forked from kata-containers/kata-containers
-
Notifications
You must be signed in to change notification settings - Fork 41
Erofs changes roadmap #380
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft
jiria
wants to merge
5
commits into
erofs-main
Choose a base branch
from
jiria/erofsproposalissue
base: erofs-main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,148 @@ | ||
| # Code Integrity for OCI Containers Roadmap | ||
|
|
||
| The purpose of this issue is to track the roadmap for the Code Integrity for OCI | ||
| Containers project. | ||
|
|
||
| The goal is to ensure that when a container is running, its integrity is | ||
| enforced by kernel in the runtime | ||
| ([dm-verity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html)) | ||
| and further, only binaries that come from the original container image layers | ||
| are allowed to run | ||
| ([IPE](https://docs.kernel.org/next/admin-guide/LSM/ipe.html)). Finally, we | ||
| would like to achieve these goals seamlessly, such that not everybody is | ||
| required to update the build and runtime environments, by leveraging integration | ||
| with OCI registries. | ||
|
|
||
| The rest of the document outlines the milestones we envision to achieve the | ||
| stated goals. | ||
|
|
||
| ## Milestones | ||
|
|
||
| ### Milestone 1: Initial Integration with containerd/erofs-snapshotter | ||
|
|
||
| The purpose of this milestone is to enable the basic building blocks required | ||
| for the Code Integrity for OCI Containers project. This includes support for tar | ||
| index, dm-verity, and dm-verity signatures in the erofs-snapshotter. | ||
|
|
||
| As part of the initial milestone, we would like to extend the | ||
| erofs-snapshotter with the following features: | ||
|
|
||
| 1. Add a second method for image layer tar to erofs conversion in the erofs | ||
| snapshotter by leveraging the tar index mode. This is a prerequisite for the | ||
| next milestone, so that the index, which is much smaller than the full erofs | ||
| blob, can be generated ahead of time and pulled from the registry (instead of | ||
| being generated on the fly on the container host). It will also serve as a | ||
| consistent fallback for the next milestone, in case the tar index is not | ||
| available in the registry. | ||
|
|
||
| 2. Finalize the dm-verity support in the erofs | ||
| snapshotter, so that the converted image layers can be backed by a dm-verity | ||
| block device. This will allow the kernel to check the integrity of any file that | ||
| is part of image layers in the runtime. As part of the initial milestone, the | ||
| dm-verity Merkle tree will be generated on the fly on the container host. | ||
|
|
||
| 3. Extend the dm-verity support with logic to pull per-layer dm-verity root hash | ||
| signatures. This will establish provenance for each layer, recognized by the | ||
| kernel. This is a prerequisite for leveraging IPE at scale for all the | ||
| container image layers. We envision that the | ||
| signatures would be pulled from the registry and tied to image layers by | ||
| leveraging the OCI referrers feature. Tying the signatures to the layers | ||
| directly, as opposed to the image manifest, will allow the signatures to be | ||
| reused across different image manifests. | ||
|
|
||
| ```mermaid | ||
| erDiagram | ||
| direction LR | ||
| IMAGE-MANIFEST }|--|{ IMAGE-LAYER-TAR: layers | ||
aadhar-agarwal marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| IMAGE-LAYER-TAR ||--|| IMAGE-LAYER-MANIFEST: layers | ||
| IMAGE-LAYER-MANIFEST ||..|{ IMAGE-LAYER-SIGNATURE-MANIFEST: subject | ||
| IMAGE-LAYER-SIGNATURE-MANIFEST ||--|| IMAGE-LAYER-SIGNATURE: layers | ||
| ``` | ||
|
|
||
| ### Milestone 2: Populating erofs tar index and dm-verity Merkle tree | ||
|
|
||
| The purpose of this milestone is to allow generation of the erofs tar index and | ||
| the dm-verity Merkle tree ahead of time, so that the container host does not | ||
| need to generate them on the fly. This will lead both to a faster cold container | ||
| startup and also to reduce the overall energy needed (by doing the | ||
| operation once, instead of on every host). | ||
|
|
||
| The plan is to extend the erofs-snapshotter by fetching the tar index and | ||
| dm-verity Merkle tree from the registry. If the artifacts are not available from | ||
| the registry, the logic from the initial milestone will be used as a fallback to | ||
| generate the index and Merkle tree on the fly on the container host. | ||
|
|
||
| The actual implementation will leverage OCI referrers to loosely couple the | ||
| tar-index and dm-verity Merkle tree with the original image layers, similar to | ||
