Configuring Docker Notary and Docker Client
There is no configuration needed in Artifactory in order to work with trusted Docker images. However, in the setup instructions below, we do recommend testing your configuration by signing an image and pushing it to Artifactory running in a container.
To configure the Docker Notary and client to work with Artifactory, execute the following main steps:
- Configure your hosts file
- Configure the Notary server and run it as a container
- Configure the Docker client
Configuring Your Hosts File
If you are not working with a DNS, add the following entries to your /etc/hosts file (the IP address and host names are placeholders for your own values):
sudo sh -c 'echo "[IP address] [Notary server name]" >> /etc/hosts'
sudo sh -c 'echo "[IP address] [Artifactory server name]" >> /etc/hosts'
Configuring the Notary Server
Create a directory for your Notary server. In the code snippets below we will use notarybox.
Create a Dockerfile with the following content:
FROM debian:jessie
ADD https://get.docker.com/builds/Linux/x86_64/docker-1.9.1 /usr/bin/docker
RUN chmod +x /usr/bin/docker \
    && apt-get update \
    && apt-get install -y \
        tree \
        vim \
        git \
        ca-certificates \
        --no-install-recommends
WORKDIR /root
RUN git clone https://github.com/docker/notary.git && \
    cp /root/notary/fixtures/root-ca.crt /usr/local/share/ca-certificates/root-ca.crt && \
    update-ca-certificates
ENTRYPOINT ["bash"]
Use a private certificate
This configuration runs with a public certificate. Any Docker client running with the same public certificate may be able to access your Notary server.
For a secure setup, we recommend replacing the public root-ca.crt certificate file with your organization's private certificate, both under /root/notary/fixtures on your Notary server and under /usr/local/share/ca-certificates on the machine running your Docker client.
Build the test image:
docker build -t [image name] [path to dockerfile]
If you are running the build in your Dockerfile directory, you can just use "." as the path to the Dockerfile.
Start the Notary server:
To start the Notary server, you first need to have Docker Compose installed.
Then execute the following steps:
cd notarybox
git clone -b trust-sandbox https://github.com/docker/notary.git
cd notary
docker-compose build
docker-compose up -d
Configuring the Docker Client
To connect the Notary server to the Docker client you need to enable the Docker content trust flag and add the Notary server URL as follows:
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443
Test Your Setup
The example below demonstrates setting up the Notary server and Docker client, signing an image and pushing it to Artifactory, with the following assumptions:
- Artifactory is up and running in a Docker container
- You have configured the Notary server
- Notary server and Artifactory run on localhost (127.0.0.1)
- Notary server is in directory notarybox
- You are working without a DNS (so the hosts file needs to be configured)
- Notary server name is notaryserver
- Artifactory server name is artifactory-registry
- Docker Compose is installed.
Set up the IP mappings
sudo sh -c 'echo "127.0.0.1 notaryserver" >> /etc/hosts'
sudo sh -c 'echo "127.0.0.1 artifactory-registry" >> /etc/hosts'
Pull an image for testing
docker pull docker/trusttest
After you have pulled the image, you need to docker login to artifactory-registry:5002/v2
Configure the Docker client
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443
Tag the image you pulled for testing and push it to Artifactory
docker tag docker/trusttest artifactory-registry:5002/test/trusttest:latest
docker push artifactory-registry:5002/test/trusttest:latest
You will be asked to enter the root key passphrase. This will be needed every time you push a new image while the DOCKER_CONTENT_TRUST flag is set.
The root key is generated at: /root/.docker/trust/private/root_keys
You will also be asked to enter a new passphrase for the image. This key is generated at /root/.docker/trust/private/tuf_keys/[registry name]/[image path]
The Docker image is signed after it is pushed to Artifactory.
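The following preflight helpers, added here as an example and not part of the Artifactory documentation or the Notary project, wrap the walkthrough above: they add the hosts mappings without duplicating lines on repeated runs, refuse a content trust server URL that is not https://, and flag trust keys under /root/.docker/trust/private that are readable by other users. The host names and port are the ones assumed in this walkthrough; the hosts file path is passed in so the checks can be run against a scratch file first.

```shell
#!/bin/sh
# Added example (not from the Artifactory docs): preflight checks for the
# Notary / Docker Content Trust setup described in the walkthrough above.

# Append "IP NAME" to HOSTS_FILE only if NAME is not already mapped there,
# so re-running the setup does not pile up duplicate /etc/hosts entries.
# Usage: add_host_mapping /etc/hosts 127.0.0.1 notaryserver   (with sudo)
add_host_mapping() {
    hosts_file=$1; ip=$2; name=$3
    if grep -Eq "^[^#]*[[:space:]]$name([[:space:]]|\$)" "$hosts_file"; then
        return 0   # already present, nothing to do
    fi
    printf '%s %s\n' "$ip" "$name" >> "$hosts_file"
}

# Succeed only when content trust is enabled and the Notary URL is https://.
# Trust metadata fetched over plain http could be altered in transit, which
# would defeat the point of signing, so a non-https URL is rejected.
check_content_trust_env() {
    if [ "${DOCKER_CONTENT_TRUST:-}" != "1" ]; then
        echo "DOCKER_CONTENT_TRUST is not set to 1" >&2
        return 1
    fi
    case "${DOCKER_CONTENT_TRUST_SERVER:-}" in
        https://*) return 0 ;;
        *) echo "DOCKER_CONTENT_TRUST_SERVER must be an https:// URL" >&2
           return 1 ;;
    esac
}

# Fail if any file under DIR (e.g. /root/.docker/trust/private) is readable
# or writable by group or others; root and TUF keys should be owner-only.
check_key_perms() {
    loose=$(find "$1" -type f \( -perm -g+r -o -perm -g+w \
                                 -o -perm -o+r -o -perm -o+w \) 2>/dev/null)
    if [ -n "$loose" ]; then
        echo "loose permissions on trust keys:" >&2
        echo "$loose" >&2
        return 1
    fi
    return 0
}
```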