[prototype] feat: add ratify containerd plugin #125

akashsinghal · 2023-05-27T00:45:25Z

This is a very experimental and rudimentary ratify binary for the new image verifier containerd plugin proposal. It's purely used as POC.

Setup:

Use containerd version on main branch

Use a custom config.toml with contents:

version = 2

[plugins]
  [plugins."io.containerd.image-verifier.v1.bindir"]
    bin_dir = "/home/devuser/code/ratify/containerd-plugins"
    max_verifiers = 10
    per_verifier_timeout = "10s"

Start containerd:

sudo bin/containerd -c config.toml -l debug

Sample ctr command of image being blocked:

> sudo bin/ctr image pull --local=false wabbitnetworks.azurecr.io/test/notary-image:unsigned
ctr: rpc error: code = Unknown desc = image verifier bindir blocked pull of wabbitnetworks.azurecr.io/test/notary-image:unsigned with digest sha256:17490f904cf278d4314a1ccba407fc8fd00fb45303589b8cc7f5174ac35554f4 for reason: verifier ratify rejected image (exit code 1): {
  "isSuccess": false,
  "verifierReports": [
    {
      "subject": "wabbitnetworks.azurecr.io/test/notary-image:unsigned@sha256:17490f904cf278d4314a1ccba407fc8fd00fb45303589b8cc7f5174ac35554f4",
      "isSuccess": false,
      "message": "verification failed: no referrers found for this artifact"
    }
  ]
}

Sample ctr command of image passing verification:

> sudo bin/ctr image pull --local=false wabbitnetworks.azurecr.io/test/notary-image:signed

# Output from the containerd logs
DEBU[2023-05-27T00:36:52.223126601Z] Verifying image pull                          digest="sha256:8e3d01113285a0e4aa574da8eb9c0f112a1eb979d72f73399d7175ba3cdb1c1b" name="wabbitnetworks.azurecr.io/test/notary-image:signed" verifier=bindir
DEBU[2023-05-27T00:36:52.252267490Z] time="2023-05-27T00:36:52Z" level=info msg="Setting log level to info"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.252314489Z] warning: GOCOVERDIR not set, no coverage data emitted  image_verifier=ratify
DEBU[2023-05-27T00:36:52.252633187Z] time="2023-05-27T00:36:52Z" level=info msg="selected default auth provider: dockerConfig"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.278756698Z] time="2023-05-27T00:36:52Z" level=info msg="defaultPluginPath set to /home/devuser/.ratify/plugins"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.278918597Z] time="2023-05-27T00:36:52Z" level=info msg="selected policy provider: configPolicy"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.511484911Z] time="2023-05-27T00:36:52Z" level=info msg="Resolve of the image completed successfully the digest is sha256:8e3d01113285a0e4aa574da8eb9c0f112a1eb979d72f73399d7175ba3cdb1c1b"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.546894954Z] time="2023-05-27T00:36:52Z" level=info msg="1 notary verification certificates loaded from path '/home/devuser/code/ratify/notary.crt'"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.546933254Z] time="2023-05-27T00:36:52Z" level=warning msg="Invalid path '/home/devuser/.ratify/ratify-certs/notary/truststore' skipped, error lstat /home/devuser/.ratify/ratify-certs/notary/truststore: no such file or directory"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.546955753Z] time="2023-05-27T00:36:52Z" level=info msg="0 notary verification certificates loaded from path '/home/devuser/.ratify/ratify-certs/notary/truststore'"  image_verifier=ratify
DEBU[2023-05-27T00:36:52.552758811Z] Image verifier allowed pull                   digest="sha256:8e3d01113285a0e4aa574da8eb9c0f112a1eb979d72f73399d7175ba3cdb1c1b" name="wabbitnetworks.azurecr.io/test/notary-image:signed" ok=true reason="ratify => { \"isSuccess\": true, \"verifierReports\": [ { \"subject\": \"wabbitnetworks.azurecr.io/test/notary-image@sha256:8e3d01113285a0e4aa574da8eb9c0f112a1eb979d72f73399d7175ba3cdb1c1b\", \"isSuccess\": true, \"name\": \"notaryv2\", \"message\": \"signature verification success\", \"extensions\": { \"Issuer\": \"CN=wabbit-networks.io,O=Notary,L=Seattle,ST=WA,C=US\", \"SN\": \"CN=wabbit-networks.io,O=Notary,L=Seattle,ST=WA,C=US\" }, \"artifactType\": \"application/vnd.cncf.notary.signature\" } ] }\nratify verification succeeded" verifier=bindir

