Closed saschagrunert closed 7 months ago
application/vnd.cncf.seccomp-profile.config.v1+json
Any plan to register this?
application/vnd.cncf.seccomp-profile.config.v1+json
Any plan to register this?
In the image spec? Hm, I'm not sure if that would be accepted. :thinking:
@containers/image-maintainers PTAL
As discussed before in #2279
.OCIConfig
. If we really wanted to write the seccomp profiles things to c/storage, it would be more reasonable for the c/image/copy code that calls .OCIConfig
to avoid doing that for the seccomp profile artifacts. (… But after activity around #2218 , the c/storage “destination” requires! that the image has a ~valid config in the image sense.) What we do here really depends on the local storage design above, but it’s already a point of concern.Cc: @nalind
Okay, I'm going to elaborate on the file based pull approach rather than full c/common libimage. I guess this would also simplify the whole media type topic by accepting anything.
I do think we need to arrive at a design for “where / how we store artifacts”. I don’t know what’s the best forum and process for that.
@mtrmac generally agree, for seccomp itself an in memory solution would be enough because the profile does not need to be on disk. We can create a more sustainable design later, when we want to fulfill more use cases like wasm.
What do we need to do?
I’m not exactly sure how to do that right now with c/image but I’ll find out.
3. Pull the blob directly (which can be the seccomp JSON for example) and parse it
⚠️💀 Critical: verify each blob’s digest against the data in the manifest. Recommended: If reading into memory (and possibly even to disk), impose a hard-coded size limit.
The digest verification alone suggests that c/image should probably provide a convenience helper doing that. (Right now c/image does get care of that, but only in c/image/copy
. Individual transports should not be in that business.)
As for how to do that, the very rough outline is
src := something.NewReference().NewImageSource()
// m, mt := src.GetManifest()
// parse m, either using the generic code, or a specific format, in c/image/manifest
stream := src.GetBlob(digest)
// buffer AND digest stream
// if digest matches, consume
Alternatively, IIRC podman machine
does the equivalent of skopeo copy $src oci:$tmp
via the Go API; that still costs strictly-speaking-unnecessary disk accesses, but not nearly as many as c/storage (no locking, no syncs), and it handles digest validation.
Adding the new seccomp related config media type
application/vnd.cncf.seccomp-profile.config.v1+json
to the list of allowed configurations.Alternative to https://github.com/containers/image/issues/2279 Testing in https://github.com/cri-o/cri-o/pull/7804
cc @sftim @mtrmac