Update content_trust.md

Converted table to markdown
This commit is contained in:
Maria Bermudez 2018-11-07 15:56:20 -08:00 committed by GitHub
parent 1755ede5d9
commit 4da484fbe8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 31 deletions


@ -171,37 +171,13 @@ The signature verification feature is configured in the Docker daemon configurat
}
}
```
<table>
<tr>
<td><b>Stanza</b></td>
<td><b>Description</b></td>
</tr>
<tr>
<td><code>trust-pinning:root-keys</code></td>
<td>Root key IDs are canonical IDs that sign the root metadata of the image trust data. In Docker Certified Trust (DCT), the root keys are unique certificates tying the name of the image to the repo metadata.  The private key ID (the canonical key ID) corresponding to the certificate does not depend on the image name. If an images name matches more than one glob, then the most specific (longest) one is chosen.</td>
</tr>
<tr>
<td><code>trust-pinning:library-images</code></td>
<td>This option pins the official libraries (<code>docker.io/library/*</code>) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by <code>trust-pinning:root-keys<\code>. If `trustpinning:root-keys` specifies a key mapping for <code>docker.io/library/*</code>, those keys will be preferred for trust pinning. Otherwise, if a more general <code>docker.io/*</code> or <code>*</code> are specified, the official images key will be preferred.</td>
</tr>
<tr>
<td><code>allow-expired-trust-cache</code></td>
<td>Specifies whether cached locally expired metadata validates images if an external server is unreachable or does not have image trust metadata. This is necessary for machines which may be often offline, as may be the case for edge. This does not provide mitigations against freeze attacks, which is a necessary to provide availability in low-connectivity environments.</td>
</tr>
<tr>
<td><code>mode</code></td>
<td>Specifies whether DCT is enabled and enforced. Valid modes are: <code>disabled</code>:
Verification is not active and the remainder of the content-trust related metadata will be ignored.
*NOTE* that this is the default configuration if <code>mode</code> is not specfied.<br>
<code>permissive</code>: Verification will be performed, but only failures will only be logged and
remain unenforced. This configuration is intended for testing of changes related to content-trust.
<br>
<code>enforced</code>: DCT will be enforced and an image that cannot be verified successfully will not
be pulled or run.
</td>
</tr>
</table>
| | |
| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| \*\*Stanza\*\* | \*\*Description\*\* |
| \`trust-pinning:root-keys\` | Root key IDs are canonical IDs that sign the root metadata of the image trust data. In Docker Certified Trust (DCT), the root keys are unique certificates tying the name of the image to the repo metadata. The private key ID (the canonical key ID) corresponding to the certificate does not depend on the image name. If an images name matches more than one glob, then the most specific (longest) one is chosen. |
| \`trust-pinning:library-images\` | This option pins the official libraries (\`docker.io/library/\*\`) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by \`trust-pinning:root-keys\<\\code\>. If \`trustpinning:root-keys\` specifies a key mapping for \`docker.io/library/\*\`, those keys will be preferred for trust pinning. Otherwise, if a more general \`docker.io/\*\` or \`\*\` are specified, the official images key will be preferred.\` |
| \`allow-expired-trust-cache\` | Specifies whether cached locally expired metadata validates images if an external server is unreachable or does not have image trust metadata. This is necessary for machines which may be often offline, as may be the case for edge. This does not provide mitigations against freeze attacks, which is a necessary to provide availability in low-connectivity environments. |
| \`mode\` | Specifies whether DCT is enabled and enforced. Valid modes are: \`disabled\`: Verification is not active and the remainder of the content-trust related metadata will be ignored. \*NOTE\* that this is the default configuration if \`mode\` is not specfied. \`permissive\`: Verification will be performed, but only failures will only be logged and remain unenforced. This configuration is intended for testing of changes related to content-trust. \`enforced\`: DCT will be enforced and an image that cannot be verified successfully will not be pulled or run. |
***Note:*** The DCT configuration defined here is agnostic of any policy defined in
[UCP](https://docs.docker.com/v17.09/datacenter/ucp/2.0/guides/content-trust/#configure-ucp).
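Review bot: the new markdown table escapes its own formatting, so it will not render as intended: `\*\*Stanza\*\*` and `\`trust-pinning:root-keys\`` print literal asterisks and backticks instead of bold and code, and the empty `| | |` header row pushes the Stanza/Description labels into the body. Suggest `| Stanza | Description |` as the header, `| --- | --- |` as the separator, and plain `` `trust-pinning:root-keys` `` in the cells. The library-images row also carries over the old broken `<\code>` tag as `\<\\code\>` and ends with a stray backtick; the `mode` row flattens the three modes into one run of text, losing the line breaks that separated `disabled`, `permissive` and `enforced` (a `<br>` in the cell or one bullet per mode keeps them readable); and the existing typos survive the conversion: "specfied", "an images name", "which is a necessary", and `trustpinning:root-keys` where the stanza is named `trust-pinning:root-keys` elsewhere.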