In this lab you will integrate Docker Enterprise in to your development pipeline. You will push an image to the Docker Trusted Registry (DTR). DTR will scan your image for vulnerabilities so they can be fixed before your application is deployed. This helps you build more secure apps!
Difficulty: Beginner
Time: Approximately 30 minutes
Table of Contents:
- Who am i
- Document conventions
- Abbreviations
- Prerequisites
- Understanding the Play With Docker Interface
- Introduction
- Task 1 Accessing PWD
- Task 2 Enable Docker Image Scanning
- Task 3 Create Jenkins User and Organization
- Task 4: Create DTR Repositories
- Task 5 Pull / Tag / Push Docker Image
- Task 6 Review Scan Results
- Task 7 Extend with Image Mirroring
- Task 8 Docker Content Trust / Image Signing
- Task 9 Automate with Jenkins
- Conclusion
- Github : https://github.com/clemenko
- Twitter : @clemenko
- Email : clemenko@docker.com
When you encounter a phrase in between < and > you are meant to substitute in a different value.
We are going to leverage the power of Play With Docker.
The following abbreviations are used in this document:
- UCP = Universal Control Plane
- DTR = Docker Trusted Registry
- DCT = Docker Content Trust
- CVE = Common Vulnerabilities and Exposures
- PWD = Play With Docker
This lab requires an instance of Docker Enterprise. Docker Enterprise includes Docker Universal Control Plane and Docker Trusted Registry. This lab provides Docker Enterprise.
This workshop is only available to people in a pre-arranged workshop. That may happen through a Docker Meetup, a conference workshop that is being led by someone who has made these arrangements, or special arrangements between Docker and your company. The workshop leader will provide you with the URL to a workshop environment that includes Docker Enterprise. The environment will be based on Play with Docker.
If none of these apply to you, contact your local Docker Meetup Chapter and ask if there are any scheduled workshops. In the meantime, you may be interested in the labs available through the Play with Docker Classroom.
There are three main components to the Play With Docker (PWD) interface.
Play with Docker provides access to the 3 Docker Enterprise hosts in your Cluster. These machines are:
- A Linux-based Docker Enterprise 2.2 (UCP 3.1.6 & DTR 2.6.5 & 18.09.2) Manager node
- Three Linux-based Docker Enterprise 2.2 (18.09.3) Worker nodes
By clicking a name on the left, the console window will be connected to that node.
Additionally, the PWD screen provides you with a one-click access to the Universal Control Plane (UCP)
web-based management interface as well as the Docker Trusted Registry (DTR) web-based management interface. Clicking on either the UCP or DTR button will bring up the respective server web interface in a new tab.
Throughout the lab you will be asked to provide either hostnames or login credentials that are unique to your environment. These are displayed for you at the bottom of the screen.
Note: There are a limited number of lab connections available for the day. You can use the same session all day by simply keeping your browser connection to the PWD environment open between sessions. This will help us get as many people connected as possible, and prevent you needing to get new credentials and hostnames in every lab. However, if you do lose your connection between sessions simply go to the PWD URL again and you will be given a new session.
This workshop is designed to demonstrate the power of Docker Secrets, Image Promotion, Scanning Engine, and Content Trust. We will walk through creating a few secrets. Deploying a stack that uses the secret. Then we will create a Docker Trusted Registry repository where we can create a promotion policy. The promotion policy leverages the output from Image Scanning result. This is the foundation of creating a Secure Supply Chain. You can read more about secure supply chains for our Secure Supply Chain reference architecture.
-
Navigate in your web browser to the URL the workshop organizer provided to you. Chrome is advised!
-
Fill out the form, and click
submit. You will then be redirected to the PWD environment. It may take a minute or so to provision out your PWD environment.
We are going to use worker3 for ALL our command line work. Click on worker3 to activate the shell.
Now we need to setup a few variables. We need to create DTR_URL and DTR_USERNAME. But the easiest way is to clone the Workshop Repo and run script.
git clone https://github.com/clemenko/fedsummit_19.gitOnce cloned, now we can run the var_setup.sh script.
source fedsummit_19/scripts/var_setup.shNow your PWD environment variables are setup. We will use the variables for some scripting.
Before we create the repositories, let's start with enabling the Docker Image Scanning engine. Good thing there is a script for that.
