@curtisz
Forked from mbentley/0_dct_demo.sh
Created February 2, 2017 14:00
Docker Content Trust Demo (January 2017)
### set environment variables
DTR_URL="ddcbeta.mac"
# note: the alias only expands in an interactive shell; if you paste these lines into a bash script, run `shopt -s expand_aliases` first
alias notary="notary -s https://${DTR_URL} -d ~/.docker/trust --tlscacert ~/.docker/tls/ddcbeta.mac/ca.crt"
REPO="admin/signtest"
USERNAME="admin"
### admin
# get certificate from client bundle, send public key to the admin
cd ~/ucp-bundles/local
# initialize repo
notary init ${DTR_URL}/${REPO}
# rotate snapshot key
notary key rotate ${DTR_URL}/${REPO} -r snapshot
# setup releases role
notary delegation add ${DTR_URL}/${REPO} targets/releases cert.pem --all-paths
# setup user role
notary delegation add ${DTR_URL}/${REPO} targets/${USERNAME} cert.pem --all-paths
# publish changes
notary publish ${DTR_URL}/${REPO}
### regular user
# import private key
notary key import key.pem
### enable DCT
export DOCKER_CONTENT_TRUST=1
### tag and push image
docker tag hello-world ${DTR_URL}/${REPO}:latest
docker push ${DTR_URL}/${REPO}:latest
### verify image is signed
notary list ${DTR_URL}/${REPO} -r targets/releases
notary list ${DTR_URL}/${REPO} -r targets/admin
### now you can deploy your application in UCP. Enable content trust policy enforcement and enjoy
### you can do further things like unsign an image
### unsign image
notary remove -p ${DTR_URL}/${REPO} latest -r targets/releases
notary remove -p ${DTR_URL}/${REPO} latest -r targets/admin
### verify image is no longer signed
notary list ${DTR_URL}/${REPO} -r targets/releases
notary list ${DTR_URL}/${REPO} -r targets/admin
### reset environment
# remove local and remote trust data
notary delete ${DTR_URL}/${REPO}
notary delete ${DTR_URL}/${REPO} --remote
# remove local keys
for i in $(notary key list | grep ${REPO} | awk '{print $3}'); do echo -e "yes\n" | notary key remove ${i}; done
# optionally remove images from dtr
# < manually remove images from dtr >
# remove trust data from UCP
ssh root@ddcbeta docker exec -i ucp-kv etcdctl --endpoint https://127.0.0.1:2379 --ca-file /etc/docker/ssl/ca.pem --cert-file /etc/docker/ssl/cert.pem --key-file /etc/docker/ssl/key.pem rm --recursive /notary/v1/ddcbeta.mac/${REPO}
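The "verify image is signed" and "verify image is no longer signed" steps above leave it to the reader to eyeball the `notary list` output. The following is an added example (not part of the original gist or of notary itself) that turns that check into a script: it parses the listing for a tag, requires the tag to be present under every delegation role you name, and fails if the roles disagree on the digest. The listings embedded here are constructed to mimic the NAME / DIGEST / SIZE (BYTES) / ROLE columns that `notary list` prints; the digests and the 524-byte size are made-up values, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original gist: check that a tag is signed in
# every required delegation role and that the roles agree on the digest.
# Input is the text that `notary list <GUN> -r <role>` prints for each role
# (NAME, DIGEST, SIZE (BYTES), ROLE columns); all samples below are constructed.

# Constructed sample: listing after `docker push` with DOCKER_CONTENT_TRUST=1,
# concatenating the targets/releases and targets/admin outputs.
SAMPLE_SIGNED='NAME      DIGEST                                                              SIZE (BYTES)    ROLE
----      ------                                                              ------------    ----
latest    1b26826f602946860c279fce658f31050cff2c596583af237d971f4629b57792    524             targets/releases
latest    1b26826f602946860c279fce658f31050cff2c596583af237d971f4629b57792    524             targets/admin'

# Constructed sample: both roles list the tag, but with different digests
# (for instance because one role was re-signed over a different image).
SAMPLE_MISMATCH='NAME      DIGEST                                                              SIZE (BYTES)    ROLE
----      ------                                                              ------------    ----
latest    1b26826f602946860c279fce658f31050cff2c596583af237d971f4629b57792    524             targets/releases
latest    9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08    524             targets/admin'

# Constructed sample: what notary prints after `notary remove -p ... latest`
# has removed the tag from every role.
SAMPLE_UNSIGNED='
No targets present in this repository.'

# signed_digest LISTING TAG ROLE
# Prints the digest recorded for TAG under ROLE, or nothing if it is absent.
signed_digest() {
  printf '%s\n' "$1" | awk -v tag="$2" -v role="$3" \
    'NF >= 4 && $1 == tag && $NF == role { print $2; exit }'
}

# verify_signed LISTING TAG ROLE...
# Returns 0 only if TAG is present under every ROLE with one consistent digest;
# returns 1 (with a reason on stderr) if a role is missing or digests differ.
verify_signed() {
  vs_listing=$1; vs_tag=$2; shift 2
  vs_expected=""
  for vs_role in "$@"; do
    vs_digest=$(signed_digest "$vs_listing" "$vs_tag" "$vs_role")
    if [ -z "$vs_digest" ]; then
      echo "$vs_tag: not signed in $vs_role" >&2; return 1
    fi
    if [ -z "$vs_expected" ]; then
      vs_expected=$vs_digest
    elif [ "$vs_digest" != "$vs_expected" ]; then
      echo "$vs_tag: digest mismatch in $vs_role" >&2; return 1
    fi
  done
  echo "$vs_tag: signed in $* with digest $vs_expected"
}

# Demo run over the constructed samples: pass, then two failures.
verify_signed "$SAMPLE_SIGNED" latest targets/releases targets/admin
verify_signed "$SAMPLE_MISMATCH" latest targets/releases targets/admin || true
verify_signed "$SAMPLE_UNSIGNED" latest targets/releases targets/admin || true
```

Against a live DTR you would replace the constructed samples with the concatenated output of `notary list ${DTR_URL}/${REPO} -r targets/releases` and `notary list ${DTR_URL}/${REPO} -r targets/admin` (with the alias from the top of the gist active) and call `verify_signed` with those two roles. Requiring both roles with a matching digest mirrors what UCP's content trust enforcement checks for, and the digest comparison catches the case where the roles were signed at different times over different image content.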