug": true}'
+trust:
+ image:
+ - mobylinux/kernel
 outputs:
 - format: kernel+initrd
 - format: iso-bios
diff --git a/src/cmd/moby/build.go b/src/cmd/moby/build.go
index 10ff1c29b..2de9c146d 100644
--- a/src/cmd/moby/build.go
+++ b/src/cmd/moby/build.go
@@ -10,6 +10,7 @@ import (
 "io/ioutil"
 "os"
 "path/filepath"
+ "strings"
 log "github.com/Sirupsen/logrus"
 "github.com/docker/moby/src/initrd"
@@ -49,6 +50,26 @@ func initrdAppend(iw *initrd.Writer, r io.Reader) {
 }
 }
+func enforceContentTrust(fullImageName string, config *TrustConfig) bool {
+ for _, img := range config.Image {
+ // First check for an exact tag match
+ if img == fullImageName {
+ return true
+ }
+ // Also check for an image name only match:
+ if img == strings.TrimSuffix(fullImageName, ":") {
+ return true
+ }
+ }
+
+ for _, org := range config.Org {
+ if strings.HasPrefix(fullImageName, org+"/") {
+ }
+ return true
+ }
+ return false
+}
+
 // Perform the actual build process
 func buildInternal(name string, pull bool, conf string) {
 if name == "" {
@@ -72,9 +93,9 @@ func buildInternal(name string, pull bool, conf string) {
 w := new(bytes.Buffer)
 iw := initrd.NewWriter(w)
- if pull {
+ if pull || enforceContentTrust(m.Kernel.Image, &m.Trust) {
 log.Infof("Pull kernel image: %s", m.Kernel.Image)
- err := dockerPull(m.Kernel.Image)
+ err := dockerPull(m.Kernel.Image, enforceContentTrust(m.Kernel.Image, &m.Trust))
 if err != nil {
 log.Fatalf("Could not pull image %s: %v", m.Kernel.Image, err)
 }
@@ -100,9 +121,9 @@ func buildInternal(name string, pull bool, conf string) {
 // convert init images to tarballs
 log.Infof("Add init containers:")
 for _, ii := range m.Init {
- if pull {
+ if pull || enforceContentTrust(ii, &m.Trust) {
 log.Infof("Pull init image: %s", ii)
- err := dockerPull(ii)
+ err := dockerPull(ii, enforceContentTrust(ii, &m.Trust))
 if err != nil {
 log.Fatalf("Could not pull image %s: %v", ii, err)
 }
@@ -118,9 +139,9 @@ func buildInternal(name string, pull bool, conf string) {
 log.Infof("Add system containers:")
 for i, image := range m.System {
- if pull {
+ if pull || enforceContentTrust(image.Image, &m.Trust) {
 log.Infof(" Pull: %s", image.Image)
- err := dockerPull(image.Image)
+ err := dockerPull(image.Image, enforceContentTrust(image.Image, &m.Trust))
 if err != nil {
 log.Fatalf("Could not pull image %s: %v", image.Image, err)
 }
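Review bot: The org loop in enforceContentTrust returns true on its first iteration whatever the prefix test says, because the body of `if strings.HasPrefix(fullImageName, org+"/")` is empty and `return true` sits after it inside the loop, so any non-empty `trust.org` list marks every image as trusted. The "name only" branch is also ineffective: `strings.TrimSuffix(fullImageName, ":")` removes nothing but a literal trailing colon, so a config entry `mobylinux/kernel` never matches a kernel referenced as `mobylinux/kernel:<tag>` and that pull silently runs without content trust even though the config asked for it. The rewrite below strips the tag by splitting at the last colon only when it follows the last slash (so a registry host with a port is not mistaken for a tag; digest references with `@sha256:` are still not handled) and moves `return true` inside the prefix check.
```go
func enforceContentTrust(fullImageName string, config *TrustConfig) bool {
	// Image name without its tag. The tag separator is the last ':' only when
	// it comes after the last '/'; otherwise the ':' belongs to a registry
	// host:port and the name has no tag. Digest references (@sha256:...) are
	// not special-cased here.
	name := fullImageName
	if i := strings.LastIndex(fullImageName, ":"); i > strings.LastIndex(fullImageName, "/") {
		name = fullImageName[:i]
	}
	for _, img := range config.Image {
		// Exact reference match, or match on the untagged name.
		if img == fullImageName || img == name {
			return true
		}
	}
	for _, org := range config.Org {
		if strings.HasPrefix(fullImageName, org+"/") {
			return true
		}
	}
	return false
}
```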
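Review bot: Each pull site now evaluates `enforceContentTrust(x, &m.Trust)` twice, once in the `if pull || ...` condition and again as the argument to `dockerPull`; the kernel, init and system hunks here and the daemon hunk in the next part of this diff all follow the pattern. Computing the decision once reads better and keeps the condition and the flag passed to docker in step should the helper ever change: `trusted := enforceContentTrust(m.Kernel.Image, &m.Trust)` / `if pull || trusted {` / `err := dockerPull(m.Kernel.Image, trusted)`. buildInternal starts before and ends after these hunks.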
@@ -142,9 +163,9 @@ func buildInternal(name string, pull bool, conf string) {
 log.Infof("Add daemon containers:")
 for _, image := range m.Daemon {
- if pull {
+ if pull || enforceContentTrust(image.Image, &m.Trust) {
 log.Infof(" Pull: %s", image.Image)
- err := dockerPull(image.Image)
+ err := dockerPull(image.Image, enforceContentTrust(image.Image, &m.Trust))
 if err != nil {
 log.Fatalf("Could not pull image %s: %v", image.Image, err)
 }
diff --git a/src/cmd/moby/config.go b/src/cmd/moby/config.go
index ae7ddab07..9c93767df 100644
--- a/src/cmd/moby/config.go
+++ b/src/cmd/moby/config.go
@@ -27,6 +27,7 @@ type Moby struct {
 Init []string
 System []MobyImage
 Daemon []MobyImage
+ Trust TrustConfig
 Files []struct {
 Path string
 Directory bool
@@ -43,6 +44,12 @@ type Moby struct {
 }
 }
+// TrustConfig is the type of a content trust config
+type TrustConfig struct {
+ Image []string
+ Org []string
+}
+
 // MobyImage is the type of an image config
 type MobyImage struct {
 Name string
diff --git a/src/cmd/moby/docker.go b/src/cmd/moby/docker.go
index 617a54a5e..6400b922e 100644
--- a/src/cmd/moby/docker.go
+++ b/src/cmd/moby/docker.go
@@ -236,13 +236,18 @@ func dockerRm(container string) error {
 return nil
 }
-func dockerPull(image string) error {
+func dockerPull(image string, trustedPull bool) error {
 log.Debugf("docker pull: %s", image)
 docker, err := exec.LookPath("docker")
 if err != nil {
 return errors.New("Docker does not seem to be installed")
 }
- args := []string{"pull", image}
+ var args = []string{"pull"}
+ if trustedPull {
+ log.Debugf("pulling %s with content trust", image)
+ args = append(args, "--disable-content-trust=false")
+ }
+ args = append(args, image)
 cmd := exec.Command(docker, args...)
 stderrPipe, err := cmd.StderrPipe()
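Review bot: The doc comment on TrustConfig only says it is "the type of a content trust config"; since this struct is what operators write under `trust:` in moby.yml, it should state what each list holds and how an entry is meant to match, because that is the policy the build enforces. Something like `// TrustConfig lists the images that must be pulled with Docker content trust enabled.` followed by field comments `// Image: image references, matched exactly or by name with the tag ignored.` and `// Org: repository prefixes; an entry "org" covers every "org/<image>".` would do. Spelling the intended rules out here also gives the matching code in build.go something to be checked against, given that the examples list `mobylinux/kernel` without a tag.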
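Review bot: dockerPull gains a second boolean parameter but no comment explains what it changes, and a call such as `dockerPull(image, false)` is opaque at the call site. Suggest a doc comment on the function: `// dockerPull runs "docker pull" for image. With trustedPull set the pull is made with content trust enabled (--disable-content-trust=false), so only a signed image is accepted.` The declaration `var args = []string{"pull"}` is also the odd one out next to the `:=` declarations in the same function; `args := []string{"pull"}` is the usual spelling. Note that when trustedPull is false no flag is passed at all, so the docker CLI's own default (and, as far as I know, a DOCKER_CONTENT_TRUST setting in the environment) still decides; if that is intended it belongs in the comment too.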
@@ -294,7 +299,7 @@ func dockerInspectImage(cli *client.Client, image string) (types.ImageInspect, e
 inspect, _, err := cli.ImageInspectWithRaw(context.Background(), image, false)
 if err != nil {
 if client.IsErrImageNotFound(err) {
- pullErr := dockerPull(image)
+ pullErr := dockerPull(image, false)
 if pullErr != nil {
 return types.ImageInspect{}, pullErr
 }
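Review bot: The fallback pull in dockerInspectImage passes `false`, so an image that is missing locally is fetched here without content trust even if it is listed under `trust:` in the config. m.Trust is not reachable from this function, so the policy only holds if build.go has already pulled every trusted image before it is inspected, and nothing in this diff shows that ordering. If that is the intended invariant it should be written down at the call: `// Untrusted pull: images covered by the trust config are expected to have been pulled by buildInternal before inspection.`; otherwise the trust decision should be threaded through as a parameter. dockerInspectImage starts before and ends after this hunk.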