Manifesto: A New Open Source Container Metadata Tool

Here at Aqua Security, we recently released an open source project to help container users manage the metadata associated with their container images. It’s called Manifesto, and it stores free-form metadata in the registry, alongside the images themselves.

The Need for Post-Build Metadata

I’ve been interested in container metadata for a while, working on MicroBadger and the label-schema standard. These projects addressed metadata that you can add to an image at build time through labels, but they don’t really help with the information about an image that you can update post-build — perhaps throughout its lifetime.

Just a few use cases for metadata that needs to be updated after an image is built include:

  • Keeping track of test results and approval status for an image as it passes through a set of “gates” before deployment
  • Saving the Seccomp / AppArmor or other security profile that you want this image to run under
  • Storing the latest vulnerability scan report for the image

In all these cases (and many more) it’s possible to store the information somewhere else, but it’s a headache to tie it back to the image it relates to. The Manifesto project aims to remove that pain and make it seamless to store and retrieve data for your images.

A Command Line Tool

With Manifesto, we’ve built a prototype command line interface (CLI) that lets users add, list and get arbitrary metadata for a specific image.

Metadata for Automation

The demo above shows retrieving the seccomp profile for a particular image and storing it in a file. This could then easily be passed into the command to deploy a container — for example in Docker:

  $ manifesto get myorg/myimage:v1.1 seccomp > seccomp.json
  $ docker run --security-opt seccomp=seccomp.json myorg/myimage:v1.1

More generally, the CLI could be used in many automation scripts — for example, storing test results and those all-important vulnerability scans for an image as part of a CI/CD pipeline.
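As an added example (not code from the Manifesto project or from this post), here is a small Python deployment gate built around the three use cases listed earlier: it fetches the seccomp profile, the latest scan report and the approval status for an image, refuses to deploy unless all three pass, and builds the `docker run --security-opt seccomp=...` invocation shown above. The entry name `seccomp` and the `manifesto get <image> <name>` syntax come from the post; the entry names `scan` and `approval`, their JSON schemas and the sample store are assumptions, since Manifesto stores free-form data and the layout is up to you.

```python
"""Deployment gate driven by per-image metadata retrieved with `manifesto get`.

Added example, not part of Manifesto. Assumed: metadata entries named "scan"
and "approval" (only "seccomp" appears in the post), and the JSON schemas
used below. Manifesto itself stores arbitrary bytes under any name.
"""
import json
import subprocess
from typing import Callable, Dict, List, Tuple

# A fetcher maps (image, metadata name) -> raw bytes, the shape of `manifesto get`.
Fetcher = Callable[[str, str], bytes]

# seccomp defaultAction values that deny (or kill/trap) any syscall not explicitly listed.
DENY_DEFAULTS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP"}
# Severities (assumed schema) that block a deployment.
BLOCKING_SEVERITIES = {"critical", "high"}


def manifesto_fetch(image: str, name: str) -> bytes:
    """Real fetcher: runs the CLI as shown in the post, `manifesto get <image> <name>`."""
    return subprocess.run(["manifesto", "get", image, name],
                          check=True, capture_output=True).stdout


def check_seccomp(raw: bytes) -> List[str]:
    """Problems with a seccomp profile: must be JSON, deny-by-default, with a syscall list."""
    try:
        doc = json.loads(raw)
    except ValueError:
        # An empty or corrupted entry must never be passed on to `docker run`.
        return ["seccomp: not valid JSON (empty or corrupted entry?)"]
    problems = []
    if doc.get("defaultAction") not in DENY_DEFAULTS:
        problems.append("seccomp: defaultAction %r is not deny-by-default" % doc.get("defaultAction"))
    if not isinstance(doc.get("syscalls"), list):
        problems.append("seccomp: missing 'syscalls' allow list")
    return problems


def check_scan(raw: bytes) -> List[str]:
    """Problems with a scan report. Assumed schema: {"vulnerabilities": [{"id": ..., "severity": ...}]}."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return ["scan: not valid JSON"]
    blocking = [v["id"] for v in doc.get("vulnerabilities", [])
                if v.get("severity", "").lower() in BLOCKING_SEVERITIES]
    return ["scan: blocking findings %s" % ", ".join(blocking)] if blocking else []


def check_approval(raw: bytes, stage: str) -> List[str]:
    """Problems with the approval record. Assumed schema: {"stage": str, "approved": bool}."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return ["approval: not valid JSON"]
    if doc.get("stage") != stage or doc.get("approved") is not True:
        return ["approval: image not approved for stage %r" % stage]
    return []


def gate(image: str, stage: str, fetch: Fetcher = manifesto_fetch) -> Tuple[bool, List[str]]:
    """Run every check; the image may be deployed only if all metadata entries pass."""
    problems: List[str] = []
    problems += check_seccomp(fetch(image, "seccomp"))
    problems += check_scan(fetch(image, "scan"))
    problems += check_approval(fetch(image, "approval"), stage)
    return (not problems, problems)


def run_command(image: str, profile_path: str) -> List[str]:
    """The docker invocation from the post, as an argv list (no shell quoting surprises)."""
    return ["docker", "run", "--security-opt", "seccomp=" + profile_path, image]


# Constructed sample metadata standing in for registry contents; not real scan output.
SAMPLE_STORE: Dict[Tuple[str, str], bytes] = {
    ("myorg/myimage:v1.1", "seccomp"): json.dumps({"defaultAction": "SCMP_ACT_ERRNO",
        "syscalls": [{"names": ["read", "write"], "action": "SCMP_ACT_ALLOW"}]}).encode(),
    ("myorg/myimage:v1.1", "scan"): json.dumps({"vulnerabilities": [
        {"id": "EXAMPLE-0001", "severity": "low"}]}).encode(),
    ("myorg/myimage:v1.1", "approval"): json.dumps({"stage": "production", "approved": True}).encode(),
    ("myorg/myimage:v1.2", "seccomp"): b"",  # empty entry: `get` returned nothing
    ("myorg/myimage:v1.2", "scan"): json.dumps({"vulnerabilities": [
        {"id": "EXAMPLE-0002", "severity": "high"}]}).encode(),
    ("myorg/myimage:v1.2", "approval"): json.dumps({"stage": "staging", "approved": True}).encode(),
}


def sample_fetch(image: str, name: str) -> bytes:
    """Offline fetcher over the constructed store, same signature as manifesto_fetch."""
    return SAMPLE_STORE[(image, name)]


if __name__ == "__main__":
    for img in ("myorg/myimage:v1.1", "myorg/myimage:v1.2"):
        ok, why = gate(img, "production", sample_fetch)
        print(img, "OK" if ok else "BLOCKED", *why, sep="\n  ")
        if ok:
            print("  would run:", " ".join(run_command(img, "seccomp.json")))
```

In a pipeline you would drop the sample store and call `gate(image, stage)` with the default fetcher, so every decision is made from what the registry holds for that exact image reference rather than from whatever file happened to be lying around on the build agent.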

Leveraging Notary for Data Security

It’s important that the metadata is kept secure and intact — you don’t want a bad actor being able to mess with your vulnerability reports to mask an exploit, or tampering with your security profiles. The Docker team have done an excellent job of ensuring the provenance of images through Notary, and with Manifesto, we’re aiming to leverage Notary for image metadata as well as the images themselves. In fact, there’s a Moby project proposal for standardized vulnerability reports that discusses using an approach along these same lines.

The Future of Manifesto

We’re aiming to take Manifesto forward from its current prototype stage to being a robust, secure and useful tool. Our friends at Puppet have already integrated Manifesto into their project Lumogon, a tool for inspecting container-based applications. We’ve had some helpful feedback, and, dear reader, we welcome your ideas, comments, PRs, and GitHub stars!

Liz Rice

Liz Rice is the VP of Open Source Engineering at cloud native security specialists Aqua Security, where she works on container-related open source projects including kube-bench and kube-hunter. She chairs the CNCF’s Technical Oversight Committee, and in 2018 was Co-Chair of the CNCF’s KubeCon + CloudNativeCon events in Copenhagen, Shanghai and Seattle. She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not writing code, or talking about it, Liz loves riding bikes in places with better weather than her native London, and competing in virtual races on Zwift.