Skip to content
Dev0 Docs

Podman Image Trust

Tags: podman

Basics

  1. Changes from these commands are written to /etc/containers/policy.json
  2. This has no user level configuration, all controls are global
  3. This supports only allowing GPG signed images from X repository based on a specific public key
  4. Terminology for docker.io/redhat/ubi8 - registry/repository/image

Base configuration

The file /etc/containers/policy.json should be configured as follows to permit users to permit building images. This permits the “contianer-storage” transport method which means locally built images/local user cache/things in podman images. This also rejects all external repos which you can read more about in [[#Create registry whitelist]]

{
    "default": [
        {
            "type": "reject"
        }
    ],
    "transports": {
        "containers-storage": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        }
    }
}

Allow importing images from files

The transport docker-archive would need to be permitted, copy the container-storage block from above to accomplish that, without this transport you cannot podman image load < image.tgz

Create registry whitelist

This rejects ALL repos, then rejects ALL of docker.io before permitting a single image. Omitting an image name would permit/reject a single repository

Terminal window
sudo podman image trust set -t reject default
sudo podman image trust set -t reject docker.io
sudo podman image trust set -t accept docker.io/redhat/ubi8
sudo podman image trust show

Result

Terminal window
> podman image trust show
TRANSPORT   NAME                   TYPE        ID          STORE
all         default                reject
repository  docker.io              reject
repository  docker.io/redhat/ubi8  accept


> podman pull redhat/ubi8
 docker.io/redhat/ubi8:latest
Trying to pull docker.io/redhat/ubi8:latest...
Getting image source signatures
Copying blob 95141d380d54 done
Copying config 75162cd9f6 done
Writing manifest to image destination
Storing signatures
75162cd9f635fcffe35bb260ef3fd912f1e5d73524361e9622bdd81b2cb94a3d


> podman pull redhat/ubi7
 docker.io/redhat/ubi7:latest
Trying to pull docker.io/redhat/ubi7:latest...
Error: initializing source docker://redhat/ubi7:latest: reading manifest latest in docker.io/redhat/ubi7: errors:
denied: requested access to the resource is denied
unauthorized: authentication required

Recover a broken JSON file

Terminal window
sudo rm /etc/containers/policy.json
sudo podman image trust set -t accept default
Sources:
  • https://github.com/containers/image/issues/548
  • https://docs.podman.io/en/latest/markdown/podman-image-trust.1.html