
Inherit container policy when doing a switch #815

Open
castrojo opened this issue Oct 5, 2024 · 3 comments

@castrojo
Contributor

castrojo commented Oct 5, 2024

I noticed that doing a bootc switch from a signed image results in switching to an unsigned image unless you explicitly pass --enforce-container-sigpolicy.

Reproducible Example:

  1. Given a status of ostree-image-signed:docker://ghcr.io/ublue-os/bluefin:40
  2. bootc switch ghcr.io/ublue-os/bluefin:39
  3. Do a status and it's ostree-unverified-registry:ghcr.io/ublue-os/bluefin:39

Passing the enforce flag works as expected. The use case is that when doing testing it's common to switch a bunch. I was digging for a regression and switching between daily builds in multiple VMs, and by the time I was done all my images were unsigned.

Not sure on what the UX should look like as I would guess there are other enterprise policy features that would need to be accounted for. But it would be nice if the signing was transparent unless there was an error, so I figured if you're on a signed image you'd want to stay on a signed image.

@cgwalters
Collaborator

This is all a bit confusing; ostree-unverified-registry doesn't mean that signatures are disabled. It just means that we didn't enforce that /etc/containers/policy.json didn't have a default fallback to insecureAcceptAnything.

There's a whole "observability problem" with the image signature bits here that we should definitely highlight in status in the case where we did verify a signature.

Another way to say this is I'm trying to deprecate the special ostree-container signature verification; bootc should behave the same as podman. IOW if we have something like bootc switch --enforce-signature or so, then podman pull --enforce-signature should exist too.

But basically I believe we were still enforcing signatures while you were switching assuming that you've configured /etc/containers/policy.json - does that make sense?
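
An added example (not from the thread or the bootc project): a simplified model of how a docker reference resolves against /etc/containers/policy.json, reporting whether the matching scope requires a signature and whether the global default falls back to insecureAcceptAnything. The sample policy, the key path and the function names are constructed for illustration, and the most-specific-scope-wins lookup follows containers-policy.json(5) in simplified form.

```python
import json

# Constructed sample policy (not from the issue): signatures are required for
# one namespace; everything else falls through to the permissive default.
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {"docker": {"ghcr.io/ublue-os": [
    {"type": "sigstoreSigned", "keyPath": "/etc/pki/containers/example.pub"}]}}
}
""")
SIGNED_TYPES = {"signedBy", "sigstoreSigned"}


def docker_scopes(ref):
    """Candidate policy scopes for a docker reference, most specific first."""
    repo = ref.rsplit("@", 1)[0]                 # drop a digest, if any
    if ":" in repo.rsplit("/", 1)[-1]:           # drop a tag, not a registry port
        repo = repo.rsplit(":", 1)[0]
    scopes = [ref] if ref != repo else []
    parts = repo.split("/")
    scopes += ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]
    host = parts[0].split(":")[0].split(".")     # wildcard scopes ignore the port
    scopes += ["*." + ".".join(host[i:]) for i in range(1, len(host))]
    return scopes + [""]                         # "" is the transport-wide default


def effective_requirements(policy, ref):
    """Return (matched scope, requirement list) that applies to ref."""
    docker = policy.get("transports", {}).get("docker", {})
    for scope in docker_scopes(ref):
        if scope in docker:
            return scope, docker[scope]
    return "default", policy["default"]


def audit(policy, ref):
    scope, reqs = effective_requirements(policy, ref)
    types = {r["type"] for r in reqs}
    return {
        "matched_scope": scope,
        "signature_required": bool(types & SIGNED_TYPES),
        "permissive_default": any(
            r["type"] == "insecureAcceptAnything" for r in policy["default"]),
    }
```

With this sample policy, both bluefin tags from the report resolve to a scope that requires a signature, while `permissive_default` stays true because the global default still accepts anything.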

@castrojo
Contributor Author

> ostree-unverified-registry doesn't mean that signatures are disabled

Hah, yes of course, this makes total sense.

Gotten so used to it being "the one where the user didn't bother to set up signing" that it ended up just turning into "disabled" in my brain. Thanks! 😄

@castrojo castrojo reopened this Nov 17, 2024
@castrojo
Contributor Author

Reopening after a quick discussion at KubeCon.

Here's the UX problem we're trying to solve: Switching between streams. Scroll down a bit to the manual examples.

Typing the long sigpolicy flag gets old quickly when doing development. But if you don't use that flag the switch rebases to the target but is unsigned. We'd like for it to just only switch between signed images so we don't need to deal with the long flag.

Colin seems surprised by this and thought maybe there was an issue here, so reopening.
