lima-vm / lima

Linux virtual machines, with a focus on running containers
https://lima-vm.io/
Apache License 2.0

consume lima templates over OCI registries #882

Open developer-guy opened 2 years ago

developer-guy commented 2 years ago

Description

OCI registries are evolving to store any kind of artifact, thanks to OCI artifacts. Many tools out there have already been adapted to consume their configs over OCI registries, such as conftest (ability to pull/push Rego policies), Flux (kustomizer.dev), Tekton (Tekton Bundle), Helm (Charts OCI Registry support), etc.

What I'd like to propose is that we can store and distribute Lima templates over OCI registries too:

# devopps/my-lima-template:v0.1.0 this image will hold the template itself within its layer
$ lima start template://devopps/my-lima-template:v0.1.0

cc: @AkihiroSuda @dentrax @jandubois

developer-guy commented 2 years ago

please assign it to us if you are ok with this

jandubois commented 2 years ago
$ lima start template://devopps/my-lima-template:v0.1.0

I think it would need some different protocol schema name than template to avoid ambiguity; the example you give above is a valid file reference.

Personally I'm a bit worried about using protocols that are not easily inspectable with just a browser, as lima templates can execute provisioning scripts, so can access data from the host and exfiltrate it at will. It would be trivial to have a template that sends your ~/.aws/config to a server somewhere. That's why I would never install a template without manually checking it first, just like I don't like running curl ... | sudo bash.

Is there really a compelling use case for storing lima templates in a registry, and not just at some https url, which is already supported?
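
As an added review aid (not lima's own code and not from this thread): a small script that lists the mounts and provisioning scripts a template declares, so the template can be read before starting an instance from it, as jandubois suggests. It assumes the Lima template keys `mounts` (items with `location` and `writable`) and `provision` (items with `mode`, assumed to default to system, and `script`), reads only the `script: |` block-scalar form, and is a line-based reader for those two sections rather than a general YAML parser. The sample template and the heuristic flags are constructed for this example.

```python
"""List what a Lima template can touch on the host, for manual review before starting it.

Added example, not lima code. Assumes template keys `mounts` (location, writable)
and `provision` (mode, defaulting to "system"; script as a `script: |` block).
"""
import re

# Constructed sample template for this example (not a real Lima template).
SAMPLE_TEMPLATE = """\
# constructed sample
images:
- location: "https://example.invalid/placeholder.qcow2"
  arch: "x86_64"
mounts:
- location: "~"
  writable: false
- location: "/tmp/lima"
  writable: true
provision:
- mode: system
  script: |
    #!/bin/bash
    set -eux
    apt-get install -y containerd
- mode: user
  script: |
    #!/bin/bash
    curl -fsSL https://example.invalid/setup.sh | sh
"""

# Heuristic patterns used only to draw a reviewer's eye to a script.
NETWORK_CLIENT = re.compile(r"\b(curl|wget|nc|ncat|scp|ssh)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash)\b")


def indent(line):
    return len(line) - len(line.lstrip(" "))


def top_level_sections(text):
    """Map each top-level key to the raw lines beneath it (list items may sit at column 0)."""
    sections, key = {}, None
    for line in text.splitlines():
        bare = line.strip()
        if bare and indent(line) == 0 and not bare.startswith(("#", "- ")):
            key = bare.split(":", 1)[0]
            sections[key] = []
        elif key is not None:
            sections[key].append(line)
    return sections


def split_items(lines):
    """Split a YAML sequence into items; the leading '- ' becomes indentation."""
    items, current, item_indent = [], None, None
    for line in lines:
        starts_item = line.lstrip().startswith("- ") and (
            item_indent is None or indent(line) == item_indent)
        if starts_item:
            if current:
                items.append(current)
            item_indent = indent(line)
            current = [" " * (item_indent + 2) + line.lstrip()[2:]]
        elif current is not None:
            current.append(line)
    if current:
        items.append(current)
    return items


def parse_fields(item_lines):
    """Read `key: value` pairs of one item; `key: |` block scalars are joined and dedented."""
    fields, field_indent, i = {}, indent(item_lines[0]), 0
    while i < len(item_lines):
        line = item_lines[i]
        if line.strip() and indent(line) == field_indent and ":" in line:
            key, _, value = line.strip().partition(":")
            value = value.strip()
            if value.startswith(("|", ">")):
                block, i = [], i + 1
                while i < len(item_lines) and (
                        not item_lines[i].strip() or indent(item_lines[i]) > field_indent):
                    block.append(item_lines[i])
                    i += 1
                body_indent = min((indent(l) for l in block if l.strip()), default=0)
                fields[key] = "\n".join(l[body_indent:] for l in block).strip("\n")
                continue
            fields[key] = value.strip("\"'")
        i += 1
    return fields


def audit_template(text):
    """Return host-relevant facts: mounts as (location, writable), provision as (mode, script)."""
    sections = top_level_sections(text)
    mounts = [(f.get("location", ""), f.get("writable", "false").lower() == "true")
              for f in map(parse_fields, split_items(sections.get("mounts", [])))]
    provision = [(f.get("mode", "system"), f.get("script", ""))
                 for f in map(parse_fields, split_items(sections.get("provision", [])))]
    return {"mounts": mounts, "provision": provision}


def review_flags(findings):
    """Turn the audit into one-line review notes (heuristics for a human reader, not a verdict)."""
    flags = []
    for location, writable in findings["mounts"]:
        access = "writable" if writable else "read-only"
        flags.append(f"mount: host path {location} is exposed to the guest ({access})")
    for mode, script in findings["provision"]:
        if mode == "system":
            flags.append("provision: a script runs as root inside the guest")
        net = NETWORK_CLIENT.search(script)
        if net:
            flags.append(f"provision ({mode}): script uses a network client ({net.group(1)})")
        if PIPE_TO_SHELL.search(script):
            flags.append(f"provision ({mode}): script pipes downloaded content into a shell")
    return flags


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for flag in review_flags(audit_template(text)):
        print(flag)
```

Run it with a template path (`python review_template.py my-template.yaml`) to get the mount and provisioning summary; the flags only say where to look, and the scripts themselves still have to be read, which is the point jandubois makes about not running a template without checking it first.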

AkihiroSuda commented 2 years ago

I agree with @jandubois. Using a remote URL is highly discouraged.