...
We introduce a few terms here to make this proposal easier to follow:
Edge Container Objects (ECO) - A VM or Container deployed on an EVE instance.
ECO Images - The image file for a particular VM or Container, i.e. the image that is used to deploy the VM or Container for the first time in the production environment.
Mutated ECO Image - As the ECO runs on an EVE instance, it continuously changes its runtime state and accumulates data feeds from its external interfaces. All of this is stored on its virtual disk. We call the virtual disk that contains this modified ECO state the mutated ECO image.
Local File Store - Space on the permanent storage disk of an EVE instance that is consumable from an ECO, e.g. /persist/img. A file store need not be a secure file system.
Vault - A secure version of a Local File Store, where the files are encrypted using filesystem encryption support (e.g. fscrypt).
...
The App Instance configuration will carry this information: whether the App is protected by End-to-End Security and, if so, which Vault to associate this App Instance with. Zedmanager will consume this configuration and coordinate between Vault manager and Domain Manager to make sure the required Vault is ready before the User Application is launched.
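The gating described above can be sketched as follows. This is an added example, not EVE's own code: every name in it (`AppConfig`, `Coordinator`, `Submit`, `OnVaultStatus`, the vault name `image-vault`) is hypothetical, and vault readiness is modelled as a simple boolean.

```go
package main

import "fmt"

// Hypothetical names throughout; these are not EVE's own types or API.
type AppConfig struct {
	Name        string
	E2ESecurity bool   // protected by End-to-End Security?
	Vault       string // vault associated with this app instance
}

// Coordinator sits between vault readiness updates and domain launches.
type Coordinator struct {
	ready   map[string]bool        // vault name -> ready (absent means not ready)
	pending map[string][]AppConfig // apps parked until their vault is ready
}

// Submit reports whether the app may launch now; protected apps fail closed.
func (c *Coordinator) Submit(a AppConfig) (bool, error) {
	switch {
	case !a.E2ESecurity:
		return true, nil // unprotected: no vault dependency
	case a.Vault == "":
		return false, fmt.Errorf("%s: protected app names no vault", a.Name)
	case c.ready[a.Vault]:
		return true, nil // vault already usable
	}
	c.pending[a.Vault] = append(c.pending[a.Vault], a) // park, never fall back
	return false, nil
}

// OnVaultStatus records a readiness update and returns the apps it releases.
func (c *Coordinator) OnVaultStatus(vault string, isReady bool) (released []AppConfig) {
	c.ready[vault] = isReady
	if isReady {
		released = c.pending[vault]
		delete(c.pending, vault)
	}
	return released
}

func NewCoordinator() *Coordinator {
	return &Coordinator{map[string]bool{}, map[string][]AppConfig{}}
}

func main() {
	c := NewCoordinator()
	fmt.Println(c.Submit(AppConfig{"app1", true, "image-vault"})) // constructed sample
	fmt.Println(c.OnVaultStatus("image-vault", true))
}
```

The property to preserve in any real implementation is that a protected app is never started from the plain Local File Store when its Vault is unavailable; it is parked or rejected instead.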
Components Interacting with RW Partition on EVE
Component | Directory/File | Comments | Contains Sensitive Data? |
---|---|---|---|
Domain Mgr | /persist/img, /persist/rkt | for storing the mutable ECO disk images | Yes |
Downloader | /persist/downloads | for downloading Edge Container Images | No |
Verifier | /persist/downloads | for verifying integrity of downloaded images | No |
ZedAgent | /persist/config | for storing EVE device configuration | Yes |
TPM Mgr | /persist/config/tpm_in_use | for marking TPM mode of operation | No |
device-steps.sh | /persist/IMGA, /persist/IMGB | for storing image specific logs, info | No |
Network Interface Manager (NIM) | /persist/status | for storing DevicePortConfigList | No |
Providing Security By Default
...
b) A Vault to store ECO-related files (for ECO consumption) - let’s call it Image Vault - to store and launch mutated ECO images.
Even though these Vaults are created by default, a user can, if desired, change the policies associated with them through the interface specified in this proposal, just as for any user-created Vault.
...