Running Trusted Signatures in Apptainer
- Jonathon Anderson, HPC Solution Architect, CIQ
- Zane Hamilton, Director of Sales, CIQ
Note: This transcript was created using speech recognition software. While it has been reviewed by human transcribers, it may contain errors.
Full Webinar Transcript:
Zane Hamilton :
Is it possible to lock down execution to only allow containers that have trusted signatures to run? I think, Jonathon, you touched on this a little bit earlier, but I would rather you answer it again.
Containers with Trusted Signatures [00:09]
This is the execution control list function; it’s just a config file, which exists globally for the system, so it’s not a per-user setting. But within the general etc/Apptainer directory structure, there is an ECL dot something file that allows you to specify one to many blocks of configuration for containers under a certain path. You can give either a list of fingerprints for keys that must have signed or may not sign. So you can block containers with certain signatures. You can require that all of the signatures in a list are present on a container, or you can give a list of signatures, any of which would allow it to run. Then you can lock that down for only verified containers that are in /tmp or only verified containers that are in a certain directory structure and require that your containers be in certain places as well.