Add cmdline docs for signing and verification flows #14453
@@ -45,6 +45,7 @@ by the `docker` command line: | |||
unsuitable for Docker. | |||
* `DOCKER_RAMDISK` If set this will disable 'pivot_root'. | |||
* `DOCKER_TLS_VERIFY` When set Docker uses TLS and verifies the remote. | |||
* `DOCKER_NOTARY` When set Docker uses notary to sign and verify images. |
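Review bot: The new `DOCKER_NOTARY` entry does not say which operations it affects or how it relates to the per-command `--untrusted` flag, so a reader of this list cannot tell that setting it changes the behaviour of push, pull, create and run, nor that verification can be skipped per command. Suggest spelling that out, in the same shape as the neighbouring entries: `* \`DOCKER_NOTARY\` When set, Docker signs images on push and verifies them on pull, create and run; \`--untrusted\` skips verification for a single command.` A comma after "When set" also matches the `DOCKER_TLS_VERIFY` line above it.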
As in `--untrusted=false` for all? Or does this mean something else?
EDIT: I did not read the original blurb, my b, but maybe this should say that too regardless, for non-readers like me.
added ;)
Notary is an implementation detail of the trust feature of Docker. Do we want to make it appear all the way up to the UX? Isn't making the name appear here contradictory to the idea of having well spec'ed ingredients that we can substitute with other conforming implementations?
`--untrusted=false` feels a little like a double negative, e.g. it is not `un-trusted`. Therefore it might be difficult for non-native English speakers to divine the expected behaviour. It's simpler to say it is `trusted`. I appreciate `trusted` is a loaded term, so maybe it's not the right word to use. Per icecrime's comment, I agree that we should use something more generic. Perhaps splitting the two workflows (signing and verification) would make sense, e.g. `DOCKER_IMAGE_VERIFY` and `DOCKER_IMAGE_SIGN`.
This is so eventually we can make trusted the default and not have it be counterintuitive.
Otherwise all options sound weird when they are turned on by default. There was a lot of back and forth on this already and I think I am still pro the current approach.
Agreed, `--untrusted` is a bit weird.
Perhaps `--verify-image=true` as a default, then the user would pass `--verify-image=false`?
Ah, I see @dave-tucker said a similar thing below. Just adding a +1 to his suggestions.
Design LGTM eventually we can remove the
Design LGTM
Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
@@ -59,6 +59,7 @@ Creates a new container. | |||
--restart="no" Restart policy (no, on-failure[:max-retry], always) | |||
--security-opt=[] Security options | |||
-t, --tty=false Allocate a pseudo-TTY | |||
--untrusted Skip image verification |
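Review bot: `--untrusted` is the only flag in this list shown without its default, while the neighbouring `--restart="no"` and `-t, --tty=false` both show one, and the help text does not say that the flag has no effect unless `DOCKER_NOTARY` is set (the variable that enables verification on create and run, per the PR description). Suggest `--untrusted=false Skip image verification (only meaningful when DOCKER_NOTARY is set)` so the boolean default and the dependency are visible in `docker create --help`.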
The doc should probably mention the default value (`=true`).
Perhaps `--verify=false`.
A few remarks, otherwise design LGTM.
cherry picked
In order to address issue #2700 we have been working on the design and implementation of a system for trusted distribution of Docker images.
We'd like to solicit feedback on our design. Please find our design document for more details on this proposal.
To briefly summarize the proposal, a new environment variable, DOCKER_NOTARY, will enable signing and verification on push, pull, create and run. This flag will cause signing to happen on push and verification to happen on pull, create, and run. The signing and verification functionality will be implemented in the Docker client through notary's implementation of The Update Framework.
Signed-off-by: Nathan McCauley nathan.mccauley@docker.com