Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

Managing compliance with Conforma

Red Hat Advanced Developer Suite - software supply chain 1.8

Learn how Conforma enables you to better verify and govern compliance of the code you promote. Additionally, customize the sample policies to fit your corporate standards.

Red Hat Customer Content Services

Abstract

This document provides information about how to manage and maintain software supply chain security by defining and enforcing policies for building and testing container images.

Preface
复制链接

Conforma enforces software supply chain security by validating that container images are signed and attested. Use this guide to define policies, check artifacts, and block untrusted builds from your environment.

A secure CI/CD workflow should include artifact verification to detect problems early.

Chapter 1. Conforma for RHADS - SSC
复制链接

Conforma is a policy-driven workflow tool for maintaining software supply chain security by defining and enforcing policies for building and testing container images.

The more complex a software supply chain becomes, the more critical it is to employ reliable checks and best practices to guarantee software artifact integrity, as your image containers, and source code dependability. This is where Conforma streamlines Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) build and deploy experience.

For a build system that creates Supply-chain Levels for Software Artifacts (SLSA) provenance attestations, such as Tekton with Tekton Chains and GitHub Actions with the SLSA GitHub Generator, checking the signatures and confirming that the contents of the attestations actually match what is expected is a critical part of verifying and maintaining the integrity of your software supply chain. A secure CI/CD workflow should include artifact verification to detect problems early. Conforma validates that a known and trusted build system signs and attests the container image.

The general steps for validating a signed and attested container image are as follows:

  1. Create or copy a container image with RHADS - SSC.
  2. Generate a signing key with Cosign.
  3. Sign the container image with Cosign.
  4. Attest the image with Cosign.
  5. Verify your signed and attested container image with the Conforma CLI.

Signed software artifacts like container images are at a significantly lower risk of several attack vectors than unsigned artifacts. When a container image is signed, various cryptographic techniques bind the image to a specific entity or organization. The result is a digital signature that verifies the authenticity of the image so that you can trace it back to its creator and also verify that the image was not altered or tampered with after it was signed.

Conforma uses the industry standard Sigstore and Cosign as a resource library to validate your container images. With Red Hat Trusted Artifact Signer, Red Hat’s supported version of the Sigstore framework, you can use your own on-premise instance of Sigstore’s services to sign and attest your container images with the Cosign CLI.

As for software artifact attestation, it cannot happen without provenance. Provenance is the verifiable information about software artifacts like container images that describes where, when, and how that artifact was produced. The attestation itself is an authenticated statement, in the form of metadata, that proves that an artifact is intact and trustworthy. Conforma uses that attestation to cryptographically verify that the build was not tampered with, and to check the build against any set of policies, such as SLSA requirements. .

When you push your code from either the RHADS - SSC development namespace to the stage namespace, or from the stage namespace to the production namespace, Conforma automatically runs its validation checks to make sure your container image was signed and attested by known and trusted build systems. When your image passes the Conforma check, you can merge your code changes to complete your promotion from one environment to the next.

Chapter 2. Installing the Conforma command line
复制链接

Install the Conforma command-line interface (CLI) to validate and inspect container images and their attestations from your local workstation.

Prerequisites

  • A working Red Hat Trusted Artifact Signer installation on Red Hat OpenShift Container Platform (OCP) version 4.13 or higher.
  • A workstation with the cosign and oc binary files installed.
  • Access to the OCP web console.

Procedure

  1. Download the ec binary file from the OCP cluster.

    1. Log in to the OCP web console. From the home page, click the ? icon, select Command line tools, go to the ec download section, then click the link for your platform.

    2. Open a terminal on your workstation, and decompress the binary .gz file by running the following command: 

      $ gunzip ec-amd64.gz
      Copy to Clipboard Toggle word wrap

    3. Make the binary executable by running the following command: 

      $ chmod +x ec-amd64
      Copy to Clipboard Toggle word wrap

  2. Move and rename the binary to a location within your $PATH environment: 

    $ sudo mv ec-amd64 /usr/local/bin/ec
    Copy to Clipboard Toggle word wrap

Verification

  • Run the ec version command. The result should be the version of the Conforma CLI that you just installed.

