
Disable read-only FS until we fix issue #1589 #1606

Closed
wants to merge 1 commit

Conversation

jhrozek
Contributor

@jhrozek jhrozek commented Nov 9, 2023

We track go-tuf writing into /home and not being allowed to in issue
artifact signatures.

Member

@rdimitrov rdimitrov left a comment

We should update this setting on the docker compose file too 👍

@JAORMX
Contributor

JAORMX commented Nov 9, 2023

@rdimitrov so, there is no way to configure where go-tuf downloads these files?

@rdimitrov
Member

rdimitrov commented Nov 9, 2023

> @rdimitrov so, there is no way to configure where go-tuf downloads these files?

@JAORMX - Alright, I'm silly 🤦‍♂️

I went back to the cosign code and found that in sigstore/sigstore there's a SIGSTORE_NO_CACHE env var that apparently should allow for tuf to run in a readonly setup which hopefully allows this for cosign too. Although it's not really documented anywhere so...there's that.

@jhrozek - did you find a way to reproduce this somewhat easily so we can try this?

@jhrozek
Contributor Author

jhrozek commented Nov 9, 2023

> @rdimitrov so, there is no way to configure where go-tuf downloads these files?
>
> @JAORMX - Alright, I'm silly 🤦‍♂️
>
> I went back to the cosign code and found that in sigstore/sigstore there's a SIGSTORE_NO_CACHE env var that apparently should allow for tuf to run in a readonly setup which hopefully allows this for cosign too. Although it's not really documented anywhere so...there's that.

Do we lose the ability to fetch the trust roots?

> @jhrozek - did you find a way to reproduce this somewhat easily so we can try this?

Not really, although it was visible several times a day in staging. We can push your patch and observe for 24h if you prefer.

@rdimitrov
Member

> Do we lose the ability to fetch the trust roots?

No, we shouldn't. It's just that if minder restarts cosign will rebuild/update its metadata state. Otherwise it would've read it from disk.

> @jhrozek - did you find a way to reproduce this somewhat easily so we can try this?
>
> Not really, although it was visible several times a day in staging. We can push your patch and observe for 24h if you prefer.

Ah, so we haven't seen that locally, i.e. using run-docker? Alright, I'll open a PR adding this env var 👍
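The thread never gets an easy local reproduction of the go-tuf write failure, and the SIGSTORE_NO_CACHE behaviour is described only from reading the cosign code. The following Go program is an added example, not minder's, cosign's or sigstore's own code: it models the two local-cache choices (on-disk under `$TUF_ROOT` or `$HOME/.sigstore/root`, versus in-memory when `SIGSTORE_NO_CACHE` parses as true) and runs a write/read-back probe at startup, so a read-only filesystem fails immediately and deterministically instead of sporadically in staging. The env var names, the directory lookup order and the `strconv.ParseBool` handling are my reconstruction of what sigstore's TUF client does, and the `metadataStore` interface, `probeStore` and the `.minder-tuf-probe` marker name are hypothetical names chosen for this example.

```go
// Added example: not minder's, cosign's or sigstore's code. Reconstructs the
// SIGSTORE_NO_CACHE / TUF_ROOT decision and adds a startup probe that makes a
// read-only TUF cache directory fail fast.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
)

const (
	envNoCache = "SIGSTORE_NO_CACHE" // "true" => keep TUF metadata in memory only
	envTufRoot = "TUF_ROOT"          // overrides the on-disk cache directory
)

// metadataStore is the minimal local-cache interface a TUF client needs:
// persist a metadata file and read it back. (Hypothetical name.)
type metadataStore interface {
	Set(name string, meta []byte) error
	Get(name string) ([]byte, bool)
}

// memoryStore never touches the filesystem, so it works on a read-only root FS.
// The cost, as noted in the thread, is that every process restart has to
// re-download and re-verify the metadata instead of reading it from disk.
type memoryStore struct{ m map[string][]byte }

func newMemoryStore() *memoryStore                  { return &memoryStore{m: map[string][]byte{}} }
func (s *memoryStore) Set(n string, b []byte) error { s.m[n] = b; return nil }
func (s *memoryStore) Get(n string) ([]byte, bool)  { b, ok := s.m[n]; return b, ok }

// diskStore approximates a file-backed TUF store: create the cache directory
// and write metadata into it. This is the kind of write that fails when the
// container filesystem is read-only.
type diskStore struct{ dir string }

func (s *diskStore) Set(n string, b []byte) error {
	if err := os.MkdirAll(s.dir, 0o700); err != nil {
		return fmt.Errorf("create tuf cache dir %q: %w", s.dir, err)
	}
	return os.WriteFile(filepath.Join(s.dir, n), b, 0o600)
}

func (s *diskStore) Get(n string) ([]byte, bool) {
	b, err := os.ReadFile(filepath.Join(s.dir, n))
	return b, err == nil
}

// cacheDir resolves where on-disk metadata goes: $TUF_ROOT if set, otherwise
// $HOME/.sigstore/root (assumed lookup order). env is injected (os.Getenv in
// production) so the decision is unit-testable.
func cacheDir(env func(string) string) string {
	if d := env(envTufRoot); d != "" {
		return d
	}
	return filepath.Join(env("HOME"), ".sigstore", "root")
}

// chooseStore applies the SIGSTORE_NO_CACHE switch discussed in the thread.
func chooseStore(env func(string) string) metadataStore {
	if noCache, err := strconv.ParseBool(env(envNoCache)); err == nil && noCache {
		return newMemoryStore()
	}
	return &diskStore{dir: cacheDir(env)}
}

// probeStore is a startup self-check: write a marker and read it back. Running
// it before the first signature verification turns an intermittent failure in
// staging into an immediate error at boot.
func probeStore(s metadataStore) error {
	const marker = ".minder-tuf-probe" // hypothetical marker file name
	if err := s.Set(marker, []byte("ok")); err != nil {
		return err
	}
	if got, ok := s.Get(marker); !ok || string(got) != "ok" {
		return errors.New("tuf cache read-back mismatch")
	}
	return nil
}

func main() {
	s := chooseStore(os.Getenv)
	if err := probeStore(s); err != nil {
		fmt.Fprintf(os.Stderr, "TUF cache unusable: %v (set %s=true on a read-only FS)\n", err, envNoCache)
		os.Exit(1)
	}
	fmt.Printf("TUF cache OK (%T)\n", s)
}
```

To reproduce the staging symptom locally without a read-only container, point `TUF_ROOT` at a path whose parent is a regular file (or a directory you cannot write to) and run the program: the disk store's `MkdirAll` fails and the process exits non-zero. With `SIGSTORE_NO_CACHE=true` the same run selects the in-memory store and passes, which is the behaviour the thread expects cosign to inherit.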

@jhrozek
Contributor Author

jhrozek commented Nov 9, 2023

> Ah, so we haven't seen that locally, i.e. using run-docker? Alright, I'll open a PR adding this env var 👍

I don't use run-docker, but run the server locally in the foreground.

@jhrozek
Contributor Author

jhrozek commented Nov 9, 2023

Closing in favour of #1611

@jhrozek jhrozek closed this Nov 9, 2023
3 participants