Note: if you have an existing containerd instance running, you may need to stop the service temporarily so the custom instance can use the same sock. I'm sure there are better ways to get around this but I just did this: sudo systemctl stop containerd.service

Signed-off-by: Binbin Li <libinbin@microsoft.com>

…ifiers

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.2.0 to 4.3.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@7afa10e...8450866) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

feat: add verifiers interface to wrap up operations on namespaced verifiers [multi-tenancy PR 2]

…-action-4.3.0

…_actions/codecov/codecov-action-4.3.0 chore: Bump codecov/codecov-action from 4.2.0 to 4.3.0

…licies [multi-tenancy PR 3] (notaryproject#1359)

…aced stores [multi-tenancy PR 4] (notaryproject#1380)

…project#1383) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…yproject#1394) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

….17.11 (notaryproject#1393) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

….1 to 1.5.2 (notaryproject#1392) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Binbin Li <libinbin@microsoft.com>

…ct#1391) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

notaryproject#1390) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

feat: merge from `staging` to `main`

… certStores [multi-tenancy PR 5] (notaryproject#1382)

Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Co-authored-by: Binbin Li <libinbin@microsoft.com>

…#1577) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Yi Zha <yizha1@microsoft.com>

Signed-off-by: Susan Shi <huish@microsoft.com> Co-authored-by: Binbin Li <libinbin@microsoft.com>

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: Akash Singhal <akashsinghal@microsoft.com>

…9.2 (notaryproject#1575) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Akash Singhal <akashsinghal@microsoft.com> Co-authored-by: huish@microsoft.com <huish@microsoft.com>

Signed-off-by: Susan Shi <huish@microsoft.com>

Bumps golang from `2eb85b8` to `b405b62`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps alpine from `77726ef` to `b89d9c9`. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

…docker/alpine-b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 chore: Bump alpine from `77726ef` to `b89d9c9`

…docker/httpserver/golang-b405b62 chore: Bump golang from `2eb85b8` to `b405b62` in /httpserver

Signed-off-by: Juncheng Zhu <74894646+junczhu@users.noreply.github.com> Co-authored-by: Binbin Li <libinbin@microsoft.com>

…21 (notaryproject#1586) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…notaryproject#1592) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

….28.6 (notaryproject#1587) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…1.17.22 (notaryproject#1594) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…1.17.23 (notaryproject#1600) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…23 (notaryproject#1602) Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Susan Shi <huish@microsoft.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Susan Shi <huish@microsoft.com>

…ct#1598) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

basic ratify containerd plugin

328ec8e

akashsinghal changed the title ~~basic ratify containerd plugin~~ [prototype] feat: add ratify containerd plugin May 27, 2023

akashsinghal mentioned this pull request Jun 1, 2023

Add image verifier transfer service plugin system based on a binary directory containerd/containerd#8493

Merged

binbin-li and others added 27 commits April 9, 2024 04:59

refactor: refactor verifiers to support namespaced

84cb90c

Signed-off-by: Binbin Li <libinbin@microsoft.com>

feat: add verifiers interface to wrap up operations on namespaced ver…

e716f54

…ifiers

feat: add context to getExecutor method

2061199

chore: address comments

810c93e

Merge branch 'staging' into multi-tenancy-pr-2

73ef709

Merge pull request notaryproject#1358 from binbin-li/multi-tenancy-pr-2

6a93bbf

feat: add verifiers interface to wrap up operations on namespaced verifiers [multi-tenancy PR 2]

Merge branch 'staging' into dependabot/github_actions/codecov/codecov…

8c87951

…-action-4.3.0

Merge pull request notaryproject#1379 from deislabs/dependabot/github…

9ac7d5a

…_actions/codecov/codecov-action-4.3.0 chore: Bump codecov/codecov-action from 4.2.0 to 4.3.0

feat: add key support to key management provider (notaryproject#1333)

2894b51

fix: enable workflow for staging (notaryproject#1369)

3872e05

feat: add PolicyManager interface to wrap operations on namespaced po…

7958056

…licies [multi-tenancy PR 3] (notaryproject#1359)

feat: add ReferrerStoreManager interface to wrap operations on namesp…

003fe00

…aced stores [multi-tenancy PR 4] (notaryproject#1380)

fix: update azure tenantId casing (notaryproject#1385)

