Description
Used OS is Ubuntu 22.04.2 LTS.
- Followed the documentation to install Docker Engine manually from a package: https://docs.docker.com/engine/install/ubuntu/#install-from-a-package
sudo dpkg -i ./containerd.io_1.6.9-1_amd64.deb ./docker-ce_23.0.3-1_ubuntu.22.04_jammy_amd64.deb ./docker-ce-cli_23.0.3-1_ubuntu.22.04_jammy_amd64.deb ./docker-buildx-plugin_0.10.4-1_ubuntu.22.04_jammy_amd64.deb ./docker-compose-plugin_2.6.0_ubuntu-jammy_amd64.deb
- Overwrote the Docker CLI with one built from the master branch of this repo: https://github.com/docker/cli/
- Followed the documentation at this URL: https://docs.docker.com/build/attestations/slsa-provenance/ to create the provenance attestation JSON, which does not match the SLSA provenance schema, version 0.2.
Reproduce
- docker buildx create --name container --driver=docker-container
container
- docker buildx ls
NAME/NODE DRIVER/ENDPOINT STATUS BUILDKIT PLATFORMS
container docker-container
container0 unix:///var/run/docker.sock inactive
default * docker
default default running 23.0.3 linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
- docker login
......
Login Succeeded
- cat Dockerfile
FROM alpine
CMD ["echo", "Hello StackOverflow!"]
- DOCKER_BUILDKIT=1 docker buildx build --tag opsmx11/prov:v2 --push --attest type=provenance,mode=min,generator=image --builder=container .
[+] Building 5.6s (7/7) FINISHED
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 86B 0.0s
=> [internal] load metadata for docker.io/library/alpine:latest 1.8s
=> [auth] library/alpine:pull token for registry-1.docker.io 0.0s
=> [1/1] FROM docker.io/library/alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 0.0s
=> => resolve docker.io/library/alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 0.0s
=> exporting to image 3.7s
=> => exporting layers 0.0s
=> => exporting manifest sha256:da8eed841d8afeba7655c7a8903f03d5f112b97a8e52b12d52ee3df35b31d3e7 0.0s
=> => exporting config sha256:ca240bf06400b2bacbba75ba3ba2abab460717559c07a42318f7922e48a48302 0.0s
=> => exporting attestation manifest sha256:1c7a48f2b9a3cd260a22e0f9b30a6f7c73556a5a0fdd360117cd0ed70b0c4383 0.0s
=> => exporting manifest list sha256:2d35bafec6bd5e73dde42cd8eca3bfee8de11178c455a37e28370d34faf5bb82 0.0s
=> => pushing layers 2.0s
=> => pushing manifest for docker.io/opsmx11/prov:v2@sha256:2d35bafec6bd5e73dde42cd8eca3bfee8de11178c455a37e28370d34faf5bb82 1.6s
=> [auth] opsmx11/prov:pull,push token for registry-1.docker.io 0.0s
- docker buildx imagetools inspect opsmx11/prov:v2 --format "{{ json .Provenance.SLSA }}"
{
"buildType": "https://mobyproject.org/buildkit@v1",
"builder": {
"id": ""
},
"invocation": {
"configSource": {
"entryPoint": "Dockerfile"
},
"environment": {
"platform": "linux/amd64"
},
"parameters": {
"frontend": "dockerfile.v0",
"locals": [
{
"name": "context"
},
{
"name": "dockerfile"
}
]
}
},
"materials": [
{
"digest": {
"sha256": "124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126"
},
"uri": "pkg:docker/alpine@latest?platform=linux%2Famd64"
}
],
"metadata": {
"buildFinishedOn": "2023-04-14T11:29:54.416420339Z",
"buildInvocationID": "7avam11c99v99dwggp920n3w0",
"buildStartedOn": "2023-04-14T11:29:52.551035942Z",
"completeness": {
"environment": true,
"materials": false,
"parameters": true
