Minimal changes to trust/trust_sandbox docs #13912

wants to merge 8 commits into
base: main
Changes from 3 commits
73 changes: 50 additions & 23 deletions engine/security/trust/trust_sandbox.md
@@ -33,9 +33,10 @@ production trust environment, and sets up these additional components.

| Container | Description |
|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------|
| trustsandbox | A container with the latest version of Docker Engine and with some preconfigured certificates. This is your sandbox where you can use the `docker` client to test trust operations. |
| Registry server | A local registry service. |
| Notary server | The service that does all the heavy-lifting of managing trust |
| server | The container that will host the Notary Server, which manages the TUF database |
| signer | The container that will host the Notary Signer, which manages the _timestamp_ and _snapshot_ private keys, and signing operations |
| trustsandbox | The container that will host the Notary Server |
| Registry server | A local registry service. |

This means you run your own content trust (Notary) server and registry.
If you work exclusively with the Docker Hub, you would not need these components.
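Review bot: the new `trustsandbox` row in this table reads "The container that will host the Notary Server", which duplicates the `server` row and drops the original description of the sandbox (a container running Docker Engine with preconfigured certificates, where the `docker` client is used to test trust operations). Restore the original `trustsandbox` description so the table matches the compose file, where `trustsandbox` is the `docker:dind` container and `server` is the one running `notary-server`.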
@@ -67,46 +68,72 @@ the `trustsandbox` container, the Notary server, and the Registry server.
$ mkdir trustsandbox
$ cd trustsandbox

2. Create a file called `docker-compose.yml` with your favorite editor. For example, using vim:
2. Clone the official `notary` repository:

$ git clone git@github.com:notaryproject/notary.git

3. Create a file called `docker-compose.yml` with your favorite editor. For example, using vim:

$ touch docker-compose.yml
$ vim docker-compose.yml

3. Add the following to the new file.
4. Add the following to the new file.

version: "2"
services:
notaryserver:
image: dockersecurity/notary_autobuilds:server-v0.5.1
volumes:
- notarycerts:/var/lib/notary/fixtures
server:
image: notary:server-0.6.1-2
container_name: notaryserver
networks:
- sandbox
environment:
- NOTARY_SERVER_STORAGE_TYPE=memory
- NOTARY_SERVER_TRUST_SERVICE_TYPE=local
sandboxregistry:
image: registry:2.4.1
sandbox:
aliases:
- notaryserver
depends_on:
- signer
volumes:
- ./notary:/notarydir
command: |-
sh -c "/notarydir/migrations/migrate.sh &&
cd /notarydir/fixtures &&
notary-server -config=/notarydir/fixtures/server-config-local.json"

signer:
image: notary:signer-0.6.1-2
container_name: notarysigner
networks:
- sandbox
container_name: sandboxregistry
sandbox:
aliases:
- notarysigner
volumes:
- ./notary:/notarydir
command: |-
sh -c "/notarydir/migrations/migrate.sh &&
cd /notarydir/fixtures &&
notary-signer -config=/notarydir/fixtures/signer-config-local.json"

trustsandbox:
image: docker:dind
networks:
- sandbox
volumes:
- notarycerts:/notarycerts
- ./notary:/notary
privileged: true
container_name: trustsandbox
entrypoint: ""
command: |-
sh -c '
cp /notarycerts/root-ca.crt /usr/local/share/ca-certificates/root-ca.crt &&
cp /notary/fixtures/root-ca.crt /usr/local/share/ca-certificates/root-ca.crt &&
update-ca-certificates &&
dockerd-entrypoint.sh --insecure-registry sandboxregistry:5000'
volumes:
notarycerts:
external: false

sandboxregistry:
image: registry:2.7
networks:
sandbox:
aliases:
- sandboxregistry
container_name: sandboxregistry

networks:
sandbox:
external: false
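Review bot: step 2 clones with the SSH URL `git@github.com:notaryproject/notary.git`, which fails for any reader without an SSH key registered on GitHub; use `https://github.com/notaryproject/notary.git` so the tutorial works with a plain `git clone`. Separately, `depends_on: - signer` on the `server` service only orders container start and does not wait for the signer to be listening, so the `migrate.sh && ... notary-server` command can race the signer on first boot; consider `restart: on-failure` on `server`, or a sentence telling readers to check `docker-compose logs server` if it exits early.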
@@ -217,7 +244,7 @@ data. Then, you try and pull it.
2. Open a new interactive terminal from your host, and obtain a shell into the
`sandboxregistry` container.

$ docker container exec -it sandboxregistry bash
$ docker container exec -it sandboxregistry sh
root@65084fc6f047:/#

3. List the layers for the `test/trusttest` image you pushed:
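Review bot: the sample output line `root@65084fc6f047:/#` after the `exec` command is the bash-style prompt from the old `bash` invocation; the `registry:2.7` image is Alpine-based and its `sh` is busybox, whose default prompt looks like `/ #`, so update the sample prompt to match the new command.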