https://github.com/carv-ics-forth/singularity-pki-containers
Proof of concept that singularity containers can be signed with PKI certificates
https://github.com/carv-ics-forth/singularity-pki-containers
Science Score: 13.0%
This score indicates how likely this project is to be science-related based on various indicators:
-
○CITATION.cff file
-
✓codemeta.json file
Found codemeta.json file -
○.zenodo.json file
-
○DOI references
-
○Academic publication links
-
○Academic email domains
-
○Institutional organization owner
-
○JOSS paper metadata
-
○Scientific vocabulary similarity
Low similarity (11.1%) to scientific vocabulary
Repository
Proof of concept that singularity containers can be signed with PKI certificates
Basic Info
- Host: GitHub
- Owner: CARV-ICS-FORTH
- License: mit
- Language: Shell
- Default Branch: master
- Size: 16.6 KB
Statistics
- Stars: 0
- Watchers: 7
- Forks: 0
- Open Issues: 0
- Releases: 0
Metadata Files
README.md
singularity-pki-containers
Proof of concept that singularity containers can be signed with PKI certificates
Acknowledgements
We thankfully acknowledge the support of the European Commission and the Greek General Secretariat for Research and Innovation under the EuroHPC Programme through project DEEP-SEA (GA-955606). National contributions from the involved state members (including the Greek General Secretariat for Research and Innovation) match the EuroHPC funding.
Purpose
This software is a collection of scripts that create a PKI based Certificate Authority. Then using this CA we can create certificates and revoke,validate and verify them. Then we use these certificates to sign singularity container images and verify them after, similar to how singularity containers are signed and verified with PGP certificates.
Prerequisites
- SSH with SSH keys properly set up for seamless SSH connections between the hosts without the use of passwords.
- Docker Engine must be installed on all hosts. (https://docs.docker.com/engine/install/)
- Docker group must be created on all hosts and the user who runs CaDiSa must be a member on docker group in each host.
- If you want to run on multiple hosts, the location from where you run CaDiSa must be a shared location between all hosts eg NFS and make sure the local root users can have access to this shared folder, because docker runs with superuser privileges.
General structure
Folder "ca_management" contains scripts that create a Certificate Authority and run an OSCP server so that client certificates can be verified. It also contains scripts for certificate verification.
sifsign.sh signs a singularity image using a client's private key.
```
./sifsign.sh
./sif_verify.sh <SINGULARITY_IMAGE> <_CLIENT_PUBLIC_CERTIFICATE>
In order for the scripts to work correctly, verifycert.sh from folder camanagement has to be on the same directory as sif_verify.sh
slurmsingularityverifyandrun_pki.sh is a example slurm script, with a batch job to verify two singularity images and then run them. One image is not signed, the other is. It is only meant as an exaple for helping users writing their own scripts. The files used in this example are:
- lolcow.sif: an unsigned singularity image file
- lolcowsignedpki.sif: the file as above, but after it was signed using vavouris.key
- sif_sign.sh: the signing script
- sif_verify.sh: the verification script
- vavouris.key: private key, created from the CA
- vavouris.pem: public key, created from the CA
- verify_cert.sh: verification script
For installation and use of the Certificate Authority scripts, please read the README inside "ca_management" folder.
Owner
- Name: Computer Architecture and VLSI Systems (CARV) Laboratory
- Login: CARV-ICS-FORTH
- Kind: organization
- Location: Heraklion, Greece
- Website: http://www.ics.forth.gr/carv/
- Repositories: 53
- Profile: https://github.com/CARV-ICS-FORTH
GitHub Events
Total
Last Year
Issues and Pull Requests
Last synced: over 1 year ago
All Time
- Total issues: 0
- Total pull requests: 0
- Average time to close issues: N/A
- Average time to close pull requests: N/A
- Total issue authors: 0
- Total pull request authors: 0
- Average comments per issue: 0
- Average comments per pull request: 0
- Merged pull requests: 0
- Bot issues: 0
- Bot pull requests: 0
Past Year
- Issues: 0
- Pull requests: 0
- Average time to close issues: N/A
- Average time to close pull requests: N/A
- Issue authors: 0
- Pull request authors: 0
- Average comments per issue: 0
- Average comments per pull request: 0
- Merged pull requests: 0
- Bot issues: 0
- Bot pull requests: 0