From 2a449f3886831ac3b11687dac64c9c4e1117696a Mon Sep 17 00:00:00 2001 From: Anne Henmi Date: Wed, 7 Nov 2018 09:58:57 -0800 Subject: [PATCH] Fixed table, hopefully. --- engine/security/trust/content_trust.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/engine/security/trust/content_trust.md b/engine/security/trust/content_trust.md index a68fe3883f..40ac8fb190 100644 --- a/engine/security/trust/content_trust.md +++ b/engine/security/trust/content_trust.md 
@@ -173,15 +173,20 @@ The signature verification feature is configured in the Docker daemon configurat ``` | ***Stanza*** | ***Description*** | + | ----------------------- |---------------| + | `trust-pinning:root-keys` | Root key IDs are canonical IDs that sign the root metadata of the image trust data. In Docker Certified Trust (DCT), the root keys are unique certificates tying the name of the image to the repo metadata.  The private key ID (the canonical key ID) corresponding to the certificate does not depend on the image name. If an image’s name matches more than one glob, then the most specific (longest) one is chosen.| -|`trust-pinning:library-images` | This option pins the official libraries (`docker.io/library/*`) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by `trust-pinning:root-keys`. If `trustpinning:root-keys` specifies a key mapping for `docker.io/library/*`, those keys will be preferred for trust pinning. Otherwise, if a more general `docker.io/*` or `*` are specified, the official images key will be preferred.| + +|`trust-pinning:library-images` | This option pins the official libraries (`docker.io/library/*`) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by `trust-pinning:root-keys`. If `trustpinning:root-keys` specifies a key mapping for `docker.io/library/*`, those keys will be preferred for trust pinning. Otherwise, if a more general `docker.io/*` or `*` are specified, the official images key will be preferred.| + | `allow-expired-trust-cache` | Specifies whether cached locally expired metadata validates images if an external server is unreachable or does not have image trust metadata. This is necessary for machines which may be often offline, as may be the case for edge. 
This does not provide mitigations against freeze attacks, which is a necessary to provide availability in low-connectivity environments. | | `mode` | Specifies whether DCT is enabled and enforced. Valid modes are:
`disabled`: Verification is not active and the remainder of the content-trust related metadata will be ignored. *NOTE* that this is the default configuration if “mode” is not specfied.
`permissive`: Verification will be performed, but only failures will only be logged and remain unenforced. This configuration is intended for testing of changes related to content-trust.
`enforced`: DCT will be enforced and an image that cannot be verified successfully will not be pulled or run. | + ***Note:*** The DCT configuration defined here is agnostic of any policy defined in [UCP](https://docs.docker.com/v17.09/datacenter/ucp/2.0/guides/content-trust/#configure-ucp). Images that can be deployed by the UCP trust policy but are disallowed by the Docker Engine
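Review bot: The empty `+` line added just before the re-added `|`trust-pinning:library-images`` row will break the table rather than fix it: GitHub-flavored Markdown terminates a table at the first blank line, so that row and the `allow-expired-trust-cache` and `mode` rows that follow it will render as plain paragraphs, not table rows. Drop the blank line so every row stays contiguous with the new `| ----------------------- |---------------|` separator. The `allow-expired-trust-cache` and `mode` cells also still appear to contain hard line breaks (the `disabled` / `permissive` / `enforced` list on its own lines), which GFM tables do not support either; join them with `<br>` or move that list out of the table. Two small wording points in the same rows while you are in here: `trustpinning:root-keys` in the library-images row should match the stanza name `trust-pinning:root-keys`, "specfied" is a typo, and "only failures will only be logged" has a duplicated "only".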