►
Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
A Safer Curl | Bash for the Cloud - Carolyn Van Slyck, Microsoft
Most of us have used curl to download a script and run it immediately. Using curl | bash provides instant gratification. We can quickly get up and running with an application without requiring a steep learning curve or a strong attention span. Unfortunately, the common advice is that this is not safe! But what if it was?
Let's walk through how we can work with people's natural tendencies, keep the one-liner and make it more secure. We will use Porter and Notary to transform an example cloud-native application deployment from a dicey bash script, executed with bash and hope, into a safer one-liner installation that was designed to be used in production.
You will learn:
Why curling a script to bash is insecure, and why bundles mitigate those risks.
How to reuse existing tools and scripts in a bundle, without starting over from scratch.
What a safer one-line user experience could look like.
A
A
A
First,
let's
talk
about
what
curl
pipe
bash
really
is.
So
this
is
what
it
looks
like:
that's
when
you
copy
and
paste
a
command.
That
looks
like
the
one
right
here
now.
We
all
use
scripts
like
this
because
they
install
quickly
and
it
helps
you
a
software
that
you
aren't
familiar
with
curl
downloads,
the
script
and
then
the
script
contents
are
piped
to
bash
and
they're
immediately
executed.
A
Personally,
I
really
like
installation
scripts.
I
can
copy
paste
my
way
to
victory
with
just
a
single
command.
They
require
little
to
no
knowledge
of
the
installation,
logic
or
tooling
and
yeah.
I
really
do
believe
that
the
project
maintainers
can
automate
the
installation
way
better
than
me
on
the
first
try.
A
A
Now
I
don't
know
about
you,
but
I
don't
hand
over
my
laptop
to
my
husband,
and
I
trust
him
mostly
when
we
think
about
handing
over
your
laptop
to
a
stranger,
it's
easy
to
see
why
it's
risky.
They
would
have
access
to
everything
on
there,
documents,
pictures
environment
variables
with
security
tokens
and
passwords
you're
logged
into
a
bunch
of
sites.
A
A
Instead
of
using
that
handy
one
liner,
here's
a
safer
way
to
run
an
installation
script
first
download
the
script,
then,
if
they
provided
a
checksum
of
the
script,
match
against
it
and
make
sure
you've
downloaded
the
right
file,
now
read
the
script
figure
out
if
it
is
legit.
If
it's
what
you
want
to
be
running
and
then
you
know
run
it.
A
A
A
Instructions
are
like
15
steps
where
you
have
to
install
three
clis
copy,
your
credentials
into
more
environment
variables,
you're
gonna,
forget
about
them
and
leave
them
around
forever,
and
you
know
it
requires
a
database
that
you
don't
feel
like
figuring
out
how
to
set
up
and
really
now
that
you
think
about
it.
Maybe
you'll
just
try
out
this
some
other
time,
because
this
is
just
one
more
yak
to
shave
and
you
have
work
to
do
you
know
who
could
really
benefit
from
a
one-liner
cloud-native
deployments,
often
they're
complex
with
dependencies
dedicated,
clis
magic
configuration
credentials.
A
Most
of
us
don't
want
to
read
a
series
of
docs
and
install
extra
tools
just
to
try
something
out.
We
really
don't
want
to
figure
out
how
to
script,
coordinating
all
these
tools,
for
example,
creating
a
database
and
then
passing
the
connection
string
as
a
helm.
Chart
value
just
a
little
example,
but
I
don't
want
to
do
it.
A
A
So,
let's
flip
the
reflexive.
You
can't
do
that.
That's
not
safe
to
how
can
we
make
it
safe?
What
would
we
need
to
do
to
make
that
happen?
We
need
to
isolate
the
installer
only
giving
access
to
what
it
needs
instead
of
being
able
to
read.
God
knows
what
that
is
hiding
on
my
laptop.
We
want
something
that
does
the
boring
stuff
like
checking
signatures
or
digests
for
us.
A
A
Let's
see
how
close
we
can
get
to
making
a
safer
installation
experience
for
our
users.
