From e869e8aa3d0671394f83d0b6ea7d90cb310e5b61 Mon Sep 17 00:00:00 2001 From: Viktor Stanchev Date: Mon, 26 Oct 2015 16:54:47 -0700 Subject: [PATCH] more notary documentation Signed-off-by: Viktor Stanchev --- docs/reference/commandline/cli.md | 11 ++++++++ docs/security/trust/content_trust.md | 5 +++- docs/security/trust/deploying_notary.md | 34 +++++++++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 docs/security/trust/deploying_notary.md diff --git a/docs/reference/commandline/cli.md b/docs/reference/commandline/cli.md index 78d1963d35..573015d01b 100644 --- a/docs/reference/commandline/cli.md +++ b/docs/reference/commandline/cli.md @@ -48,6 +48,8 @@ by the `docker` command line: * `DOCKER_TLS_VERIFY` When set Docker uses TLS and verifies the remote. * `DOCKER_CONTENT_TRUST` When set Docker uses notary to sign and verify images. Equates to `--disable-content-trust=false` for build, create, pull, push, run. +* `DOCKER_CONTENT_TRUST_SERVER` The URL of the Notary server to use. This defaults + to the same URL as the registry. * `DOCKER_TMPDIR` Location for temporary Docker files. Because Docker is developed using 'Go', you can also use any environment @@ -109,6 +111,15 @@ Following is a sample `config.json` file: "psFormat": "table {{.ID}}\\t{{.Image}}\\t{{.Command}}\\t{{.Labels}}" } +### Notary + +If using your own notary server and a self-signed certificate or an internal +Certificate Authority, you need to place the certificate at +`tls//ca.crt` in your docker config directory. + +Alternatively you can trust the certificate globally by adding it to your system's +list of root Certificate Authorities. + ## Help To list the help on any command just execute the command, followed by the diff --git a/docs/security/trust/content_trust.md b/docs/security/trust/content_trust.md index 06024a9e80..e183d17544 100644 --- a/docs/security/trust/content_trust.md +++ b/docs/security/trust/content_trust.md 
@@ -31,7 +31,10 @@ Docker registries. These signatures allow client-side verification of the integrity and publisher of specific image tags. Currently, content trust is disabled by default. You must enabled it by setting -the `DOCKER_CONTENT_TRUST` environment variable. +the `DOCKER_CONTENT_TRUST` environment variable. Refer to the +[environment variables](../../reference/commandline/cli.md#environment-variables) +and [Notary](../../reference/commandline/cli.md#notary) configuration +for the docker client for more options. Once content trust is enabled, image publishers can sign their images. Image consumers can ensure that the images they use are signed. publishers and consumers can be diff --git a/docs/security/trust/deploying_notary.md b/docs/security/trust/deploying_notary.md new file mode 100644 index 0000000000..7748c6f92f --- /dev/null +++ b/docs/security/trust/deploying_notary.md @@ -0,0 +1,34 @@ + + +# Deploying Notary Server with Compose + +The easiest way to deploy Notary Server is by using Docker Compose. To follow the procedure on this page, you must have already [installed Docker Compose](../../../compose/install.md). + +1. Clone the Notary repository + + git clone git@github.com:docker/notary.git + +2. Build and start Notary Server with the sample certificates. + + docker-compose up -d + + + For more detailed documentation about how to deploy Notary Server see https://github.com/docker/notary. +3. Make sure that your Docker or Notary client trusts Notary Server's certificate before you try to interact with the Notary server. + +See the instructions for [Docker](../../reference/commandline/cli.md#notary) or +for [Notary](https://github.com/docker/notary#using-notary) depending on which one you are using. + +## If you want to use Notary in production + +Please check back here for instructions after Notary Server has an official +stable release. To get a head start on deploying Notary in production see +https://github.com/docker/notary.
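Review bot: the new `DOCKER_CONTENT_TRUST_SERVER` entry in the first `cli.md` hunk does not say what form the value takes. Since the entry directly above it says the variable drives signing and verification of images, state that the value is a full URL including the scheme (for example `https://notary.example.com:4443`, a placeholder) and that the certificate handling added to this same file under `### Notary` applies to that server, so readers do not point verification at a plain-HTTP endpoint.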
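Review bot: the path `tls//ca.crt` in the new `### Notary` section of `cli.md` has an empty directory component, so the reader cannot tell what belongs between `tls/` and `ca.crt`; spell the placeholder out (presumably the Notary server's hostname, or hostname:port, i.e. `tls/<hostname>/ca.crt`) and say where the docker config directory is by default (`~/.docker`) so the full path is unambiguous. The second paragraph, which offers adding the certificate to the system's root CAs as an alternative, should also note that this trusts the internal CA for every TLS client on the machine, whereas the per-server `tls/` directory limits the trust to the Docker client and that one host, so the first option is the narrower one.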
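Review bot: while this paragraph of `content_trust.md` is being edited, the unchanged context line `You must enabled it by setting` should read `You must enable it by setting`, and the context line beginning `publishers and consumers can be` needs a capital P, since both belong to the sentences the new links extend. The two new links depend on the `#environment-variables` and `#notary` anchors in `cli.md`; `#notary` matches the `### Notary` heading added in this patch, but confirm that `cli.md` has a heading that slugs to `environment-variables`, otherwise the link lands at the top of the page.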
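Review bot: in the new `deploying_notary.md`, step 2 runs `docker-compose up -d` straight after the clone in step 1, but nothing changes into the cloned directory, so the command would not find the Compose file; add `cd notary` (or name the directory) between the two steps. Step 1 clones over SSH (`git@github.com:docker/notary.git`), which requires a GitHub account with an SSH key, while `https://github.com/docker/notary.git` works for any reader. Because step 2 starts the server with the repository's sample certificates, whose private keys are public along with the repository, the page should say that this deployment is for local testing only and that real certificates must be issued before any client is told to trust it, which also ties in with the placeholder production section at the end. Two smaller points: the paragraph after step 3 (`See the instructions for ...`) is not indented, so it breaks out of the numbered list, and the two empty `+` lines at the top of the file look like a leftover from an intended metadata block.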