Add allowed seccomp specific config media type #2306
Any plan to register this?
In the image spec? Hm, I'm not sure if that would be accepted. 🤔
@containers/image-maintainers PTAL
Signed-off-by: Sascha Grunert <[email protected]>
As discussed before in #2279
Cc: @nalind
Okay, I'm going to elaborate on the file based pull approach rather than full c/common libimage. I guess this would also simplify the whole media type topic by accepting anything.
I do think we need to arrive at a design for “where / how we store artifacts”. I don’t know what’s the best forum and process for that.
@mtrmac generally agree, for seccomp itself an in memory solution would be enough because the profile does not need to be on disk. We can create a more sustainable design later, when we want to fulfill more use cases like wasm. What do we need to do?
I’m not exactly sure how to do that right now with c/image but I’ll find out.
The digest verification alone suggests that c/image should probably provide a convenience helper doing that. (Right now c/image does take care of that, but only in
As for how to do that, the very rough outline is

```
src := something.NewReference().NewImageSource()
// m, mt := src.GetManifest()
// parse m, either using the generic code, or a specific format, in c/image/manifest
stream := src.GetBlob(digest)
// buffer AND digest stream
// if digest matches, consume
```

Alternatively, IIRC
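The outline above (check the manifest, then buffer and digest the blob before consuming it), as an added standard-library example that is not code from this thread, c/image or CRI-O. Only the media type string comes from the PR; `descriptor`, `profileLayer`, `readVerified`, the single-layer layout and the caller-supplied size limit are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"io"
)

// Media type named in this PR; every other name here is illustrative.
const seccompConfigType = "application/vnd.cncf.seccomp-profile.config.v1+json"

// descriptor: encoding/json matches the lower-camel JSON keys case-insensitively.
type descriptor struct {
	MediaType, Digest string
	Size              int64
}

// profileLayer rejects manifests that are not single-layer seccomp artifacts.
func profileLayer(raw []byte) (descriptor, error) {
	var m struct {
		Config descriptor
		Layers []descriptor
	}
	if err := json.Unmarshal(raw, &m); err != nil || m.Config.MediaType != seccompConfigType || len(m.Layers) != 1 {
		return descriptor{}, fmt.Errorf("not a single-layer seccomp artifact (config %q, err %v)", m.Config.MediaType, err)
	}
	return m.Layers[0], nil
}

// readVerified buffers and hashes the blob; bytes are released only on a match.
func readVerified(r io.Reader, d descriptor, limit int64) ([]byte, error) {
	if d.Size < 0 || d.Size > limit {
		return nil, fmt.Errorf("declared size %d out of bounds", d.Size)
	}
	buf, h := new(bytes.Buffer), sha256.New()
	// Read one byte past the declared size so an oversized stream is detected.
	n, err := io.Copy(io.MultiWriter(buf, h), io.LimitReader(r, d.Size+1))
	if err != nil || n != d.Size {
		return nil, fmt.Errorf("read %d bytes, want %d: %v", n, d.Size, err)
	}
	if got := fmt.Sprintf("sha256:%x", h.Sum(nil)); got != d.Digest {
		return nil, fmt.Errorf("digest mismatch: got %s", got)
	}
	return buf.Bytes(), nil
}

func main() {
	_, err := readVerified(bytes.NewReader([]byte("tampered")), descriptor{Digest: "sha256:00", Size: 8}, 1<<20)
	fmt.Println(err) // constructed input: reports a digest mismatch
}
```

Because nothing is returned until both the size and the digest match, a caller never parses a profile that differs from what the manifest pinned, and the size bound keeps an in-memory pull from being used to exhaust memory.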
CRI-O now pulls OCI artifacts directly in-memory after the discussions in containers/image#2306 and kubernetes/website#45121. CRI-O also enforces the config media type `application/vnd.cncf.seccomp-profile.config.v1+json` for seccomp profiles. Signed-off-by: Sascha Grunert <[email protected]>
See cri-o/cri-o#7814
Adding the new seccomp related config media type
application/vnd.cncf.seccomp-profile.config.v1+json
to the list of allowed configurations.
Alternative to #2279
Testing in cri-o/cri-o#7804
cc @sftim @mtrmac