
How should builds using multiple container images be attested? #1150

Open
marcelamelara opened this issue Sep 23, 2024 · 2 comments
Labels
build-environment-track Issues/PRs related to the SLSA BuildEnv track

Comments

@marcelamelara
Contributor

How about a build being constructed using multiple container images?
ex: https://cloud.google.com/build/docs/build-config-file-schema#build_steps

Originally posted by @thirumalareddym in #1115 (comment)

@marcelamelara
Contributor Author

Notes from 10/23 discussion with @paveliak:
Different types of composition:

  • Composition of containers within containers
  • Containers execute sequential steps: Define a workflow which runs multiple steps. They are the ephemeral environments, but all running within the same virtual machine
  • We should assume these containers run in VMs, which are not rebooted
  • Some platforms introduce abstractions for when your execution includes multiple containers
  • Do the containers become an input into the build?
  • What if the unit of attestation includes multiple instances of a VM?
  • Can we aggregate the attestations as they are generated? We can technically provide the attestations up front as the environment is created, but nesting of environments makes this harder.
  • If you're using multiple images for the environment, multiple VSAs will be provided as early as possible.

@paveliak

paveliak commented Nov 4, 2024

@marcelamelara I am struggling with whether we need to include any wording about this issue in the track. When I think about the containers, two scenarios come to mind:

  • Container hosts a build environment (i.e. build executor runs inside the container)
  • Containers are used as building blocks for the individual tenant build steps

The original ask is about the second scenario (which is what Google Cloud Build does). If we look at the example provenance of Cloud Build, then it treats those multiple container images as dependencies and includes them in the provenance according to the Build track. And so the multiple-container issue is a Build track concern.

A more interesting scenario is attesting container environments when the build executor runs inside the container (actions-runner-controller could be an example of such a build platform). And I think we need to provide guidelines/requirements for the containers, which could be quite interesting at the L3 level. But that probably needs to be tracked by a separate issue.
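To make the Build-track treatment described above concrete, here is an added example (not code from the SLSA project or from Cloud Build): a SLSA v1 provenance statement for a two-step build whose steps run in different container images, each listed under resolvedDependencies, plus a check that flags any step image that is not pinned by a sha256 digest. The buildType, image names and digests are constructed placeholders, and the `steps` key under externalParameters is an assumed buildType-specific layout, not a field the SLSA schema defines.

```python
"""Check that every container image a multi-step build ran in is recorded as a
digest-pinned resolvedDependency in a SLSA v1 provenance statement."""
import json
import re

# Constructed sample provenance (not a real Cloud Build attestation). Field names
# follow the SLSA v1 provenance schema; the "steps" layout under externalParameters
# is an assumption for this hypothetical buildType. Digests are placeholders.
SAMPLE_PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": "aa" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/multi-step-build/v1",
            "externalParameters": {
                "steps": [
                    {"name": "example.invalid/builder/go:1.22", "args": ["go", "build", "./..."]},
                    {"name": "example.invalid/builder/packager:latest", "args": ["tar", "czf", "app.tar.gz", "app"]},
                ]
            },
            # Step images recorded as dependencies of the build (Build track treatment).
            # The second one has no digest, so it cannot be tied to a specific image.
            "resolvedDependencies": [
                {"uri": "example.invalid/builder/go:1.22", "digest": {"sha256": "bb" * 32}},
                {"uri": "example.invalid/builder/packager:latest", "digest": {}},
            ],
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builder"}},
    },
})

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def unpinned_step_images(statement_json: str) -> list[str]:
    """Return step images missing from resolvedDependencies or lacking a valid sha256."""
    stmt = json.loads(statement_json)
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        raise ValueError("not a SLSA v1 provenance statement")
    build_def = stmt["predicate"]["buildDefinition"]
    # Map each dependency URI to its sha256 digest (None if absent or malformed).
    pinned = {}
    for dep in build_def.get("resolvedDependencies", []):
        digest = dep.get("digest", {}).get("sha256", "")
        pinned[dep.get("uri")] = digest if SHA256_HEX.match(digest or "") else None
    steps = build_def.get("externalParameters", {}).get("steps", [])
    return [step["name"] for step in steps if not pinned.get(step["name"])]
```

A verifier applying the same rule to a real provenance would reject the build, since a tag like `:latest` with no digest does not identify which image actually ran the step.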
