OCI Image Encryption Package

Overview

imgcrypt image encryption library and command line tool

Project imgcrypt is a non-core subproject of containerd.

The imgcrypt library provides API extensions for containerd to support encrypted container images and implements the ctd-decoder command line tool, which containerd invokes to decrypt encrypted container images. An extended version of containerd's ctr tool (`ctr-enc`) with support for encrypting and decrypting container images is also provided.

imgcrypt relies on the ocicrypt library for crypto functions on image layers.

Usage

imgcrypt requires containerd 1.3 or later. Containerd 1.4 or later is required when used with Kubernetes. For Kubernetes configuration instructions, please consult the CRI decryption document.

Build and install imgcrypt:

# make
# sudo make install

Start containerd with a configuration file like the following. To avoid interfering with a containerd installed by Docker, we use /tmp for the directories. Also, we build containerd 1.3 from source but do not install it.

# cat config.toml
disable_plugins = ["cri"]
root = "/tmp/var/lib/containerd"
state = "/tmp/run/containerd"
[grpc]
  address = "/tmp/run/containerd/containerd.sock"
  uid = 0
  gid = 0
[stream_processors]
    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
        accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
        returns = "application/vnd.oci.image.layer.v1.tar+gzip"
        path = "/usr/local/bin/ctd-decoder"
    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
        accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
        returns = "application/vnd.oci.image.layer.v1.tar"
        path = "/usr/local/bin/ctd-decoder"

# sudo ~/src/github.com/containerd/containerd/bin/containerd -c config.toml

Create an RSA key pair using the openssl command line tool and encrypt an image:

# openssl genrsa -out mykey.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................+++++
............................+++++
e is 65537 (0x010001)
# openssl rsa -in mykey.pem -pubout -out mypubkey.pem
writing RSA key
# sudo chmod 0666 /tmp/run/containerd/containerd.sock
# CTR="/usr/local/bin/ctr-enc -a /tmp/run/containerd/containerd.sock"
# $CTR images pull --all-platforms docker.io/library/bash:latest
[...]
# $CTR images layerinfo --platform linux/amd64 docker.io/library/bash:latest
   #                                                                    DIGEST      PLATFORM      SIZE   ENCRYPTION   RECIPIENTS
   0   sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609   linux/amd64   2789669                          
   1   sha256:7dd01fd971d4ec7058c5636a505327b24e5fc8bd7f62816a9d518472bd9b15c0   linux/amd64   3174665                          
   2   sha256:691cfbca522787898c8b37f063dd20e5524e7d103e1a3b298bd2e2b8da54faf5   linux/amd64       340                          
# $CTR images encrypt --recipient jwe:mypubkey.pem --platform linux/amd64 docker.io/library/bash:latest bash.enc:latest
Encrypting docker.io/library/bash:latest to bash.enc:latest
# $CTR images layerinfo --platform linux/amd64 bash.enc:latest
   #                                                                    DIGEST      PLATFORM      SIZE   ENCRYPTION   RECIPIENTS
   0   sha256:360be141b01f69b25427a9085b36ba8ad7d7a335449013fa6b32c1ecb894ab5b   linux/amd64   2789669          jwe        [jwe]
   1   sha256:ac601e66cdd275ee0e10afead03a2722e153a60982122d2d369880ea54fe82f8   linux/amd64   3174665          jwe        [jwe]
   2   sha256:41e47064fd00424e328915ad2f7f716bd86ea2d0d8315edaf33ecaa6a2464530   linux/amd64       340          jwe        [jwe]
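The ENCRYPTION and RECIPIENTS columns above are derived from the image manifest alone: ocicrypt appends "+encrypted" to the media type of an encrypted layer and stores the wrapped layer key in one annotation per key-wrapping scheme, named org.opencontainers.image.enc.keys.<scheme>. The following Go program is an added example (not code from imgcrypt or ocicrypt) that reconstructs that table from a manifest using only the standard library, and additionally rejects a manifest whose media type and key annotations disagree. The manifest JSON, digests and annotation values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Conventions used by ocicrypt: an encrypted layer's media type ends in
// "+encrypted", and each key-wrapping scheme that can unwrap the layer key
// has an annotation org.opencontainers.image.enc.keys.<scheme> (jwe, pkcs7,
// pkcs11, ...). The value is the wrapped key; we only look at the key names.
const (
	encryptedSuffix = "+encrypted"
	encKeysPrefix   = "org.opencontainers.image.enc.keys."
)

// descriptor and manifest are the subset of the OCI image-spec structures
// this inspector needs.
type descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

type manifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	Config        descriptor   `json:"config"`
	Layers        []descriptor `json:"layers"`
}

// LayerInfo is one row of the layerinfo table.
type LayerInfo struct {
	Index     int
	Digest    string
	Size      int64
	Encrypted bool     // media type carries the +encrypted suffix
	Schemes   []string // schemes that have a wrapped-key annotation
}

// Inspect parses a manifest and reports the per-layer encryption state. It
// fails on the inconsistent cases: an encrypted media type with no wrapped key
// (nobody could ever decrypt it) or key annotations on a plaintext layer.
func Inspect(manifestJSON []byte) ([]LayerInfo, error) {
	var m manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	out := make([]LayerInfo, 0, len(m.Layers))
	for i, l := range m.Layers {
		li := LayerInfo{Index: i, Digest: l.Digest, Size: l.Size}
		li.Encrypted = strings.HasSuffix(l.MediaType, encryptedSuffix)
		for k := range l.Annotations {
			if strings.HasPrefix(k, encKeysPrefix) {
				li.Schemes = append(li.Schemes, strings.TrimPrefix(k, encKeysPrefix))
			}
		}
		sort.Strings(li.Schemes) // map iteration order is random; keep output stable
		if li.Encrypted != (len(li.Schemes) > 0) {
			return nil, fmt.Errorf("layer %d (%s): media type %q is inconsistent with key annotations %v",
				i, l.Digest, l.MediaType, li.Schemes)
		}
		out = append(out, li)
	}
	return out, nil
}

// sampleManifest is constructed for this example: one jwe-encrypted layer and
// one plaintext layer. Digests and annotation values are placeholders.
const sampleManifest = `{
  "schemaVersion": 2,
  "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
             "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000000", "size": 1500},
  "layers": [
    {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
     "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111", "size": 2789669,
     "annotations": {"org.opencontainers.image.enc.keys.jwe": "PLACEHOLDER-base64-jwe",
                     "org.opencontainers.image.enc.pubopts": "PLACEHOLDER-base64-pubopts"}},
    {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
     "digest": "sha256:2222222222222222222222222222222222222222222222222222222222222222", "size": 340}
  ]
}`

// tamperedManifest keeps the encrypted media type but drops the jwe
// annotation, so no recipient is left that could unwrap the layer key.
const tamperedManifest = `{
  "schemaVersion": 2,
  "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
             "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000000", "size": 1500},
  "layers": [
    {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
     "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111", "size": 2789669}
  ]
}`

func main() {
	infos, err := Inspect([]byte(sampleManifest))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%-3s %-20s %9s %-10s %s\n", "#", "DIGEST", "SIZE", "ENCRYPTION", "RECIPIENTS")
	for _, li := range infos {
		enc := strings.Join(li.Schemes, ",")
		fmt.Printf("%-3d %-20s %9d %-10s %v\n", li.Index, li.Digest[:19], li.Size, enc, li.Schemes)
	}
	if _, err := Inspect([]byte(tamperedManifest)); err != nil {
		fmt.Println("tampered manifest rejected:", err)
	}
}
```

The consistency check is the part worth keeping in any tooling that handles encrypted images: a layer whose media type says encrypted but that carries no wrapped key will fail at pull time for every recipient, and that is better caught when the manifest is inspected than when containerd's stream processor reports a cryptic error.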

Start a local image registry so we can push the encrypted image to it. A recent version of the registry is required to accept encrypted container images.

# docker pull registry:latest
# docker run -d -p 5000:5000 --restart=always --name registry registry

Push the encrypted image to the local registry, pull it using ctr-enc, and then run the image.

# $CTR images tag bash.enc:latest localhost:5000/bash.enc:latest
# $CTR images push localhost:5000/bash.enc:latest
# $CTR images rm localhost:5000/bash.enc:latest bash.enc:latest
# $CTR images pull localhost:5000/bash.enc:latest
# sudo $CTR run --rm localhost:5000/bash.enc:latest test echo 'Hello World!'
ctr: you are not authorized to use this image: missing private key needed for decryption
# sudo $CTR run --rm --key mykey.pem localhost:5000/bash.enc:latest test echo 'Hello World!'
Hello World!

Project details

imgcrypt is a non-core containerd sub-project, licensed under the Apache 2.0 license. As a containerd sub-project, you will find the project information in our containerd/project repository.

Issues
  • ctd-decoder unknown file descriptors in K8s with Containerd runtime

    ctd-decoder unknown file descriptors in K8s with Containerd runtime

    Hi,

I'm trying to run an encrypted image under k8s; I used kubeasz to deploy a Kubernetes cluster with one manager and two worker nodes and the containerd runtime. When I run a Deployment, ctd-decoder prints an error.

    Question

Running the encrypted image gives this error: failed to create containerd container: error unpacking image: failed to extract layer sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f: read payload: read configFd: bad file descriptor\n: unknown. It seems like ctd-decoder can't find the pipe stream, and I don't know how to debug this...

    Error log:

    10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.331751257+08:00" level=debug msg="Container \"f179555a4c12b46bf5a5611d1c62be9f37543c66fc1a6267ca91acfc909081c5\" spec: (*specs.Spec)(0xc0000e8100){Version:(string)1.0.1-dev Process:(*specs.Process)(0xc00055c540){Terminal:(bool)false ConsoleSize:(*specs.Box)<nil> User:(specs.User){UID:(uint32)0 GID:(uint32)0 AdditionalGids:([]uint32)<nil> Username:(string)} Args:([]string)[nginx -g daemon off;] CommandLine:(string) Env:([]string)[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin HOSTNAME=enc-nginx-deployment-6757f774f9-2nhsd NGINX_VERSION=1.17.6 NJS_VERSION=0.3.7 PKG_RELEASE=1~buster KUBERNETES_PORT_443_TCP=tcp://10.68.0.1:443 KUBERNETES_PORT_443_TCP_PROTO=tcp KUBERNETES_PORT_443_TCP_PORT=443 KUBERNETES_PORT_443_TCP_ADDR=10.68.0.1 KUBERNETES_SERVICE_HOST=10.68.0.1 KUBERNETES_SERVICE_PORT=443 KUBERNETES_SERVICE_PORT_HTTPS=443 KUBERNETES_PORT=tcp://10.68.0.1:443] Cwd:(string)/ Capabilities:(*specs.LinuxCapabilities)(0xc0000e8300){Bounding:([]string)[CAP_CHOWN CAP_DAC_OVERRIDE CAP_FSETID CAP_FOWNER CAP_MKNOD CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETFCAP CAP_SETPCAP CAP_NET_BIND_SERVICE CAP_SYS_CHROOT CAP_KILL CAP_AUDIT_WRITE] Effective:([]string)[CAP_CHOWN CAP_DAC_OVERRIDE CAP_FSETID CAP_FOWNER CAP_MKNOD CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETFCAP CAP_SETPCAP CAP_NET_BIND_SERVICE CAP_SYS_CHROOT CAP_KILL CAP_AUDIT_WRITE] Inheritable:([]string)[CAP_CHOWN CAP_DAC_OVERRIDE CAP_FSETID CAP_FOWNER CAP_MKNOD CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETFCAP CAP_SETPCAP CAP_NET_BIND_SERVICE CAP_SYS_CHROOT CAP_KILL CAP_AUDIT_WRITE] Permitted:([]string)[CAP_CHOWN CAP_DAC_OVERRIDE CAP_FSETID CAP_FOWNER CAP_MKNOD CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETFCAP CAP_SETPCAP CAP_NET_BIND_SERVICE CAP_SYS_CHROOT CAP_KILL CAP_AUDIT_WRITE] Ambient:([]string)<nil>} Rlimits:([]specs.POSIXRlimit)<nil> NoNewPrivileges:(bool)false ApparmorProfile:(string) OOMScoreAdj:(*int)(0xc0004b8858)1000 
SelinuxLabel:(string)} Root:(*specs.Root)(0xc0002ec760){Path:(string)rootfs Readonly:(bool)false} Hostname:(string) Mounts:([]specs.Mount)[{Destination:(string)/proc Type:(string)proc Source:(string)proc Options:([]string)[nosuid noexec nodev]} {Destination:(string)/dev Type:(string)tmpfs Source:(string)tmpfs Options:([]string)[nosuid strictatime mode=755 size=65536k]} {Destination:(string)/dev/pts Type:(string)devpts Source:(string)devpts Options:([]string)[nosuid noexec newinstance ptmxmode=0666 mode=0620 gid=5]} {Destination:(string)/dev/mqueue Type:(string)mqueue Source:(string)mqueue Options:([]string)[nosuid noexec nodev]} {Destination:(string)/sys Type:(string)sysfs Source:(string)sysfs Options:([]string)[nosuid noexec nodev ro]} {Destination:(string)/sys/fs/cgroup Type:(string)cgroup Source:(string)cgroup Options:([]string)[nosuid noexec nodev relatime ro]} {Destination:(string)/etc/hosts Type:(string)bind Source:(string)/var/lib/kubelet/pods/1c097d52-ebd5-4252-850b-01c1ba27058f/etc-hosts Options:([]string)[rbind rprivate rw]} {Destination:(string)/dev/termination-log Type:(string)bind Source:(string)/var/lib/kubelet/pods/1c097d52-ebd5-4252-850b-01c1ba27058f/containers/nginx/6b59b622 Options:([]string)[rbind rprivate rw]} {Destination:(string)/etc/hostname Type:(string)bind Source:(string)/var/lib/containerd/io.containerd.grpc.v1.cri/sandboxes/2c8aa2bca860dfb3df936f4ed128f880aa0831f0900a5fe97e2bd9a2ef435f4a/hostname Options:([]string)[rbind rprivate rw]} {Destination:(string)/etc/resolv.conf Type:(string)bind Source:(string)/var/lib/containerd/io.containerd.grpc.v1.cri/sandboxes/2c8aa2bca860dfb3df936f4ed128f880aa0831f0900a5fe97e2bd9a2ef435f4a/resolv.conf Options:([]string)[rbind rprivate rw]} {Destination:(string)/dev/shm Type:(string)bind Source:(string)/run/containerd/io.containerd.grpc.v1.cri/sandboxes/2c8aa2bca860dfb3df936f4ed128f880aa0831f0900a5fe97e2bd9a2ef435f4a/shm Options:([]string)[rbind rprivate rw]} 
{Destination:(string)/var/run/secrets/kubernetes.io/serviceaccount Type:(string)bind Source:(string)/var/lib/kubelet/pods/1c097d52-ebd5-4252-850b-01c1ba27058f/volumes/kubernetes.io~secret/default-token-dq6wl Options:([]string)[rbind rprivate ro]}] Hooks:(*specs.Hooks)<nil> Annotations:(map[string]string)map[io.kubernetes.cri.container-type:container io.kubernetes.cri.sandbox-id:2c8aa2bca860dfb3df936f4ed128f880aa0831f0900a5fe97e2bd9a2ef435f4a] Linux:(*specs.Linux)(0xc00055c620){UIDMappings:([]specs.LinuxIDMapping)<nil> GIDMappings:([]specs.LinuxIDMapping)<nil> Sysctl:(map[string]string)<nil> Resources:(*specs.LinuxResources)(0xc000a0e120){Devices:([]specs.LinuxDeviceCgroup)[{Allow:(bool)false Type:(string) Major:(*int64)<nil> Minor:(*int64)<nil> Access:(string)rwm}] Memory:(*specs.LinuxMemory)(0xc000838780){Limit:(*int64)<nil> Reservation:(*int64)<nil> Swap:(*int64)<nil> Kernel:(*int64)<nil> KernelTCP:(*int64)<nil> Swappiness:(*uint64)<nil> DisableOOMKiller:(*bool)<nil>} CPU:(*specs.LinuxCPU)(0xc000728690){Shares:(*uint64)(0xc0004b8848)2 Quota:(*int64)<nil> Period:(*uint64)(0xc0004b8828)100000 RealtimeRuntime:(*int64)<nil> RealtimePeriod:(*uint64)<nil> Cpus:(string) Mems:(string)} Pids:(*specs.LinuxPids)<nil> BlockIO:(*specs.LinuxBlockIO)<nil> HugepageLimits:([]specs.LinuxHugepageLimit)<nil> Network:(*specs.LinuxNetwork)<nil> Rdma:(map[string]specs.LinuxRdma)<nil>} CgroupsPath:(string)/kubepods/besteffort/pod1c097d52-ebd5-4252-850b-01c1ba27058f/f179555a4c12b46bf5a5611d1c62be9f37543c66fc1a6267ca91acfc909081c5 Namespaces:([]specs.LinuxNamespace)[{Type:(specs.LinuxNamespaceType)pid Path:(string)} {Type:(specs.LinuxNamespaceType)ipc Path:(string)/proc/21576/ns/ipc} {Type:(specs.LinuxNamespaceType)uts Path:(string)/proc/21576/ns/uts} {Type:(specs.LinuxNamespaceType)mount Path:(string)} {Type:(specs.LinuxNamespaceType)network Path:(string)/proc/21576/ns/net}] Devices:([]specs.LinuxDevice)<nil> Seccomp:(*specs.LinuxSeccomp)<nil> RootfsPropagation:(string) 
MaskedPaths:([]string)[/proc/acpi /proc/kcore /proc/keys /proc/latency_stats /proc/timer_list /proc/timer_stats /proc/sched_debug /proc/scsi /sys/firmware] ReadonlyPaths:([]string)[/proc/asound /proc/bus /proc/fs /proc/irq /proc/sys /proc/sysrq-trigger] MountLabel:(string) IntelRdt:(*specs.LinuxIntelRdt)<nil>} Solaris:(*specs.Solaris)<nil> Windows:(*specs.Windows)<nil> VM:(*specs.VM)<nil>}"
    10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.332058695+08:00" level=debug msg="Composed container full log path \"/var/log/pods/default_enc-nginx-deployment-6757f774f9-2nhsd_1c097d52-ebd5-4252-850b-01c1ba27058f/nginx/0.log\" using sandbox log dir \"/var/log/pods/default_enc-nginx-deployment-6757f774f9-2nhsd_1c097d52-ebd5-4252-850b-01c1ba27058f\" and container log path \"nginx/0.log\""
    10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.340989635+08:00" level=debug msg="event published" ns=k8s.io topic=/snapshot/prepare type=containerd.events.SnapshotPrepare
    10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.349801745+08:00" level=debug msg="received signal" signal="broken pipe"
    10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.354487067+08:00" level=info msg="apply failure, attempting cleanup" error="failed to extract layer sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f: read payload: read configFd: bad file descriptor\n: unknown" key="extract-336515533-Ry_C sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
    10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.360466528+08:00" level=debug msg="event published" ns=k8s.io topic=/snapshot/remove type=containerd.events.SnapshotRemove
    10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.363388989+08:00" level=error msg="CreateContainer within sandbox \"2c8aa2bca860dfb3df936f4ed128f880aa0831f0900a5fe97e2bd9a2ef435f4a\" for &ContainerMetadata{Name:nginx,Attempt:0,} failed" error="failed to create containerd container: error unpacking image: failed to extract layer sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f: read payload: read configFd: bad file descriptor\n: unknown"
    10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.753668091+08:00" level=debug msg="schedule snapshotter cleanup" snapshotter=overlayfs
    10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.756036172+08:00" level=debug msg="removed snapshot" key="k8s.io/345/extract-336515533-Ry_C sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f" snapshotter=overlayfs
    10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.756432457+08:00" level=debug msg="snapshot garbage collected" d=2.681766ms snapshotter=overlayfs
    10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.756470327+08:00" level=debug msg="garbage collected" d=2.216775ms
    

    Version

    Kubernetes:

    Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:52:00Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
    Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:43:34Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
    

    Containerd:

    containerd github.com/containerd/containerd v1.3.4 814b7956fafc7a0980ea07e950f983d0837e5578
    

    Reference

    Refer to decryption.md; I used the demo image and key from "How Encrypted Images brings about compliance in Kubernetes (via CRI-O)".

    opened by Gsealy 12
  • ctr-enc support PKCS#11 module

    ctr-enc support PKCS#11 module

    Related: https://github.com/containers/ocicrypt/pull/18

    Usage looks like:

    $CTR i encrypt --recipient pkcs11:/usr/local/lib/softhsm/libsofthsm2.so docker.io/library/registry:2.7.1 registry.enc:2.7.1
    Encrypting docker.io/library/registry:2.7.1 to registry.enc:2.7.1
    Enter Module Password:
    $CTR i decrypt --p11-module /usr/local/lib/softhsm/libsofthsm2.so registry.enc:2.7.1 registry:2.7.1
    Decrypting registry.enc:2.7.1 to registry:2.7.1
    Enter Module Password:
    

    encrypted image layerinfo

    $CTR i layerinfo registry.enc:2.7.1
       #                                                                    DIGEST      PLATFORM      SIZE   ENCRYPTION   RECIPIENTS
       0   sha256:e6ac8f3a588c0ea847f5e24562e4b5c80adbfcbfeac2733c2c1c4b790c6c0840   linux/amd64   2813316       pkcs11     [pkcs11]
       1   sha256:6871cd043567f1e28fcd8d45d2a3b475a47b80ea9e3015bed6ea48e853b4d94c   linux/amd64    299598       pkcs11     [pkcs11]
       2   sha256:d97482644a8cf0f49f5d37caf65e01baf0f3f015c50cfacdfc9390e38c3ad4d8   linux/amd64   6823927       pkcs11     [pkcs11]
       3   sha256:4c25c56fdce776c347352b118476618c2e0534fcd21253fded29b4cb096d1c14   linux/amd64       370       pkcs11     [pkcs11]
       4   sha256:893980826f2572d9070e4fc93a245ae9b8a9df2f14df21ae848cf632e8bf22c7   linux/amd64       213       pkcs11     [pkcs11]
    
    

    Signed-off-by: Gsealy Jiao [email protected]

    opened by Gsealy 11
  • encryption.CheckAuthorization not working for multi-arch images

    encryption.CheckAuthorization not working for multi-arch images

    When a multi-arch index descriptor is provided to imgcrypt's CheckAuthorization func (e.g. via image.Target()), the library iterates over the manifests it refers to with the cryptoOpUnwrapOnly option set to true to perform a check only. That causes the cycle to stop on the first manifest in the collection, as the condition here will always be evaluated to true regardless of the error. Additionally, if reading any of the referred manifest's children returns an errdefs.IsNotFound(err), the cycle will exit with a nil error; thus, the authorization check passes incorrectly. Take for example the case where the cycle checks the first manifest in the collection (e.g. for amd64) on an arm/arm64 machine: the children of this manifest are not found since this is not the target platform and they are not pulled -> the authorization check passes incorrectly. This issue is rarely reproducible on an amd64 machine as usually this is the first manifest in the index descriptor.

    opened by dimitar-dimitrow 10
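The failure mode in this report is a fail-open authorization check: an error path (content not found) and a loop that never reaches the second manifest both end in "authorized". The following Go program is an added example, not imgcrypt's code and not the project's actual fix; it models the check over an in-memory content store (constructed here, digests are just labels) with the two defects the report describes beside a fail-closed version that checks only the target platform's manifests and treats missing content as a failure.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrNotFound = errors.New("content not found")
	ErrNoKey    = errors.New("missing private key needed for decryption")
)

// Desc is a simplified OCI descriptor; Children lists the digests it refers to
// (manifests for an index, layers for a manifest).
type Desc struct {
	Digest    string
	Platform  string
	Children  []string
	Encrypted bool
}

// Store is a constructed stand-in for containerd's content store.
type Store map[string]Desc

// children resolves a descriptor's children. Missing content yields
// ErrNotFound, which is what happens for layers of platforms never pulled.
func (s Store) children(digest string) ([]Desc, error) {
	d, ok := s[digest]
	if !ok {
		return nil, ErrNotFound
	}
	out := make([]Desc, 0, len(d.Children))
	for _, c := range d.Children {
		cd, ok := s[c]
		if !ok {
			return nil, ErrNotFound
		}
		out = append(out, cd)
	}
	return out, nil
}

// canUnwrap models the "unwrap only" key check: an encrypted layer needs a key.
func canUnwrap(d Desc, haveKey bool) error {
	if d.Encrypted && !haveKey {
		return ErrNoKey
	}
	return nil
}

// CheckAuthorizationBuggy reproduces the behaviour the report describes.
func CheckAuthorizationBuggy(s Store, index Desc, haveKey bool) error {
	manifests, err := s.children(index.Digest)
	if err != nil {
		return err
	}
	for _, m := range manifests {
		layers, err := s.children(m.Digest)
		if errors.Is(err, ErrNotFound) {
			return nil // defect: missing children end the check with "authorized"
		}
		if err != nil {
			return err
		}
		for _, l := range layers {
			if err := canUnwrap(l, haveKey); err != nil {
				return err
			}
		}
		return nil // defect: only the first manifest is ever examined
	}
	return nil
}

// CheckAuthorizationFailClosed (illustrative hardened version) checks every
// manifest for the target platform and never turns an error into a pass.
func CheckAuthorizationFailClosed(s Store, index Desc, target string, haveKey bool) error {
	manifests, err := s.children(index.Digest)
	if err != nil {
		return err
	}
	checked := 0
	for _, m := range manifests {
		if m.Platform != target {
			continue // other platforms' layers are never pulled; they must not decide the result
		}
		layers, err := s.children(m.Digest)
		if err != nil {
			return fmt.Errorf("manifest %s: %w", m.Digest, err)
		}
		for _, l := range layers {
			if err := canUnwrap(l, haveKey); err != nil {
				return err
			}
		}
		checked++
	}
	if checked == 0 {
		return fmt.Errorf("no manifest for platform %q", target)
	}
	return nil
}

// SampleStore mirrors the scenario in the report: the index lists amd64 first,
// but on an arm64 host only the arm64 layers were pulled.
func SampleStore() (Store, Desc) {
	index := Desc{Digest: "sha256:index", Children: []string{"sha256:manifest-amd64", "sha256:manifest-arm64"}}
	s := Store{
		"sha256:index":          index,
		"sha256:manifest-amd64": {Digest: "sha256:manifest-amd64", Platform: "linux/amd64", Children: []string{"sha256:layer-amd64"}},
		"sha256:manifest-arm64": {Digest: "sha256:manifest-arm64", Platform: "linux/arm64", Children: []string{"sha256:layer-arm64"}},
		"sha256:layer-arm64":    {Digest: "sha256:layer-arm64", Platform: "linux/arm64", Encrypted: true},
		// "sha256:layer-amd64" is deliberately absent: it was never pulled on this host
	}
	return s, index
}

func main() {
	s, index := SampleStore()
	fmt.Println("buggy, no key:      ", CheckAuthorizationBuggy(s, index, false))
	fmt.Println("fail-closed, no key:", CheckAuthorizationFailClosed(s, index, "linux/arm64", false))
	fmt.Println("fail-closed, key:   ", CheckAuthorizationFailClosed(s, index, "linux/arm64", true))
}
```

Run as-is, the buggy check reports nil (authorized) without a key because the first manifest's layers are missing, while the fail-closed check returns the missing-key error; the same model also shows why the bug was hard to hit on amd64 hosts, where the first manifest is the one whose layers are present.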
  • need an updated release and

    need an updated release and

    Two parts...

    Current version reports: 1.5.0-beta.1+unknown

    • there have been changes to the ctr command that need to be synched up... and we should rebase this repo on the 1.5.0 GA to pick that up.. we are going to do a service refresh and imgcrypt binaries are included now so... we should vendor to pick up the new ctr changes, make a release, and set the new release over in containerd/containerd/script/setup/imgcrypt-version

    • longer term.. now that we are building this into the release, need a better way to do this and to get the version tag right :-)

    cc @dmcgowan

    opened by mikebrow 9
  • github.com/containerd/imgcrypt@v1.1.2/go.mod: checksum mismatch when GOPROXY=direct

    github.com/containerd/imgcrypt@v1.1.2/go.mod: checksum mismatch when GOPROXY=direct

    The checksum for github.com/containerd/imgcrypt@v1.1.2/go.mod does not match usage in importing modules (like nerdctl) when skipping the Go module proxy:

    verifying github.com/containerd/imgcrypt@v1.1.2/go.mod: checksum mismatch
    	downloaded: h1:/zRIwdIOlnS1oJhKdq4/9LB9pFv+U1ziMvIBkCRoQuE=
    	go.sum:     h1:maqDE8PxC8IpBdEIXVe5Y0nghLVMv6wkAbcFRyvO+1M=
    
    SECURITY ERROR
    This download does NOT match an earlier download recorded in go.sum.
    The bits may have been replaced on the origin server, or an attacker may
    have intercepted the download attempt.
    
    For more information, see 'go help module-auth'.
    

    This suggests that the v1.1.2 tag may have been changed after an initial tag was cached by the module proxy.

    Would it be possible to either (a) restore the old tag or (b) release a new version of the module so that new version can be cached in the Go module proxy?

    Reproduction steps
    $ docker run -it --rm public.ecr.aws/docker/library/golang:latest
    [email protected]:/go# go env -w GOPROXY=direct
    [email protected]:/go# mkdir -p src/github.com/containerd/nerdctl
    [email protected]:/go# git clone https://github.com/containerd/nerdctl src/github.com/containerd/nerdctl 
    Cloning into 'src/github.com/containerd/nerdctl'...
    remote: Enumerating objects: 5146, done.
    remote: Counting objects: 100% (227/227), done.
    remote: Compressing objects: 100% (131/131), done.
    remote: Total 5146 (delta 114), reused 165 (delta 77), pack-reused 4919
    Receiving objects: 100% (5146/5146), 2.08 MiB | 4.59 MiB/s, done.
    Resolving deltas: 100% (3159/3159), done.
    [email protected]:/go# cd src/github.com/containerd/nerdctl/
    [email protected]:/go/src/github.com/containerd/nerdctl# make
    GO111MODULE=on CGO_ENABLED=0 GOOS=linux go build -ldflags "-s -w -X github.com/containerd/nerdctl/pkg/version.Version=v0.14.0-79-ge671087 -X github.com/containerd/nerdctl/pkg/version.Revision=e671087161ed3e22cf9c9d67b9606bd69e53fbbe"  -o /go/src/github.com/containerd/nerdctl/_output/nerdctl github.com/containerd/nerdctl/cmd/nerdctl
    verifying github.com/containerd/imgcrypt@v1.1.2/go.mod: checksum mismatch
    	downloaded: h1:/zRIwdIOlnS1oJhKdq4/9LB9pFv+U1ziMvIBkCRoQuE=
    	go.sum:     h1:maqDE8PxC8IpBdEIXVe5Y0nghLVMv6wkAbcFRyvO+1M=
    
    SECURITY ERROR
    This download does NOT match an earlier download recorded in go.sum.
    The bits may have been replaced on the origin server, or an attacker may
    have intercepted the download attempt.
    
    For more information, see 'go help module-auth'.
    make: *** [Makefile:50: nerdctl] Error 1
    
    opened by samuelkarp 7
  • Bump github.com/opencontainers/image-spec from 1.0.1 to 1.0.2

    Bump github.com/opencontainers/image-spec from 1.0.1 to 1.0.2

    Bumps github.com/opencontainers/image-spec from 1.0.1 to 1.0.2.

    Release notes

    Sourced from github.com/opencontainers/image-spec's releases.

    v1.0.2

    This release was voted on by the maintainers and PASSED (+5 -0 #2), to mitigate the CVE-2021-41190 advisory.

    This release is rebased directly on the prior tagged release (not including the commits that have occurred on main). Corresponding commits have been added to main, such that main is ready for a future next release.


    Commits
    • 67d2d56 version: release 1.0.2
    • dcdcb7f specs-go: adding mediaType to the index and manifest structures
    • 5f31485 *.md: bring mediaType out of reserved status
    • See full diff in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 6
  • Start container with port and volumes

    Start container with port and volumes

    Hi everyone, I'm trying to use this useful library but can't figure out how to run an encrypted image with port mapping. What is the equivalent of docker run -p <host_port>:<container_port> ...? Also, I can't figure out how to specify volumes when starting the encrypted container.

    thanks for your help.

    opened by GiorgioBelli 6
  • Migrate to GitHub Actions for CI

    Migrate to GitHub Actions for CI

    This enables GitHub actions for both Linux and Windows and runs the same checks/tests as currently implemented via Travis and Appveyor. If acceptable, Travis and Appveyor can be removed once validated; a successful run is here in my fork: https://github.com/estesp/imgcrypt/actions/runs/615320837

    opened by estesp 5
  • minify/compress manifest json

    minify/compress manifest json

    https://github.com/containerd/imgcrypt/blob/36840ad3a650af64eb6e8a7428256823df05ac67/images/encryption/encryption.go#L320

    Was the indentation used before for testing? maybe we can compress it to save a little bit size 🤔

    opened by Gsealy 4
  • Add containerd version requirement for kubernetes

    Add containerd version requirement for kubernetes

    As highlighted in https://github.com/containerd/imgcrypt/issues/21, it is not clear the required version for kubernetes use.

    Signed-off-by: Brandon Lum [email protected]

    opened by lumjjb 4
  • Is it possible to encrypt local image?

    Is it possible to encrypt local image?

    I tried to encrypt the local images, but it always checks the image from docker.io. Is it possible to encrypt a local image? In some network configurations it is not convenient to visit docker.io. Thank you.

    opened by lannyyip 2
  • [WIP / RFC] separate command-line to a separate module

    [WIP / RFC] separate command-line to a separate module

    (This is a very quick attempt at "what this will look like")

    This repository provides both command-line utilities, and a module for external consumers.

    Currently, both are part of the same module; as a result, dependencies of both the module and the command-line utilities are listed in the repository's go.mod. This affects consumers of this project, because (due to go modules' nature of dependency (version) resolution), those consumers will inherit all dependencies, or will be "forced" to use the same version of the CLI dependencies.

    This is a very quick attempt at separating the CLI utilities from the "module", by creating a separate go.mod (and module) for the CLI utilities.

    I'm not fond of the name (github.com/containerd/imgcrypt/cmd) for that module (possibly renaming to github.com/containerd/imgcrypt/cli would be slightly clearer).

    This change will add some additional work when tagging releases; a separate tag should be created for the cli utilities (tagging as cmd/vX.Y.Z), and the "github.com/containerd/imgcrypt" dependency in the go.mod inside the cmd directory may need to be updated to reflect the latest version of the main module when tagging new releases (as the replace rule is non-transitional); something like:

    1. update github.com/containerd/imgcrypt version in cmd/go.mod to "next release"
    2. tag both v<new release> and cmd/v<new version> in tandem.

    CI / validation also needs to be updated to verify both go.mod and go.sum files are correct / up-to-date. Possibly checks should be added to make sure the main module is isolated from the cmd module (i.e., the "module" should not import any path from the cmd directory: the reverse is of course OK (and expected)).

    Finally; use of the 'vendor' directory may need to be discussed; it is common to only use a vendor directory for projects that produce binaries, but omit the vendor directory for "library" projects. In this case (if vendoring is still desired), the vendor directory should be removed from the root of the repository, and moved inside the cmd directory.

    Signed-off-by: Sebastiaan van Stijn [email protected]

    opened by thaJeztah 5
Releases (v1.1.6)
  • v1.1.6 (Jun 8, 2022)

  • v1.1.5 (May 18, 2022)

    v1.1.5:

    • Update to ocicrypt v1.1.4; sha256 is now the default hash for OAEP padding with pkcs11. Set the OCICRYPT_OAEP_HASHALG=sha1 environment variable to force sha1, which is required for example by SoftHSM 2.6.1.
  • v1.1.4 (Mar 25, 2022)

    v1.1.4:

    • Fixed issue in the CheckAuthorization() call path for images with a ManifestList
      • CVE-2022-24778
      • Fix: https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9
      • Added a test case covering this
    • Updated to ocicrypt 1.1.3
    • Updated to containerd 1.6.1
  • v1.1.3 (Mar 24, 2022)

    v1.1.3:

    • Release v1.1.3 addresses issue #62, caused by the re-tagging of v1.1.2
    • docs: update referenced containerd project branch to main
    • Update linter to match containerd repo
    • Update CI golang version
    • Updated to containerd 1.5.8
  • v1.1.2 (Mar 24, 2022)

    v1.1.2:

    • Decouple CreateCryptoConfig() from github.com/urfave/cli
    • Updated to containerd 1.5.7
    • Implemented ConvertFunc for image en- and decryption
    • Replace pkg/errors with errors package
    • Updated to ocicrypt 1.1.2
    • Sync'ed ctr-enc with ctr of containerd-1.5.0
  • v1.1.1 (Mar 24, 2022)

  • v1.1.0 (Apr 13, 2021)

  • v1.0.3 (Jul 10, 2020)

  • v1.0.1 (Feb 24, 2020)

  • v1.0.0 (Feb 24, 2020)
Owner
containerd