8acd52b

Merge branch 'main' into staging

f201712

chore: Bump github.com/sigstore/cosign/v2 from 2.2.3 to 2.2.4 (notary…

a1a739f

…project#1383) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

build: update Bridge to Kubernetes debugging steps (notaryproject#1384)

9c11f81

chore: Bump github.com/aws/aws-sdk-go-v2 from 1.26.0 to 1.26.1 (notar…

f5089fc

…yproject#1394) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.9 to 1…

62c00fb

….17.11 (notaryproject#1393) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump google.golang.org/grpc from 1.62.1 to 1.62.2 (notaryproje…

bce6b4c

…ct#1391) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.9 to 1.27.11 (

7c75d59

notaryproject#1390) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Merge pull request notaryproject#1388 from deislabs/staging

6a5f10c

feat: merge from `staging` to `main`

chore: bump oras go to 2.5.0 (notaryproject#1389)

7c34a1a

feat: add certStoreManager interface to wrap operations on namespaced…

3e656b1

… certStores [multi-tenancy PR 5] (notaryproject#1382)

chore: Bump azure/login from 2.0.0 to 2.1.0 (notaryproject#1400)

cc7d780

Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

fix: rename staging to dev branch (notaryproject#1401)

4fed7a0

Co-authored-by: Binbin Li <libinbin@microsoft.com>

dependabot bot and others added 23 commits June 17, 2024 11:18

chore: Bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (notaryproject…

80ffa1f

…#1577) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

docs: add a proposal for periodic retrieval (notaryproject#1510)

6c197b8

Signed-off-by: Yi Zha <yizha1@microsoft.com>

doc: update minor release branching strategy (notaryproject#1456)

2d3a8e0

Signed-off-by: Susan Shi <huish@microsoft.com> Co-authored-by: Binbin Li <libinbin@microsoft.com>

ci: harden github actions (notaryproject#1579)

f536f68

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: Akash Singhal <akashsinghal@microsoft.com>

chore: remodule ratify package (notaryproject#1552)

4a5fee5

fix: enable automated pr to main (notaryproject#1582)

ad69840

Signed-off-by: Susan Shi <huish@microsoft.com>

chore: update a flag in makefile (notaryproject#1584)

a89d00d

chore: Bump golang from 2eb85b8 to b405b62 in /httpserver

1581bcd

Bumps golang from `2eb85b8` to `b405b62`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

chore: Bump alpine from 77726ef to b89d9c9

27ca126

Bumps alpine from `77726ef` to `b89d9c9`. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request notaryproject#1590 from ratify-project/dependabot/…

e4c58e2

…docker/alpine-b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 chore: Bump alpine from `77726ef` to `b89d9c9`

Merge branch 'dev' into dependabot/docker/httpserver/golang-b405b62

cca0a13

Merge pull request notaryproject#1589 from ratify-project/dependabot/…

47b3331

…docker/httpserver/golang-b405b62 chore: Bump golang from `2eb85b8` to `b405b62` in /httpserver

ci: switch region from eastus to westus2 (notaryproject#1591)

efe84cf

feat: Support more trust store types (notaryproject#1538)

ae4385b

Signed-off-by: Juncheng Zhu <74894646+junczhu@users.noreply.github.com> Co-authored-by: Binbin Li <libinbin@microsoft.com>

chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.18 to 1.27.…

374d187

…21 (notaryproject#1586) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 (…

cf7a111

…notaryproject#1592) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.28.5 to 1…

45430c7

….28.6 (notaryproject#1587) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.21 to …

aeceddc

…1.17.22 (notaryproject#1594) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.22 to …

8af013d

…1.17.23 (notaryproject#1600) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

chore: Bump github/codeql-action from 3.25.10 to 3.25.11 (notaryproje…

d862e04

…ct#1598) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

merge dev

5b913b3

akashsinghal temporarily deployed to azure-test July 1, 2024 22:10 — with GitHub Actions Inactive

akashsinghal temporarily deployed to azure-test July 1, 2024 22:32 — with GitHub Actions Inactive

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[prototype] feat: add ratify containerd plugin #125

[prototype] feat: add ratify containerd plugin #125

Uh oh!

akashsinghal commented May 27, 2023 •

edited

Loading

Uh oh!

Uh oh!

[prototype] feat: add ratify containerd plugin #125

Are you sure you want to change the base?

[prototype] feat: add ratify containerd plugin #125

Uh oh!

Conversation

akashsinghal commented May 27, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

akashsinghal commented May 27, 2023 •

edited

Loading