Porter
is
a
command
line
tool
that
makes
cloud
installers.
It
packages
your
application,
which
could
be
a
website,
a
microservice,
an
iot,
app
whatever,
with
all
the
necessary
tools,
configuration
and
deployment
logic
necessary
to
properly
install
your
application.
A
A
Porter
provides
packaging
distribution,
a
layer
of
security
around
what
you
already
use
today.
Let's
say
that
I
have
a
nifty
app
that
I'd
like
to
share
with
the
world
tabby
cats.
Tracker
tabby
cats
is
a
browser
extension
that
shows
you
a
different
cute
cat,
like
you
see
here
on
each
new
tab
that
you
open,
tabby
cat's
tracker
is
an
app
that
lets.
You
save
your
favorites
and
share
your
top
tabby
cats
with
your
friends.
A
Tabby
tracker
runs
on
kubernetes
and
it's
installed
with
a
helm
chart
and
because
I
was
resume
padding
a
bit,
it
uses
the
cloud
database
to
save
your
tabi's
too.
So
it's
got
everything
in
it.
Now,
let's
use
porter
to
install
tabby
tracker
safely,
no
curl
pipe
bash
for
us
for
unfamiliar
bundles.
You
can
use
porter,
explain
to
learn
how
to
install
it.
A
Bundles
have
meta
data
that
describes
what
the
bundle
is
its
version,
the
credentials
it
needs
to
install
and
any
parameters
that
you
can
use
to.
Customize.
The
installation
explain,
gives
you
enough
information
to
know
what
you
need
to
pass
to
the
porter
install
command
or
later
to
the
upgrade
command.
A
A
A
A
Here
I
have
azure
key
vault
set
up
with
secrets
for
the
service
principle,
I'm
using
azure,
but
I
could
have
used
any
secret
store
like
hashicorp.
Vault
porter
has
something
called
credential
sets,
which
is
a
mapping
between
the
credentials
used
by
the
bundle
and
where
porter
can
look
up
those
credentials
when
the
bundle
is
run.
Porter
looks
up
the
credentials
just
in
time
and
injects
them
into
the
bundle.
A
A
Porter
is
going
to
walk
through
each
credential
and
prompt
for
where
that
value
is
stored.
Now
mine
are
all
in
a
secret
store,
so
I
can
just
enter
in
the
key
name
for
each
value,
and
this
tells
porter
where
to
get
my
credentials
when
it
needs
it
later
now.
I
realize
this
is
an
extra
step
installing
something
that
you
wouldn't
have
to
do
with
curl
pipe
bash,
but
remember
that
one
of
our
goals
was
isolating
the
installation
script
from
our
local
computer.
A
We
don't
want
the
installer
to
be
able
to
snoop
around
and
find
juicy
environment
variables
with
tokens
and
credentials
in
them
when
porter
runs
a
bundle.
The
bundle
executes
inside
a
docker
container
any
credentials
that
the
bundle
needs
must
be
explicitly
passed
in
a
credential
set.
Lets
me
store
a
hint
for
porter
on
how
to
find
my
credentials.
A
So,
even
though
the
bundle
is
using
helm
and
terraform,
I
don't
have
to
have
those
installed
on
my
laptop,
because
the
bundle
remember
a
docker
container
has
the
right
versions
of
the
cli
installed.
Alongside
with
my
terraform
files
and
helm,
charts
everything
my
app
needs
to
install
is
inside
that
bundle.
It
doesn't
matter
what
I'm
installing
it's
the
same,
porter
install
command.
A
A
A
A
First,
the
image
used
by
my
deployment
uses
a
digest,
not
a
tag,
that's
something
that
porter
can
help
you
manage
so
that
you
aren't
copying
digest
around.
You
know,
because
it's
not
quite
as
easy
to
work
with
as
tags
and
I'll
show
you
in
a
minute.
Just
how
porter
does
that.
The
other
thing
that
you
can
see
is
that
porter
injected
the
connection
string
for
the
database
that
the
installation
script
created
now,
let's
go
see
the
source
for
the
bundle
and
how
it
was
made.
