Switching from DCT to Red Hat simple signing and updating the virtual server

The Notary v1 service that supports Docker Content Trust (DCT) and the docker trust commands (including the alternative URLs) in IBM® Cloud Container Registry is discontinued. Any existing ICR images that were signed by using DCT must be re-signed by using Red Hat simple signing. For more information, see Release notes for Container Registry.

Prerequisites

  • Not applicable if you use load image and do not use any container registry.
  • Not applicable if your image is DCT signed and present in DockerHub.
  • Not applicable if the image is Red Hat simple signed and present in IBM® Cloud Container Registry (ICR), and the virtual server instance is already deployed with a Red Hat simple signed image.
  • Not applicable if your virtual server is already running and you do not plan to update the virtual server.
  • If you are performing a fresh install of IBM Hyper Protect Virtual Servers version 1.2.7.2, and want to use ICR, then the image should be signed with Red Hat simple signing.
  • Applicable only when the image is signed by using Docker Content Trust (DCT) and the image is present in ICR, and you plan to update the virtual server to the latest version. In this scenario, follow this procedure.
  • You must install Skopeo.

Procedure

  1. Run the following command to list all your IBM Hyper Protect Virtual Servers instances. See hpvs vs list for more information about the command.

    hpvs vs list
    
  2. Run the following command to view details about your virtual server instance. See hpvs vs show for more information about the command.

    hpvs vs show
    
  3. Complete the following steps to sign an image by using DCT, push it to ICR, and then re-sign it by using Red Hat simple signing:

    1. Build an image by using the following command:

      docker build . -t us.icr.io/yournamespace/imagename:latest
      
    2. Ensure that DOCKER_CONTENT_TRUST is turned on, so that the image is signed automatically when it is pushed. Use the following command:

      export DOCKER_CONTENT_TRUST=1
      

      Set the DCT server to the ICR Notary server (us.icr.io) by using the following command:

      export DOCKER_CONTENT_TRUST_SERVER=https://notary.us.icr.io
      
    3. Log in to ICR from your terminal by using the following command:

      1. ibmcloud login -a cloud.ibm.com --apikey $IAM_API_KEY
        
      2. ibmcloud cr login
        
    4. Push the image to ICR by using the following command:

      docker push us.icr.io/yournamespace/imagename:latest
      

      The following snippet is an example of the output:

      docker push us.icr.io/yournamespace/imagename:latest
      The push refers to repository [us.icr.io/yournamespace/imagename]
      e07ee1baac5f: Pushed
      latest: digest: sha256:55c..........................8b11 size: 525
      Signing and pushing trust metadata
      Enter passphrase for root key with ID 347bd0a:
      Enter passphrase for new repository key with ID 0667c56:
      Repeat passphrase for new repository key with ID 0667c56:
      Finished initializing "us.icr.io/yournamespace/imagename"
      Successfully signed us.icr.io/yournamespace/imagename:latest
      
    5. Generate a GPG key pair to use for Red Hat simple signing. Use the following command:

      gpg --full-generate-key
      
    6. Check the fingerprint of the key by using the following command:

      gpg --list-keys <key-name>
      

      The following snippet shows an example:

      gpg --list-keys test-key
      pub   rsa4096 2023-02-24 [SC]
      
      5A.......................12
      uid           [ultimate] test-key <test-key@ibm.com>
      sub   rsa4096 2023-02-24 [E]
      
    7. Export the public key in ASCII-armored format by using the following command:

      gpg --armor --export <key-name> > <filename>.pub
      
    8. Use the skopeo command to sign the image with Red Hat simple signing and push it to ICR:

      skopeo copy docker-daemon:us.icr.io/yournamespace/imagename:latest docker://us.icr.io/yournamespace/imagename:new --sign-by <fingerprint> --dest-creds iamapikey:*****
      

      Note: Ensure that you use the same fingerprint that is shown in step 3.6 (written without spaces). The signature is created with that key, and the same fingerprint is used as the keyid in the next step.

    9. Create the rhlatest.json file. The keyid is the fingerprint from step 3.6, and public_key is the content of the <filename>.pub file that you exported in step 3.7, as a single JSON string in which each line break is written as \n. The following snippet shows an example of the rhlatest.json file.

      {
            "keyid" : "394B6BAFAF31A1FF831DA382087916ED0F44A26F",
            "public_key" : "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQINBGOIbI0BEADvwdmYx1+cf3t1W1S5EVIoM9+TFRfld6uG9Sn+HIYzawCbJ8Wo\nTb3InrlMAJkAl09CMNFDGyvEtz1WBRDv5CS14PQ/c4FpDs02eUyoYFYN/naJO4nY\n5lGqIBoXAhE82WKEG6Av8VyErPRaoTuTi/LSfTHjtBpN0Xdami+OqlheQISE4c+3\nTnrMZl2WJOKlcdF/......................................................................................................../.....................................................................................EDssK2VRll0vbpB6tqG3VT/g0p6eYOaB+5aTZc80j8wGug\nDwLTfz+gcqNgvqUWlR4e4iyZ/yiiHJ1up57QzQ==\n=hIsJ\n-----END PGP PUBLIC KEY BLOCK-----\n"
      }


      Use this rhlatest.json file as the value of the content_trust_json_file_path parameter in the secure_create.yml file (step 4.2).

  4. Complete the following steps to register the Red Hat simple signed image and update the virtual server:

    1. Create a registry by using the following command:

      hpvs registry add --name <reg_name> --dct https://notary.us.icr.io  --url us.icr.io --user iamapikey
      

      For example:

      hpvs registry add --name icr_reg --dct https://notary.us.icr.io  --url us.icr.io --user iamapikey
      
    2. Generate the registration file for the image by using the secure_create.yml file:

      hpvs regfile create --config secure_create.yml --isvsecret --out $HOME/hpvs/config/encryptedRegfile.enc


      The following snippet is an example of a secure_create.yml file. The content_trust_json_file_path parameter points to the rhlatest.json file that you created in step 3.9, and pull_server is the name of the registry that you added in step 4.1.

      repository_registration:
         docker:
            repo: 'yournamespace/imagename'
            pull_server: 'icr_reg'
            # the rhlatest.json file that you created from the Red Hat simple signing key (step 3.9)
            content_trust_json_file_path: '/root/.docker/trust/tuf/us.icr.io/yournamespace/imagename/metadata/rhlatest.json'
            #env:
            # allowlist: []
         signing_key:
            private_key_path: '/root/cloud.private'
            public_key_path: '/root/cloud.pub'
         isv_secrets:
            #secrets_list:
            - "k1": "V1"
            - "k2": "V2"
         # Add linux capabilities to hyper protect virtual server. List of linux capabilities
         # are available here https://man7.org/linux/man-pages/man7/capabilities.7.html.
         # While adding capabilities remove the prefix "CAP".
         # For example CAP_AUDIT_CONTROL will be AUDIT_CONTROL
         cap_add: [] # eg: ["NET_ADMIN","NET_RAW"]
      
    3. Register the repository on the Secure Service Container partition by using the following command. The --pgp option takes the encrypted registration file that hpvs regfile create wrote in step 4.2:

      hpvs repository register --pgp=$HOME/hpvs/config/encryptedRegfile.enc --id=MyOwnRepo
      
    4. Update the image tag of the IBM Hyper Protect Virtual Servers container by running the following command. See hpvs vs update for more information about the command.

      hpvs vs update


      For example, the following command updates the virtual server to the image tag that you pushed and signed with skopeo in step 3.8 (new in that example). Use the tag that carries the Red Hat simple signature, not the tag that was only signed with DCT:

      hpvs vs update --name yourcontainername --repo MyOwnRepo --tag new


      The virtual server is now updated with the image that is signed with Red Hat simple signing and is present in ICR.
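The following script is added here as an example and is not part of the IBM documentation or the hpvs tooling. It automates steps 3.6 to 3.9: it normalizes the fingerprint printed by gpg --list-keys into the 40-character keyid, converts the exported .pub file into the single JSON string that rhlatest.json requires (each line break written as \n, quotes and backslashes escaped), and writes the file. The function names, the optional gpg --show-keys consistency check, and the demo key block (constructed, not a real key) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): build rhlatest.json for
# `hpvs regfile create` from a GPG fingerprint and an exported armored public key.
# Function names and the demo key material are this example's own.

# Turn a fingerprint as printed by `gpg --list-keys` (possibly with spaces
# or lower-case hex) into the 40 upper-case hex characters used as keyid.
# Fails if the input is not a valid v4 fingerprint.
normalize_fingerprint() {
    fp=$(printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F')
    case "$fp" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fp}" -eq 40 ] || return 1
    printf '%s' "$fp"
}

# Read an armored key block on stdin and emit it as a JSON string body:
# backslashes and double quotes escaped, each line ended with a literal \n.
json_escape_stream() {
    sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | awk '{printf "%s\\n", $0}'
}

# Optional consistency check (needs gpg 2.1.23+ for --show-keys): confirm that
# the fingerprint actually belongs to the exported key, so that keyid and
# public_key in rhlatest.json cannot disagree. $1 fingerprint, $2 .pub file.
check_fingerprint_matches_key() {
    gpg --with-colons --show-keys "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }' | grep -qx "$1"
}

# Write rhlatest.json.
#   $1 fingerprint (step 3.6), $2 exported .pub file (step 3.7), $3 output path
build_content_trust_json() {
    keyid=$(normalize_fingerprint "$1") || { echo "invalid fingerprint: $1" >&2; return 1; }
    grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$2" \
        || { echo "not an ASCII-armored public key: $2" >&2; return 1; }
    pubkey=$(json_escape_stream < "$2")
    printf '{\n    "keyid" : "%s",\n    "public_key" : "%s"\n}\n' "$keyid" "$pubkey" > "$3"
}

# Demo against a constructed key block (not a real key) so it runs offline;
# for a real key, export it with `gpg --armor --export <key-name> > test-key.pub`
# and pass the fingerprint from `gpg --list-keys <key-name>`.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/test-key.pub" <<'EOF'
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBEXAMPLEKEYNOTAREALKEYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
=AbCd
-----END PGP PUBLIC KEY BLOCK-----
EOF
    build_content_trust_json "5A00 0000 0000 0000 0000 0000 0000 0000 0000 0012" \
        "$dir/test-key.pub" "$dir/rhlatest.json"
    cat "$dir/rhlatest.json"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh rhlatest.sh demo` to see the generated file. With a real key, call check_fingerprint_matches_key before build_content_trust_json so that a copy-and-paste mistake in the fingerprint is caught here rather than when the virtual server fails to verify the image.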