Chapter 3. Creating a policy
复制链接

A Conforma policy is a rule or set of rules and Conforma-specific annotations. Conforma can perform several types of policy checks, including checking all of the policy rules required for Red Hat products. Conforma uses the general purpose policy engine called Open Policy Agent (OPA). OPA defines its policy rules by using Rego. This means that the policy rules from OPA that are in a Conforma policy are also defined in Rego.

Procedure

  1. Create a Rego file to define a new policy rule, as in the following example: 

    echo 'package zero_to_hero

import future.keywords.contains
import future.keywords.if
import future.keywords.in


# METADATA
# title: Builder ID
# description: Verify the SLSA Provenance has the builder.id set to
#   the expected value.
# custom:
#   short_name: builder_id
#   failure_msg: The builder ID %q is not the expected %q
#   solution: >-
#     Ensure the correct build system was used to build the container
#     image.
deny contains result if {
	some attestation in input.attestations
	attestation.statement.predicateType == "https://slsa.dev/provenance/v0.2"

	expected := "https://localhost/dummy-id"
	got := attestation.statement.predicate.builder.id

	expected != got

	result := {
		"code": "zero_to_hero.builder_id",
		"msg": sprintf("The builder ID %q is not expected, %q", [got, expected])
	}
}
' > rules.rego
    Copy to Clipboard Toggle word wrap
    METADATA
    The first 10 lines of code comprise the METADATA comment block, which is how rego specifies rules annotations so that Conforma can include those annotation details in its successes and violations report.
    short_name
    This single policy rule verifies that the builder.id in your new policy rule matches the builder.id in your Supply-chain Levels for Software Artifacts (SLSA) provenance.
    input.attestations

    input is a Rego object that contains all of the information about your container image, its signature, and its attestations. The input.attestations attribute of the input object contains a list of attestations associated with the image.

    Tip

    You can save the input object to a JSON file to view the available values, which is helpful in writing new policy rules. To save the input object as a JSON file named input.json, run a command similar to the following example: 

    $ ec validate image --public-key cosign.pub \
  --image "$REPOSITORY:latest" \
  --policy policy.yaml \
  --output policy-input=input.json
    Copy to Clipboard Toggle word wrap

  2. Create a policy configuration to use your new policy rule: 

    echo "
---
sources:
  - policy:
      - $(pwd)/rules.rego
" > policy.yaml
    Copy to Clipboard Toggle word wrap

  3. Use the new policy to validate your container image, and to display additional information in the successes and violations report, as in the following example: 

    $ ec validate image --public-key cosign.pub \
  --image "$REPOSITORY:latest" \
  --policy policy.yaml \
  --show-successes --info --output yaml
    Copy to Clipboard Toggle word wrap

Verification

  • Check the successes and violations report to make sure that your new rule is in the successes list.

3.1. Configuring a policy
复制链接

You can configure a Conforma policy with an inline JSON or YAML string. This policy, sometimes called a config or a contract, specifies where Conforma should find the rules and data to use to apply the policies you want to enforce. You can also include or exclude a single rule or a particular package of rules.

Procedure

  1. Configure your policy in the command line as a JSON or YAML string, as in the following example: 

    $ ec validate image --policy '{
    "sources": [
        {
            "policy": ["oci::quay.io/enterprise-contract/ec-release-policy:latest"],
            "data": ["git::https://github.com/enterprise-contract/ec-policies//example/data"],
            "config": {"include": ["@minimal"]}
        }
    ]
}' ...
    Copy to Clipboard Toggle word wrap

  2. (Optional) Exclude a particular package of rules from your Conforma policy, as in the following example: 

    {
  "sources": [
    {
      "policy": [
        "oci::quay.io/enterprise-contract/ec-release-policy:latest"
      ],
      "data": [
        "git::https://github.com/enterprise-contract/ec-policies//example/data"
      ],
      "config": {
        "exclude": [
          "attestation_task_bundle",
          "slsa_build_scripted_build"
        ]
      }
    }
  ]
}
    Copy to Clipboard Toggle word wrap

    This command includes every rule from every package except for the rules in the specified packages.

