Clarifying use of flag
Updating with Seb's comments
Updating with comments from review
Signed-off-by: Mary Anthony <mary@docker.com>
This commit is contained in:
parent 552c361f39
commit a2f545c86d
@ -138,13 +138,13 @@ for details on creating, securing, and backing up your keys.
This section surveys the typical trusted operations users perform with Docker
images.
### Enable content trust
### Enable and disable content trust per-shell or per-invocation
Enable content trust by setting the `DOCKER_CONTENT_TRUST` environment variable.
Enabling per-shell is useful because you can have one shell configured for
trusted operations and another terminal shell for untrusted operations. You can
also add this declaration to your shell profile to have it turned on always by
default.
In a shell, you can enable content trust by setting the `DOCKER_CONTENT_TRUST`
environment variable. Enabling per-shell is useful because you can have one
shell configured for trusted operations and another terminal shell for untrusted
operations. You can also add this declaration to your shell profile to have it
turned on always by default.
To enable content trust in a `bash` shell enter the following command:
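Review bot: the new heading promises "Enable and disable content trust per-shell or per-invocation", but the paragraph under it only covers enabling via `DOCKER_CONTENT_TRUST`; add one sentence on the disable side at the per-shell level (unset the variable, or keep a second shell that never sets it, which the paragraph already hints at) so the section matches its title. It is also worth saying explicitly that putting the export in a shell profile applies it to every script launched from that shell, not just interactive commands. Minor: "enable content trust by setting the `DOCKER_CONTENT_TRUST` environment variable" would be more precise as "by setting `DOCKER_CONTENT_TRUST=1`", since `=1` is what the example below uses.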
@ -152,17 +152,30 @@ To enable content trust in a `bash` shell enter the following command:
export DOCKER_CONTENT_TRUST=1
```
Once set, each of the "tag" operations require key for trusted tag. All of these
commands also support the `--disable-content-trust` flag. This flag allows
publishers to run individual operations on tagged images without content trust on an
as-needed basis.
Once set, each of the "tag" operations requires a key for a trusted tag.
In an environment where `DOCKER_CONTENT_TRUST` is set, you can use the
`--disable-content-trust` flag to run individual operations on tagged images
without content trust on an as-needed basis.
```bash
$ docker pull --disable-content-trust docker/trusttest:untrusted
```
To invoke a command with content trust enabled regardless of whether or how the `DOCKER_CONTENT_TRUST` variable is set:
```bash
$ docker build --disable-content-trust=false -t docker/trusttest:testing .
```
All of the trusted operations support the `--disable-content-trust` flag.
### Push trusted content
To create signed content for a specific image tag, simply enable content trust and push
a tagged image. If this is the first time you have pushed an image using content trust
on your system, the session looks like this:
To create signed content for a specific image tag, simply enable content trust
and push a tagged image. If this is the first time you have pushed an image
using content trust on your system, the session looks like this:
```bash
$ docker push docker/trusttest:latest
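Review bot: the new `docker pull --disable-content-trust docker/trusttest:untrusted` example needs a sentence on what is given up: running the pull "without content trust" means the tag is not checked against the signed trust data at all, so the client accepts whatever the registry returns for it, which is exactly why the text should keep framing the flag as an as-needed exception rather than a convenience. Two smaller points: the `--disable-content-trust=false` example should say why the `=false` form is used (it is a boolean flag, so a space-separated `--disable-content-trust false` would not be read as the flag's value), and the closing line "All of the trusted operations support the `--disable-content-trust` flag." now repeats the paragraph that introduces the flag a few lines above it; fold it into that paragraph or drop it. The reworded "requires a key for a trusted tag" is also still vague, since a push needs the signing keys while a pull needs signed trust data for the tag; say which operation needs what.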
@ -183,19 +196,19 @@ Enter passphrase for new tagging key with id docker.io/docker/trusttest (3a932f1
Repeat passphrase for new tagging key with id docker.io/docker/trusttest (3a932f1):
Finished initializing "docker.io/docker/trusttest"
```
When you push your first tagged image with content trust enabled, the `docker` client
recognizes this is your first push and:
When you push your first tagged image with content trust enabled, the `docker`
client recognizes this is your first push and:
- alerts you that it will create a new offline key
- requests a passphrase for the key
- generates an offline key in the `~/.docker/trust` directory
- generates a tagging key for in the `~/.docker/trust` directory
The passphrase you chose for both the offline key and your content key-pair should
be randomly generated and stored in a *password manager*.
The passphrase you chose for both the offline key and your content key-pair
should be randomly generated and stored in a *password manager*.
It is important to note, if you had left off the `latest` tag, content trust is skipped.
This is true even if content trust is enabled and even if this is your first push.
> **NOTE**: If you omit the `latest` tag, content trust is skipped. This is true
even if content trust is enabled and even if this is your first push.
```bash
$ docker push docker/trusttest
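Review bot: the bullet "generates a tagging key for in the `~/.docker/trust` directory" carries a stray "for" (it is a context line, but the surrounding paragraph is being rewrapped anyway, so fix it here), and the passphrase sentence switches from "tagging key" in the bullets to "content key-pair" in the next paragraph; use one name for the same key, and "choose" rather than "chose". The NOTE's "If you omit the `latest` tag" reads as if it were specific to `latest`, while the example that follows is `docker push docker/trusttest` with no tag at all; "If you push without a tag" says what is meant and avoids suggesting that other tags behave differently.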
@ -286,6 +299,3 @@ $ docker push --disable-content-trust docker/trusttest:untrusted
* [Manage keys for content trust](/security/trust/trust_key_mng)
* [Automation with content trust](/security/trust/trust_automation)
* [Play in a content trust sandbox](/security/trust/trust_sandbox)