Implement encrypted push and pull/bud/from using encrypted images

[lumjjb]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR introduces the ability to encrypt an OCI container image when pushing, and also allows the use of encrypted OCI container images when building a Dockerfile or pulling an encrypted image from the registry.

This is the initial implementation idea. There are a few more things that I am working on right now before taking out of DRAFT, but would like some feedback on the general idea.

TODO in progress by me:

• Remove ufave/cli and some additional imports which are not necessary from upstream ocicrypt lirbary
• Add tests

How to verify it

# Create keypair
vagrant@ubuntu-bionic:~/go/src/github.com/containers/buildah$ openssl genrsa -out mykey.pem 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
...........+++++
.......+++++
e is 65537 (0x010001)
vagrant@ubuntu-bionic:~/go/src/github.com/containers/buildah$ openssl rsa -in mykey.pem -pubout > mykey.pub
writing RSA key

# Encrypt an image to local registry
vagrant@ubuntu-bionic:~/go/src/github.com/containers/buildah$ ./buildah images
REPOSITORY   TAG   IMAGE ID   CREATED   SIZE
vagrant@ubuntu-bionic:~/go/src/github.com/containers/buildah$ ./buildah pull docker://docker.io/library/nginx:latest
Getting image source signatures
Copying blob ffadbd415ab7 done
Copying blob c499e6d256d6 done
Copying blob 74cda408e262 done
Copying config ed21b7a8ae done
Writing manifest to image destination
Storing signatures
ed21b7a8aee9cc677df6d7f38a641fa0e3c05f65592c592c9f28c42b3dd89291
vagrant@ubuntu-bionic:~/go/src/github.com/containers/buildah$ sudo docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
f91d02361eae        registry:2.7.1      "/entrypoint.sh /etc…"   4 months ago        Up 2 days           0.0.0.0:5000->5000/tcp   registry
vagrant@ubuntu-bionic:~/go/src/github.com/containers/buildah$ ./buildah push --tls-verify=false --encryption-key jwe:./mykey.pub docker.io/library/nginx:latest docker://localhost:5000/test_enc_img
Getting image source signatures
Copying blob d37eecb5b769 done
Copying blob 99134ec7f247 done
Copying blob c3a984abe8a8 done
Copying config 3f9bb7a003 done
Writing manifest to image destination
Storing signatures

# Try pulling encrypted image without key
vagrant@ubuntu-bionic:~/go/src/github.com/containers/buildah$ ./buildah pull --tls-verify=false docker://localhost:5000/test_enc_img
Getting image source signatures
Getting image source signatures
Getting image source signatures
Getting image source signatures
while pulling "docker://localhost:5000/test_enc_img" as "localhost:5000/test_enc_img": Error decrypting layer sha256:ae69626ca4b44e82dce805f5f7be5272c5651bd75e19aa38ec2f5ef78986f3ff: missing private key needed for decryption
ERRO exit status 1

# Try pulling encrypted image with key
vagrant@ubuntu-bionic:~/go/src/github.com/containers/buildah$ ./buildah pull --tls-verify=false --decryption-key ./mykey.pem docker://localhost:5000/test_enc_img
Getting image source signatures
Copying blob ae69626ca4b4 done
Copying blob de5dd0ed1059 done
Copying blob 4071791f0baf done
Copying config 3f9bb7a003 done
Writing manifest to image destination
Storing signatures
3f9bb7a003b412bc186a8437e2d2246f42a6bb7488458585948e50be00a9037d

# Cleanup
vagrant@ubuntu-bionic:~/go/src/github.com/containers/buildah$ ./buildah rmi --all -f
ed21b7a8aee9cc677df6d7f38a641fa0e3c05f65592c592c9f28c42b3dd89291
3f9bb7a003b412bc186a8437e2d2246f42a6bb7488458585948e50be00a9037d

# Create dockerfile that uses encrypted image
vagrant@ubuntu-bionic:~/go/src/github.com/containers/buildah$ vi enc_dockerfile/Dockerfile
vagrant@ubuntu-bionic:~/go/src/github.com/containers/buildah$ cat enc_dockerfile/Dockerfile
FROM localhost:5000/test_enc_img

