forked from osbuild/osbuild
-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add tristate container verification #7
Closed
lukewarmtemp
wants to merge
10
commits into
dustymabe:dusty-ostree-deploy-container
from
lukewarmtemp:tristate-container-verification
Closed
Add tristate container verification #7
lukewarmtemp
wants to merge
10
commits into
dustymabe:dusty-ostree-deploy-container
from
lukewarmtemp:tristate-container-verification
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Similar to the cleanups in 4e99e80, let's start using the library code for the calls to ostree here.
Similar to the cleanups in 4e99e80, let's start using the library code for the calls to ostree here.
This moves the setup_remote function from the ostree source into util/ostree. This is prep for sharing this function with an mpp helper in the future.
This will make it easier to resolve OSTree refs into commits similar to how mpp-resolve-images works for container image references to SHA256 digests.
This adds an early return to the `_process_ostree_commits` function to prevent an empty ostree commit object from being created in the deploy stage which causes violations to the deploy stage input schema.
The ostree.deploy stage now accepts either a ostree input: ``` - type: org.osbuild.ostree.deploy options: osname: fedora-coreos remote: fedora mounts: - /boot - /boot/efi kernel_opts: - rw - console=tty0 - console=ttyS0 - ignition.platform.id=qemu - '$ignition_firstboot' inputs: commits: type: org.osbuild.ostree origin: org.osbuild.source references: f2824f5801f1fb85c8dc08dd0e7394031362b504ec48a2658e8ea459f52209a3: ref: fedora/x86_64/coreos/stable ``` or a containers input: ``` - type: org.osbuild.ostree.deploy options: osname: fedora-coreos mounts: - /boot - /boot/efi kernel_opts: - rw - console=tty0 - console=ttyS0 - ignition.platform.id=qemu - '$ignition_firstboot' inputs: images: type: org.osbuild.containers origin: org.osbuild.source references: sha256:f5ab2e0456ff52b0e95e99c59a1cc70fb690153f146c1c4163c4916781ac3ad5: name: quay.io/fedora/fedora-coreos:stable ``` In the containers input case we will run `ostree container image deploy` wheras for ostree commits input we will continue to execute `ostree admin deploy`. Co-authored-by: Dusty Mabe <dusty@dustymabe.com>
If specified, the ostree remote settings can be used for signature verification of the commits inside the OSTree, which is a good substitute if the containers in the registry aren't signed. Let's take advantage of this if the user specified the remote.
cgwalters
reviewed
Oct 17, 2023
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks sane to me
The target image reference should be set to pull signed container images by default. There are still use cases for unsigned container images but verfication should be explicitly disabled should the need arise.
These examples show how to run a pipeline with ostree containers as inputs. One of them pulls from a remote registry and the other builds an ostree commit first, then encapsulates it, then deploys from that.
9b5bc42
to
2e7e553
Compare
LGTM |
ae894fa
to
f742e5e
Compare
merged into osbuild#1402 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changed
target_signature_verification
from a boolean to a tristate variable, modifiedfedora-coreos-container.mpp.yaml
to reflect the tristate variable change, and modified the container deployment function to properly accept:ostree-remote-registry:{remote}:{image_name}
ostree-image-signed:registry:{image_name}
ostree-unverified-registry:{image_name}