Remote attestation

# AA

**Switch to a package mirror**
```
vi /etc/apk/repositories
```
```
https://mirrors.tuna.tsinghua.edu.cn/alpine/v3.14/main
https://mirrors.tuna.tsinghua.edu.cn/alpine/v3.14/community
```

**Add a proxy**
```
touch ~/.bashrc
vi ~/.bashrc
```
```
export HTTP_PROXY=http://172.24.51.140:7890
export HTTPS_PROXY=http://172.24.51.140:7890
```
```
source ~/.bashrc
```

**Update the package index**
```
apk update
```

**Install git, make and curl**
```
apk add git make curl
```

**Install Rust**
```
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable
```
```
source "$HOME/.cargo/env"
```
```
export RUSTUP_HOME=/mnt/.rustup
export CARGO_HOME=/mnt/.cargo
```
rustup only honours these two variables if they are exported before it runs, so set them first when the root filesystem is too small for the toolchain (see the `df -h` check below).

**Build AA**
```
git clone https://github.com/containers/attestation-agent
```
```
cd attestation-agent
```
```
make KBC=sample_kbc && make install
```
![捕获.PNG](https://cos.easydoc.net/36024082/files/lvxegd5z.PNG)
![捕获1.PNG](https://cos.easydoc.net/36024082/files/lvxegd1i.PNG)
![捕获2.PNG](https://cos.easydoc.net/36024082/files/lvxegd0u.PNG)
![捕获3.PNG](https://cos.easydoc.net/36024082/files/lvxegd9z.PNG)

**Check disk space**
```
df -h
```
![图片.png](https://cos.easydoc.net/36024082/files/lvxemb9l.png)

**Create a new blank image file, 1 GB in size**
```
dd if=/dev/zero of=new.img bs=1G count=1
```

**Partition it with fdisk**
```
fdisk new.img
```

**Create a loop device**
```
losetup -P -f --show new.img
```

**Copy the partitions**

Either partition by partition (the new partitions must be at least as large as the source ones; the partition table created with fdisk above is kept):
```
dd if=/dev/loop0p1 of=/dev/loop1p1 bs=2M status=progress
dd if=/dev/loop0p2 of=/dev/loop1p2 bs=2M status=progress
```
or the whole disk (this also copies the source partition table, so the extra space stays unpartitioned until the partition is grown):
```
dd if=/dev/loop0 of=/dev/loop1 bs=2M status=progress
```

**Grow the filesystem with resize2fs**

The copied filesystem still has its old size; resize2fs on an unmounted filesystem requires a preceding `e2fsck -f`.
```
e2fsck -f /dev/loopXp1
resize2fs /dev/loopXp1
```

**Detach the loop device** (the device that `losetup --show` printed)
```
losetup -d /dev/loop1
```

**Use a persistent volume**
```
kind: Service
apiVersion: v1
metadata:
  name: coco-demo
spec:
  selector:
    app: coco-demo
  ports:
    - port: 22
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: coco-demo
spec:
  selector:
    matchLabels:
      app: coco-demo
  template:
    metadata:
      labels:
        app: coco-demo
    spec:
      runtimeClassName: kata-qemu
      containers:
        - name: coco-demo
          image: docker.io/katadocker/ccv0-ssh
          imagePullPolicy: Always
          volumeMounts:
            - name: ima-config-volume
              mountPath: /sys/kernel/security/
            - mountPath: /mnt
              name: my-volume
      volumes:
        - name: ima-config-volume
          hostPath:
            path: /sys/kernel/security/
            type: Directory
        - name: my-volume
          persistentVolumeClaim:
            claimName: my-pvc
```
The hostPath volume exposes the host's securityfs (including the IMA measurement list) inside the container; `my-pvc` is a PersistentVolumeClaim that must already exist.

**Running two confidential containers in one pod**
```
containers:
  - name: coco-first
    image: docker.io/katadocker/ccv0-ssh
    imagePullPolicy: Always
  - name: coco-second
    image: docker.io/katadocker/ccv0-ssh
    imagePullPolicy: Always
```

**Error**
![图片.png](https://cos.easydoc.net/36024082/files/lw4ced3n.png)
![图片.png](https://cos.easydoc.net/36024082/files/lw4cez44.png)

Second attempt, with a different image for the second container:
```
containers:
  - name: coco-first
    image: docker.io/katadocker/ccv0-ssh
    imagePullPolicy: Always
  - name: coco-second
    image: busybox:1.28
    imagePullPolicy: Always
```
![图片.png](https://cos.easydoc.net/36024082/files/lw4cxdgu.png)
![图片.png](https://cos.easydoc.net/36024082/files/lw4cxvno.png)

# Running KBS

**Install the Rust toolchain**
```
curl https://sh.rustup.rs -sSf | sh
source "$HOME/.cargo/env"
```

**Install Go**
```
wget https://golang.google.cn/dl/go1.22.3.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.22.3.linux-amd64.tar.gz   # unpack into /usr/local/go
export PATH=$PATH:/usr/local/go/bin
go version
```

**Build and install KBS**
```
make background-check-kbs POLICY_ENGINE=opa
sudo make install-kbs
```

**The build timed out**
![图片.png](https://cos.easydoc.net/36024082/files/lw4l905r.png)

**Get the KBS source**
```
git clone https://github.com/confidential-containers/trustee.git
```

**Change to the Kubernetes deployment directory**
```
cd /root/trustee/kbs/config/kubernetes
```

**Configure the key**

This must be the same key that encrypts the image (`image_key` in the next section); the KBS serves it under the resource path named by the image's key ID.
```
echo "$(cat /root/image_key|base64)" > overlays/key.bin
```

**Run the deployment script**
```
./deploy-kbs.sh
```
![图片.png](https://cos.easydoc.net/36024082/files/lwrg51fn.png)
![图片.png](https://cos.easydoc.net/36024082/files/lwrg7rpq.png)

# Encrypting an image

**Build the image**
```
docker build -t unencrypted - <<EOF
FROM nginx:stable
RUN echo "something confidential" > /secret
EOF
```
```
head -c 32 /dev/urandom | openssl enc > image_key
KEY_B64="$(base64 < image_key)"
```
```
KEY_PATH="/default/image_key/nginx"
KEY_ID="kbs://${KEY_PATH}"
```
```
git clone https://github.com/confidential-containers/guest-components.git
cd guest-components
docker build -t coco-keyprovider -f ./attestation-agent/docker/Dockerfile.keyprovider .
```
![捕获1.PNG](https://cos.easydoc.net/36024082/files/lw7gjihb.PNG)
```
mkdir -p oci/{input,output}
skopeo copy docker-daemon:unencrypted:latest dir:./oci/input
docker run -v "${PWD}/oci:/oci" coco-keyprovider /encrypt.sh -k "$KEY_B64" -i "$KEY_ID" -s dir:/oci/input -d dir:/oci/output
```
Inspect the key-provider annotation on the first layer (it is base64-encoded JSON carrying the key ID):
```
skopeo inspect dir:./oci/output | jq '.LayersData[0].Annotations["org.opencontainers.image.enc.keys.provider.attestation-agent"] | @base64d | fromjson'
```
```
ENCRYPTED_IMAGE=some-private.registry.io/coco/nginx:encrypted
skopeo copy dir:./oci/output "docker://${ENCRYPTED_IMAGE}"
```

**Start the coco_keyprovider service**
```
cd attestation-agent/coco_keyprovider
RUST_LOG=coco_keyprovider cargo run --release -- --socket 127.0.0.1:50000 &
```
```
cat <<EOF > ocicrypt.conf
{
  "key-providers": {
    "attestation-agent": {
      "grpc": "127.0.0.1:50000"
    }
  }
}
EOF
```

**Install dependencies**
```
yum install protobuf-compiler
```
![图片.png](https://cos.easydoc.net/36024082/files/lw7gg3ho.png)

**Generate a key**
```
export OCICRYPT_KEYPROVIDER_CONFIG="$(pwd)/ocicrypt.conf"
head -c32 < /dev/random > key1
```

**Encrypt the image**
```
skopeo copy --insecure-policy --encryption-key provider:attestation-agent:keypath=$(pwd)/key1::keyid=kbs:///default/key/key_id1::algorithm=A256GCM docker-daemon:unencrypted:latest oci:encrypted
```
![图片.png](https://cos.easydoc.net/36024082/files/lw7goct6.png)

**Push the image**
```
ENCRYPTED_IMAGE=docker.io/legend/nginx:encrypted
skopeo copy oci:encrypted "docker://${ENCRYPTED_IMAGE}"
```
![图片.png](https://cos.easydoc.net/36024082/files/lw7goy9m.png)

**Add Docker Hub credentials**
```
skopeo copy oci:encrypted docker://docker.io/legend/nginx:encrypted --dest-creds=username:password
```
![捕获.PNG](https://cos.easydoc.net/36024082/files/lwhge1kq.PNG)

**Remove the old `.config` and recreate the registry directory**
```
mkdir -p /root/.config/containers/certs.d/docker.io
```
![图片.png](https://cos.easydoc.net/36024082/files/lwhh13vf.png)

**Create the repository**
```
skopeo copy oci:encrypted docker://docker.io/2055331743/nginx:encrypted --dest-creds=username:password
```
![捕获1.PNG](https://cos.easydoc.net/36024082/files/lwhgbel8.PNG)

**Check Docker Hub**
![捕获5.PNG](https://cos.easydoc.net/36024082/files/lwhgbea0.PNG)

**View the encryption metadata**
![捕获3.PNG](https://cos.easydoc.net/36024082/files/lwhgbehe.PNG)
![捕获4.PNG](https://cos.easydoc.net/36024082/files/lwhgbepk.PNG)

# Creating a VM image with dd

**Create a new blank image file, 1 GB in size**
```
dd if=/dev/zero of=new.img bs=1G count=1
```

**Partition it with fdisk**
```
fdisk new.img
```

**Create a loop device**
```
losetup -P -f --show new.img
```

**Mount**
```
mount /dev/loop0p1 /mnt/kata-p1
```

**Unmount**
```
umount /mnt/kata-p1
```

**Detach the loop device** (use the device that `losetup --show` printed)
```
losetup -d /dev/loop1
```

# Creating a VM image from a cloud image

**Get the cloud image**
```
wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img
```

**Install the qemu tools**
```
yum install -y qemu-kvm
```

**Convert qcow2 to raw**
```
qemu-img convert -p -f qcow2 -O raw focal-server-cloudimg-amd64.img focal-server-cloudimg-amd64.raw
```

**Grow the image**
```
qemu-img resize -f raw focal-server-cloudimg-amd64.raw +1G
```

**Map the partitions**
```
kpartx -va focal-server-cloudimg-amd64.raw
```
![图片.png](https://cos.easydoc.net/36024082/files/lx1fltb5.png)

**Show the partition table**
```
fdisk -l /dev/loop0
```
![图片.png](https://cos.easydoc.net/36024082/files/lx1fmtz4.png)

**Delete the first partition**
```
parted /dev/loop0 rm 1
```

**Recreate it, extended to the end of the disk**

The new partition must start on exactly the same sector as the old one, or the filesystem superblock is no longer at the partition start and e2fsck fails. `116MB` is within parted's rounding tolerance of the real start (227328 sectors, exactly 111 MiB), which is why this worked; giving the start in sectors (`227328s`) removes the guesswork.
```
parted /dev/loop0 mkpart primary ext4 116MB 3.2GB
```

**Print the partition table**
```
parted /dev/loop0 print
```
![图片.png](https://cos.easydoc.net/36024082/files/lx1fras6.png)

**Remap**
```
kpartx -d focal-server-cloudimg-amd64.raw
kpartx -va focal-server-cloudimg-amd64.raw
```
![图片.png](https://cos.easydoc.net/36024082/files/lx1fq603.png)

**Resize the filesystem**
```
e2fsck -f /dev/mapper/loop0p1
resize2fs /dev/mapper/loop0p1
```

**Check the filesystem**
```
mount /dev/mapper/loop0p1 /mnt
df -h /mnt
umount /mnt
kpartx -d focal-server-cloudimg-amd64.raw
```
![图片.png](https://cos.easydoc.net/36024082/files/lx1fw457.png)

Alternatively, mount the partition directly from the raw file at its byte offset (start sector times sector size, taken from `fdisk -l`):
```
fdisk -l focal-server-cloudimg-amd64.raw
mount -o loop,offset=$((227328 * 512)) focal-server-cloudimg-amd64.raw /mnt
```
![图片.png](https://cos.easydoc.net/36024082/files/lx1ft0o0.png)

**Fix DNS resolution inside the image**
```
unlink /mnt/etc/resolv.conf
touch /mnt/etc/resolv.conf
sudo mount -o bind /etc/resolv.conf /mnt/etc/resolv.conf
```

**chroot into the cloud image's root**
```
sudo chroot /mnt
mount -t proc proc /proc
mount -t devpts devpts /dev/pts
df -h
```
![图片.png](https://cos.easydoc.net/36024082/files/lx1g0q7i.png)

**Unmount everything**
```
umount /dev/pts
umount /proc
history -c
exit
umount /mnt/etc/resolv.conf
umount /mnt
```
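The image-encryption steps above end with a `skopeo inspect | jq` look at one layer's annotation. The script below is an added example (not code from these notes or from the CoCo projects) that checks a whole OCI manifest before it is pushed: every layer must carry an `+encrypted` media type, every encrypted layer must carry the attestation-agent annotation, and the `kid` inside it must be a well-formed `kbs:///repository/type/tag` key ID, which is the resource path the KBS has to serve. It uses only grep, sed and base64 so it works where jq is absent. The manifest it runs on is constructed inline; the annotation packet layout (base64 JSON with a `kid` field) is an assumption about the key provider's output, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the page or the CoCo projects: offline sanity checks
# on an encrypted OCI image manifest before pushing it.
# Assumption (not from the page): the key-provider annotation is base64 JSON
# with a "kid" field holding the kbs:// key ID. The sample manifest is constructed.

ANNOT='org.opencontainers.image.enc.keys.provider.attestation-agent'

# Write a constructed manifest to $1. By default it contains one properly
# encrypted layer and one plaintext layer that slipped in (the failure mode
# the checks must catch); pass "clean" as $2 to omit the plaintext layer.
make_sample_manifest() {
    packet='{"kid":"kbs:///default/key/key_id1","wrapped_data":"AAAA","iv":"AAAA","wrap_type":"A256GCM"}'
    b64=$(printf '%s' "$packet" | base64 | tr -d '\n')
    extra=',
  {"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:2222","size":1}'
    if [ "${2:-}" = clean ]; then extra=''; fi
    cat > "$1" <<EOF
{"schemaVersion":2,
 "config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:0000","size":1},
 "layers":[
  {"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip+encrypted","digest":"sha256:1111","size":1,
   "annotations":{"$ANNOT":"$b64"}}$extra
 ]}
EOF
}

# Media types of the layers only (the config blob is excluded). Works on
# pretty-printed and single-line JSON alike because grep -o emits one match per line.
layer_media_types() {
    grep -oE '"mediaType": *"[^"]+"' "$1" | grep 'image\.layer' | sed -E 's/.*: *"([^"]+)"/\1/'
}

# Number of layers that are still plaintext; must be 0 before pushing.
count_plaintext_layers() {
    layer_media_types "$1" | grep -vE '\+encrypted$' | wc -l | tr -d ' '
}

# Key IDs (kid) recovered from each layer's annotation packet, one per line.
layer_kids() {
    tr '{}' '\n\n' < "$1" | grep "\"$ANNOT\"" \
      | sed -E "s/.*\"$ANNOT\": *\"([^\"]+)\".*/\1/" \
      | while read -r b64; do
            printf '%s\n' "$(printf '%s' "$b64" | base64 -d)" \
              | sed -E 's/.*"kid": *"([^"]+)".*/\1/'
        done
}

# Map a kbs:// key ID to the KBS resource path (repository/type/tag) that the
# KBS must serve; rejects anything that is not exactly three non-empty segments.
kbs_resource_path() {
    case "$1" in kbs:///*) ;; *) echo "not a kbs:// key id: $1" >&2; return 1 ;; esac
    p=${1#kbs:///}
    case "$p" in
        */*/*/*|*//*|/*|*/) echo "bad resource path: $p" >&2; return 1 ;;
        */*/*) printf '%s\n' "$p" ;;
        *) echo "bad resource path: $p" >&2; return 1 ;;
    esac
}

# Overall verdict: every layer encrypted, and one well-formed key ID per
# encrypted layer. Returns 0 on success, 1 otherwise.
check_manifest() {
    plain=$(count_plaintext_layers "$1")
    enc=$(layer_media_types "$1" | grep -E '\+encrypted$' | wc -l | tr -d ' ')
    if [ "$plain" -ne 0 ]; then
        echo "FAIL: $plain plaintext layer(s) in manifest"; return 1
    fi
    nkids=0
    for kid in $(layer_kids "$1"); do
        kbs_resource_path "$kid" >/dev/null || { echo "FAIL: bad key id $kid"; return 1; }
        nkids=$((nkids + 1))
    done
    if [ "$nkids" -ne "$enc" ]; then
        echo "FAIL: $enc encrypted layer(s) but $nkids key annotation(s)"; return 1
    fi
    echo "OK: $enc encrypted layer(s)"
}

# Demo on the constructed manifest: the plaintext layer makes it fail.
tmp=$(mktemp)
make_sample_manifest "$tmp"
check_manifest "$tmp" || echo "refusing to push $tmp"
rm -f "$tmp"
```

To run it against a real layout produced by the steps above, point the functions at `oci/output/manifest.json` (or at `encrypted/blobs/sha256/<manifest digest>` for the `oci:encrypted` layout); `kbs_resource_path` on the kid it prints gives the path the KBS must serve, which is where the key from the "Configure the key" step has to end up.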
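The cloud-image section above hard-codes `offset=$((227328 * 512))` and recreates the root partition with a rounded `116MB` start. The script below is an added example (not from these notes) that derives those numbers from `fdisk -l` output instead: it extracts the sector size and a partition's start and end sectors (without confusing partition 1 with 14 or 15, and tolerating the `*` boot-flag column that MBR tables add), computes the byte offset for `mount -o loop,offset=`, emits the `parted` command in sector units so the start cannot move, and compares two `fdisk -l` captures to confirm it did not. The `fdisk -l` text is constructed: only the start sector 227328 of partition 1 is taken from the page's mount command, everything else is made up.

```shell
#!/bin/sh
# Added example, not from the page: partition arithmetic from `fdisk -l` output.
# FDISK_SAMPLE is constructed; only partition 1's start sector (227328) comes
# from the notes above. FDISK_MOVED is the same table with that start shifted,
# which is what a rounded parted start would look like if it did not snap back.

FDISK_SAMPLE='Disk focal-server-cloudimg-amd64.raw: 3.2 GiB, 3431038976 bytes, 6701248 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: gpt

Device                             Start     End Sectors  Size Type
focal-server-cloudimg-amd64.raw1  227328 6701214 6473887  3.1G Linux filesystem
focal-server-cloudimg-amd64.raw14   2048   10239    8192    4M BIOS boot
focal-server-cloudimg-amd64.raw15  10240  227327  217088  106M EFI System'

FDISK_MOVED='Sector size (logical/physical): 512 bytes / 512 bytes
Device                             Start     End Sectors  Size Type
focal-server-cloudimg-amd64.raw1  226562 6701214 6474653  3.1G Linux filesystem'

# Logical sector size reported by fdisk.
sector_size() {
    printf '%s\n' "$1" | sed -n 's/^Sector size (logical\/physical): *\([0-9][0-9]*\) bytes.*/\1/p'
}

# Column $3 (2=Start, 3=End) of partition number $2. The device name must end
# in a non-digit followed by the number, so "raw1" matches and "raw14" does
# not; a "*" boot flag in column 2 (MBR tables) shifts the columns right by one.
part_field() {
    printf '%s\n' "$1" | awk -v n="$2" -v c="$3" '$1 ~ ("[^0-9]" n "$") { if ($2 == "*") c++; print $c }'
}
part_start() { part_field "$1" "$2" 2; }
part_end()   { part_field "$1" "$2" 3; }

# Byte offset for `mount -o loop,offset=...`: start sector times sector size.
part_offset_bytes() {
    echo $(( $(part_start "$1" "$2") * $(sector_size "$1") ))
}

# parted invocation that recreates partition $2 on device $3 with the same
# start sector and the end pushed to the end of the disk, in sector units so
# nothing is rounded (GPT has no real "primary"; parted uses it as the name).
grow_partition_cmd() {
    start=$(part_start "$1" "$2")
    printf 'parted -s %s unit s rm %s mkpart primary ext4 %ss 100%%\n' "$3" "$2" "$start"
}

# After rm/mkpart, confirm the start sector did not move between the fdisk
# captures $1 (before) and $2 (after); if it did, e2fsck will not find the
# superblock where partition $3 now begins and the filesystem is unusable.
same_start() {
    [ "$(part_start "$1" "$3")" = "$(part_start "$2" "$3")" ]
}

# Demo.
echo "mount offset for partition 1: $(part_offset_bytes "$FDISK_SAMPLE" 1) bytes"   # 116391936
grow_partition_cmd "$FDISK_SAMPLE" 1 /dev/loop0
same_start "$FDISK_SAMPLE" "$FDISK_MOVED" 1 || echo "start sector moved; do not run resize2fs"
```

In practice, capture `fdisk -l /dev/loop0` into a variable before `parted rm`, run the command `grow_partition_cmd` prints, capture `fdisk -l` again and gate `e2fsck`/`resize2fs` on `same_start`. 227328 sectors is exactly 111 MiB, which is why parted's `116MB` landed on it; the sector form makes that explicit.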