fgrehm / ventriloquist

Development environments made easy
MIT License

Use Docker trusted builds for services/platforms #50

ches closed this issue 10 years ago

ches commented 10 years ago

Same concerns as fgrehm/docker-provider#5 -- I don't want to run a bunch of images if I can't be assured they're actually built from published Dockerfiles.

I realize this one would be much more onerous for you to set up unless Docker adds support for multiple Dockerfiles in a single GitHub repo. Sadly it looks like there is already a ventriloquist GitHub user, in case you wanted to set up an organization to hold lots of repos :cry:

fgrehm commented 10 years ago

Thanks but I'm actually doing some research before going that direction. There seems to be a lot of interest on fig lately and while the projects have an "intersection" there are some things that they do not provide that we are doing over here. There are actually more than 10 different tools trying to solve the same problem that haven't reached 1.0 maturity yet and I want to make sure I'm really not reinventing the wheel here :-)

All of that to say that I want to give it some time before doing that move. It will require some effort to chop things into multiple repositories and take care of a whole bunch of issue trackers on my own. If docker ends up adding support for multiple Dockerfiles I'm up for setting it up from a single repo, otherwise it'll have to wait until I'm able to decide what I'll do next or for someone to volunteer :-P

On a side note, are you using the plugin? I haven't received much feedback apart from GitHub stars and according to RubyGems there have been only 207 downloads of the latest version. Different from other plugins I maintain (like vagrant-cachier and vagrant-lxc) I don't know if there is anyone else relying on the plugin to have their jobs done apart from myself.

Anyways, I'll keep the issue open until we have trusted builds in place :-)

ches commented 10 years ago

Sure, I totally don't blame you.

Responding to your request for feedback: no, I haven't actually used Ventriloquist yet -- I was taking a look out of general interest but I'm not sure that someone else's "opinionated" images would suit me when a goal in using Docker is consistency from dev to production. And of course I considered the reason for filing this issue a hurdle too, it's just irresponsible to run untrusted images from the public index IMO. If I do give it a try I'd be happy to follow up. Thanks for the pointer to Fig also, that's an interesting alternative for sure.

FWIW, I haven't actually tried to see how it works, but I just noticed this on the repository docs now:

> You can create multiple Trusted Builds per repository and configure them to point to specific Dockerfile's or Git branches.

Perhaps they've already added this feature since the launch of trusted builds? If so that might be easy for you and might help more people to feel comfortable trying your project. Thanks for all the work you do on Vagrant plugins, by the way!

fgrehm commented 10 years ago

> I'm not sure that someone else's "opinionated" images would suit me when a goal in using Docker is consistency from dev to production

Oh yeah, I agree with you. If you have control over your production env there's no point in using this plugin. My main intent with this tool is to make things easier for those who don't have control over their production environments (but still want to make use of a virtualized dev environment)

In that case (at least for now) you are better suited with Fig I think :-)

> it's just irresponsible to run untrusted images from the public index IMO

Thanks for the heads up! When I started this project we didn't have trusted builds in place and I actually didn't bother doing anything about that for the same reasons as explained above, but it is something that I'll definitely keep in mind for this and other Docker related projects I might get involved.

> Perhaps they've already added this feature since the launch of trusted builds? If so that might be easy for you and might help more people to feel comfortable trying your project.

Oh yeah, that does work, thanks for the heads up again :-) I'll look into it as soon as I get some other stuff out of my way.

And BTW, thanks a lot for reaching out!

fgrehm commented 10 years ago

Well, we'll probably start using the plugin on the company I work for, so I went ahead and created those trusted builds for all images!