  3. (Optional) Exclude a single rule, as in the following example: 

    {
  "sources": [
    {
      "policy": [
        "oci::quay.io/enterprise-contract/ec-release-policy:latest"
      ],
      "data": [
        "git::https://github.com/enterprise-contract/ec-policies//example/data"
      ],
      "config": {
        "exclude": [
          "attestation_task_bundle.unacceptable_task_bundle"
        ]
      }
    }
  ]
}
    Copy to Clipboard Toggle word wrap

    This commands includes every rule from the attestation_task_bundle package except for the unacceptable_task_bundle rule.

  4. (Optional) Include rules from only a particular package, as in the following example: 

    {
  "sources": [
    {
      "policy": [
        "oci::quay.io/enterprise-contract/ec-release-policy:latest"
      ],
      "data": [
        "git::https://github.com/enterprise-contract/ec-policies//example/data"
      ],
      "config": {
        "include": [
          "test",
          "java"
        ]
      }
    }
  ]
}
    Copy to Clipboard Toggle word wrap

    This command includes only the rules from the specified packages.

  5. (Optional) Include only some rules from a particular package. This means that you can specify both include and exclude to select only the rules you want your Conforma policy to include, as in the following example: 

    {
  "sources": [
    {
      "policy": [
        "oci::quay.io/enterprise-contract/ec-release-policy:latest"
      ],
      "data": [
        "git::https://github.com/enterprise-contract/ec-policies//example/data"
      ],
      "config": {
        "include": [
          ""*"",
          "attestation_task_bundle.unacceptable_task_bundle"
        ],
        "exclude": [
          "attestation_task_bundle.*"
        ]
      }
    }
  ]
}
    Copy to Clipboard Toggle word wrap
    asterisk (*)

    The asterisk (*) acts as a wildcard to match any package. It does not match partial names. For example, you cannot specify "s*" to match every package that starts with "s".

    These commands specify that you want to include only the unacceptable_task_bundle rule from the attestation_task_bundle package, and exclude all the other rules in that package.

  6. (Optional) Exclude certain checks so that Conforma can validate your container image even if those checks fail or don’t complete, as in the following example: 

    {
  "sources": [
    {
      "policy": [
        "oci::quay.io/enterprise-contract/ec-release-policy:latest"
      ],
      "data": [
        "git::https://github.com/enterprise-contract/ec-policies//example/data"
      ],
      "config": {
        "exclude": [
          "test:get-clair-scan",
          "test:clamav-scan"
        ]
      }
    }
  ]
}
    Copy to Clipboard Toggle word wrap

    This command specifies that, if either of the identified checks fails or does not complete, Conforma can still finish to validate your container image.

  7. (Optional) Modify the defaults for rules in a package by running either the config.policy.include command or the config.policy.exclude command, along with a list of strings.

    Your list of strings should include one of the following:

    package name
    Choose from the packages in the "Available rule collections" list.
    rule name
    Specify a rule name by entering the name of the package and the rule code, separated by a dot (.), as in this example: attestation_type.unknown_att_type. You can find rule codes under "Attestation type" in the upstream Conforma documentation.
    package name:term
    Some policy rules process a list of items. When you add "term" to the "package name" string, you can exclude or include a particular item from that list. This works similarly to "package name," except that it applies only to policy rules in the package that match that term. For example, if you run the test package, you can choose to ignore a given test case but include all the others.
    rule name:term
    This is similar to "package name:term" except that, instead of including or excluding an item from a package, you can include or exclude a particular package policy rule.
    @collection name
    Add this to your string to specify a predefined collection of rules. Prefix the collection name with the @ symbol. Choose from the available rule collections.

Chapter 4. Signing a container image
复制链接

Sign a container image by using the Red Hat Trusted Artifact Signer and Cosign to ensure its authenticity and integrity before validating it with Conforma.

Prerequisites

  • Access to the OpenShift Container Platform (OCP) web console.
  • A working Red Hat Trusted Artifact Signer (RHTAS) installation running on OpenShift version 4.13 or later.
  • A workstation with the ec, cosign, and oc binary files installed.