A
A
Keep
going,
let's
look
around
a
bit.
It
also
declares
what
tools
are
inside.
The
bundle
by
declaring
mix-ins
mix-ins
are
building
blocks
for
bundles
and
they
help
you
use
existing
tools
inside
of
a
bundle
and
have
it
work.
The
way
you'd
expect
mix-ins
install
the
tools
inside
the
bundle's
docker
image
and
map
between
the
yaml
that
you
see
here
and
the
final
commands
executed
inside
the
bundle
when
it's
run
mix-ins
can
make
it
easier
to
to
write
the
bundle.
A
A
So
pretty
much
everything
you
see
here
helps
you
create
a
bundle
with
just
one
file
and
the
yam
will
kind
of
help
to
piece
everything
together.
You
don't
have
to
do
this
like.
Quite
honestly,
you
could
keep
the
bash
script.
You
wrote
today
put
in
the
bundle
and
go,
but
for
a
lot
of
people.
This
extra
metadata
and
structured
view
of
passing
data
between
steps
can
be
really
helpful.
A
A
Now
we
wanted
to
isolate
the
installer,
automatically
check
signatures
and
digest,
and
we
wanted
insight
into
what
the
installer
was
actually
going
to
do.
Bundles
really
just
borrow
security
features
from
existing
tools.
We
can
check
off
isolated
installer,
they
run
in
a
container
and
they
only
have
access
to
what
we
explicitly
provide
like
cloud
credentials.
A
A
A
Full
disclosure?
It
isn't
always
a
one-liner.
The
first
time
you
run
a
new
bundle.
You're
going
to
run
porter,
explain
to
see
what
credentials
it
needs
and
then
create
a
credential
set
with
the
credits
it
needs.
If
you
don't
have
one
set
up
already,
but
for
any
bundle
that
you've
worked
with
before
it's
just
that
one
command
porter
install,
I
mean
I'm
calling
it
close
enough.
A
A
A
So,
in
addition
to
writing
an
installation
guide,
you
can
give
them
the
installer
that
helps
them
get
up,
get
set
up
really
the
first
time,
but
it
also
tracks
upgrades
over
time
so
that
you
can
manage
additional
operational
concerns
from
day
to
day,
like
a
bundle
could
help
you
do
troubleshooting
for
the
status,
see
what's
up
or
down
or
do
a
backup
even
your
own
internal
applications,
just
like
an
external
customer
would
kind
of
appreciate
a
little
help.
Setting
up
and
running
your
software.
You
know
the
same
applies
to
the
people
on
your
team.
A
I
can
ship
not
just
a
binary
or
a
docker
image
and
if
I'm
really
like
going
above
and
beyond
giving
someone
an
installation
guide,
that's
actually
useful
instead,
not
instead,
but
in
addition
to
I
can
just
ship
an
entire
installer.
It
has
all
the
tools
it
needs.
It
knows
how
to
do
a
proper
installation,
not
just
what
was
easiest
to
document
and
come
on.
I
mean
you
know,
there's
a
gap
between
the
two.
A
What's
in
the
docks
and
what's
a
real
production
installation,
you
could
put
that
real
production
insulation
in
the
bundle,
even
if
it's
awkward
and
hard
to
describe
here,
are
some
resources
for
getting
started.
Making
your
own
installers,
the
quick
start
walks
you
through
how
to
use
porter
to
install
bundles
or
you
know,
if
you
like
videos,
our
learning
page
has
demos
and
talks
that
cover
porter
just
in
general
and
when
you're
ready
to
make
your
first
bundle
run.
A
A
A
No
matter
what
you
say,
how
do
we
make
that
more
secure,
rather
than
telling
someone
nope
that's
a
bad
thing,
you're
a
bad
person
for
wanting
to
do
it.
Let's
aim
to
understand
why
they
want
to
do
this
task
in
the
first
place,
what
were
they
really
trying
to
accomplish,
and
maybe
there's
an
alternate
user
experience
that
we
could
provide
and
make
it
safe
thanks?
Everyone.