New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Name Delegation Design Discussion #11
Comments
On Wed, Apr 06, 2016 at 05:15:43PM -0700, Brandon Philips wrote:
I think blob delegation should be outside the scope of the image
|
@wking This isn't about blob delegation. This is about delegation of naming for images. Which is explicitly in scope (see the README). |
On Thu, Apr 07, 2016 at 06:47:35AM -0700, Brandon Philips wrote:
Ah, it's just about discovering manifest hashes. Developing and |
@stevvooe I don't see how notary relates to name delegation. Do you have a doc? |
@stevvooe Ping. |
@philips You can read here. The link is fairly straightforward. Let me know if you have more questions. Perhaps, I am misunderstanding naming delegation. We may need a clear definition and identification specific use cases it solves for the individual user. Part of the crux with naming delegation is that it is great for ISVs and service providers but I'd like to better understand where the user gains benefit. We struggled with our efforts from this angle when we looked into this. If I were, say, a data scientist, why should I have to setup DNS and a web service to deploy software in my local infrastructure? I do find such strategies as We also may want to value offline use cases slightly higher. In typical deployments, there may only be a few organizational mirrors. In the |
Every enterprise I work with wants a trusted repository of data. This is a model they are very familiar with. Think rpm/deb repo or Java's maven repos. How does this name delegation model work for this model? For example imagine nginx comes from nginx.com. But in the "enterprise" they want to mirror the images from nginx.com to their local servers such that when a user pulls "nginx" it goes to the on prem repo and not the internet. |
Configuration to declare where the mirror is for nginx.com or more likely On Thu, Apr 21, 2016, 7:49 PM Darren Shepherd notifications@github.com
|
Does this work today already on rkt or appc? I'd like to understand more. I'm trying to wrap my head around this. The fact that it's model after go is the problem for me. Go has so many distribution problems where other languages like node and Java don't really. But the fundamental difference in the two is that node/Java have a centralized de facto store for everything (npm/mvn central). I have an easier time grasping the idea that name resolution is not decentralized but instead done based on a small set of chosen trusted sources. |
@ibuildthecloud Is what you are suggesting actually, technically different than an indefinitely caching proxy with a hand written white list? In that case, such proxys already exist, and no software on OPCs side is necessary. Just set up your "in enterprise" systems to use the companies proxy, and curration and trust management can happen when writting the white list. |
Is there room for TUF's delegation notions to get incorporated here? The have a pretty fine grained way of delegating trust for certain packages to different sources, with a well-studied set of security / authenticity guarantees. |
On Fri, Apr 22, 2016 at 09:08:29AM -0700, Kamal Marhubi wrote:
Notary [1,2] is a wrapper around TUF. More notes on that and thoughts
|
On Fri, Apr 22, 2016 at 9:08 AM Kamal Marhubi notifications@github.com
Namespaces in TUF and in particular Notary can use a DNS form. Here is a concrete example from the docs: |
Here are the three use cases as I see it:
Neither of those two care about name delegation.