./fedsummit_19/scripts/enable_scanning.shIn order to setup our automation we need to create an organization and a user account for Jenkins. We are going to create a user named jenkins in the organization ci.
-
From the
PWDmain page click onDTR.
-
Once in
DTRnavigate toOrganizationson the left. -
Now click
New organization. -
Type in
ciand clickSave.
Now we should see the organization named ci.
While remaining in DTR we can create the user from here.
-
Click on the organization
ci. -
Click
Add user. -
Make sure you click the radio button
New. Add a new user namejenkins. Set a simple password that you can remember. Maybeadmin1234?
-
Now change the permissions for the
jenkinsaccount toOrg Owner.
-
Now we need to set the password for the Jenkins user on
worker3. Replace your password for the<PASSWORD>below.#export DTR_TOKEN=<PASSWORD> export DTR_TOKEN=admin1234
We now need to access Docker Trusted Registry to setup two repositories.
We have an easy way with a script or the hard way by using the GUI.
Either way we need to create two repositories, summit19_build and summit19. summit19_build will be used for the private version of the image. summit19 will be the public version once an CVE scan is complete.
Easy Way:
Since we used git clone to copy the repository to worker3 for this workshop, there is a script from that will create the DTR repositories.
./fedsummit_19/scripts/create_repos.shThis script will also create the Promotion Policy we will discuss further.
Hard Way:
-
Navigate to
Repositorieson the left menu and clickNew repository. -
Create that looks like
ci/summit19_build. Make sure you clickPrivate. Do not clickCreateyet! -
Click
Show advanced settingsand then clickOn PushunderSCAN ON PUSH. This will ensure that the CVE scan will start right after every push to this repository. And turn onIMMUTABILITY. Then clickCreate.
-
Repeat this for creating the
ci/summit19Publicrepository withSCAN ON PUSHset toOn PushandIMMUTABILITYturnedOff. -
We should have two repositories now.
With the two repositories setup we can now define the promotion policy. No we can review the policy for the ci/summit19 repository.
-
Navigate to the
ci/summit19_buildrepository. ClickPromotionsand click "eye" on the right of the policy that was created from the scripts in a earlier task.
Notice there are a lot of options for Criteria for triggering promotions. This allows for a lot of customization. When we push any image to
ci/summit19_buildit will get scanned. Based on that scan report we could see the image moved toci/summit19. Lets push a few images to see if it worked.
Lets pull, tag, and push a few images to YOUR DTR.
In order to push and pull images to DTR we will need to take advantage of PWD's Console Access.
-
Navigate back to the PWD tab in your browser.
-
Click on
worker3. -
In the console we should already have a variable called
DTR_URL. Lets check../fedsummit_19/scripts/pull_tag_push.sh
Lets take a good look at the scan results from the images. Please keep in mind this will take a few minutes to complete.
-
Navigate to DTR -->
Repositories-->ci/summit19_build-->Tags.Don't worry if you see images in a
Scanning...orPendingstate. Please click to another tab and click back.
-
Take a look at the details to see exactly what piece of the image is vulnerable.
Click
View detailsfor an image that has vulnerabilities. How aboutflask? There are two views for the scanning results, Layers and Components. The Layers view shows which layer of the image had the vulnerable binary. This is extremely useful when diagnosing where the vulnerability is in the Dockerfile.
Now lets look at the Components view. The vulnerable binary is displayed, along with all the other contents of the layer, when you click the layer itself. In this example there are a few potentially vulnerable binaries:
Now we have a chance to review each vulnerability by clicking the CVE itself, example
CVE-2019-3822. This will direct you to Mitre's site for CVEs.
Now that we know what is in the image. We should probably act upon it.
If we find that they CVE is a false positive. Meaning that it might be disputed, or from OS that you are not using. If this is the case we can simply Hide the vulnerability. This will not remove the fact that the CVE was found.
Click Show layers affected and then you can click Hide for the one critical CVE.
If we click back to Tags we can now see that the image does not have a critical vulnerability.
Docker Trusted Registry allows you to create mirroring policies for a repository. When an image gets pushed to a repository and meets a certain criteria, DTR automatically pushes it to repository in another DTR deployment or Docker Hub.
This not only allows you to mirror images but also allows you to create image promotion pipelines that span multiple DTR deployments and data centers. Let's set one up. How about we mirror an image to hub.docker.com?
