github.com/rkt/rkt@v1.30.1-0.20200224141603-171c416fac02/Documentation/examples/metadata-service/README.md

# Metadata service example application

This directory includes an example application interacting with the rkt [metadata service](../../subcommands/metadata-service.md). It can sign and verify files against the metadata service following the [Identity Endpoint](https://github.com/appc/spec/blob/v0.8.11/spec/ace.md#identity-endpoint) of the [appc spec](https://github.com/appc/spec).

The signature file format is just the base64-encoded signature returned by the metadata service.

Note that this is just an example application: it doesn't work for big files and is not suitable for production use.

## Compilation

```shell
$ CGO_ENABLED=0 go build -o mds-example
```

## Trying it out

We'll start two pods and send a file from one to the other.
We'll use our example application to sign the file against the metadata service, then send the file and the signature to the receiving pod, where the example application verifies the message's integrity and authenticity.

Assuming we're in this directory, we've [compiled](#compilation) the example application and the metadata service is running, let's start two busybox pods with our app mounted inside, "POD a" and "POD b":

```shell
$ sudo rkt run --mds-register --interactive --volume=mds-example,kind=host,source=$PWD/mds-example kinvolk.io/aci/busybox:1.24 --mount volume=mds-example,target=/bin/mds-example
[POD a] / #
```

```shell
$ sudo rkt run --mds-register --interactive --volume=mds-example,kind=host,source=$PWD/mds-example kinvolk.io/aci/busybox:1.24 --mount volume=mds-example,target=/bin/mds-example
[POD b] / #
```

In "POD a", we'll create a message and sign it using our example application:

```shell
[POD a] / # echo "Very trustworthy message" > msg.txt
[POD a] / # mds-example sign --file=msg.txt --signature=msg.sig
[POD a] / # ls -l msg*
-rw-------    1 root     root           125 Dec 18 17:34 msg.sig
-rw-r--r--    1 root     root            25 Dec 18 17:34 msg.txt
```

Now we'll transfer the message and its signature to "POD b", and look up the UUID of "POD a", which the receiver needs in order to verify:

```shell
# let's find out the IP address of POD b
[POD b] / # ip a
(...)
    inet 172.16.28.84/24 scope global eth0
(...)
[POD b] / # nc -l -p 9090 > msg.txt

# switch to POD a to send the message
[POD a] / # nc 172.16.28.84 9090 < msg.txt

# switch to POD b
[POD b] / # nc -l -p 9090 > msg.sig

# switch to POD a to send the signature
[POD a] / # nc 172.16.28.84 9090 < msg.sig

# find out the UUID of POD a
[POD a] / # echo $(wget -q -O - $AC_METADATA_URL/acMetadata/v1/pod/uuid)
d1703a6a-568a-48ee-b84b-4ccd803743dd
```

And finally, we'll verify the message in "POD b", passing the UUID of "POD a" so that the metadata service checks the signature against that pod's identity:

```shell
[POD b] / # cat msg.txt
Very trustworthy message
[POD b] / # mds-example verify --file msg.txt --uuid=d1703a6a-568a-48ee-b84b-4ccd803743dd --signature=msg.sig
signature OK
```
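The three requests the walkthrough makes against the metadata service (fetching the pod UUID, signing, verifying), written as a small Go client. This is an added example, not the `mds-example` source from this directory: the endpoint paths and the `content`, `uuid` and `signature` form fields follow the appc Identity Endpoint linked above, the 200-or-403 answer on verify is assumed from that spec, and `AC_METADATA_URL` is the base URL rkt exports inside a pod started with `--mds-register`.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// readOK drains resp and returns its body, or an error when the status is not 200.
func readOK(resp *http.Response, err error) (string, error) {
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err == nil && resp.StatusCode != http.StatusOK {
		err = fmt.Errorf("metadata service answered %s: %s", resp.Status, strings.TrimSpace(string(body)))
	}
	return string(body), err
}

// PodUUID fetches the calling pod's UUID, as the walkthrough does with wget against AC_METADATA_URL.
func PodUUID(mdsURL string) (string, error) {
	body, err := readOK(http.Get(mdsURL + "/acMetadata/v1/pod/uuid"))
	return strings.TrimSpace(body), err
}

// Sign asks the service to sign content on behalf of the calling pod (which the service
// identifies itself) and returns the base64 signature, i.e. the contents of the signature file.
func Sign(mdsURL string, content []byte) (string, error) {
	return readOK(http.PostForm(mdsURL+"/acMetadata/v1/pod/hmac/sign", url.Values{"content": {string(content)}}))
}

// Verify asks the service whether sig is a valid signature over content by the pod uuid.
// The service answers 200 if so and 403 if not (assumed from the appc spec); any other
// answer is reported as an error rather than as a failed verification.
func Verify(mdsURL string, content []byte, uuid, sig string) (bool, error) {
	form := url.Values{"content": {string(content)}, "uuid": {uuid}, "signature": {strings.TrimSpace(sig)}}
	resp, err := http.PostForm(mdsURL+"/acMetadata/v1/pod/hmac/verify", form)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusForbidden {
		return false, fmt.Errorf("verify: unexpected answer %s", resp.Status)
	}
	return resp.StatusCode == http.StatusOK, nil
}
```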