Docker Content Trust Demo (January 2017)
### set environment variables
DTR_URL="ddcbeta.mac"
# Make sure you have downloaded DTR's CA (if the certs are not already trusted by a valid root CA on your client) and placed it in the path specified by --tlscacert
# The DTR's CA cert can be downloaded from https://${DTR_URL}/ca
# If it is already trusted, you can leave off the --tlscacert argument
alias notary="notary -s https://${DTR_URL} -d ~/.docker/trust --tlscacert ~/.docker/tls/${DTR_URL}/ca.crt"
REPO="admin/signtest"
USERNAME="admin"
### admin
# get certificate from client bundle, send public key to the admin
# note: this path is where I have my extracted client bundle that I want to create the delegation for
cd ~/ucp-bundles/local
# initialize repo
notary init ${DTR_URL}/${REPO}
# rotate snapshot key
notary key rotate ${DTR_URL}/${REPO} -r snapshot
# set up releases role
notary delegation add ${DTR_URL}/${REPO} targets/releases cert.pem --all-paths
# set up user role
notary delegation add ${DTR_URL}/${REPO} targets/${USERNAME} cert.pem --all-paths
# publish changes
notary publish ${DTR_URL}/${REPO}
### regular user
# import private key
notary key import key.pem
### enable DCT
export DOCKER_CONTENT_TRUST=1
### tag and push image
docker tag hello-world ${DTR_URL}/${REPO}:latest
docker push ${DTR_URL}/${REPO}:latest
### verify image is signed
notary list ${DTR_URL}/${REPO} -r targets/releases
notary list ${DTR_URL}/${REPO} -r targets/admin
### now you can deploy your application in UCP. Enable content trust policy enforcement and enjoy
### you can do further things like unsign an image
### unsign image
notary remove -p ${DTR_URL}/${REPO} latest -r targets/releases
notary remove -p ${DTR_URL}/${REPO} latest -r targets/admin
### verify image is no longer signed
notary list ${DTR_URL}/${REPO} -r targets/releases
notary list ${DTR_URL}/${REPO} -r targets/admin
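The "verify image is signed" step above is done by eye. The following is an added example, not part of mbentley's gist: a small deploy gate that parses the table printed by `notary list <GUN>` (optionally with `-r <role>`) and refuses a tag unless it is signed under `targets/releases` with the digest the release process expects. It assumes notary's table layout (NAME, DIGEST, SIZE (BYTES), ROLE after a header and a dashed rule line), and the listing embedded below is constructed with placeholder digests so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the gist): gate a deployment on the notary listing
# of a repository. The listing is read from stdin so it can be tested offline.
# Assumed layout of `notary list` output: NAME  DIGEST  SIZE (BYTES)  ROLE,
# preceded by a header line and a ---- rule line.

# signed_in_role TAG ROLE  (listing on stdin): exit 0 if TAG is recorded under ROLE.
signed_in_role() {
    awk -v tag="$1" -v role="$2" '
        NR <= 2 { next }                         # skip header and ---- rule
        $1 == tag && $4 == role { found = 1 }
        END { exit found ? 0 : 1 }'
}

# digest_for TAG ROLE  (listing on stdin): print the digest recorded for TAG under ROLE.
digest_for() {
    awk -v tag="$1" -v role="$2" 'NR > 2 && $1 == tag && $4 == role { print $2; exit }'
}

# gate TAG EXPECTED_DIGEST LISTING: allow only when TAG is signed under
# targets/releases AND the signed digest equals the one the release process
# recorded (for example the sha256 printed by `docker push`).
# Returns 1 if the tag is not signed under targets/releases, 2 on digest mismatch, 0 when allowed.
gate() {
    tag="$1"; expected="$2"; listing="$3"
    if ! printf '%s\n' "$listing" | signed_in_role "$tag" targets/releases; then
        echo "DENY: $tag is not signed under targets/releases" >&2
        return 1
    fi
    actual=$(printf '%s\n' "$listing" | digest_for "$tag" targets/releases)
    if [ "$actual" != "$expected" ]; then
        echo "DENY: $tag digest $actual does not match expected $expected" >&2
        return 2
    fi
    echo "ALLOW: $tag -> $actual"
}

# Constructed sample listing for offline use; the digests are placeholders, not real hashes.
# "latest" is signed by both delegations; "1.0" was only ever signed by the user role.
SAMPLE_LISTING='NAME      DIGEST                                                              SIZE (BYTES)    ROLE
----      ------                                                              ------------    ----
latest    1111111111111111111111111111111111111111111111111111111111111111    524             targets/releases
latest    1111111111111111111111111111111111111111111111111111111111111111    524             targets/admin
1.0       2222222222222222222222222222222222222222222222222222222222222222    524             targets/admin'
EXPECTED_LATEST=1111111111111111111111111111111111111111111111111111111111111111

# Demo run against the constructed listing: ALLOW for latest, DENY for 1.0.
gate latest "$EXPECTED_LATEST" "$SAMPLE_LISTING"
gate 1.0 "$EXPECTED_LATEST" "$SAMPLE_LISTING" || true
```

Against a live DTR the listing comes from the alias defined at the top of the gist, e.g. `gate latest "$DIGEST" "$(notary list ${DTR_URL}/${REPO})"`. Checking the digest as well as the role matters: after the `notary remove` steps below, a tag that is re-signed by a different key holder would still show up under `targets/releases`, but with a digest the release process never recorded.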
### reset environment
# remove local and remote trust data
notary delete ${DTR_URL}/${REPO}
notary delete ${DTR_URL}/${REPO} --remote
# remove local keys
for i in $(notary key list | grep ${REPO} | awk '{print $3}'); do echo -e "yes\n" | notary key remove ${i}; done
# optionally remove images from DTR
< manually remove images from DTR >
# remove trust data from UCP (this is required if you delete the trust data completely, as UCP doesn't purge the data from etcd)
# remove for versions earlier than UCP 3.0.x
ssh root@ddcbeta docker exec -i ucp-kv etcdctl --endpoint https://127.0.0.1:2379 --ca-file /etc/docker/ssl/ca.pem --cert-file /etc/docker/ssl/cert.pem --key-file /etc/docker/ssl/key.pem rm --recursive /notary/v1/ddcbeta.mac/${REPO}
# remove for UCP 3.0.x and above
ssh root@ddcbeta docker exec -i -e ETCDCTL_API=3 ucp-kv etcdctl --endpoints https://127.0.0.1:2379 --cert /etc/docker/ssl/cert.pem --key /etc/docker/ssl/key.pem --cacert /etc/docker/ssl/ca.pem del notary/v1/ddcbeta.mac/${REPO} --prefix
# the above probably doesn't work on newer versions of UCP; I have not tested this in a while though
@wheestermans - Sorry, I did not get a notification about your reply. The reason is probably because your client that is doing the pushing doesn't trust the DTR's self-signed CA. Your engine pushing trusts it but your local client does not. That is why the CA cert is placed in
~/.docker/tls/<fqdn.to.dtr>/ca.crt
so that it will allow the local client to use that for the trust chain. Sorry it wasn't clear in the instructions as to why the cert was placed there.