aci-discovery
App Container Image Discovery Server
aci-discovery implements the server side of the App Container Image Discovery protocol. It hosts App Container images, signatures, and the public GPG keys used to generate those signatures.
Deployment is as simple as placing your ACI files and signatures in /opt/aci/images/{os}/{arch}/, your GPG keys at /opt/aci/pubkeys.gpg, and starting the aci-discovery daemon.
For example, to deploy an aci-discovery endpoint for example.com/reduce-worker:0.0.1, place the following files on disk and execute aci-discovery --domain=example.com:
- /opt/aci/images/linux/amd64/reduce-worker-0.0.1.aci
- /opt/aci/images/linux/amd64/reduce-worker-0.0.1.sig
- /opt/aci/pubkeys.gpg
GPG
The App Container specification encourages the use of GPG signatures to verify the integrity of image data.
Generate the required pubkeys.gpg file using a command like this (with no key ID given, --export writes every public key in your keyring):
gpg --armor --output /opt/aci/pubkeys.gpg --export
A detached GPG signature could be generated using the following command:
gpg --armor --output /opt/aci/images/linux/amd64/reduce-worker-0.0.1.sig \
--detach-sig /opt/aci/images/linux/amd64/reduce-worker-0.0.1.aci
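A pre-flight check for the layout above, as an added example that is not part of aci-discovery: it flags any image without a signature file and verifies each signature against only the keys in pubkeys.gpg. The function names are hypothetical, and gpg is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not part of aci-discovery. Function names are hypothetical;
# the directory layout is the one described in this README.

# List every .aci under ROOT/images/{os}/{arch}/ lacking a non-empty .sig.
# Returns 1 if any image is unsigned, 0 otherwise.
unsigned_images() {
    root=$1
    missing=0
    for aci in "$root"/images/*/*/*.aci; do
        [ -e "$aci" ] || continue            # glob matched nothing
        if [ ! -s "${aci%.aci}.sig" ]; then
            printf '%s\n' "$aci"
            missing=1
        fi
    done
    return "$missing"
}

# Verify each detached signature against ONLY the keys in ROOT/pubkeys.gpg,
# using a throwaway GnuPG home so the operator's own keyring plays no part.
verify_images() {
    root=$1
    home=$(mktemp -d) || return 2
    if ! gpg --homedir "$home" --batch --quiet --import "$root/pubkeys.gpg"; then
        rm -rf "$home"; return 2
    fi
    bad=0
    for aci in "$root"/images/*/*/*.aci; do
        [ -e "$aci" ] || continue
        if ! gpg --homedir "$home" --batch --verify "${aci%.aci}.sig" "$aci" 2>/dev/null; then
            printf 'signature check failed: %s\n' "$aci"
            bad=1
        fi
    done
    rm -rf "$home"
    return "$bad"
}

# Run both checks; intended to gate the start of the daemon.
audit_aci_root() {
    root=${1:-/opt/aci}
    [ -s "$root/pubkeys.gpg" ] || { echo "missing $root/pubkeys.gpg"; return 1; }
    unsigned_images "$root" || { echo "unsigned images listed above"; return 1; }
    verify_images "$root"
}

if [ "$#" -gt 0 ]; then audit_aci_root "$1"; fi
```

Run it as `sh aci-audit.sh /opt/aci` (the script name is a placeholder) and start the daemon only when it exits 0.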
TODO
- support for storage of image data in cloud services (e.g. Google Cloud Storage, Amazon S3, etc.)