Merge pull request #17388 from vikstrous/notary_docs

more notary documentation

docs/reference/commandline/cli.md

@@ -48,6 +48,8 @@ by the `docker` command line:
 * `DOCKER_TLS_VERIFY` When set Docker uses TLS and verifies the remote.
 * `DOCKER_CONTENT_TRUST` When set Docker uses notary to sign and verify images.
   Equates to `--disable-content-trust=false` for build, create, pull, push, run.
+* `DOCKER_CONTENT_TRUST_SERVER` The URL of the Notary server to use. This defaults
+  to the same URL as the registry.
 * `DOCKER_TMPDIR` Location for temporary Docker files.
 
 Because Docker is developed using 'Go', you can also use any environment
@@ -109,6 +111,15 @@ Following is a sample `config.json` file:
       "psFormat": "table {{.ID}}\\t{{.Image}}\\t{{.Command}}\\t{{.Labels}}"
     }
 
+### Notary
+
+If using your own notary server and a self-signed certificate or an internal
+Certificate Authority, you need to place the certificate at
+`tls/<registry_url>/ca.crt` in your docker config directory.
+
+Alternatively you can trust the certificate globally by adding it to your system's
+list of root Certificate Authorities.
+
 ## Help
 
 To list the help on any command just execute the command, followed by the

docs/security/trust/content_trust.md

@@ -31,7 +31,10 @@ Docker registries. These signatures allow client-side verification of the
 integrity and publisher of specific image tags.
 
 Currently, content trust is disabled by default. You must enabled it by setting
-the `DOCKER_CONTENT_TRUST` environment variable.
+the `DOCKER_CONTENT_TRUST` environment variable. Refer to the
+[environment variables](../../reference/commandline/cli.md#environment-variables)
+and [Notary](../../reference/commandline/cli.md#notary) configuration
+for the docker client for more options.
 
 Once content trust is enabled, image publishers can sign their images. Image consumers can
 ensure that the images they use are signed. publishers and consumers can be

docs/security/trust/deploying_notary.md

@@ -0,0 +1,34 @@
+<!--[metadata]>
++++
+title = "Deploying Notary"
+description = "Deploying Notary"
+keywords = ["trust, security, notary, deployment"]
+[menu.main]
+parent= "smn_content_trust"
++++
+<![end-metadata]-->
+
+# Deploying Notary Server with Compose
+
+The easiest way to deploy Notary Server is by using Docker Compose. To follow the procedure on this page, you must have already [installed Docker Compose](../../../compose/install.md).
+
+1. Clone the Notary repository
+
+        git clone git@github.com:docker/notary.git
+
+2. Build and start Notary Server with the sample certificates.
+
+        docker-compose up -d
+
+
+    For more detailed documentation about how to deploy Notary Server see https://github.com/docker/notary.
+3. Make sure that your Docker or Notary client trusts Notary Server's certificate before you try to interact with the Notary server.
+
+See the instructions for [Docker](../../reference/commandline/cli.md#notary) or
+for [Notary](https://github.com/docker/notary#using-notary) depending on which one you are using.
+
+## If you want to use Notary in production
+
+Please check back here for instructions after Notary Server has an official
+stable release. To get a head start on deploying Notary in production see
+https://github.com/docker/notary.