Description
File: engine/security/trust/trust_sandbox.md
The documentation on this page is slightly out of date.
The image specified to use for the notary service is a specific CI build that is really old, and no new versions are being built since the CI has changed. The test fixture certs included have since expired, so it no longer works.
I am not aware of there being any newer images that include the test fixture certs, so I'm not really sure how best to suggest updating this. The easy way to get a working environment with the test fixture certs is to clone the notary repo, and use its docker-compose file. However, that docker-compose file lacks the registry and docker-in-docker images that the DCT sandbox wants.
@HuKeping @justincormack As the people who seem to merge PRs for notary in recent times, any thoughts? The goal being to have some easy way to set up some environment where users can test the workflow of DCT, without needing to jump through all the hoops of setting up certs for notary.
A set of steps that actually works to create a working sandbox environment right now is below. The concern I have with suggesting this is that it could easily become out of date if changes are made to the notary repository, since the below steps are run in the cloned notary repository to be able to access the test fixture certs, but the compose file would live in the documentation, and thus be easier to forget to update. Alternatives include adding a compose file for this scenario to the notary repo, or having some published image with the test fixture certs available.
Steps to create a working DCT sandbox environment right now:
```
git clone https://github.com/theupdateframework/notary trustsandbox
cd trustsandbox
```
- Create docker-compose.dctsandbox.yml with the following contents (based partially on the notary repo's compose file, and partially on the out-of-date documentation):
```yaml
version: "2"
services:
  notaryserver:
    build:
      context: .
      dockerfile: server.Dockerfile
    networks:
      - sandbox
    ports:
      - "8080"
      - "4443:4443"
    entrypoint: /usr/bin/env sh
    command: -c "notary-server -config=fixtures/server-config-local.json"
    environment:
      - NOTARY_SERVER_TRUST_SERVICE_TYPE=local
    container_name: notaryserver
  sandboxregistry:
    image: registry
    networks:
      - sandbox
    container_name: sandboxregistry
  trustsandbox:
    image: docker:dind
    networks:
      - sandbox
    volumes:
      - ./fixtures/root-ca.crt:/notarycerts/root-ca.crt
    privileged: true
    container_name: trustsandbox
    entrypoint: ""
    command: |-
      sh -c '
      cp /notarycerts/root-ca.crt /usr/local/share/ca-certificates/root-ca.crt &&
      update-ca-certificates &&
      dockerd-entrypoint.sh --insecure-registry sandboxregistry:5000'
networks:
  sandbox:
    external: false
```
```
docker-compose -f docker-compose.dctsandbox.yml up -d
```
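
The description above attributes the broken sandbox to expired test fixture certs. A pre-flight check for that condition, added here as an example (it is not from the notary repository or the Docker documentation); the function name `check_fixture_certs`, the `*.crt` glob and the day threshold are assumptions, and only the first certificate in each file is inspected:

```shell
#!/bin/sh
# Added example: report fixture certificates that are expired or about to expire.
# Usage: check_fixture_certs <dir> [min_days_left]
# Returns 0 if every *.crt in <dir> stays valid for at least min_days_left days,
#         1 if any certificate is expired, expiring, or unreadable,
#         2 if openssl is unavailable or <dir> holds no *.crt files.
check_fixture_certs() {
    dir=$1
    min_days=${2:-1}
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    found=0
    bad=0
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue          # unmatched glob stays literal; skip it
        found=1
        if end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null); then
            # -checkend N exits non-zero when notAfter falls within the next N seconds
            if openssl x509 -in "$crt" -noout \
                   -checkend $((min_days * 86400)) >/dev/null 2>&1; then
                echo "ok         $crt (${end#notAfter=})"
            else
                echo "EXPIRING   $crt (${end#notAfter=})"
                bad=1
            fi
        else
            echo "UNREADABLE $crt"
            bad=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no .crt files in $dir" >&2; return 2; }
    return "$bad"
}

# When invoked with arguments, e.g. `sh check.sh fixtures 7`, run the check directly.
if [ "$#" -gt 0 ]; then
    check_fixture_certs "$@"
fi
```

Run from the cloned repository against the `fixtures` directory before `docker-compose ... up -d`; a non-zero exit means the mounted `root-ca.crt` or a sibling certificate will not validate.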