Running Trusted Signatures in Apptainer

June 22, 2022

Webinar Synopsis:


  • Jonathon Anderson, HPC Solution Architect, CIQ

  • Zane Hamilton, Director of Sales, CIQ

Note: This transcript was created using speech recognition software. While it has been reviewed by human transcribers, it may contain errors.

Full Webinar Transcript:

Zane Hamilton :

Is it possible to lock down execution to only allow containers that have trusted signatures to run? I think, Jonathon, you touched on this a little bit earlier, but I would rather you answer it again.

Containers with Trusted Signatures [00:09]

Jonathon Anderson:

This is the execution control list function; it’s just a config file, which exists globally for the system, so it’s not a per-user setting. But within the general etc/Apptainer directory structure, there is an ECL dot something file that allows you to specify one to many blocks of configuration for containers under a certain path. You can give either a list of fingerprints for keys that must have signed or may not sign. So you can block containers with certain signatures. You can require that all of the signatures in a list are present on a container, or you can give a list of signatures, any of which would allow it to run. Then you can lock that down for only verified containers that are in /tmp or only verified containers that are in a certain directory structure and require that your containers be in certain places as well.