Immutable Storage for storing history, logs, or ledgers.
To detect who recorded or changed data, each record is signed with the recorder's private key and stored together with the recorder's certificate. Because stored data is also signed by the storage service, it is possible to tell which storage service holds the data. It is important to keep your private key in your own private storage: never store a decrypted private key in remote storage. Since a signature cannot be created until the private key has been decrypted with its secret password, you should sign data on your LOCAL computer.
Immutable Storage is a tool for storing unchangeable data such as history, logs, or ledgers.
Immutable Storage functions:
- Identity access management
- Remote storage management
- Library for storing immutable data while keeping the private key on the local computer
- Library for confidential data
Immutable Storage consists of Immutable Storage service and client.
The Immutable Storage service records data in a Kubernetes environment. A single storage service is sufficient for immutability and confidentiality, although you can create more than one storage service to make data storage redundant. A Storage Group consists of one or more Immutable Storage services.
There are three types of client, one for each kind of application:
- Web application: You can extend your web application to record immutable and confidential data using the WASM module (i.e. imms.wasm).
- Native Linux application: Your Linux application can use Immutable Storage functions from a library without writing a lot of code.
- Syslog client: Your syslog client gets Immutable Storage functions without adding any code if you edit a configuration file for rsyslogd.
Requirements:
- Kubernetes such as microk8s
- Kubernetes private image registry, CoreDNS and ingress controller
- containerd for image registry
- An Internet connection
The Immutable Storage Docker image can be pushed to your registry with the following commands, run as root or through sudo.
ctr i import imms-1.6.1.tar
ctr i push REGISTRY/imms:1.6.1 localhost:32000/imms:1.6.1
REGISTRY is your registry; for example, the local registry on microk8s is "localhost:32000". On microk8s, the ctr command may be replaced by microk8s.ctr. By default, "localhost:32000" is an insecure registry. To push the Immutable Storage image to an insecure registry, add the --plain-http option to the "ctr i push" command.
To configure resources for the Immutable Storage service, you need to edit a few lines in the imms-example.yaml file.
If, for example, your registry is localhost:32000, the line defining the image is the following:
- image: localhost:32000/imms:1.6.1
You must define an organization name for the Immutable Storage service. This organization name is also used as the domain name in the hostname. If you want to set the organization name to example.com, the value in the imms-example.yaml file looks like:
- name: IMMS_ORG
  value: example.com
Resources for Immutable Storage service can be created with the following command.
kubectl apply -f imms-example.yaml
Note: If you want to create these resources and follow the execution progress in the terminal, you need to comment out the following lines in the imms-example.yaml file.
#command:
# - sleep
# - "365d"
Then execute the following commands:
kubectl apply -f imms-example.yaml
kubectl exec -it imms -- bash
root@imms:/var/lib/ImmutableST/bin# ./imms.sh start
You can get the initial administrator secret, used to enroll the CA administrator, with the following command.
kubectl logs imms
This command prints the secret, which looks like:
Initial administrator secret: WNB57zcz
To access the Immutable Storage service, you need to map the service hostname to the Ingress IP address. You can use either the /etc/hosts file or a name server to map this hostname to the IP address. If, for example, the organization name is example.com and the Ingress IP address is "127.0.0.1", you can edit the /etc/hosts file with the following commands to map the service.
sudo sed -i '/www.example.com/d' /etc/hosts # delete a hostname
echo "127.0.0.1 www.example.com" | sudo tee -a /etc/hosts # add a hostname
Enter the username and the secret in a web browser and then click "Enroll user" to enroll the CA administrator. In this case, the username is "admin" and the secret is "WNB57zcz".
Note: You can delete the imms pod after enrolling the CA administrator.
kubectl delete pod imms
You can enroll an administrator to create an Immutable Storage service.
As CA administrator, you can add an administrator for the Immutable Storage service.
- Select the Register tab.
- Select the Storage service administrator from the User type drop-down list.
- Type the name you want to use as administrator in the User name text box.
- Click the Register button.
After you click Register, the secret is filled in the Secret text box.
You can enroll an administrator for Immutable Storage service.
- Select the Enroll tab.
- Type the name for Immutable Storage service in the Username text box.
- Type the secret, which was printed in the Register Secret text box, in the Secret text box.
- Click the Enroll button.
You can export an Immutable Storage service to join an Immutable Storage group.
- Select the Storage Service tab.
- Click the Export button.
- On Mozilla Firefox, click the Save File button in the file dialog that opens.
You can create an Immutable Storage group as CA administrator.
- Select the Switch User tab.
- Click the admin radio button in the Select a user list to select CA administrator.
You can register an administrator for Immutable Storage group.
- Select the Register tab.
- Select the Storage Group administrator from the User type drop-down list.
- Type the name you want to use as administrator in the User name text box.
- Click the Register button.
After you click Register, the secret is filled in the Secret text box.
You can enroll an administrator for Immutable Storage group.
- Select the Enroll tab.
- Type the name for Immutable Storage group in the Username text box.
- Type the secret, which was printed in the Register Secret text box, in the Secret text box.
- Click the Enroll button.
You can import Immutable Storage services to create an Immutable Storage Group.
- Select the Storage Service tab.
- Click the Import button.
- Select the ".dat" file that was saved in Section 4.2.3, "Exporting Immutable Storage Service".
- Click the Export button.
- Click the Save File button in the file dialog that opens.
You can deploy an Immutable Storage group as the administrator for Immutable Storage service.
- Select the Switch User tab.
- Click the administrator name for Immutable Storage service in the Select a user list.
- Select the administrator tab between the Enroll and the Switch User tab.
- Select the Storage Service tab.
- Click the Join button.
- Select the ".block" file that was saved in Section 4.3.3, "Exporting an Immutable Storage Group".
- Click the Enable button to deploy the Immutable Storage group on the Immutable Storage service.
After you click the Enable button, "Available" appears in place of the Enable button.
Unless otherwise noted, source files are distributed under the Apache License, Version 2.0 found in the LICENSE file.
Linux and Kubernetes are trademarks of The Linux Foundation registered in the United States and/or other countries. Mozilla, Firefox and the Firefox logo are trademarks of the Mozilla Foundation in the U.S. and other countries. All other trademarks are the property of their respective owners.