# buildah bud without key
vagrant@ubuntu-bionic:~/go/src/github.com/containers/buildah$ ./buildah bud --tls-verify=false ./enc_dockerfile/
STEP 1: FROM localhost:5000/test_enc_img
Getting image source signatures
Getting image source signatures
Getting image source signatures
Getting image source signatures
error creating build container: Error decrypting layer sha256:ae69626ca4b44e82dce805f5f7be5272c5651bd75e19aa38ec2f5ef78986f3ff: missing private key needed for decryption
ERRO exit status 1

# buildah bud with key
vagrant@ubuntu-bionic:~/go/src/github.com/containers/buildah$ ./buildah bud --tls-verify=false --decryption-key ./mykey.pem ./enc_dockerfile/
STEP 1: FROM localhost:5000/test_enc_img
Getting image source signatures
Copying blob ae69626ca4b4 done
Copying blob 4071791f0baf done
Copying blob de5dd0ed1059 done
Copying config 3f9bb7a003 done
Writing manifest to image destination
Storing signatures
STEP 2: COMMIT
--> 3f9bb7a003b
3f9bb7a003b412bc186a8437e2d2246f42a6bb7488458585948e50be00a9037d

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Yes

• it provides a new flag for buildah push with --encryption-key
• it provides a new flag for buildah pull with --decryption-key
• it provides a new flag for buildah bud with --decryption-key

[rhatdan]

Please Use errors.Wrapf

[rhatdan]

Not big fans of commented out code...

[lumjjb]

Should have squashed my commits, my bad. I will squash current commits and then changes on top of that.

[rhatdan]

Are both flags required to push? If yes, there should be an error returned by the CLI if only one is specified.

[rhatdan]

Experiemental->experimental

[lumjjb]

encryptLayers is optional. Let me add additional text to the tooltip to communicate that.

[rhatdan]

Experiemental->experimental

[rhatdan]

errors.Wrapf

[rhatdan]

Should we only output this iff there is an encrypted layer

[rhatdan]

Why not make this the default and when initilizing, then eliminate the else block

[rhatdan]

command completions changes required.

[lumjjb]

Thanks for comments @rhatdan ! Addressed them.

command completions changes required.

Forgive my ignorance.. Is there a process to do this? Or is this a manual edit of contrib/completions/bash/buildah?

[rhatdan]

Manually edit them. Just add the options.

[rhatdan]

Now I will ask for the Big pain. some tests to make sure this works.
Also I think you will need this option for buildah from

[TomSweeneyRedHat]

Concept looks good to me, nothing out of whack that I spotted. We will most likely need to do this for at least 'podman pull' too, maybe others as well. The build side of things should go in without a problem, but we'll need to touch up the podman build man page to capture the new options.

FYI: @mheon @baude

[lumjjb]

i'm running into some weird flag issues in running the tests out of master. Having issues with running the integration tests. Am i missing some configuration? I get similar errors when I run make test-integration.

# bats ./tests/push.bat
...
 ✗ push
...
   $ /home/vagrant/go/src/github.com/containers/buildah/tests/../buildah commit
   -D
   --format docker
   --reference-time
   /tmp/tmpdbb3572b5a974dc1a0dd361f/reference-time-file
   --signature-policy
   /home/vagrant/go/src/github.com/containers/buildah/tests/policy.json
   working-container
   scratch-image-docker
   unknown flag: --format docker
   [ rc=1 (** EXPECTED 0 **) ]
   #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
   #| FAIL: exit code is 1; expected 0
   #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...

 ✗ buildah push image to docker and docker registry
   (from function `_prefetch' in file tests/helpers.bash, line 71,
    in test file tests/push.bats, line 148)
     `_prefetch busybox' failed with status 125
   # [checking for: busybox]
   # [restoring from cache: /tmp/buildah-image-cache.4027 / busybox]
   Error: unknown flag: --root /tmp/tmp9db9842473732348fdfd7845/root --storage-driver vfs

[rhatdan]

No idea what is going on.

