Explore attestation of docker containers

[shankari]

So that we can ensure that the container is running the expected code

[shankari]

@shankari will update with potential solutions both @shankari and @njriasan will explore

[njriasan]

@shankari did you find the Linux tools you were discussing? I did a brief search and didn't find anything. I assumed the easiest thing to do would be use the docker image ID, which appears to be a SHA256 hash of the image contents (with some layering component too that I'm not sure what to investigate about this). This seems like the most natural check because docker added this support primarily for this purpose. Of course using a hash introduces issues when making small changes, but I think its reasonable to assume that like all other software when updates are release you have to decide whether or not to upgrade.

[shankari]

@njriasan I can't find it 😦 I know I saw it earlier, but I looked through both apache and LF and I can't find anything related to this. I will take another look tomorrow am, but right now, I assume that we will have to roll our own.

[shankari]

I think this was maybe SPIRE https://spiffe.io/spire/concepts/ The name sounds vaguely familiar, but I can't remember where I saw it if so

[shankari]

The Security and Compilance section of the CNCF has some interesting projects linked as well. https://landscape.cncf.io/

[shankari]

Docker also has built-in capability tuning based on AppArmor https://opensource.com/business/15/3/docker-security-tuning

[shankari]

aha! spire is in fact part of the CNCF. Dunno why they are not in the main projects list. https://www.scytale.io/opensource-spiffe/

Inspired by production infrastructure at Facebook, Google, Netflix, and more, SPIFFE and SPIRE launched in December 2017 and were invited into the CNCF in March 2018.

Hm. It looks like it is not there any more https://www.cncf.io/projects/

Maybe it was removed, or chose to remove itself. I guess there are no press releases for that 😄 I must have seen it when it was still part of the CNCF.

[njriasan]

Here is another project that I found: https://github.com/GoogleContainerTools/container-structure-test.

You should be able to check hashes through command tests and then file existence/permissions and container permissions also seem reasonable to integrate. I don't know if you think we need an intricate example of using a tool like this but its probably at least useful to mention in the thesis. Personally I think this seems like the most straightforward to implement but I also haven't explored the other projects in great detail (this just seemed so straightforward).