godarch / darch

A tool for building and booting stateless and immutable images, bare metal.
https://godarch.com/
MIT License

Feature Requests: Private registry / Encryption #25

Closed shizonic closed 6 years ago

shizonic commented 6 years ago

First I'd like to thank you for the great work you've done with darch. I really like it.

Currently I am on my own private darch setup and therefore building some images (void-based) from scratch. Some of these images contain sensitive data and I would like to host them in my private docker registry. As far as I know there is currently no possibility to pull images from a private registry. Would you consider implementing this feature?

Further, I would like to use full disk encryption (including /boot). Grub2 does support encryption but I still didn't get it to work with darch. Are there any possibilities or would you implement this too?

If I can support you in any way I likely will. I have some knowledge in golang and a lot in docker. Besides, Linux in general is no foreign word for me.

Thanks for your effort. Thumbs up!

pauldotknopf commented 6 years ago

> First I'd like to thank you for the great work you've done with darch. I really like it.

Thanks!

> As far as I know there is currently no possibility to pull images from a private registry. Would you consider implementing this feature?

This is currently implemented. Name your images "domain.com/repo/image" and then push/pull like you would normally. If no domain is provided, docker.io is used.

> Grub2 does support encryption but I still didn't get it to work with darch.

This should work, I'm not sure what issues you are experiencing. When go 1.11 is finally released, I will be updating this package to support mod. I'll take a look at it then.
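The naming rule in the reply above, as an added example that is not darch's own code: it shows which registry a name resolves to, including the case where a short internal host name without a dot or port is treated as a docker.io namespace. It assumes the usual Docker naming convention, defaults the tag to `latest`, and does not handle digest references; `Ref` and `ParseRef` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Ref holds the parts of an image name that decide where it is pushed to or pulled from.
type Ref struct {
	Registry string
	Repo     string
	Tag      string
}

// ParseRef applies the Docker naming convention (an assumption, not darch's code):
// the text before the first "/" is a registry host only if it contains "." or ":"
// or equals "localhost"; otherwise the whole name is a docker.io repository.
func ParseRef(name string) (Ref, error) {
	// Digest references ("@sha256:...") are out of scope for this example.
	if name == "" || strings.ContainsAny(name, " \t@") {
		return Ref{}, fmt.Errorf("invalid image name %q", name)
	}
	registry, rest := "docker.io", name
	if i := strings.Index(name, "/"); i >= 0 {
		first := name[:i]
		if strings.ContainsAny(first, ".:") || first == "localhost" {
			registry, rest = first, name[i+1:]
		}
	}
	// A tag is a ":" after the last "/"; a ":" before it was a registry port.
	tag := "latest"
	if i := strings.LastIndex(rest, ":"); i > strings.LastIndex(rest, "/") {
		rest, tag = rest[:i], rest[i+1:]
	}
	if rest == "" || tag == "" {
		return Ref{}, fmt.Errorf("invalid image name %q", name)
	}
	return Ref{Registry: registry, Repo: rest, Tag: tag}, nil
}

func main() {
	// Constructed sample names; "internal/void:1.0" has no dot, so it resolves to docker.io.
	names := []string{"shizonic/void", "domain.com/repo/image", "internal/void:1.0", "localhost:5000/void"}
	for _, n := range names {
		r, err := ParseRef(n)
		fmt.Println(n, "->", r.Registry, r.Repo, r.Tag, err)
	}
}
```

Checking the resolved registry before pushing an image that contains sensitive data confirms it is going to the private host and not to docker.io.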

shizonic commented 6 years ago

@pauldotknopf Thanks for your quick and precise reply.

> This is currently implemented. Name your images "domain.com/repo/image" and then push/pull like you would normally. If no domain is provided, docker.io is used.

Okay. But what if I want to use my private repos on docker.io? If I pull from them via the docker cli I get asked to insert my username and password (if I didn't use docker login first). At this point I am able to pull as from public repos. If I try the same with darch's cli I get:

darch: failed to resolve reference "docker.io/shizonic/void:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

> This should work, I'm not sure what issues you are experiencing.

Ok. So I just have to dig deeper and give it another try. Thanks.

> When go 1.11 is finally released, I will be updating this package to support mod. I'll take a look at it then.

What exactly do you mean by "mod"?

pauldotknopf commented 6 years ago

> But what if I want to use my private repos on docker.io?

Check the user flag (see darch images pull --help for more info).

https://github.com/godarch/darch/blob/7e59246329669fcbdd0aa8d822a88142be2a2ff8/pkg/cmd/darch/commands/resolver.go#L29

> What exactly do you mean by "mod"?

https://github.com/golang/go/wiki/Modules

shizonic commented 6 years ago

> Check the user flag (see darch images pull --help for more info).

Perfect. I am sorry. Didn't see this before. Maybe the docs should be updated?

> https://github.com/golang/go/wiki/Modules

Very interesting. Looking forward to this feature.

Another question: Would you consider adding shell completion (bash & zsh) for the cli? I think this would help everybody and the docs don't have to be updated... I think there are go packages that can generate completions automatically.

shizonic commented 6 years ago

> This should work, I'm not sure what issues you are experiencing. When go 1.11 is finally released, I will be updating this package to support mod. I'll take a look at it then.

Again to the encryption problem. I have two partitions, one for root / and one for /boot. Both are encrypted using LUKS. The root partition uses LUKS 2.0 and the boot partition LUKS 1 (due to the fact that GRUB encryption only works with GRUB 1). Both partitions use btrfs as fs.

So the problem now is that your grub entry tries to source /etc/darch/grub.cfg, but at this moment only /boot is encrypted by GRUB and it can't be found. Therefore I don't have any entries for darch images. Is it not possible to have /boot on a separate partition when using encryption?

shizonic commented 6 years ago

So this is solved too. Thanks.

elovin commented 4 years ago

@shizonic How did you solve the encryption problem with grub?

shizonic commented 4 years ago

https://github.com/godarch/darch/commit/dd679101bfe4d2ba011b4933427a0d11b7119494 ?