-
Go to hub.docker.com and create an login and repository.
-
Navigate to
Repositories-->ci/summit19-->MIRRORS-->New mirror. Change theREGISTRY TYPEtoDocker Huband fill out the relevant information like:
-
Click
Connectand scroll down. -
Next create a
tag nameTrigger that is equal topromoted -
Leave the
%ntag renaming the same. -
Click
Save & Apply.
Since we already had an image that had the tag promoted we should see that the image was pushed to hub.docker.com. In fact we can click on the hub repository name to see if the image push was successful.
Docker Content Trust/Notary provides a cryptographic signature for each image. The signature provides security so that the image requested is the image you get. Read Notary's Architecture to learn more about how Notary is secure. Since Docker Enterprise is "Secure by Default," Docker Trusted Registry comes with the Notary server out of the box.
We can create policy enforcement within Universal Control Plane (UCP) such that ONLY signed images from the ci team will be allowed to run. Since this workshop is about DTR and Secure Supply Chain we will skip that step.
Let's sign your first Docker image?
-
Right now you should have a promoted image
$DTR_URL/ci/summit19:flask. We need to tag it with a newsignedtag.docker pull $DTR_URL/ci/summit19:flask docker tag $DTR_URL/ci/summit19:flask $DTR_URL/ci/summit19:signed
-
Now lets use the Trust command... It will ask you for a BUNCH of passwords. Do yourself a favor in this workshop and use
admin1234. We can even use a variable for this.export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE="admin1234" export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="admin1234" docker trust sign $DTR_URL/ci/summit19:signed
Here is an example output:
[worker3] (local) root@10.20.0.11 ~ $ docker trust sign $DTR_URL/ci/summit19:signed Created signer: jenkins Finished initializing signed repository for ip172-18-0-7-bjmlj2h6u0dg00a2j7n0.direct.beta-hybrid.play-with-docker.com/ci/summit19:signed Signing and pushing trust data for local image ip172-18-0-7-bjmlj2h6u0dg00a2j7n0.direct.beta-hybrid.play-with-docker.com/ci/summit19:signed, may overwrite remote trust data The push refers to repository [ip172-18-0-7-bjmlj2h6u0dg00a2j7n0.direct.beta-hybrid.play-with-docker.com/ci/summit19] 79d8c9b0c7eb: Layer already exists 73b1d8895770: Layer already exists 758b3ad582e9: Layer already exists f1b5933fe4b5: Layer already exists signed: digest: sha256:dfd465db73b8fd3d4d64175f11dc38725913b49a2e59d82a70c75a2892f621a2 size: 1156 Signing and pushing trust metadata Successfully signed ip172-18-0-7-bjmlj2h6u0dg00a2j7n0.direct.beta-hybrid.play-with-docker.com/ci/summit19:signed
Again please use the same password. It will simplify this part of the workshop.
-
And we can confirm the signature has been applied by inspecting the image:
docker trust inspect $DTR_URL/ci/summit19:signedHere is the example output:
[worker3] (local) root@10.20.0.11 ~ $ docker trust inspect $DTR_URL/ci/summit19:signed [ { "Name": "ip172-18-0-7-bjmlj2h6u0dg00a2j7n0.direct.beta-hybrid.play-with-docker.com/ci/summit19:signed", "SignedTags": [ { "SignedTag": "signed", "Digest": "dfd465db73b8fd3d4d64175f11dc38725913b49a2e59d82a70c75a2892f621a2", "Signers": [ "jenkins" ] } ], "Signers": [ { "Name": "jenkins", "Keys": [ { "ID": "2e78226bb7144f8af1d416984e20fa688de714570a1841395dd5b55950cb65d0" } ] } ], "AdministrativeKeys": [ { "Name": "Root", "Keys": [ { "ID": "1330c69fa43a6ab40e286876efdb31c0de2aa3fb6b84b9f74fcc3a1b77bb55ad" } ] }, { "Name": "Repository", "Keys": [ { "ID": "c2265b8fde8433dd01986815a879af71dcbb9607197c65dbd6fd96b3e02a74a8" } ] } ] } ]
-
Back in DTR, Navigate to
Repositories-->ci/summit19-->Tagsand you will now see the newsignedtag with the textSignedunder theSignedcolumn:
-
If you were to enable Docker Content Trust in UCP then you would need to upload the public certificate used to sign the image. As we did not perform the
docker trust signer addcommand before step 2 above then a public certificate is automatically generated but is not associated to a user in UCP. This means when UCP tries to verify the signature on a signed image to a user it will fail and therefor not meet UCP's Content Trust policy.To resolve this issue you can upload the base64 encoded public certificate in
~/.docker/trust/tuf/$DTR_URL/ci/summit19/metadata/targets.json- the certificate is located in the structure.signed.delegations.keyswith the key value ofpublic.For example, use the command
cat ~/.docker/trust/tuf/$DTR_URL/ci/summit19/metadata/targets.json | jq '.signed.delegations.keys' | grep publicto extract the certificate.
