Thanks to visit codestin.com
Credit goes to github.com

Skip to content
This repository was archived by the owner on Feb 24, 2020. It is now read-only.

rkt: check signatures on --stage1-* options #2336

Merged
merged 3 commits into from
Mar 30, 2016
Merged

rkt: check signatures on --stage1-* options #2336

merged 3 commits into from
Mar 30, 2016

Conversation

@iaguis
Copy link
Member

@iaguis iaguis commented Mar 29, 2016

We were not checking signatures when the uses passes --stage1-*
options.

The new behavior is like so:

  • If the user doesn't pass any flag, stage1 images will be taken from the default stage1 directory or from the directory where the rkt binary is. In that case, we don't check any signatures.
  • If the user passes any --stage1-* flag, we always check the signature unless the resulting path is the one configured at build time.
  • If the user uses rkt's configuration to configure a different stage1 we assume they know what they're doing and we'll check the signature.

Does this make sense? // @krnowak

@iaguis iaguis added this to the v1.3.0 milestone Mar 29, 2016
@iaguis iaguis force-pushed the iaguis/check-stage1-signatures branch from 1fac843 to 41f6d7e Compare March 29, 2016 14:42
krnowak
krnowak reviewed Mar 30, 2016
View reviewed changes
rkt/stage1hash.go Outdated
ks := getKeystore()
// if the location of stage1 is in the default directory, we don't check
// the signature.
absLocation := filepath.Clean(location)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Eh? filepath.Clean does not return the absolute path.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, what I was thinking :D

@iaguis iaguis force-pushed the iaguis/check-stage1-signatures branch from 41f6d7e to 4e2a54f Compare March 30, 2016 11:37
@krnowak
Copy link
Collaborator

krnowak commented Mar 30, 2016

If the user doesn't pass any flag, stage1 images will be taken from the default stage1 directory or from the directory where the rkt binary is. In that case, we don't check any signatures.

No, when user doesn't pass any flag, stage1 image paths will be taken from configuration. If there's none, it will be taken from build defaults.

krnowak
krnowak reviewed Mar 30, 2016
View reviewed changes
rkt/stage1hash.go Outdated
ks := getKeystore()
// if the location of stage1 is in the default directory, we don't check
// the signature.
absLocation := filepath.Abs(location)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

filepath.Abs returns an error IIRC.

@iaguis iaguis force-pushed the iaguis/check-stage1-signatures branch from 4e2a54f to 49edc7e Compare March 30, 2016 11:43
@iaguis
Copy link
Member Author

iaguis commented Mar 30, 2016

No, when user doesn't pass any flag, stage1 image paths will be taken from configuration. If there's none, it will be taken from build defaults.

OK, I guess I meant if the user doesn't pass any flags and there's no configuration :P

@krnowak
Copy link
Collaborator

krnowak commented Mar 30, 2016

Ok, first when no --stage1-* flag is passed - when looking for stage1 image we have three things available - name, version and location. Name and version together make the image reference (like coreos.com/rkt/stage1-coreos:1.2.1). The location can be either a URL or an absolute path. All of those can be overridden by a configuration.

The image reference is used to look for the image in the store only (there is no fetching from remote), so at this point signature checking is not relevant. If there is no such image in the store, we use the location to fetch it and that's where we have to decide if the signature should be checked. In this case we should skip the verification if the location is either the same as the build-time default location (buildDefaultStage1ImageLoc) or location is somewhere below the build-time default stage1 images directory (buildDefaultStage1ImagesDir).

Now, when --stage1-* flag is passed, then each have to be considered case by case.

  • --stage1-path and --stage1-url - this is simple - skip the verification if the flag value is the same as the build-time default (buildDefaultStage1ImageLoc) or the path is below is somewhere below the build-time default stage1 images directory (buildDefaultStage1ImagesDir).
  • --stage1-hash - verification is not relevant.
  • --stage1-from-dir - skip the verification if the stage1-images dir is the same as build-time default stage1 images directory (buildDefaultStage1ImagesDir) or even a subdirectory of it.
  • --stage1-name - I have no idea about this. I'd say, just do the verification. The verification will be skipped if we already have the image in the store, so we are fine. The problem may arise when the discovery returns the same location as the build-time default location (buildDefaultStage1ImageLoc), because we cannot tell the fetcher to skip the verification, because the location is already known to be verified.

@krnowak
Copy link
Collaborator

krnowak commented Mar 30, 2016

Implementation-wise, since the are some various conditions when the verification should be skipped or not, it would be better if the getStage1Finder function would take a boolean parameter telling whether the returned Finder should have its Ks field filled with a keystore or not.

@iaguis
Copy link
Member Author

iaguis commented Mar 30, 2016

Thanks for the write-up. That still misses the case where we use the image in the same directory as rkt.

@iaguis iaguis force-pushed the iaguis/check-stage1-signatures branch 2 times, most recently from 394b06c to 08acd8f Compare March 30, 2016 15:17
krnowak
krnowak reviewed Mar 30, 2016
View reviewed changes
rkt/stage1hash.go Outdated
if err != nil {
return false, err
}
if location == buildDefaultStage1ImageLoc ||
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should use absLocation here.

@krnowak
Copy link
Collaborator

krnowak commented Mar 30, 2016

One nit, otherwise LFAD.

@iaguis
Copy link
Member Author

iaguis commented Mar 30, 2016

I guess I need to update the documentation

iaguis added 3 commits March 30, 2016 17:47
@iaguis
rkt: check signatures on --stage1-* options
9b3137b 
We were not checking signatures when the uses passes `--stage1-*`
options.
@iaguis
rkt: don't check stage1 signature if it's in the rkt binary dir
d7297ab
@iaguis
Documentation: update --stage1-* documentation
bbd2b67 
Simply use `--stage1-name` in most of the examples now that we have the
stage1 images in coreos.com.
@iaguis iaguis force-pushed the iaguis/check-stage1-signatures branch from 08acd8f to bbd2b67 Compare March 30, 2016 15:47
@krnowak
Copy link
Collaborator

krnowak commented Mar 30, 2016

LFAD if green.

I hope it won't break too many workflows, but it looks like it is a right thing to do.

@iaguis iaguis merged commit 9cbc0b3 into rkt:master Mar 30, 2016
@iaguis iaguis mentioned this pull request Mar 31, 2016
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

area/distribution kind/bug needs/some-changes priority/P0

Projects

None yet

Milestone

v1.3.0

Development

Successfully merging this pull request may close these issues.

2 participants

@iaguis @krnowak