it seems to me that there are two questions here:
Options here appear to be DNS CNAME records, or a well-known URI. Pros for CNAME are:
Cons for CNAME:
Pros for well known URI:
Cons for well known URI:
I think the answer here should be "no" the risks are just to big and the win is minimal. |
@brendandburns To clarify, are you saying that the user should be able to configure the naming authority for
We can agree, here. Allowing remotes or local to manipulate paths quickly gets out of hand. Put differently, if we expressed naming as a function |
@stevvooe the name of the image is still |
@stevvooe put another way, this all happens in the DNS subsystem, so the client code pulling the image doesn't even notice. They just see |
On Wed, Apr 27, 2016 at 3:27 PM Brendan Burns notifications@github.com
I think of delegation based on DNS/well-known URI as a "globally Depending on the language we come up with here it will look like something
|
It seems to me that TLS should be fine, as long as the thing you are delegating to holds the cert for the original registry. I think there are two cases to consider (and maybe this is the source of confusion) there is the pure delegation case: "I don't have a registry, but I want a vanity domain" and the mirror case "There's some registry out there, but for various reasons, I want to actually access those images at some other mirror location". I was really mostly thinking about the former. The mirror one is sort of interesting but doesn't seem like a server-side protocol, but rather a client-specific configuration. |
I don't see how we can dismiss TLS here. We still need to provide secure connections to both the white label domain and the upstream. They may be different. How can this happen at a pure dns-level if the primary and delegate domains may have different implementations and certificates? If it really is just pure DNS, why not just tell users to use a CNAME and be done with this? If it really is just CNAMEs, do we even need to specify anything? |
@stevvooe I'm not dismissing TLS. The CNAME option would involve a user defining a whole subdomain (e.g. I think the goal in the spec is to design the best practice for how it would work, so that implementors know what they need to build (e.g. an interface that accepts a cert), even if the actual mechanism doesn't require an implementation. Anyway, CNAME is one of the two options. A well-known URI is the other option. I tried to list the pros and cons of each in my earlier post I think that the best effort in this issue is to decide which option is preferred by the maintainers. If it is easier for me to put the options and pros/cons into a markdown doc and have the discussion in a PR, I can do that too. (and if I missed any pros/cons let me know) |
@brendandburns I see. Sorry about the harsh wording here. How is this different from using TLS with a CNAME as one normally would? It sounds like a very standard usage. Am I missing something? Why does it need to specified? Seems like it belongs in recommendations or best practices. As an interesting data point, I have suggested this approach situations looking "spruce" up the registry urls. Typically, this is easy if you host your own registry. The problem arises when using providers such as AWS ECR, Docker Registry and GCR (please correct me if I am wrong). They would have to host a private key for each domain. Would such a provision push a requirement for services running a registry to accept certificates to use for white labeling? |
This still delegates the trust model to the registry. The problem comes when working with multiple registries. Which keys do you trust when they disagree? The only way to manage this is centralization. One approach is to partition the namespace with DNS. I am not sure that one can honestly separate naming and trust models without redundancy and ambiguity. Can this be done without making such separate systems completely incompatible? |
On Mon, May 02, 2016 at 01:47:24PM -0700, Stephen Day wrote:
For example, if the registry (or registries, it doesn't matter) has With the X.509 trust delegation, maybe a debian.org/debian→hash |
Perhaps I'm missing something (and I apologize if I do), but wouldn't the ultimate trust model still consist of having the image pulled being signed by a recognized public key? That way, even if it is served by |
On Mon, May 02, 2016 at 03:26:19PM -0700, josephschorr wrote:
Yeah, I think end-to-end signing is important. Which is why I think func RegistryLookup(name string, trust TrustStore) (hash string, error)
} where registryLookup is performing the name (e.g. debian.org/debian) The earlier deconstruction 3, on the other hand, was fetching the |
I will re-iterate, there are really two different issues here:
I think that this issue is concerned with 1, not 2. There is definitely trust involved in name canonicalization, but I think that we have to require that the trust is implemented by having the owner of the domain ( The reason for this is that it is otherwise very difficult for me (as an image owner) to change the canonicalization of the name (say I switch from |
On Fri, May 06, 2016 at 10:57:51AM -0700, Brendan Burns wrote:
This assumes:
Both of those are reasonable choices for an implementation and are |
Hrm, I think all of the signing stuff is out of scope for this issue. In my mind there are two ways that we establish trust:
