diff --git a/containers-policy.json.5.md b/containers-policy.json.5.md index 62f5855..8611bd7 100644 --- a/containers-policy.json.5.md +++ b/containers-policy.json.5.md @@ -149,20 +149,21 @@ This requirement rejects every image, and every signature. ### `signedBy` -This requirement requires an image to be signed with an expected identity, or accepts a signature if it is using an expected identity and key. +This requirement requires an image to be signed using “simple signing” with an expected identity, or accepts a signature if it is using an expected identity and key. ```js { "type": "signedBy", "keyType": "GPGKeys", /* The only currently supported value */ "keyPath": "/path/to/local/keyring/file", + "keyPaths": ["/path/to/local/keyring/file1","/path/to/local/keyring/file2"…], "keyData": "base64-encoded-keyring-data", "signedIdentity": identity_requirement } ``` -Exactly one of `keyPath` and `keyData` must be present, containing a GPG keyring of one or more public keys. Only signatures made by these keys are accepted. +Exactly one of `keyPath`, `keyPaths` and `keyData` must be present, containing a GPG keyring of one or more public keys. Only signatures made by these keys are accepted. The `signedIdentity` field, a JSON object, specifies what image identity the signature claims about the image. One of the following alternatives are supported: 
@@ -236,6 +237,24 @@ used with `exactReference` or `exactRepository`. + +### `sigstoreSigned` + +This requirement requires an image to be signed using a sigstore signature with an expected identity and key. + +```js +{ + "type": "sigstoreSigned", + "keyPath": "/path/to/local/keyring/file", + "keyData": "base64-encoded-keyring-data", + "signedIdentity": identity_requirement +} +``` +Exactly one of `keyPath` and `keyData` must be present, containing a sigstore public key. Only signatures made by this key is accepted. + +The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above. +Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag). + ## Examples It is *strongly* recommended to set the `default` policy to `reject`, and then 
@@ -255,9 +274,24 @@ selectively allow individual transports and scopes as desired. "docker.io/openshift": [{"type": "insecureAcceptAnything"}], /* Similarly, allow installing the “official” busybox images. Note how the fully expanded form, with the explicit /library/, must be used. */ - "docker.io/library/busybox": [{"type": "insecureAcceptAnything"}] + "docker.io/library/busybox": [{"type": "insecureAcceptAnything"}], /* Allow installing images from all subdomains */ - "*.temporary-project.example.com": [{"type": "insecureAcceptAnything"}] + "*.temporary-project.example.com": [{"type": "insecureAcceptAnything"}], + /* A sigstore-signed repository */ + "hostname:5000/myns/sigstore-signed-with-full-references": [ + { + "type": "sigstoreSigned", + "keyPath": "/path/to/sigstore-pubkey.key" + } + ], + /* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */ + "hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [ + { + "type": "sigstoreSigned", + "keyPath": "/path/to/sigstore-pubkey.key", + "signedIdentity": {"type": "matchRepository"} + } + ] /* Other docker: images use the global default policy and are rejected */ }, "dir": { @@ -301,7 +335,7 @@ selectively allow individual transports and scopes as desired. "signedIdentity": { "type": "remapIdentity", "prefix": "private-mirror:5000/vendor-mirror", - "signedPrefix": "vendor.example.com", + "signedPrefix": "vendor.example.com" } } ] diff --git a/containers-registries.d.5.md b/containers-registries.d.5.md index 0707961..04434de 100644 --- a/containers-registries.d.5.md +++ b/containers-registries.d.5.md 
@@ -63,25 +63,31 @@ more general scopes is ignored. For example, if _any_ configuration exists for ### Built-in Defaults -If no `docker` section can be found for the container image, and no `default-docker` section is configured, -the default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user, will be used for reading and writing signatures. +If no `docker` section can be found for the container image, and no `default-docker` section is configured: + +- The default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user, will be used for reading and writing signatures. +- Sigstore attachments will not be read/written. ## Individual Configuration Sections A single configuration section is selected for a container image using the process described above. The configuration section is a YAML mapping, with the following keys: -- `sigstore-staging` defines an URL of of the signature storage, used for editing it (adding or deleting signatures). + - This key is optional; if it is missing, `sigstore` below is used. +- `lookaside-staging` defines an URL of of the signature storage, used for editing it (adding or deleting signatures). -- `sigstore` defines an URL of the signature storage. + This key is optional; if it is missing, `lookaside` below is used. + +- `lookaside` defines an URL of the signature storage. This URL is used for reading existing signatures, - and if `sigstore-staging` does not exist, also for adding or removing them. + and if `lookaside-staging` does not exist, also for adding or removing them. This key is optional; if it is missing, no signature storage is defined (no signatures - are download along with images, adding new signatures is possible only if `sigstore-staging` is defined). + are download along with images, adding new signatures is possible only if `lookaside-staging` is defined). 
+- `use-sigstore-attachments` specifies whether sigstore image attachments (signatures, attestations and the like) are going to be read/written along with the image. + If disabled, the images are treated as if no attachments exist; attempts to write attachments fail. ## Examples @@ -92,11 +98,11 @@ The following demonstrates how to to consume and run images from various registr ```yaml docker: registry.database-supplier.com: - sigstore: https://sigstore.database-supplier.com + lookaside: https://lookaside.database-supplier.com distribution.great-middleware.org: - sigstore: https://security-team.great-middleware.org/sigstore + lookaside: https://security-team.great-middleware.org/lookaside docker.io/web-framework: - sigstore: https://sigstore.web-framework.io:8080 + lookaside: https://lookaside.web-framework.io:8080 ``` ### Developing and Signing Containers, Staging Signatures @@ -110,13 +116,13 @@ For developers in `example.com`: ```yaml docker: registry.example.com: - sigstore: https://registry-sigstore.example.com + lookaside: https://registry-lookaside.example.com registry.example.com/mydepartment: - sigstore: https://sigstore.mydepartment.example.com - sigstore-staging: file:///mnt/mydepartment/sigstore-staging + lookaside: https://lookaside.mydepartment.example.com + lookaside-staging: file:///mnt/mydepartment/lookaside-staging registry.example.com/mydepartment/myproject:mybranch: - sigstore: http://localhost:4242/sigstore - sigstore-staging: file:///home/useraccount/webroot/sigstore + lookaside: http://localhost:4242/lookaside + lookaside-staging: file:///home/useraccount/webroot/lookaside ``` ### A Global Default @@ -126,7 +132,7 @@ without listing each domain individually. This is expected to rarely happen, usu ```yaml default-docker: - sigstore-staging: file:///mnt/company/common-sigstore-staging + lookaside-staging: file:///mnt/company/common-lookaside-staging ``` # AUTHORS 
diff --git a/containers-storage.conf.5.md b/containers-storage.conf.5.md index 8a82bdc..e5cc7c0 100644 --- a/containers-storage.conf.5.md +++ b/containers-storage.conf.5.md @@ -41,7 +41,7 @@ The `storage` table supports the following options: When changing the graphroot location on an SELINUX system, ensure the labeling matches the default locations labels with the following commands: - + ``` # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH # restorecon -R -v /NEWSTORAGEPATH 
@@ -74,6 +74,29 @@ The `storage.options` table supports the following options: **additionalimagestores**=[] Paths to additional container image stores. Usually these are read/only and stored on remote network shares. +**pull_options** = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""} + +Allows specification of how storage is populated when pulling images. This +option can speed the pulling process of images compressed with format zstd:chunked. Containers/storage looks +for files within images that are being pulled from a container registry that +were previously pulled to the host. It can copy or create +a hard link to the existing file when it finds them, eliminating the need to pull them from the +container registry. These options can deduplicate pulling of content, disk +storage of content and can allow the kernel to use less memory when running +containers. + +containers/storage supports four keys + * enable_partial_images="true" | "false" + Tells containers/storage to look for files previously pulled in storage + rather then always pulling them from the container registry. + * use_hard_links = "false" | "true" + Tells containers/storage to use hard links rather then create new files in + the image, if an identical file already existed in storage. + * ostree_repos = "" + Tells containers/storage where an ostree repository exists that might have + previously pulled content which can be used when attempting to avoid + pulling content from the container registry + **remap-uids=**"" **remap-gids=**"" Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to the UIDs/GIDs outside of the container, and the length of the range of UIDs/GIDs. Additional mapped sets can be listed and will be heeded by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container. 
@@ -236,6 +259,9 @@ based file systems. **mountopt**="" Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page. +**skip_mount_home=""** + Tell storage drivers to not create a PRIVATE bind mount on their home directory. + **size**="" Maximum size of a read/write layer. This flag can be used to set quota on the size of a read/write layer of a container. (format: [], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) @@ -256,9 +282,6 @@ The `storage.options.zfs` table supports the following options: **mountopt**="" Comma separated list of default options to be used to mount container images. Suggested value "nodev". Mount options are documented in the mount(8) man page. -**skip_mount_home=""** - Tell storage drivers to not create a PRIVATE bind mount on their home directory. - **size**="" Maximum size of a container image. This flag can be used to set quota on the size of container images. (format: [], where unit = b (bytes), k (kilobytes), m (megabytes), or g (gigabytes)) diff --git a/containers.conf b/containers.conf index 8a60b87..b246363 100644 --- a/containers.conf +++ b/containers.conf @@ -325,6 +325,13 @@ log_driver = "journald" # #network_config_dir = "/etc/cni/net.d/" +# Port to use for dns forwarding daemon with netavark in rootful bridge +# mode and dns enabled. +# Using an alternate port might be useful if other dns services should +# run on the machine. +# +#dns_bind_port = 53 + [engine] # Index to the active service # diff --git a/containers.conf.5.md b/containers.conf.5.md index a99c179..1f2bd5e 100644 --- a/containers.conf.5.md +++ b/containers.conf.5.md 
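Review bot: The new `dns_bind_port` comment in containers.conf says which port the forwarding daemon uses but not on which address it listens, which is what an administrator needs in order to judge whether the resolver is reachable from outside the bridge; the remark that other DNS services on the machine could conflict suggests a host-visible bind, but the hunk does not say so. Suggest adding a line such as `# The daemon listens on <bind address — confirm against netavark>; it is only started for bridge networks with dns enabled.` The same paragraph is added to containers.conf.5.md in the following hunk, so both copies should carry the wording.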
@@ -359,6 +359,13 @@ and "$HOME/.config/cni/net.d" as rootless. For the netavark backend "/etc/containers/networks" is used as root and "$graphroot/networks" as rootless. +**dns_bind_port**=53 + +Port to use for dns forwarding daemon with netavark in rootful bridge +mode and dns enabled. +Using an alternate port might be useful if other dns services should +run on the machine. + ## ENGINE TABLE The `engine` table contains configuration options used to set up container engines such as Podman and Buildah. diff --git a/default.yaml b/default.yaml index 943ea17..fa2ea36 100644 --- a/default.yaml +++ b/default.yaml @@ -1,19 +1,19 @@ # This is a default registries.d configuration file. You may # add to this file or create additional files in registries.d/. # -# sigstore: indicates a location that is read and write -# sigstore-staging: indicates a location that is only for write +# lookaside: indicates a location that is read and write +# lookaside-staging: indicates a location that is only for write # -# sigstore and sigstore-staging take a value of the following: -# sigstore: {schema}://location +# lookaside and lookaside-staging take a value of the following: +# lookaside: {schema}://location # # For reading signatures, schema may be http, https, or file. # For writing signatures, schema may only be file. # This is the default signature write location for docker registries. default-docker: -# sigstore: file:///var/lib/containers/sigstore - sigstore-staging: file:///var/lib/containers/sigstore +# lookaside: file:///var/lib/containers/sigstore + lookaside-staging: file:///var/lib/containers/sigstore # The 'docker' indicator here is the start of the configuration # for docker registries. @@ -21,6 +21,6 @@ default-docker: # docker: # # privateregistry.com: -# sigstore: http://privateregistry.com/sigstore/ -# sigstore-staging: /mnt/nfs/privateregistry/sigstore +# lookaside: http://privateregistry.com/sigstore/ +# lookaside-staging: /mnt/nfs/privateregistry/sigstore 
diff --git a/seccomp.json b/seccomp.json
index f736ccb..fa27f96 100644
--- a/seccomp.json
+++ b/seccomp.json
@@ -228,6 +228,9 @@
 "ipc",
 "keyctl",
 "kill",
+ "landlock_add_rule",
+ "landlock_create_ruleset",
+ "landlock_restrict_self",
 "lchown",
 "lchown32",
 "lgetxattr",
diff --git a/storage.conf b/storage.conf
index 4b44c38..e26d02b 100644
--- a/storage.conf
+++ b/storage.conf
@@ -40,6 +40,28 @@ graphroot = "/var/lib/containers/storage" additionalimagestores = [ ] +# Allows specification of how storage is populated when pulling images. This +# option can speed the pulling process of images compressed with format +# zstd:chunked. Containers/storage looks for files within images that are being +# pulled from a container registry that were previously pulled to the host. It +# can copy or create a hard link to the existing file when it finds them, +# eliminating the need to pull them from the container registry. These options +# can deduplicate pulling of content, disk storage of content and can allow the +# kernel to use less memory when running containers. + +# containers/storage supports four keys +# * enable_partial_images="true" | "false" +# Tells containers/storage to look for files previously pulled in storage +# rather then always pulling them from the container registry. +# * use_hard_links = "false" | "true" +# Tells containers/storage to use hard links rather then create new files in +# the image, if an identical file already existed in storage. +# * ostree_repos = "" +# Tells containers/storage where an ostree repository exists that might have +# previously pulled content which can be used when attempting to avoid +# pulling content from the container registry +pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""} + # Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of # a container, to the UIDs/GIDs as they should appear outside of the container, # and the length of the range of UIDs/GIDs. Additional mapped sets can be
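Review bot: The comment block above `pull_options` states `containers/storage supports four keys` but documents only three (`enable_partial_images`, `use_hard_links`, `ostree_repos`), so either a key is missing from the list or the count is wrong; the same paragraph is added to containers-storage.conf.5.md in its `pull_options` hunk and should be corrected in both places. `ostree_repos` is plural yet shown as a single string value, so the comment should state how several repositories are separated. `use_hard_links` makes a pulled layer share inodes with files already in storage, and it would help to say explicitly that this is only safe because layer content is never modified in place — presumably true of storage layers, but the comment does not say it. Both occurrences of `rather then` should read `rather than`.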