Add cmdline docs for signing and verification flows #14453
Conversation
| @@ -45,6 +45,7 @@ by the `docker` command line: | |||
| unsuitable for Docker. | |||
| * `DOCKER_RAMDISK` If set this will disable 'pivot_root'. | |||
| * `DOCKER_TLS_VERIFY` When set Docker uses TLS and verifies the remote. | |||
| * `DOCKER_NOTARY` When set Docker uses notary to sign and verify images. | |||
There was a problem hiding this comment.
as in --untrusted=false for all? or does this mean something else?
EDIT: i did not read the original blurb, my b, but maybe this should say that too regardless, for non readers like me
There was a problem hiding this comment.
Notary is an implementation detail of the trust feature of Docker. Do we want to make it appear all the way up to the UX? Isn't making the name appear here contradictory to the idea of having well spec'ed ingredients that we can substitute with other conforming implementations?
There was a problem hiding this comment.
--untrusted=false feels a little like a double negative. E.g it is not un-trusted. Therefore it might be difficult for non-native english speakers to divine the expected behaviour. It's simpler to say it is trusted. I appreciate trusted is a loaded term, so maybe it's not the right word to use. Per icecrime's comment, I agree that we should use something more generic. Perhaps splitting the two workflows (signing and verification) would make sense - e.g DOCKER_IMAGE_VERIFY and DOCKER_IMAGE_SIGN
There was a problem hiding this comment.
This is so eventually we can make trusted the default and not have it be counterintuitive.
Otherwise all options sound weird when they are turned on by default. There was a alot of back and forth on this already and I think I am still pro- the current approach.
There was a problem hiding this comment.
Agreed --untrusted is a bit weird.
Perhaps --verify-image=true as a default, then the user would pass --verify-image=false?
There was a problem hiding this comment.
Ah, I see @dave-tucker said a similar thing below. Just adding a +1 to his suggestions.
|
Design LGTM eventually we can remove the |
|
Design LGTM |
Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
| @@ -59,6 +59,7 @@ Creates a new container. | |||
| --restart="no" Restart policy (no, on-failure[:max-retry], always) | |||
| --security-opt=[] Security options | |||
| -t, --tty=false Allocate a pseudo-TTY | |||
| --untrusted Skip image verification | |||
There was a problem hiding this comment.
The doc should probably mention the default value (=true)
There was a problem hiding this comment.
Perhaps --verify=false
|
A few remarks, otherwise design LGTM. |
|
cherry picked |
In order to address issue #2700 we have been working on design and implementation of a system for trusted distribution of Docker images
We'd like to solicit feedback on our design. Please find our design document for more details on this proposal.
To briefly summarize the proposal, a new environment variable, DOCKER_NOTARY, will enable signing and verification on push, pull, create and run. This flag will cause signing to happen on push and verification to happen on pull, create, and run. The signing and verification functionality will be implemented in the Docker client through notary's implementation of The Update Framework.
Signed-off-by: Nathan McCauley nathan.mccauley@docker.com