Securely Storing Container Images with OCI Registries

Scenario: A developer, Alice, is working on a project that involves building, testing, and deploying container images. She wants to ensure that her images are securely stored and accessible only to authorized users. To achieve this, Alice decides to use an Open Container Initiative (OCI) registry.

Solution: OCI registries provide a secure and standardized way to store, manage, and distribute container images. A registry should be served over TLS so that images and credentials are protected in transit, and it authenticates clients before granting access: Harbor, for example, supports local (database) users, LDAP/Active Directory, and OIDC, and clients present username/password or token credentials when they push or pull. In this example, we will demonstrate how to use an OCI registry, specifically the Harbor registry, to store and manage container images and to control who can access them.

First, Alice sets up a Harbor registry instance. She can follow the official Harbor documentation to install and configure the registry: https://goharbor.io/docs/

Next, Alice builds her container image from a Dockerfile and pushes it to the Harbor registry. Pushing requires credentials for a Harbor user who holds at least the Developer role in the target project (Guest members can only pull), so she logs in first. She can use the following commands to log in, build, tag, and push her image:

docker login harbor.example.com
docker build -t myimage:latest .
docker tag myimage:latest harbor.example.com/myproject/myimage:latest
docker push harbor.example.com/myproject/myimage:latest

Replace myimage with the name of her image, myproject with the name of her Harbor project (the project must already exist; Harbor does not create it on push), and harbor.example.com with the hostname of her Harbor registry.

Now, Alice wants to ensure that only authorized users can access her images. Harbor enforces access control at the project level: each project is either public (anyone can pull from it) or private, and a private project is accessible only to its members. She adds users or groups (for example, from LDAP/AD or OIDC) as project members and assigns each a role, such as Guest (pull only), Developer (pull and push), Maintainer, or Project Admin. For CI pipelines she can create robot accounts scoped to the project with only the permissions the job needs, instead of sharing a personal password.

To test the access control policies, Alice authenticates as different users and tries to retrieve her images, using docker or skopeo to pull from the registry and the Harbor web UI or REST API (/api/v2.0) to manage project membership.

Here are some tests to verify that the images are securely stored and accessible only to authorized users. They assume myproject is a private project; Harbor also allows public projects, from which anyone can pull anonymously, so check the project's visibility first.

  1. Verify that the image is stored in the Harbor registry (skopeo needs the docker:// transport prefix; it reuses the credentials stored by docker login, or you can log in with skopeo directly):
skopeo login harbor.example.com
skopeo inspect docker://harbor.example.com/myproject/myimage:latest
  2. Verify that an authorized user (a project member with at least the Guest role) can pull the image:
  • Log in to the Harbor registry as that user:
docker login harbor.example.com
  • Pull the image:
docker pull harbor.example.com/myproject/myimage:latest
  • Log out of the Harbor registry:
docker logout harbor.example.com
  3. Verify that unauthorized users cannot pull the image:
  • With no credentials stored (after docker logout), or logged in as a user who is not a member of myproject, attempt to pull the image:
docker pull harbor.example.com/myproject/myimage:latest

This must fail with an error stating that the request is unauthorized. If the pull succeeds, the project is public or the user already holds a role in it.

  4. Verify that access control policies can be updated:
  • Log in to the Harbor web UI (or call the Harbor API) as a Harbor administrator or as a project administrator of myproject.
  • In the project's Members tab, add the new user or group with the Guest role, which permits pulling but not pushing.
  5. Verify that the new user or group can access the image:
  • Log out of the Harbor registry:
docker logout harbor.example.com
  • Log in to the Harbor registry as the new user (or as a member of the new group):
docker login harbor.example.com
  • Pull the image:
docker pull harbor.example.com/myproject/myimage:latest

This will confirm that the new user or group can pull the image according to the updated access control policies. As a negative check, a Guest-role user attempting docker push to the same repository should be refused.
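The access-control step and tests 3 to 5 above can be scripted instead of typed by hand. The following is an added example written for this page, not code from the Harbor project: it reproduces the token exchange docker performs when pulling (anonymous manifest request, 401 with a Bearer challenge, token from the challenge's realm using Basic credentials, retry with the Bearer token) so that pull access can be checked for any user without a Docker daemon, and it adds a project member through Harbor's members API. The host harbor.example.com, the project myproject, the repository myproject/myimage and the user names and passwords are hypothetical; the endpoints (/v2/ and POST /api/v2.0/projects/{project}/members) and the role IDs are Harbor's own.

```python
"""Added example (not Harbor project code): check pull access and grant a
project role against a Harbor registry using only the Python standard library.

Assumptions (hypothetical): Harbor at https://harbor.example.com, project
"myproject", repository "myproject/myimage". Endpoints used are Harbor's
standard ones: the OCI Distribution API under /v2/ with Bearer-token
challenges, and POST /api/v2.0/projects/{project}/members.
"""
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Harbor project role IDs accepted by the members API.
ROLE_IDS = {"project_admin": 1, "developer": 2, "guest": 3, "maintainer": 4, "limited_guest": 5}

# Manifest media types a client should accept; Harbor stores both OCI and Docker formats.
MANIFEST_ACCEPT = ", ".join([
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
])


def basic_auth_header(username, password):
    """RFC 7617 Basic credentials, used for both the Harbor API and its token endpoint."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_www_authenticate(header):
    """Parse a Distribution-style Bearer challenge, e.g.
    Bearer realm="https://h/service/token",service="harbor-registry",scope="repository:p/i:pull"
    into {"realm", "service", "scope"}. Returns None for a missing or non-Bearer challenge."""
    if header is None or not header.strip().lower().startswith("bearer "):
        return None
    params = dict(re.findall(r'(\w+)="([^"]*)"', header))
    return params if "realm" in params else None


def member_payload(username, role):
    """Request body that adds a user to a project with the named role."""
    return {"role_id": ROLE_IDS[role], "member_user": {"username": username}}


def _request(url, headers=None, data=None, method="GET"):
    """Perform one HTTP request and return (status, headers, body) even on 4xx/5xx."""
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()


def can_pull(registry, repository, reference, username=None, password=None):
    """True if the credentials can fetch the manifest, False if the registry refuses.
    Mirrors what `docker pull` does: anonymous GET -> 401 with a Bearer challenge ->
    fetch a token from the realm with Basic credentials -> retry with the Bearer token."""
    manifest_url = f"https://{registry}/v2/{repository}/manifests/{reference}"
    accept = {"Accept": MANIFEST_ACCEPT}
    status, headers, _ = _request(manifest_url, accept)
    if status == 200:
        return True                      # public project: anonymous pull allowed
    if status not in (401, 403):
        raise RuntimeError(f"unexpected HTTP {status} from {manifest_url}")
    challenge = parse_www_authenticate(headers.get("WWW-Authenticate"))
    if challenge is None or username is None:
        return False                     # private project and nothing to authenticate with
    query = urllib.parse.urlencode({"service": challenge.get("service", ""),
                                    "scope": challenge.get("scope", "")})
    status, _, body = _request(f"{challenge['realm']}?{query}",
                               {"Authorization": basic_auth_header(username, password)})
    if status != 200:
        return False                     # credentials rejected by the token service
    token = json.loads(body)
    bearer = token.get("token") or token.get("access_token")
    status, _, _ = _request(manifest_url, {**accept, "Authorization": f"Bearer {bearer}"})
    if status == 200:
        return True
    if status in (401, 403):
        return False                     # authenticated, but no role in the project
    raise RuntimeError(f"unexpected HTTP {status} from {manifest_url}")


def grant_project_role(harbor_url, admin_user, admin_pass, project, username, role):
    """Add `username` to `project` with `role` via the Harbor API as an administrator.
    Returns the HTTP status: 201 when added, 409 when the user is already a member."""
    url = f"{harbor_url}/api/v2.0/projects/{urllib.parse.quote(project, safe='')}/members"
    headers = {
        "Authorization": basic_auth_header(admin_user, admin_pass),
        "Content-Type": "application/json",
        "X-Is-Resource-Name": "true",    # path segment is a project name, not a numeric ID
    }
    body = json.dumps(member_payload(username, role)).encode()
    status, _, _ = _request(url, headers, body, "POST")
    return status


if __name__ == "__main__":
    # Walk through tests 3-5 from the text against the hypothetical registry.
    REG, REPO, TAG = "harbor.example.com", "myproject/myimage", "latest"
    print("anonymous pull allowed:", can_pull(REG, REPO, TAG))
    print("bob pull allowed before grant:", can_pull(REG, REPO, TAG, "bob", "bob-password"))
    print("grant guest to bob ->", grant_project_role(f"https://{REG}", "admin", "admin-password",
                                                      "myproject", "bob", "guest"))
    print("bob pull allowed after grant:", can_pull(REG, REPO, TAG, "bob", "bob-password"))
```

For a private project the expected sequence is False, False, 201, True; an anonymous True means the project is public. Because the check fetches only the manifest it completes in one round trip per attempt and never downloads layers. If the Harbor instance uses a certificate from a private CA, point Python at that CA bundle (for example with the SSL_CERT_FILE environment variable) rather than disabling verification, since a pull check that ignores TLS errors would also accept a spoofed registry.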

By using an OCI registry like Harbor, Alice can ensure that her container images are securely stored and accessible only to authorized users. She can also take advantage of features like access control policies, image scanning, and signing to enhance the security of her container supply chain.