Procedure

  1. Log in to your OCP cluster by running the following command: 

    $ oc login --token=<TOKEN> --server=<SERVER_URL_AND_PORT>
    Copy to Clipboard Toggle word wrap

    For example: 

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC \
  --server=https://example.com:6443
    Copy to Clipboard Toggle word wrap
    Note

    To find your command line login token and URL, log in to the OpenShift web console. Click your user name, then click Copy login command. If prompted, enter your user name and password again, then click Display Token.

  1. Log in to RHTAS.

  2. Configure your RHTAS shell environment to sign and verify container images by running the following commands: 

    $ cd sigstore-ocp
    Copy to Clipboard Toggle word wrap 
    $ source tas-env-variables.sh
    Copy to Clipboard Toggle word wrap

    You also have the option to set the environment variables manually. For example: 

    export OPENSHIFT_APPS_SUBDOMAIN=apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }')
export OIDC_AUTHENTICATION_REALM=sigstore
export FULCIO_URL=https://fulcio.$OPENSHIFT_APPS_SUBDOMAIN
export OIDC_ISSUER_URL=https://keycloak-keycloak-system.$OPENSHIFT_APPS_SUBDOMAIN/auth/realms/$OIDC_AUTHENTICATION_REALM
export REKOR_URL=https://rekor.$OPENSHIFT_APPS_SUBDOMAIN
export TUF_URL=https://tuf.$OPENSHIFT_APPS_SUBDOMAIN
    Copy to Clipboard Toggle word wrap 
    $ source ./tas-env-vars.sh
    Copy to Clipboard Toggle word wrap

  3. Log out of your OCP cluster by running the following command: 

    $ oc logout
    Copy to Clipboard Toggle word wrap

  4. Identify the container image you want to sign and attest; for example: 

    IMAGE=quay.io/lucarval/rhtas-test@sha256:6b95efc134c2af3d45472c0a2f88e6085433df058cc210abb2bb061ac4d74359
    Copy to Clipboard Toggle word wrap

  5. Indicate to RHADS - SSC that you want to sign and attest your container image with Red Hat Trusted Artifact Signer instead of the public Sigstore deployment by running the following command: 

    $ cosign initialize --mirror=$TUF_URL --root=$TUF_URL/root.json
    Copy to Clipboard Toggle word wrap

  6. Sign your container image by running the following command: 

    $ cosign sign -y --fulcio-url=$FULCIO_URL \
  --rekor-url=$REKOR_URL \
  --oidc-issuer=$OIDC_ISSUER_URL $IMAGE
    Copy to Clipboard Toggle word wrap
  7. When prompted, log in to the Keycloak instance that RHADS - SSC installed when you installed RHADS - SSC. This is so Keycloak can authenticate you.

Next steps

Your image is now signed. Now you can:

  1. Create a SLSA provenance attestation and associate it with your container image.
  2. Validate your container image with the Conforma.

You must have a signing key before you can sign and attest a container image.

Prerequisites

  • A workstation with the cosign binary files installed.

Procedure

  1. Generate a key pair by running the following command: 

    $ cosign generate-key-pair
    Copy to Clipboard Toggle word wrap
  2. When prompted, enter a new password for the key-pair. Make sure your password is memorable and strong.

Verification

  • You should now have two new files in your working directory: a cosign.pub file and a cosign.key file.

    • The cosign.pub file contains your public signing key. You can share this key with any collaborator who needs to validate the container image.
    • The cosign.key file is your private key for signing content. Only the person responsible for signing and attesting images should have access to the cosign.key file.

When you install the Red Hat Trusted Artifact Signer (RHTAS) service, you can use the ec binary file to validate the attestation and signature of the container images that use the RHTAS service’s keyless signing framework.

Prerequisites

  • A working RHTAS installation running on OpenShift Container Platform (OCP) version 4.13 or later.
  • Access to the OCP web console.
  • A workstation with the cosign and oc binary files installed.