People who don't want this can use IP addresses for their registry prefix, which inherently will skip name resolultion. |
On Fri, May 06, 2016 at 11:16:46AM -0700, Brendan Burns wrote:
And folks who are using a sneakernet and OpenPGP? I agree that lots |
@wking in that case they can use any name they want, and then install the appropriate mirror definition in their clients. This is why I think there are two different issues getting smashed around here. One is discovery/naming: how do I go from the name of an image to an actual place where I can get a bunch of file hashes. The other is trust: I have this collection of tarballs, how do I assert that they are the thing that I think they are and that they are sourced from a source I trust. In your use case, name resolution and discovery aren't necessary. You already have the files in a tarball. Only the trust part is needed. But for most users that isn't the way they will interact with images. And for people who distribute images but don't want to get a domain name there are always the existing hosted registries (e.g. I could imagine defining some sort of null registry |
On Fri, May 06, 2016 at 02:04:54PM -0700, Brendan Burns wrote:
I agree that there are at least two issues, I just don't want to see
With that approach, how will folks sign/verify gcr.io or localhost |
So my thought is that you would sign with your keys prior to uploading the image to the registry, but I haven't thought super deep about the signing problem, since I think its different than name resolution, and I've focused name resolution for this issue. |
On Thu, May 19, 2016 at 10:18:18AM -0700, Brendan Burns wrote:
I think signing is going to be inseparable from name resolution. On the other hand, signing should be orthogonal from distribution. $ oci-image-tool unpack path/to/my-oci-image.tar.gz debian-1.0 which unpacks the image whose name matches debian-1.0 after checking $ oci-image-tool unpack https://gcr.io/brendanburns/foo mycompany.com/foo which unpacks the image whose name matches mycompany.com/foo after With that orthogonal signing in place, how you get from a |
@wking The name that you use for validating signing is still the original name. Put clearly in an example: I start pulling But then once downloaded, I verify the images using the original name Make sense? |
On Thu, May 19, 2016 at 12:34:05PM -0700, Brendan Burns wrote:
Sounds good to me, although it sounds more like the pseudo-code in 1 And with this optional mirror-lookup procedure, I want to make sure And I am absolutely fine with folks mirroring any image they have |
I guess I think: if the owner of the name choses the remapping then it is "delegation" since there no other locations where that image can be found. if the owner of the client chooses the remapping then it is "mirroring" since it is copied from wherever the original source is located. but it's semantics, I guess. If we have rough agreement on the goals, do we have a preference for DNS or well-known URL? (or both?) |
On Thu, May 19, 2016 at 02:09:02PM -0700, Brendan Burns wrote:
How many images are licensed “all rights reserved”? I'd guess for
I don't care once things get down to this level. I just get jumpy |
@wking I think we should require dns compatible names. whether the domain actually exists or not is up to the end user. |
On Thu, May 19, 2016 at 02:31PM -0700, Brendan Burns wrote:
What's the benefit to requiring DNS-based names but allowing So folks intending to use DNS-based mirror discovery should be using |
We have been discussing naming for quite some time but I would like to propose to the @opencontainers/image-spec-maintainers that we move this to the post-v1.0.0 milestone for two reasons:
We can discuss during the call tomorrow or here. If you are ok or not ok moving to post-v1.0.0 speak up below. |
I still want this idea. It was one of the earliest topics, and lengthy discussion. |
Signed-off-by: Sajay Antony <sajaya@microsoft.com>
DNS delegation is the idea that I can own the domain
example.com
but delegate hosting of my container images tocontainer.hosting
. Think MX records, where I have a DNS name that tells me where to send email for a domain without the dedicated special DNS record.Today, AppC supports a method for doing this type of delegation that uses HTTPS, and HTML meta tags. This type of delegation is inspired by the method used by the
go get
package management system as well.One critique of this method is that there is an RFC for this sort of meta information called 'well-known URIs'. I believe that using this type of well-known scheme is a better choice today and will stay out of people's way better; in fact we prototyped this in a project called abd.
FAQ
Why not DNS: If we used DNS it would make it hard to bootstrap trust of this source based on the existing well understood TLS infrastructure on the internet today. With systems like Let's Encrypt in place today I think it would be smart to rely on this existing trust root. We do this in rkt today and it works nicely.
But I have this way better way of doing delegation: We can add additional methods, but having some method to start for delegation is super helpful.
I don't want to allow outbound traffic to the internet: Container engines can allow for this feature to be turned off or configure that certain domains are statically delegated to internal mirrors. This is all about having a default UX.
The text was updated successfully, but these errors were encountered: