Docker Content Trust Demo (January 2017)
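### set environment variables
# Hostname of the DTR instance (demo value). Every image reference and
# every notary GUN (Globally Unique Name) below is built from it.
DTR_URL="ddcbeta.mac"
# Point the notary CLI at the DTR notary server and the local trust
# directory, and pin the CA used to verify the TLS connection. This is an
# alias, so it only takes effect when the lines are pasted into an
# interactive shell; a script would need a function or a wrapper instead.
alias notary="notary -s https://${DTR_URL} -d ~/.docker/trust --tlscacert ~/.docker/tls/${DTR_URL}/ca.crt"
# Repository that is initialised and signed.
REPO="admin/signtest"
# Name of the per-user delegation role created below.
USERNAME="admin"

### admin
# get certificate from client bundle, send public key to the admin
# The bundle directory is assumed to hold cert.pem (used for the delegations)
# and key.pem (imported by the user further down) — confirm.
cd ~/ucp-bundles/local || printf 'client bundle not found at %s\n' ~/ucp-bundles/local >&2
# initialize repo: creates the trust data and signing keys for the GUN
notary init "${DTR_URL}/${REPO}"
# rotate snapshot key: -r makes the snapshot key server-managed so it does
# not have to be kept on the admin's machine
notary key rotate "${DTR_URL}/${REPO}" -r snapshot
# setup releases role: --all-paths lets holders of cert.pem's private key
# sign any target path in the repository
notary delegation add "${DTR_URL}/${REPO}" targets/releases cert.pem --all-paths
# setup user role with the same certificate and the same path scope
notary delegation add "${DTR_URL}/${REPO}" "targets/${USERNAME}" cert.pem --all-paths
# publish changes: nothing above reaches the server until this step
notary publish "${DTR_URL}/${REPO}"

### regular user
# import private key matching cert.pem so docker push can sign
notary key import key.pem

### enable DCT
# With this set, docker push signs the pushed tag and docker pull refuses
# tags that carry no valid signature.
export DOCKER_CONTENT_TRUST=1

### tag and push image
docker tag hello-world "${DTR_URL}/${REPO}:latest"
docker push "${DTR_URL}/${REPO}:latest"

### verify image is signed
# Each delegation role lists the targets signed under it.
notary list "${DTR_URL}/${REPO}" -r targets/releases
notary list "${DTR_URL}/${REPO}" -r "targets/${USERNAME}"

### now you can deploy your application in UCP. Enable content trust policy enforcement and enjoy
### you can do further things like unsign an image
### unsign image
# -p publishes the removal immediately instead of staging it locally
notary remove -p "${DTR_URL}/${REPO}" latest -r targets/releases
notary remove -p "${DTR_URL}/${REPO}" latest -r "targets/${USERNAME}"

### verify image is no longer signed
notary list "${DTR_URL}/${REPO}" -r targets/releases
notary list "${DTR_URL}/${REPO}" -r "targets/${USERNAME}"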
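### reset environment
# DTR_URL and REPO come from the setup section. Fail here if either is
# unset or empty: an empty REPO would otherwise turn the deletes below into
# operations on the whole host's trust data rather than one repository.
: "${DTR_URL:?must be set}" "${REPO:?must be set}"

# remove local and remote trust data
notary delete "${DTR_URL}/${REPO}"
notary delete "${DTR_URL}/${REPO}" --remote

# remove local keys
# `notary key list` prints the key id in the third column. Read the ids one
# per line instead of word-splitting the whole listing, match REPO as a
# fixed string, and answer the confirmation prompt explicitly.
notary key list | grep -F -- "${REPO}" | awk '{print $3}' | while IFS= read -r key_id; do
  printf 'yes\n' | notary key remove "${key_id}"
done

# optionally remove images from dtr
# (manual step; not scripted here)

# remove trust data from UCP
# This bypasses notary and deletes the repository's entries straight from
# the UCP key-value store; the :? guard at the top is what keeps an unset
# REPO from recursively deleting every repository under the host prefix.
ssh root@ddcbeta docker exec -i ucp-kv etcdctl --endpoint https://127.0.0.1:2379 --ca-file /etc/docker/ssl/ca.pem --cert-file /etc/docker/ssl/cert.pem --key-file /etc/docker/ssl/key.pem rm --recursive "/notary/v1/${DTR_URL}/${REPO}"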