notaryproject / notary

Notary is a project that allows anyone to have trust over arbitrary collections of data
Apache License 2.0

docker push doesn't go via notary #1288

Open chdebnat opened 6 years ago

chdebnat commented 6 years ago

Hello Team,

I am trying to set up my own notary service using the instructions available at this link: https://github.com/theupdateframework/notary

What I have done:

1) git clone https://github.com/theupdateframework/notary.git
2) cd notary
3) docker-compose build
4) docker-compose up -d

After performing the above steps I got 3 containers up and running on my docker host (running on a local laptop, Ubuntu 16.04):
a) notary_server
b) notary_signer
c) mariadb:10.1.28

Now, in order to use my local notary service with the private registry nexus (hosted as a container on another machine), I have done the below steps:
1) /etc/hosts entry: 127.0.0.1 notary-server
2) mkdir -p ~/.notary && cp cmd/notary/config.json cmd/notary/root-ca.crt ~/.notary

After this I tested the connection using the below command and it succeeded.

openssl s_client -connect :4443 -CAfile fixtures/root-ca.crt -no_ssl3 -no_ssl2

Now, in order to sign the image and push it to the private registry, I have set the below environment variables:
DOCKER_CONTENT_TRUST_SERVER=https://notary-server:4443
DOCKER_CONTENT_TRUST=1

Problem:

When I issue a docker push command like below

sudo docker push nexus.xyz.com:5000/nginx:latest (I have done the proper tag before)

it does not go through signing; it directly pushes the image to the private registry.

But when I use sudo docker push --disable-content-trust=false nexus.xyz.com:5000/nginx:latest

it signs the image and pushes it, but does not show any trusted content when I use

notary list nexus.xyz.com:5000/nginx:latest

Question:

Do I need to do any other configuration in order to use my own notary service?

Any help would be really appreciated.

Thanks, Chayan. @riyazdf I have followed a lot of your other issue replies, hence tagging you for quicker help. Thanks in advance!!

cyli commented 6 years ago

@chdebnat It's possible those environment variables aren't preserved when you run sudo docker. For instance, I get the following:

$  export DOCKER_CONTENT_TRUST_SERVER=https://notary-server:4443

$  env
...
LOGNAME=cyli
DOCKER_CONTENT_TRUST_SERVER=https://notary-server:4443
...
_=/usr/bin/env

$  sudo env
Password:
LOGNAME=root
USER=root
USERNAME=root
SHELL=/bin/sh
SUDO_COMMAND=/usr/bin/env
SUDO_USER=cyli
...

(no DOCKER_CONTENT_TRUST_SERVER variable)

From the sudo man page, you may need to pass the -E option:

       -E, --preserve-env
                   Indicates to the security policy that the user wishes to preserve their existing environment variables.  The security policy may return an
                   error if the user does not have permission to preserve the environment.

Is it possible the image is getting signed and the digest is being pushed elsewhere, but not your local notary server? I'm not sure if nexus.xyz.com has a notary server that you have access to.
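An added example, not part of this issue thread or the notary project, that turns cyli's point into a pre-push check: it must run inside the same environment in which the docker CLI runs (for example under `sudo -E` or with the variables kept via sudoers `env_keep`), and it refuses to push unless content trust is on and the trust server is an explicit https:// URL. The wrapper name `trusted_push` and the check function name are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the issue or the notary project).
# Verifies the Docker content-trust environment before a push, so an
# environment reset by sudo is caught instead of silently producing an
# unsigned push or a signature sent to a different trust server.

# content_trust_env_ok DCT_VALUE DCT_SERVER_VALUE
# Returns 0 when DOCKER_CONTENT_TRUST is exactly "1" and
# DOCKER_CONTENT_TRUST_SERVER is an https:// URL; otherwise prints the
# reason to stderr and returns 1.
content_trust_env_ok() {
  dct="$1"
  server="$2"
  if [ "$dct" != "1" ]; then
    echo "DOCKER_CONTENT_TRUST is not 1 (got '${dct:-unset}'): push would be unsigned" >&2
    return 1
  fi
  case "$server" in
    https://*)
      return 0 ;;
    "")
      echo "DOCKER_CONTENT_TRUST_SERVER is unset: docker would use its default trust server for this registry, not yours" >&2
      return 1 ;;
    *)
      echo "DOCKER_CONTENT_TRUST_SERVER must be an https:// URL (got '$server')" >&2
      return 1 ;;
  esac
}

# trusted_push IMAGE
# Reads the variables from the environment this script actually runs in
# (after any sudo), then pushes only if the check passes.
trusted_push() {
  image="$1"
  content_trust_env_ok "${DOCKER_CONTENT_TRUST:-}" "${DOCKER_CONTENT_TRUST_SERVER:-}" || return 1
  echo "content trust enabled, trust server: $DOCKER_CONTENT_TRUST_SERVER" >&2
  docker push "$image"
}
```

Run it as `sudo -E sh ct-push.sh` (or from a root shell where the variables are exported) so the check sees the same environment as docker; a plain `sudo sh ct-push.sh` fails the check for exactly the reason described above.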