Tiara's workflow for actively managing OCI (Docker) image ownership - factory for building, publishing and archiving OCI images with a verifiable chain of trust
Tiara's OCI Images
Usage (Producing)
Configure environment
$> sh ./configure
Build Images
make <group>-<program><programversion>-<platform>
make all-<group>-<program>-<platform>
make all-<group>-<platform>
make <group>-<platform>
make all-<platform>
$> make build-python39-ubuntu
$> make _all-build-python-ubuntu
$> make _all-build-ubuntu
$> make build-ubuntu
$> make _all-ubuntu
Archive Images
Generate a gzip-compressed tarball archive of an image under dist/.
$> make build-python39-ubuntu ARCHIVE=1
Output path can be adjusted via $ARCHIVE_DIST_PATH.
$> make build-python39-ubuntu ARCHIVE=1 ARCHIVE_DIST_PATH=dist2
Sign the compressed archive; requires GPG_SIGNER_FINGERPRINT.
$> make build-python39-ubuntu ARCHIVE=1 SIGN_ARCHIVE=1
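A consumer-side check for a signed archive, added here as an example (it is not part of this repository). It assumes a detached signature stored as <archive>.sig, which this README does not specify, and a signer fingerprint obtained out of band (the value the producer sets as GPG_SIGNER_FINGERPRINT). It reads gpg's machine-readable status lines instead of trusting the exit code, because gpg --verify succeeds for a good signature from any key in the keyring.

```shell
#!/bin/sh
# Added example, not project code. Assumed layout: <archive> plus a detached
# signature <archive>.sig; the pinned fingerprint comes from a trusted channel.

# status_matches_fpr PINNED_FPR
# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG line names the pinned fingerprint, either as the signing (sub)key
# (field 3) or as the primary key (last field), and no failure status appears.
# VALIDSIG is also emitted for expired or revoked keys, so those are rejected
# explicitly.
status_matches_fpr() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # Appending "" forces string comparison; an all-digit-plus-E
        # fingerprint would otherwise be compared as a number.
        $2 == "VALIDSIG" && ((($3 "") == (want "")) || (($NF "") == (want ""))) { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_archive ARCHIVE PINNED_FPR
# The pipeline's status is that of status_matches_fpr, so a missing signature,
# a missing public key or a foreign signer all end in failure.
verify_archive() {
    archive=$1
    fpr=$2
    gpg --batch --status-fd 1 --verify "$archive.sig" "$archive" 2>/dev/null |
        status_matches_fpr "$fpr"
}

# Usage (path is a placeholder):
#   verify_archive "dist/<image>.tar.gz" "$PINNED_FPR" &&
#       docker load -i "dist/<image>.tar.gz"
```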
Publish Images
Push the image to a Docker registry.
Log in to the Docker registry before running this.
$> make build-python39-ubuntu PUBLISH=1
By default, images are published to docker.io/byteb4rb1e. This can be changed
through DOCKER_REGISTRY and DOCKER_REPO_SLUG.
$> make _all-ubuntu \
PUBLISH=1 \
DOCKER_REGISTRY=contoso.com \
DOCKER_REPO_SLUG=not-byteb4rb1e
Scan Images
Scan the image for vulnerabilities with the Aqua Security Trivy scanner and
publish the reports under test-reports/.
$> make _all-ubuntu SCAN=1
Sign scan
$> make _all-ubuntu SCAN=1 SIGN_SCAN=1
Mix & Match
Specify a sequence of targets and options to make in a single invocation.
$> make build-node23-ubuntu build-python313-ubuntu SCAN=1 ARCHIVE=1 PUBLISH=1
Parallelize
Run independent image builds and other jobs in parallel.
$> make _all-ubuntu -j8