[lumjjb]

EDIT: looks like it was a mismatch version with podman , should be good now.
looks like it wasnt.

[openshift-ci-robot]

@lumjjb: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[lumjjb]

@rhatdan figured it out... looks like it was an outdated bats version which was parsing the arguments in a different way.

[openshift-ci-robot]

@lumjjb: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@lumjjb: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@lumjjb: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@lumjjb: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[lumjjb]

@rhatdan @TomSweeneyRedHat Added the tests and buildah from. Ready for review!

[rhatdan]

Looks good, just a few nits.

[rhatdan]

Use lower case for help messages.. But I would drop "Experimental" and just leave that in the man page.

[rhatdan]

Lower case error.

[rhatdan]

Remove experimental

[rhatdan]

lower case error.

[rhatdan]

remove experimental

[rhatdan]

remove experimental.

[rhatdan]

Ditto

[rhatdan]

lower case

[rhatdan]

This should start with OciEncryptConfig not If.

[rhatdan]

Rather then extending retryCopyImage, could you just pass in options...

[lumjjb]

I think we're extending getCopyOptions here. Is this fine or are you thinking something like this?

options := getCopyOptions(...)
options.decryptionKey = ...

[rhatdan]

I ready this wrong. I was thinking the copy options and options.MaxRetries, I hate functions which just keep growing their params. Is there a way we can consolidate.

[lumjjb]

Have a couple ideas ... But seems like this would be a separate PR.

For getCopyOptions it looks like the only special case is the store... Maybe something like this? I guess it would be a different PR for this though.

initCopyOptionsWithStore(store, &cp.Options{
                ReportWriter:          reportWriter,
                SourceCtx:             sourceCtx,
                DestinationCtx:        destinationCtx,
                ForceManifestMIMEType: manifestType,
                RemoveSignatures:      removeSignatures,
                SignBy:                addSigner,
                OciEncryptConfig:      ociEncryptConfig,
                OciDecryptConfig:      ociDecryptConfig,
                OciEncryptLayers:      ociEncryptLayers,
        })

Consolidating the retry options

type copyRetryOptions struct{
    maxRetries int
    retryDelay time.Duration
}

[rhatdan]

@mtrmac @vrothberg @nalind PTAL

[rhatdan]

getEncryptConfig is not used?
This looks good, but we will want you to squash the commits when you are done.

[lumjjb]

Thanks. good catch. Rebased master and squashed as well.

[mtrmac]

ACK (but I didn’t review the CLI machinery in detail, I only read the PR diffs without full context).

[lumjjb]

@mtrmac @TomSweeneyRedHat Addressed the comments!

I am thinking that I could do another PR after this one to write something in docs/tutorials on image security - including both signing and encryption as part of that tutorial to provide more context.

[TomSweeneyRedHat]

👍

[TomSweeneyRedHat]

I'd suggest the following, ditto for the other man pages with decryption-key

Suggested change

	**--decryption-key** *key*
	**--decryption-key** *key[:passphrase]*

[TomSweeneyRedHat]

One nit scattered across several of the pages, otherwise LGTM.
A follow up tutorial and/or blog for buildah.io would be very welcomed!

[lumjjb]

Fixed!

[rhatdan]

Tests are still failing?

[lumjjb]

Interesting, it was just passing the last commit and just doc changes... let me check it out.

[lumjjb]

Ah - seems to have something to do with Quay.io being down.

[+0028s] Error: unable to pull quay.io/libpod/in_podman:master: unable to pull image: Error initializing source docker://quay.io/libpod/in_podman:master: unexpected http code: 500 (Internal Server Error), URL: https://quay.io/v2/auth?scope=repository%3Alibpod%2Fin_podman%3Apull&service=quay.io

[TomSweeneyRedHat]

bors retest

[TomSweeneyRedHat]

Kicked the test runs again, hopefully quay.io is happy again.

[rhatdan]

bors r+

[bors]

Build succeeded:

• cirrus-ci/success

[lumjjb]

🎉

[TomSweeneyRedHat]

Awesome work @lumjjb !