Procedure

  1. Download the ec binary file from the OCP cluster:

    1. Log in to the OpenShift Container Platform web console. From the home page, click the ? icon in the upper right, then select Command Line Tools.
    2. From the ec download section, click the link for your platform.
    3. Open a terminal.

    4. Decompress the .gz file by running the following command: 

      $ gunzip ec-amd64.gz
      Copy to Clipboard Toggle word wrap

    5. Make the ec binary file executable by running the following command: 

      $ chmod +x ec-amd64
      Copy to Clipboard Toggle word wrap

    6. Move the ec binary file to a directory within your $PATH environment. For example: 

      $ sudo mv ec-amd64 /usr/local/bin/ec
      Copy to Clipboard Toggle word wrap
      Tip

      Run the ec validate image --help command to see all the image validation command options.

  2. Configure your shell environment for container image signing and verification.

    1. Navigate to the sigstore-ocp directory by running the following command: 

      $ cd sigstore-ocp
      Copy to Clipboard Toggle word wrap

    2. Configure the shell by running the tas-env-variables.sh script: 

      $ source tas-env-variables.sh
      Copy to Clipboard Toggle word wrap

    3. (Optional) Set the environment variables manually: 

      export OPENSHIFT_APPS_SUBDOMAIN=apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }')
export OIDC_AUTHENTICATION_REALM=sigstore
export FULCIO_URL=https://fulcio.$OPENSHIFT_APPS_SUBDOMAIN
export OIDC_ISSUER_URL=https://keycloak-keycloak-system.$OPENSHIFT_APPS_SUBDOMAIN/auth/realms/$OIDC_AUTHENTICATION_REALM
export REKOR_URL=https://rekor.$OPENSHIFT_APPS_SUBDOMAIN
export TUF_URL=https://tuf.$OPENSHIFT_APPS_SUBDOMAIN
      Copy to Clipboard Toggle word wrap 
      $ source ./tas-env-vars.sh
      Copy to Clipboard Toggle word wrap

  3. Initialize The Update Framework (TUF) system by running the following command: 

    $ cosign initialize --mirror=$TUF_URL --root=$TUF_URL/root.json
    Copy to Clipboard Toggle word wrap

  4. Sign your container image by running the following command: 

    $ cosign sign -y --fulcio-url=$FULCIO_URL --rekor-url=$REKOR_URL --oidc-issuer=$OIDC_ISSUER_URL IMAGE_NAME
    Copy to Clipboard Toggle word wrap

    For example: 

    $ cosign sign -y --fulcio-url=$FULCIO_URL \
  --rekor-url=$REKOR_URL \
  --oidc-issuer=$OIDC_ISSUER_URL example-hello-world@sha256:2788a47fd0ef1ece30898c1e608050ea71036d3329b9772dbb3d1f69313f745c
    Copy to Clipboard Toggle word wrap

    In the web browser that opens, sign the container image with an email address.

  5. Create a predicate.json file: 

    {
  "builder": {
    "id": "https://localhost/dummy-id"
  },
  "buildType": "https://example.com/tekton-pipeline",
  "invocation": {},
  "buildConfig": {},
  "metadata": {
    "completeness": {
      "parameters": false,
      "environment": false,
      "materials": false
    },
    "reproducible": false
  },
  "materials": []
}
    Copy to Clipboard Toggle word wrap

  6. Associate the predicate.json file with your container image by running the following command: 

    $ cosign attest -y --predicate ./predicate.json \
  --type slsaprovenance IMAGE_NAME:TAG
    Copy to Clipboard Toggle word wrap

    For example: 

    $ cosign attest -y --predicate ./predicate.json \
  --type slsaprovenance example.io/hello-world:latest
    Copy to Clipboard Toggle word wrap

  7. Verify that the container image has at least one attestation and signature by running the following command: 

    $ cosign tree IMAGE_NAME:TAG
    Copy to Clipboard Toggle word wrap

    For example: 