},
"https://mobyproject.org/buildkit@v1#metadata": {
"vcs": {
"revision": "1454aef05d05a448b6695897be7baa951ed6989d",
"source": "https://github.com/gopaljayanthi/provenance.git"
}
},
"reproducible": false
}
Expected behavior
The output should follow the SLSA provenance schema, version 0.2, as shown below:
{
// Standard attestation fields:
"_type": "https://in-toto.io/Statement/v0.1",
"subject": [{ ... }],
// Predicate:
"predicateType": "https://slsa.dev/provenance/v0.2",
"predicate": {
"builder": {
"id": ""
},
"buildType": "",
"invocation": {
"configSource": {
"uri": "",
"digest": { /* DigestSet */ },
"entryPoint": ""
},
"parameters": { /* object */ },
"environment": { /* object */ }
},
"buildConfig": { /* object */ },
"metadata": {
"buildInvocationId": "",
"buildStartedOn": "",
"buildFinishedOn": "",
"completeness": {
"parameters": true/false,
"environment": true/false,
"materials": true/false
},
"reproducible": true/false
},
"materials": [
{
"uri": "",
"digest": { /* DigestSet */ }
}
]
}
}
docker version
Client:
Version: 24.0.0-beta.1-78-g60d0659e40.m
API version: 1.42 (downgraded from 1.43)
Go version: go1.20.3
Git commit: 60d0659e40
Built: Fri Apr 14 08:58:12 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 23.0.3
API version: 1.42 (minimum version 1.12)
Go version: go1.19.7
Git commit: 59118bf
Built: Tue Apr 4 22:05:48 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.9
GitCommit: 1c90a442489720eec95342e1789ee8a5e1b9536f
runc:
Version: 1.1.4
GitCommit: v1.1.4-0-g5fd4c4d
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
Client:
Version: 24.0.0-beta.1-78-g60d0659e40.m
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.10.4
Path: /usr/local/lib/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.6.0
Path: /usr/libexec/docker/cli-plugins/docker-compose
scan: Docker Scan (Docker Inc.)
Version: v0.7.0
Path: /usr/libexec/docker/cli-plugins/docker-scan
Server:
Containers: 2
Running: 1
Paused: 0
Stopped: 1
Images: 2
Server Version: 23.0.3
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 1c90a442489720eec95342e1789ee8a5e1b9536f
runc version: v1.1.4-0-g5fd4c4d
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 5.15.0-69-generic
Operating System: Ubuntu 22.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 31.21GiB
Name: opsmx-blr-l-078
ID: 7BES:UPJW:T2B2:UBRJ:W4V2:VHGP:ZBYN:IXQU:N2PS:VWMK:P6FX:3AZ2
Docker Root Dir: /var/lib/docker
Debug Mode: false
Username: opsmx11
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Additional Info
It is not clear from the documentation how to generate the SLSA provenance attestation. Please provide a step-by-step example of this.
Description
Used OS is Ubuntu 22.04.2 LTS.
sudo dpkg -i ./containerd.io_1.6.9-1_amd64.deb ./docker-ce_23.0.3-1_ubuntu.22.04_jammy_amd64.deb ./docker-ce-cli_23.0.3-1_ubuntu.22.04_jammy_amd64.deb ./docker-buildx-plugin_0.10.4-1_ubuntu.22.04_jammy_amd64.deb ./docker-compose-plugin_2.6.0_ubuntu-jammy_amd64.deb
Reproduce
container
NAME/NODE DRIVER/ENDPOINT STATUS BUILDKIT PLATFORMS
container docker-container
container0 unix:///var/run/docker.sock inactive
default * docker
default default running 23.0.3 linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
......
Login Succeeded
FROM alpine
CMD ["echo", "Hello StackOverflow!"]
