--
You received this message because you are subscribed to the Google Groups "docker-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to docker-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
On Tue, Aug 27, 2013 at 5:29 PM, Solomon Hykes <sol...@dotcloud.com> wrote:
> This feature would provide an alternative way to publish a container on theI have been thinking about signed containers recently too. But, from a
> public registry. Instead of the usual binary upload via "docker push", the
> publisher could submit a source URL to the registry. That would then trigger
> a build process *managed by the Docker team*, which would pull the source
> from the given URL, build the container, and push it.
slightly different angle:
1) Establishing trust: I want a mechanism inside of docker push to GPG
sign a container tag just like signing a git tag. And then to verify
that tag on a docker pull. At the end of the day I need to trust the
developer not to have nefarious code and having nefarious code built
by someone else doesn't add much to the security. But! Being able to
verify that the developer I trust was actually the one to release
version X of the container is a really useful property.
We should be able to do this all in native Go too:
https://code.google.com/p/go/source/browse/?repo=crypto#hg%2Fopenpgp
2) Source discovery: The source code discovery is really important too
and that would be a nice feature to add.
3) Random aside: It would be cool if you could start from a signed git
tag in source, build the container from it and then verify the built
container matches the developer's container bit for bit. Debian and
Tor have been talking about something like this:
https://wiki.debian.org/ReproducibleBuilds#Why_do_we_want_reproducible_builds.3F
What if I were to create an image using this method, but use FROM on an untrusted image? Would my new image be a trusted image, or is it automatically sullied by being based on an untrusted image?
Also, wouldn't the original ubuntu base images be untrusted, since they're not created from a Dockerfile, and are instead created by debootstrap? I realize you could manually mark those as "trusted", since they are official after all
, but that would preclude other debootstrap-based images from being trusted, even if they're created using a standard, repeatable method/script.
Don't get me wrong, I really love the idea, I just want to make sure the obvious issues are covered.
On Tuesday, 27 August 2013 18:29:43 UTC-6, Solomon Hykes wrote:So far the public registry has been a great way to get started and discover the possibilities of Docker, but many are hesitant to actually use third-party containers in their application because there's no easy and trustworthy way to *get the sources* of these containers.Here are the 2 questions I hear the most about the public registry:- Question 1: "I found a cool container on the public registry. How can I find its Dockerfile and its source?"- Question 2: "I don't trust this random binary download on the registry. How do I know for sure what source it was built from?"To solve this problem, I propose to add a "trusted build" feature to the public registry.This feature would provide an alternative way to publish a container on the public registry. Instead of the usual binary upload via "docker push", the publisher could submit a source URL to the registry. That would then trigger a build process *managed by the Docker team*, which would pull the source from the given URL, build the container, and push it.A container published via a Trusted Build would be accessible in all the usual ways. But it would be distinguishable by 1) a special "trusted build" notice on the page, and 2) a link to the source it was built from. Conversely, images which are not trusted builds could have a notice indicating that we cannot guarantee their content.This would provide a solid answer to both questions:"How can I find its Dockerfile and its source?" Answer: if it's a trusted build, just follow the source link!"How do I know for sure what source it was built from?" Answer: if it's a trusted build, we (the docker team and specifically infrastructure maintainers of the docker project) guarantee that the container was built from the indicated source. Obviously you need to trust the Docker team and the source - but you don't need to trust an arbitrary 3d-party binary.So, consider this a request for feedback. Do you consider this useful? Would you use it?
I'm new to Docker, and so may be missing something obvious, but I don't understand the utility in organizing the public repo around images with Dockerfiles as secondary objects. It seems like the most general use case of Docker will be running proprietary code and an accompanying private image repo, where users create their own local images.Having the public repository be organized primarily around Dockerfiles rather than images seems like it would be more useful, especially if there was support for software specific templates (i.e. paramaterized docker commands needed to install and run just "node" or "memcache" or "redis" or...). These could be combined to generate Dockerfiles which would themselves be shared as examples for the community to learn from. Instead of the current linear model, it would be more of a mixin-based approach to creating Dockerfiles. Vendors / maintainers of software projects could include a DockerfileTemplate in the root directory of their source, which would offer a "trusted" snippet which could be included in a Dockerfile via something likeTEMPLATE <name> <args>so for example:ADD ./mongodb.conf /data/mongodb.confTEMPLATE mongodb { conf : "/data/mongodb.conf", port: 27017, data : "/data/db" }would be expanded into:...RUN apt-get install mongodb-10genRUN mkdir -p /data/dbEXPOSE 27017ENTRYPOINT ["mongod", "-f", "/data/mongodb.conf"]Instead of building machinery / process / convention around images and the accompanying centralized build and verification process, the docker team would just need to manage access to the template namespace.
--
You received this message because you are subscribed to the Google Groups "docker-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to docker-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.