| what has been done for signatures as part of the initial milestone. The | ||
| benefit of this approach is that the original image builder does not have to | ||
| understand how to generate the tar index and dm-verity Merkle tree, and somebody | ||
| else can come after the fact and add these artifacts (to help with onboarding | ||
| new users). Further, this means that the | ||
| same image layers can be consumed by other containerd snapshotters, that do not | ||
| understand erofs or dm-verity. | ||
|
|
||
| Leveraging the OCI referrers feature, instead of directly modifying published | ||
| artifacts in the registry is a cleaner approach, as the associated manifests | ||
| would not have to be regenerated. | ||
|
|
||
| ```mermaid | ||
| erDiagram | ||
| direction LR | ||
| IMAGE-MANIFEST }|--|{ IMAGE-LAYER-TAR: layers | ||
| IMAGE-LAYER-TAR ||--|| IMAGE-LAYER-MANIFEST: layers | ||
| IMAGE-LAYER-MANIFEST ||..|{ IMAGE-LAYER-SIGNATURE-MANIFEST: subject | ||
| IMAGE-LAYER-SIGNATURE-MANIFEST ||--|| IMAGE-LAYER-SIGNATURE: layers | ||
| IMAGE-LAYER-MANIFEST ||..|| IMAGE-LAYER-CI-MANIFEST: subject | ||
| IMAGE-LAYER-CI-MANIFEST ||--|| IMAGE-LAYER-CI: layers | ||
| IMAGE-LAYER-MANIFEST ||..|| IMAGE-LAYER-EROFS-COMPATIBILITY-MANIFEST: subject | ||
| IMAGE-LAYER-EROFS-COMPATIBILITY-MANIFEST ||--|| IMAGE-LAYER-EROFS-COMPATIBILITY: layers | ||
| ``` | ||
|
|
||
| The `IMAGE-LAYER-CI` would contain the dm-verity Merkle tree, while the `IMAGE-LAYER-EROFS-COMPATIBILITY` would contain the tar index. | ||
|
|
||
| The downside of this approach is that when the snapshotter is preparing the | ||
| layers for the first time, it will have to reach out to the registry to fetch | ||
| the additional associated artifacts (tar index and dm-verity Merkle tree). To | ||
| mitigate the latency cost, we would like to collaborate on [native support for | ||
| referrers in containerd](https://github.com/containerd/containerd/issues/7654) | ||
| such that containerd could pre-fetch such artifacts ahead of time, as part of | ||
| pulling the layers. This would be | ||
| beneficial for the signature artifacts as well. | ||
|
|
||
| ### Milestone 3: Support for native erofs + dm-verity layers | ||
|
|
||
| The purpose of this milestone is to deliver the final piece of the puzzle, which | ||
| focuses on the native support for erofs and dm-verity layers in | ||
| containerd/erofs-snapshotter. This will reduce any performance overhead of the | ||
| initial milestones for the teams that can publish and consume native | ||
| erofs+dm-verity layers. | ||
|
|
||
| At the moment, containerd can leverage image index and select the right image | ||
| manifest based on OS and architecture. We would like to extend this further, to | ||
| leverage the work done for picking the image manifest based on OS features. This | ||
| would enable OCI registry to serve both erofs and legacy layers in parallel and | ||
| containerd would [pick the right one based on the OS features of the | ||
| host](https://github.com/containerd/platforms/pull/20) and what the registry has | ||
| to offer. This means that when erofs layers are published to registry, they | ||
| could be downloaded directly, and if they are not available, the solutions from | ||
| Milestones 2 and 1 could be used as a fallback. | ||
|
|
||
| The benefit of this approach is that it will simplify the amount of different | ||
| artifacts that need to be pulled from the registry and thus further speed up the | ||
| container startup time. | ||
|
|
||
| While the Merkle tree could be still kept as a separate artifact, we would like | ||
| to propose that the native erofs layers will contain the Merkle tree as well. More | ||
| specifically, we propose that there are native erofs+dm-verity layers, as | ||
| opposed to only generic erofs layers. This will simplify the design overall and | ||
| improve performance. | ||
|
|
||
| ```mermaid | ||
| erDiagram | ||
| direction LR | ||
| IMAGE-MANIFEST }|--|{ IMAGE-LAYER-EROFS-DMVERITY: layers | ||
| IMAGE-LAYER-EROFS-DMVERITY ||--|| IMAGE-LAYER-MANIFEST: layers | ||
| IMAGE-LAYER-MANIFEST ||..|{ IMAGE-LAYER-SIGNATURE-MANIFEST: subject | ||
| IMAGE-LAYER-SIGNATURE-MANIFEST ||--|| IMAGE-LAYER-SIGNATURE: layers | ||
| ``` | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How will these images be built and published? ie. what tooling is available to deal with this?
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At the moment, you can do everything by using the tar.gz as an input and processing it through mkfs.erofs (erofs-utils) and veritysetup. We are planning to simplify this, but I would envision that build-kit can support this as well, and possibly others. What would be the good set to target from your perspective?