[+] Building 5.6s (7/7) FINISHED
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 86B 0.0s
=> [internal] load metadata for docker.io/library/alpine:latest 1.8s
=> [auth] library/alpine:pull token for registry-1.docker.io 0.0s
=> [1/1] FROM docker.io/library/alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 0.0s
=> => resolve docker.io/library/alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 0.0s
=> exporting to image 3.7s
=> => exporting layers 0.0s
=> => exporting manifest sha256:da8eed841d8afeba7655c7a8903f03d5f112b97a8e52b12d52ee3df35b31d3e7 0.0s
=> => exporting config sha256:ca240bf06400b2bacbba75ba3ba2abab460717559c07a42318f7922e48a48302 0.0s
=> => exporting attestation manifest sha256:1c7a48f2b9a3cd260a22e0f9b30a6f7c73556a5a0fdd360117cd0ed70b0c4383 0.0s
=> => exporting manifest list sha256:2d35bafec6bd5e73dde42cd8eca3bfee8de11178c455a37e28370d34faf5bb82 0.0s
=> => pushing layers 2.0s
=> => pushing manifest for docker.io/opsmx11/prov:v2@sha256:2d35bafec6bd5e73dde42cd8eca3bfee8de11178c455a37e28370d34faf5bb82 1.6s
=> [auth] opsmx11/prov:pull,push token for registry-1.docker.io 0.0s
{
"buildType": "https://mobyproject.org/buildkit@v1",
"builder": {
"id": ""
},
"invocation": {
"configSource": {
"entryPoint": "Dockerfile"
},
"environment": {
"platform": "linux/amd64"
},
"parameters": {
"frontend": "dockerfile.v0",
"locals": [
{
"name": "context"
},
{
"name": "dockerfile"
}
]
}
},
"materials": [
{
"digest": {
"sha256": "124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126"
},
"uri": "pkg:docker/alpine@latest?platform=linux%2Famd64"
}
],
"metadata": {
"buildFinishedOn": "2023-04-14T11:29:54.416420339Z",
"buildInvocationID": "7avam11c99v99dwggp920n3w0",
"buildStartedOn": "2023-04-14T11:29:52.551035942Z",
"completeness": {
"environment": true,
"materials": false,
"parameters": true
},
"https://mobyproject.org/buildkit@v1#metadata": {
"vcs": {
"revision": "1454aef05d05a448b6695897be7baa951ed6989d",
"source": "https://github.com/gopaljayanthi/provenance.git"
}
},
"reproducible": false
}
Expected behavior
The output should follow the SLSA provenance schema, version 0.2, as shown below:
{
// Standard attestation fields:
"_type": "https://in-toto.io/Statement/v0.1",
"subject": [{ ... }],
// Predicate:
"predicateType": "https://slsa.dev/provenance/v0.2",
"predicate": {
"builder": {
"id": ""
},
"buildType": "",
"invocation": {
"configSource": {
"uri": "",
"digest": { /* DigestSet */ },
"entryPoint": ""
},
"parameters": { /* object */ },
"environment": { /* object */ }
},
"buildConfig": { /* object */ },
"metadata": {
"buildInvocationId": "",
"buildStartedOn": "",
"buildFinishedOn": "",
"completeness": {
"parameters": true/false,
"environment": true/false,
"materials": true/false
},
"reproducible": true/false
},
"materials": [
{
"uri": "",
"digest": { /* DigestSet */ }
}
]
}
}
docker version
Client:
Version: 24.0.0-beta.1-78-g60d0659e40.m
API version: 1.42 (downgraded from 1.43)
Go version: go1.20.3
Git commit: 60d0659e40
Built: Fri Apr 14 08:58:12 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 23.0.3
API version: 1.42 (minimum version 1.12)
Go version: go1.19.7
Git commit: 59118bf
Built: Tue Apr 4 22:05:48 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.9
GitCommit: 1c90a442489720eec95342e1789ee8a5e1b9536f
runc:
Version: 1.1.4
GitCommit: v1.1.4-0-g5fd4c4d
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
Additional Info
It is not clear from the documentation how to generate the SLSA provenance attestation. Please provide a step-by-step example of this.