
Comments (7)

thaJeztah commented on August 26, 2024

/cc @docker/core-notary-maintainers

from engine-api.

endophage commented on August 26, 2024

@ibuildthecloud thank you for the feedback. I'll try to provide some explanation on how trusted pulls work specifically, then let you decide if you still want changes made to the APIs.

First, trusted pulls rely on a previously existing feature, "pull-by-digest". In this flow, engine is provided with the image name and a checksum of the desired version (in place of the normal tag). This is secure vs a typical pull by tag because the user is specifying the exact content they want to retrieve, rather than a name which could be associated with any content (in a pull by tag it's up to the server to resolve the name).

Content trust then leverages pull-by-digest and moves the name resolution from the server, to the docker CLI. The docker CLI retrieves and validates the trust data for the image repository, looks up the provided tag in that trust data, and receives the checksum (sha256) of the image associated with that tag. It is then able to execute a secure pull-by-digest against the engine.

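The flow endophage describes above, as an added Go example that is not part of the thread and is not Docker's or Notary's code: the client resolves a tag against trust data into a by-digest reference, then checks the returned bytes against that digest. `TrustData`, `ResolveTrusted`, `VerifyPulled` and `Digest` are hypothetical names, the trust data is assumed to be already signature-validated, and the sample content is constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// TrustData is a hypothetical stand-in for trust metadata whose signatures
// have already been validated: tag -> hex sha256 of the image content.
type TrustData map[string]string

var ErrUntrustedTag = errors.New("tag not in trust data")
var ErrDigestMismatch = errors.New("content does not match pinned digest")

func Digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// ResolveTrusted resolves the tag on the client and returns a by-digest reference.
func ResolveTrusted(repo, tag string, td TrustData) (string, error) {
	d, ok := td[tag]
	if !ok {
		return "", fmt.Errorf("%s:%s: %w", repo, tag, ErrUntrustedTag) // fail closed, no tag fallback
	}
	if raw, err := hex.DecodeString(d); err != nil || len(raw) != sha256.Size {
		return "", fmt.Errorf("%s:%s: malformed digest in trust data", repo, tag)
	}
	return repo + "@sha256:" + d, nil
}

// VerifyPulled checks that the bytes returned for ref hash to the pinned digest.
func VerifyPulled(ref string, content []byte) error {
	_, want, ok := strings.Cut(ref, "@sha256:")
	if !ok || Digest(content) != want {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	good := []byte(`{"constructed":"manifest v1"}`) // constructed sample content
	td := TrustData{"1.0": Digest(good)}
	ref, _ := ResolveTrusted("example/app", "1.0", td)
	fmt.Println(ref, VerifyPulled(ref, good), VerifyPulled(ref, []byte("swapped")))
	_, err := ResolveTrusted("example/app", "latest", td)
	fmt.Println(err) // unsigned tag is refused
}
```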

stevvooe commented on August 26, 2024

@ibuildthecloud Ignore the black magic required to do trusted pulls, just parsing a string to ImageID and Tag is not even straightforward.

I noticed this yesterday while looking into the API client library a little more. I filed #137 in response. If you dig down into the example, it basically shows us just giving a ref to the method and have the engine-api sort out the parsing.

This was actually the goal of the reference package, but that effort needs a little more consolidation.


calavera commented on August 26, 2024

I'd rather not do this tbh. This package is designed, as much as possible, to only keep logic shared between API client and server. I agree with @stevvooe that we should work on consolidating the reference package.


bfirsh commented on August 26, 2024

@ibuildthecloud I agree that more client logic should live in a reusable library somewhere. Another example is simply running a container, which is also rather convoluted with this library.

@calavera If this package is designed to keep logic shared between API client and server, perhaps we should create another project as the user-facing library for building apps on top of the Docker API? Something akin to docker-py or dockerode, but for Go. WDYT?


vdemeester commented on August 26, 2024

I think it could in some engine-cli project used by docker/docker and designed in a reusable way 😇


stevvooe commented on August 26, 2024

@vdemeester It may also make sense in distribution.
