Project author: containerd

Project description:
OCI Image Encryption Package
Language: Go
Project address: git://github.com/containerd/imgcrypt.git
Created: 2019-10-24T20:10:03Z
Project community: https://github.com/containerd/imgcrypt

License: Apache License 2.0


imgcrypt image encryption library and command line tool

Project imgcrypt is a non-core subproject of containerd.

The imgcrypt library provides API extensions for containerd to support encrypted container images and implements
the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. An extended version
of containerd’s ctr tool (ctr-enc) with support for encrypting and decrypting container images is also provided.

imgcrypt relies on the ocicrypt library for crypto functions on image layers.

Usage

imgcrypt requires containerd 1.3 or later. containerd 1.4 or later is required when used with Kubernetes.
For Kubernetes configuration instructions, please consult the CRI decryption document.

Build and install imgcrypt:

  # make
  # sudo make install

Start containerd with a configuration file like the one below. To avoid interfering with a containerd that came with a Docker
installation we place all directories under /tmp, and we run a containerd 1.3 built from source without installing it. The
stream_processors entries are what make decryption work: for each encrypted layer media type listed under accepts, containerd
pipes the layer through the ctd-decoder binary named in path and expects a stream of the returns media type back.

  # cat config.toml
  version = 2
  disabled_plugins = ["io.containerd.grpc.v1.cri"]
  root = "/tmp/var/lib/containerd"
  state = "/tmp/run/containerd"
  [grpc]
    address = "/tmp/run/containerd/containerd.sock"
    uid = 0
    gid = 0
  [stream_processors]
    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
      accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
      returns = "application/vnd.oci.image.layer.v1.tar+gzip"
      path = "/usr/local/bin/ctd-decoder"
    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.zstd"]
      accepts = ["application/vnd.oci.image.layer.v1.tar+zstd+encrypted"]
      returns = "application/vnd.oci.image.layer.v1.tar+zstd"
      path = "/usr/local/bin/ctd-decoder"
    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
      accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
      returns = "application/vnd.oci.image.layer.v1.tar"
      path = "/usr/local/bin/ctd-decoder"
  # sudo ~/src/github.com/containerd/containerd/bin/containerd -c config.toml

Create an RSA key pair using the openssl command line tool and encrypt an image. The recipient jwe:mypubkey.pem selects JWE
key wrapping with the RSA public key; layerinfo then shows the scheme in the ENCRYPTION column and the wrapped-key types in
RECIPIENTS. Two cautions for anything beyond this throwaway setup: the chmod 0666 on the socket lets any local user talk to
containerd, and anyone who can write to that socket can run containers as root; and mykey.pem is the only thing that will
later let a host decrypt the image, so keep it out of the image and readable only by its owner.

  # openssl genrsa -out mykey.pem
  Generating RSA private key, 2048 bit long modulus (2 primes)
  ...............................................+++++
  ............................+++++
  e is 65537 (0x010001)
  # openssl rsa -in mykey.pem -pubout -out mypubkey.pem
  writing RSA key
  # sudo chmod 0666 /tmp/run/containerd/containerd.sock
  # CTR="/usr/local/bin/ctr-enc -a /tmp/run/containerd/containerd.sock"
  # $CTR images pull --all-platforms docker.io/library/bash:latest
  [...]
  # $CTR images layerinfo --platform linux/amd64 docker.io/library/bash:latest
     #   DIGEST                                                                   PLATFORM     SIZE     ENCRYPTION   RECIPIENTS
     0   sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609  linux/amd64  2789669
     1   sha256:7dd01fd971d4ec7058c5636a505327b24e5fc8bd7f62816a9d518472bd9b15c0  linux/amd64  3174665
     2   sha256:691cfbca522787898c8b37f063dd20e5524e7d103e1a3b298bd2e2b8da54faf5  linux/amd64  340
  # $CTR images encrypt --recipient jwe:mypubkey.pem --platform linux/amd64 docker.io/library/bash:latest bash.enc:latest
  Encrypting docker.io/library/bash:latest to bash.enc:latest
  # $CTR images layerinfo --platform linux/amd64 bash.enc:latest
     #   DIGEST                                                                   PLATFORM     SIZE     ENCRYPTION   RECIPIENTS
     0   sha256:360be141b01f69b25427a9085b36ba8ad7d7a335449013fa6b32c1ecb894ab5b  linux/amd64  2789669  jwe          [jwe]
     1   sha256:ac601e66cdd275ee0e10afead03a2722e153a60982122d2d369880ea54fe82f8  linux/amd64  3174665  jwe          [jwe]
     2   sha256:41e47064fd00424e328915ad2f7f716bd86ea2d0d8315edaf33ecaa6a2464530  linux/amd64  340      jwe          [jwe]

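The layerinfo table above is derived from the image manifest: an encrypted layer carries a media type ending in "+encrypted", and the wrapped layer key for each key-wrapping scheme sits in a layer annotation under org.opencontainers.image.enc.keys.<scheme>. The following Go program is an added example, not code from imgcrypt or ocicrypt, that reads a manifest and reports the same per-layer information without needing ctr-enc, and additionally fails closed on two states an operator should catch before deploying: an encrypted layer with no wrapped key (nobody can ever decrypt it) and a plaintext layer that still carries key annotations. The annotation key names are assumed from the ocicrypt image-spec extension; the manifest, digests and key blobs are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Annotation keys under which ocicrypt stores the wrapped layer key for each
// key-wrapping scheme (assumed from the ocicrypt image-spec extension; the
// scheme name is the last label of the key, e.g. "jwe").
var keyAnnotations = []string{
	"org.opencontainers.image.enc.keys.jwe",
	"org.opencontainers.image.enc.keys.pgp",
	"org.opencontainers.image.enc.keys.pkcs7",
	"org.opencontainers.image.enc.keys.pkcs11",
}

// descriptor is the subset of an OCI content descriptor this check needs.
type descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

type manifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	Config        descriptor   `json:"config"`
	Layers        []descriptor `json:"layers"`
}

// LayerInfo mirrors one row of `ctr-enc images layerinfo`.
type LayerInfo struct {
	Index     int
	Digest    string
	Size      int64
	Encrypted bool     // media type carries the "+encrypted" suffix
	Schemes   []string // key-wrapping schemes present in annotations, sorted
}

// InspectManifest parses a manifest and reports the encryption state of each
// layer, rejecting manifests whose media types and key annotations disagree.
func InspectManifest(raw []byte) ([]LayerInfo, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	infos := make([]LayerInfo, 0, len(m.Layers))
	for i, l := range m.Layers {
		info := LayerInfo{Index: i, Digest: l.Digest, Size: l.Size,
			Encrypted: strings.HasSuffix(l.MediaType, "+encrypted")}
		for _, k := range keyAnnotations {
			if v, ok := l.Annotations[k]; ok && v != "" {
				info.Schemes = append(info.Schemes, k[strings.LastIndex(k, ".")+1:])
			}
		}
		sort.Strings(info.Schemes)
		switch {
		case info.Encrypted && len(info.Schemes) == 0:
			return nil, fmt.Errorf("layer %d (%s) is encrypted but carries no wrapped key", i, l.Digest)
		case !info.Encrypted && len(info.Schemes) > 0:
			return nil, fmt.Errorf("layer %d (%s) is plaintext but carries key annotations %v", i, l.Digest, info.Schemes)
		}
		infos = append(infos, info)
	}
	return infos, nil
}

// AllEncrypted is the pre-push policy check for an image that must never
// leave the host in the clear: every layer must be encrypted.
func AllEncrypted(infos []LayerInfo) bool {
	for _, in := range infos {
		if !in.Encrypted {
			return false
		}
	}
	return len(infos) > 0
}

// SampleManifest is a constructed manifest in the shape imgcrypt produces;
// digests and key blobs are placeholders, not real values.
const SampleManifest = `{
  "schemaVersion": 2,
  "config": {"mediaType": "application/vnd.oci.image.config.v1+json", "digest": "sha256:aaaa", "size": 1},
  "layers": [
    {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted", "digest": "sha256:0001", "size": 2789669,
     "annotations": {"org.opencontainers.image.enc.keys.jwe": "eyJ...", "org.opencontainers.image.enc.pubopts": "eyJ..."}},
    {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted", "digest": "sha256:0002", "size": 3174665,
     "annotations": {"org.opencontainers.image.enc.keys.jwe": "eyJ...", "org.opencontainers.image.enc.keys.pgp": "wcBM..."}},
    {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:0003", "size": 340}
  ]
}`

func main() {
	infos, err := InspectManifest([]byte(SampleManifest))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%-3s %-12s %-9s %-9s %s\n", "#", "DIGEST", "SIZE", "ENCRYPTED", "SCHEMES")
	for _, in := range infos {
		fmt.Printf("%-3d %-12s %-9d %-9t %v\n", in.Index, in.Digest, in.Size, in.Encrypted, in.Schemes)
	}
	fmt.Println("all layers encrypted:", AllEncrypted(infos))
}
```

The sample deliberately mixes two encrypted layers (one with two recipient schemes) and one plaintext layer, so AllEncrypted reports false; a partially encrypted image still leaks whatever the plaintext layers contain.
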
Start a local image registry so we can push the encrypted image to it. A recent version of the registry is required
to accept encrypted container images.

  # docker pull registry:latest
  # docker run -d -p 5000:5000 --restart=always --name registry registry

Push the encrypted image to the local registry, pull it back using ctr-enc, and then run it. Without the private key
containerd refuses to run the image; passing --key mykey.pem lets ctd-decoder decrypt the layers as they are unpacked.

  # $CTR images tag bash.enc:latest localhost:5000/bash.enc:latest
  # $CTR images push localhost:5000/bash.enc:latest
  # $CTR images rm localhost:5000/bash.enc:latest bash.enc:latest
  # $CTR images pull localhost:5000/bash.enc:latest
  # sudo $CTR run --rm localhost:5000/bash.enc:latest test echo 'Hello World!'
  ctr: you are not authorized to use this image: missing private key needed for decryption
  # sudo $CTR run --rm --key mykey.pem localhost:5000/bash.enc:latest test echo 'Hello World!'
  Hello World!

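The encrypt step above and the "not authorized" failure here are two halves of one hybrid scheme: each layer is encrypted under a fresh random symmetric key, that key is wrapped once per recipient public key, and a host can only decrypt if it holds a private key matching one of the wrapped copies. The Go program below is an added example that models that scheme with the standard library; it is not imgcrypt or ocicrypt code, and ocicrypt's real wire format differs (it wraps the key as a JWE and runs a streaming cipher over the layer). AES-GCM, the OAEP label, the struct layout and the sample layer bytes are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrNotAuthorized plays the role of ctr's "missing private key needed for
// decryption": none of the wrapped keys opened with the caller's private key.
var ErrNotAuthorized = errors.New("missing private key needed for decryption")

// oaepLabel binds a wrapped blob to this purpose so it cannot be replayed as
// something else under the same RSA key (assumed label, not ocicrypt's).
const oaepLabel = "imgcrypt-example-layer-key"

// EncryptedLayer stands in for an encrypted layer blob plus the per-recipient
// wrapped keys that ocicrypt keeps in the layer's manifest annotations.
type EncryptedLayer struct {
	Ciphertext  []byte
	Nonce       []byte
	WrappedKeys [][]byte // one RSA-OAEP wrapped copy of the layer key per recipient
}

// EncryptLayer encrypts plain under a fresh 256-bit key with AES-GCM and wraps
// that key for every recipient with RSA-OAEP(SHA-256); the key itself is never
// stored in the clear.
func EncryptLayer(plain []byte, recipients []*rsa.PublicKey) (*EncryptedLayer, error) {
	if len(recipients) == 0 {
		return nil, errors.New("at least one recipient public key is required")
	}
	layerKey := make([]byte, 32)
	if _, err := rand.Read(layerKey); err != nil {
		return nil, err
	}
	aead, err := newAEAD(layerKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := &EncryptedLayer{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plain, nil)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, layerKey, []byte(oaepLabel))
		if err != nil {
			return nil, err
		}
		out.WrappedKeys = append(out.WrappedKeys, w)
	}
	return out, nil
}

// DecryptLayer tries every wrapped key with priv, as a decoder that does not
// know which recipient slot is its own must. Without a matching private key it
// fails with ErrNotAuthorized before touching the ciphertext; a tampered blob
// fails GCM authentication instead of yielding garbage tar bytes.
func DecryptLayer(l *EncryptedLayer, priv *rsa.PrivateKey) ([]byte, error) {
	var layerKey []byte
	for _, w := range l.WrappedKeys {
		if k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, []byte(oaepLabel)); err == nil {
			layerKey = k
			break
		}
	}
	if layerKey == nil {
		return nil, ErrNotAuthorized
	}
	aead, err := newAEAD(layerKey)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, l.Nonce, l.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("layer integrity check failed: %w", err)
	}
	return plain, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed stand-ins for mykey.pem and for a key that was never a recipient.
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	outsider, _ := rsa.GenerateKey(rand.Reader, 2048)
	enc, err := EncryptLayer([]byte("constructed layer tar bytes"), []*rsa.PublicKey{&recipient.PublicKey})
	if err != nil {
		panic(err)
	}
	_, err = DecryptLayer(enc, outsider)
	fmt.Println("outsider:", err)
	plain, err := DecryptLayer(enc, recipient)
	fmt.Printf("recipient: %q %v\n", plain, err)
}
```

Two properties of the real tool follow from this shape: adding a recipient (ctr-enc's --recipient can be given more than once) only adds another wrapped copy of the same layer key, so the ciphertext need not be rewritten, and anyone holding any one of the recipient private keys can decrypt every layer, which is why the private key file deserves the same protection as the image contents.
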
Project details

imgcrypt is a non-core containerd sub-project, licensed under the Apache 2.0 license.
As a containerd sub-project, you will find the project governance, maintainers and contributing
guidelines in our containerd/project repository.