[merged] verify: validate layers of system image stored on disk#531
[merged] verify: validate layers of system image stored on disk#531imsteev wants to merge 1 commit intoprojectatomic:masterfrom imsteev:image_validation
Conversation
|
@vbatts here is an integration of |
Atomic/verify.py
Outdated
| continue | ||
| tmp_dir = tempfile.mkdtemp() | ||
| ref = os.path.join("ociimage", layer) | ||
| cmd = ['ostree','checkout','--union','--repo=%s' % "/ostree/repo",ref,tmp_dir] |
There was a problem hiding this comment.
can we make syscontainers._get_repo_location() a non protected function?
imsteev
changed the title
Atomic/syscontainers.py
Outdated
| os.makedirs(root) | ||
| manifestname = os.path.join(root, "%s.mtree" % layer) | ||
| if os.path.isfile(manifestname): | ||
| util.write_out("validation manifest for layer %s alredy created" % layer) |
|
in For images stored in an OSTree repository, how does this compare to |
| if not success: | ||
| shutil.rmtree(temp_dir) | ||
|
|
||
| return temp_dir |
|
@baude PTAL |
|
@giuseppe |
|
pushed revisions based off feedback. removed the -V flag to make the system validation default behavior. |
|
revised this PR so that now on an |
|
|
||
| ATOMIC_LIBEXEC = os.environ.get('ATOMIC_LIBEXEC', '/usr/libexec/atomic') | ||
| ATOMIC_VAR = '/var/lib/atomic' | ||
|
|
There was a problem hiding this comment.
Should this be under /var/lib/containers? As used below?
There was a problem hiding this comment.
ok I will change this to /var/lib/containers/atomic
|
We need some tests to make sure this works. |
|
when are these files deleted? Shouldn't the manifest be deleted on prune if the layer is not present anymore? |
Integrate go-mtree tool into atomic CLI command, `atomic verify -V <imagename>`. (Note that `gomtree` is still in development and thus we would need some way of obtaining updated gomtree binaries) When a user does an atomic pull, validation manifests for that system image's layers are created and stored in /var/lib/atomic. When user does `atomic verify -V <system image>`, these manifests are then validated against the image that is on disk (which would be stored in ostree). Signed-off-by: Stephen Chung <schung@redhat.com>
|
added a simple test case to check if |
|
Ok we can merge this, but @lsm5 is going to have to add gomtree to the atomic build, or we need to get this accepted as a new package into Fedora. |
|
📌 Commit d741e92 has been approved by |
| verifyp.add_argument("-V", "--validate", default=True, | ||
| action="store_false", | ||
| help=_("disable validating system images")) | ||
| verifyp.add_argument("-g", "--generate", default=False, |
There was a problem hiding this comment.
It seems weird to have this option under verify. I'd expect it to be a system-wide setting one can turn on by default.
Also...I'm a bit concerned about the performance of all of this. Our intent with OSTree BTW is to drive immutability down into the storage stack - then you don't really need verify since the files are truly immutable. See discussion in O_OBJECT
There was a problem hiding this comment.
Maybe we should move this to another verb
atomic images generate
Which would generate new checksums.
There was a problem hiding this comment.
The immutable bit, could be a problem where a user could not remove a file that a hacker had placed on a file system.
There was a problem hiding this comment.
That sort of thing is why I'm not using the immutable bit in ostree today. The semantics are annoying. My proposal for O_OBJECT does allow root to unlink the file (and to create new links to it). I.e. the inode can change, but not the contents.
There was a problem hiding this comment.
Also, the immutable bit can be removed. With O_OBJECT at least you'd have to have compromised the kernel (or have CAP_SYS_ADMIN to write to the raw disk).
In the bigger picture of course if someone has CAP_SYS_ADMIN on your machine, they can inject code into the kernel to lie to whatever userspace validation tools you have, or things like inject malware into the hard drive controller.
That said, if we did have the mtree data in OCI images we built, one could use them to more efficiently perform offline forensics too. Mount a disk with libguestfs or whatever, download just the mtree metadata from a layer rather than the whole layer tar.
|
☀️ Test successful - status-atomicjenkins |
rh-atomic-bot
changed the title
5 participants
Integrated the gomtree filesystem verification tool into
atomic verify -V <system_image>.The idea behind this integration of a filesystem verification tool is so that when a user pulls an image (for now only system images) using
atomic pull ..., a manifest that details a layer (i.e, file ordering, file attributes like mode, size, sha256digest, etc.) will be created and stored in/var/lib/atomic/gomtree-manifests. Then, when a user performsatomic verify -V <system_image>, these manifests will be validated against the local image the user has on disk.Ideally, we would be able to do this for the rest of the images as well, and implement it in a similar manner to
syscontainers._pull_image_to_ostree()Since
gomtreeis still being developed, we need to maintain updated versions of thegomtreebinary. I wasn't sure if ago get...,go install...was something we wanted to do in the Makefile. For now, I created a local build of thegomtreetool and added it as part of this commit.For testing, would the program be able to write to a
/var/lib/atomicdirectory? Because that would be the location where these "gomtree manifests" would be stored. If you want to test it by hand, you can go into your ostree repo and change some content of an image you're not using (although this might affect other images as well, so be careful) and then performverifywith the -V flag.Signed-off-by: Stephen Chung schung@redhat.com