    $ cosign tree example.io/hello-world:latest
📦 Supply Chain Security Related artifacts for an image: example.io/hello-world@sha256:7de5fa822a9d1e507c36565ee0cf50c08faa64505461c844a3ce3944d23efa35
└── 💾 Attestations for an image tag: example.io/hello-world:sha256-7de5fa822a9d1e507c36565ee0cf50c08faa64505461c844a3ce3944d23efa35.att
   └── 🍒 sha256:40d94d96a6d3ab3d94b429881e1b470ae9a3cac55a3ec874051bdecd9da06c2e
└── 🔐 Signatures for an image tag: example.io/hello-world:sha256-7de5fa822a9d1e507c36565ee0cf50c08faa64505461c844a3ce3944d23efa35.sig
   └── 🍒 sha256:f32171250715d4538aec33adc40fac2343f5092631d4fc2457e2116a489387b7
    Copy to Clipboard Toggle word wrap

  8. Verify the container image with Conforma by running the following command: 

    $ ec validate image --image IMAGE_NAME:TAG \
  --certificate-identity-regexp 'SIGNER_EMAIL_ADDR' \
  --certificate-oidc-issuer-regexp 'keycloak-keycloak-system' \
  --output yaml --show-successes
    Copy to Clipboard Toggle word wrap

    For example: 

    $ ec validate image --image example.io/hello-world:latest \
  --certificate-identity 'jdoe@example.com' \
  --certificate-oidc-issuer 'keycloak-keycloak-system' \
  --output yaml --show-successes
    Copy to Clipboard Toggle word wrap

    Use the output to verify the container image: 

    success: true
successes:
  - metadata:
      code: builtin.attestation.signature_check
    msg: Pass
  - metadata:
      code: builtin.attestation.syntax_check
    msg: Pass
  - metadata:
      code: builtin.image.signature_check
    msg: Pass
ec-version: v0.1.2427-499ef12
effective-time: "2024-01-21T19:57:51.338191Z"
key: ""
policy: {}
success: true
    Copy to Clipboard Toggle word wrap

    Conforma generates a pass or fail report with details about any security violations. When you add the --info flag, the report includes more details and possible solutions for any violations.

Chapter 5. Attesting and validating a container image
复制链接

Before Conforma can validate your signed container image, you must first create Supply-chain Levels for Software Artifacts (SLSA) provenance and associate it with your container image. Provenance is the verifiable information about software artifacts, including where, when, and how a given software "link" in a supply chain was produced.

Prerequisites

  • A signed container image.
  • Access to the OpenShift Container Platform web console.
  • A working Red Hat Trusted Artifact Signer installation running on OpenShift version 4.13 or later.
  • A workstation with the cosign and oc binary files installed.

Procedure

  1. Create a SLSA provenance predicate.json file. For example: 

    echo '{
 "builder": {
   "id": "https://localhost/dummy-id"
 },
 "buildType": "https://localhost/dummy-type",
 "invocation": {},
 "buildConfig": {},
 "metadata": {
   "buildStartedOn": "2023-09-25T16:26:44Z",
   "buildFinishedOn": "2023-09-25T16:28:59Z",
   "completeness": {
     "parameters": false,
     "environment": false,
     "materials": false
   },
   "reproducible": false
 },
 "materials": []
}
' > predicate.json
    Copy to Clipboard Toggle word wrap

  2. Sign and attest the predicate.json file you just created by running the following command: 

    $ cosign attest -y --fulcio-url=$FULCIO_URL \
   --rekor-url=$REKOR_URL \
   --oidc-issuer=$OIDC_ISSUER_URL \
   --predicate predicate.json \
   --type slsaprovenance $IMAGE
    Copy to Clipboard Toggle word wrap

    Keycloak opens to automatically authenticate you based on your login when you signed the container image.

  3. Verify the signature and attestation with Conforma by running the following command: 

    $ ec validate image --image $IMAGE \
   --certificate-identity-regexp '.*' \
   --certificate-oidc-issuer-regexp '.*' \
   --output yaml --show-successes
    Copy to Clipboard Toggle word wrap
    Important

    Be as specific as possible when you run the ec validate image command so that each signature matches the expected identity.

Verification

  • When Conforma has validated your container image, a detailed report of all Conforma verifications and signatures opens.

Legal Notice
复制链接

Copyright © Red Hat.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2026 Red Hat返回顶部