In order to automate we need to deploy Jenkins. If you want I can point you to a few Docker Compose yamls. OR we have the easy way. The easy, aka script, deploys Jenkins quickly.
-
Take a look at the script. Also notice the script will check variables, and then runs
docker run.cat ./fedsummit_19/scripts/jenkins.sh
-
Then install Jenkins.
./fedsummit_19/scripts/jenkins.sh
-
Pay attention to the url AND Jenkins password. It will look like :
[worker3] (local) root@10.20.0.11 ~ $ ./fedsummit_19/scripts/jenkins.sh ========================================================================================================= Jenkins URL : http://ip172-18-0-8-bjmlj2h6u0dg00a2j7n0.direct.beta-hybrid.play-with-docker.com:8080 ========================================================================================================= Waiting for Jenkins to start..................... ========================================================================================================= Jenkins Setup Password = 9a64091d98d5460b8675de99ebd0b8f2 =========================================================================================================
-
Now navigate to
http://$DOCS_URL:8080by clicking on the url in the terminal. Let's start the setup of Jenkins and enter the password. It may take a minute or two for theUnlock Jenkinspage to load. Be patient.
-
One the password is entered click grey "X" in the upper right hand corner. This will cancel out of the installer.
-
And we are done installing Jenkins. Click
Start using Jenkins
Now that we have Jenkins setup and running we need to add an "item".
-
Click on
New itemin the upper left.
-
Enter a name like
ci_summit19, clickFreestyle projectand then clickOK.
-
Let's scroll down to the
Buildsection. We will come back to theBuild Triggerssection in a bit. Now clickAdd build step-->Execute shell.
-
You will now see a text box. Past the following build script into the text box.
Please replace the <DTR_URL> with your URL!
echo $DTR_URL<--worker3DTR_USERNAME=admin DTR_URL=<DTR_URL> docker login -u admin -p admin1234 $DTR_URL docker pull clemenko/summit19:alpine docker tag clemenko/summit19:alpine $DTR_URL/ci/summit19_build:jenkins_$BUILD_NUMBER docker push $DTR_URL/ci/summit19_build:jenkins_$BUILD_NUMBER docker rmi clemenko/summit19:alpine $DTR_URL/ci/summit19_build:jenkins_$BUILD_NUMBER
It will look very similar to:
Now scroll down and click
Save. -
Now let's run the build. Click
Build now.
-
You can watch the output of the
Buildby clicking on the task number in theBuild Historyand then selectingBuild Output
-
The console output will show you all the details from the script execution.
-
Review the
ci/summit19repository in DTR. You should now see a bunch of tags that have been promoted.
Now that we have Jenkins setup we can extend with webhooks. In Jenkins speak a webhook is simply a build trigger. Let's configure one.
-
Navigate to Jenkins and click on the project/item called
ci_summit19and click onConfigureon the left hand side. -
Then scroll down to
Build Triggers. Check the checkbox forTrigger builds remotelyand enter a Token ofsummit19_rocks. Scroll down and clickSave.
-
Now in your browser goto YOUR
http://$DOCS_URL:8080/job/ci_summit19/build?token=summit19_rocksIt should look like:
http://ip172-18-0-8-bjmlj2h6u0dg00a2j7n0.direct.beta-hybrid.play-with-docker.com:8080/job/ci_summit19/build?token=summit19_rocks -
Check DTR to verify the images were pushed. Then log into
https://hub.docker.comto see if your images were mirrored.
In this workshop we were able use the tools that are included with Docker Trusted Registry to build a basic Automated Secure Supply Chain. Hopefully with this foundation you can build your own organizations Secure Supply Chain!