diff --git a/cmd/notary-server/main.go b/cmd/notary-server/main.go
index 044da76108..7b970fe54e 100644
--- a/cmd/notary-server/main.go
+++ b/cmd/notary-server/main.go
@@ -244,8 +244,8 @@ func usage() {
// endpoints. The addr should not be exposed externally. For most of these to
// work, tls cannot be enabled on the endpoint, so it is generally separate.
func debugServer(addr string) {
- logrus.Info("Debug server listening on", addr)
+ logrus.Infof("Debug server listening on %s", addr)
if err := http.ListenAndServe(addr, nil); err != nil {
- logrus.Fatal("error listening on debug interface: ", err)
+ logrus.Fatalf("error listening on debug interface: %v", err)
}
}
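Review bot: `logrus.Fatalf` on the `ListenAndServe` error at the end of the hunk takes the whole notary-server process down if the optional debug port cannot be bound (for instance, already in use), turning a best-effort pprof/expvar endpoint into a single point of failure for the server; `logrus.Errorf("error listening on debug interface: %v", err)` followed by a plain return keeps the main listener running. With a `nil` handler the pprof/expvar routes on `http.DefaultServeMux` are also served with no read or write timeouts, so a slow or idle client can hold connections open indefinitely; an explicit `http.Server` with `ReadHeaderTimeout` set is the usual fix, though that needs a `time` import I cannot see in this hunk. Nothing in `debugServer` enforces the "should not be exposed externally" comment above it: the docs say the default is `localhost:8080`, but a non-loopback `addr` is accepted silently, and a startup warning when the host part is not loopback would make that intent checkable. The format-string change itself is fine.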
diff --git a/cmd/notary-signer/main.go b/cmd/notary-signer/main.go
index ee0ed63613..2d22aaffe0 100644
--- a/cmd/notary-signer/main.go
+++ b/cmd/notary-signer/main.go
@@ -240,8 +240,8 @@ func usage() {
// endpoints. The addr should not be exposed externally. For most of these to
// work, tls cannot be enabled on the endpoint, so it is generally separate.
func debugServer(addr string) {
- log.Println("Debug server listening on", addr)
+ logrus.Infof("Debug server listening on %s", addr)
if err := http.ListenAndServe(addr, nil); err != nil {
- log.Fatalf("error listening on debug interface: %v", err)
+ logrus.Fatalf("error listening on debug interface: %v", err)
}
}
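Review bot: The move from `log.Fatalf` to `logrus.Fatalf` keeps the behaviour that a failure to bind the optional debug listener aborts the whole signer process, which for a key-holding service is a worse trade than on the server: a port clash on a diagnostics endpoint stops all signing. `logrus.Errorf("error listening on debug interface: %v", err)` and a return is the safer shape. If the standard `log` package is no longer referenced anywhere else in cmd/notary-signer/main.go after this hunk, its import must be dropped as well or the file will not compile; the import block is outside the hunk, so I cannot confirm either way. As in the server, the `nil` handler serves whatever pprof/expvar registered on `http.DefaultServeMux` with no timeouts, and an explicit `http.Server` with `ReadHeaderTimeout` would bound that, at the cost of a `time` import whose presence I cannot verify here.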
diff --git a/docs/notary-server-config.md b/docs/notary-server-config.md
index 2fbd7754af..a9241b438f 100644
--- a/docs/notary-server-config.md
+++ b/docs/notary-server-config.md
@@ -15,18 +15,9 @@ An example (full) server configuration file.
```json
{
"server": {
- "addr": ":4443",
+ "http_addr": ":4443",
"tls_key_file": "./fixtures/notary-server.key",
"tls_cert_file": "./fixtures/notary-server.crt",
- "auth": {
- "type": "token",
- "options": {
- "realm": "https://auth.docker.io/token",
- "service": "notary-server",
- "issuer": "auth.docker.io",
- "rootcertbundle": "/path/to/auth.docker.io/cert"
- }
- }
},
"trust_service": {
"type": "remote",
@@ -37,17 +28,27 @@ An example (full) server configuration file.
"tls_client_cert": "./fixtures/notary-server.crt",
"tls_client_key": "./fixtures/notary-server.key"
},
+ "storage": {
+ "backend": "mysql",
+ "db_url": "user:pass@tcp(notarymysql:3306)/databasename?parseTime=true"
+ },
+ "auth": {
+ "type": "token",
+ "options": {
+ "realm": "https://auth.docker.io/token",
+ "service": "notary-server",
+ "issuer": "auth.docker.io",
+ "rootcertbundle": "/path/to/auth.docker.io/cert"
+ }
+ },
"logging": {
"level": "debug"
},
- "storage": {
- "backend": "mysql",
- "db_url": "dockercondemo:dockercondemo@tcp(notarymysql:3306)/dockercondemo"
- },
"reporting": {
- "bugsnag": "yes",
- "bugsnag_api_key": "c9d60ae4c7e70c4b6c4ebd3e8056d2b8",
- "bugsnag_release_stage": "notary-server"
+ "bugsnag": {
+ "api_key": "c9d60ae4c7e70c4b6c4ebd3e8056d2b8",
+ "release_stage": "production"
+ }
}
}
```
@@ -58,7 +59,7 @@ Example:
```json
"server": {
- "addr": ":4443",
+ "http_addr": ":4443",
"tls_key_file": "./fixtures/notary-server.key",
"tls_cert_file": "./fixtures/notary-server.crt"
}
@@ -70,7 +71,7 @@ Example:
Description |
- addr |
+ http_addr |
yes |
The TCP address (IP and port) to listen on. Examples:
@@ -90,8 +91,8 @@ Example:
The path to the private key to use for
HTTPS. Must be provided together with tls_cert_file ,
or not at all. If neither are provided, the server will use HTTP
- instead of HTTPS. The path is relative to the directory where
- notary-server is run. |
+ instead of HTTPS. The path is relative to the directory of the
+ configuration file. |
tls_cert_file |
@@ -99,12 +100,130 @@ Example:
The path to the certificate to use for HTTPS.
Must be provided together with tls_key_file , or not
at all. If neither are provided, the server will use HTTP instead
- of HTTPS. The path is relative to the directory where notary-server
- is run. |
+ of HTTPS. The path is relative to the directory of the
+ configuration file.
-### `auth` subsection (optional)
+## `trust service` section (required)
+
+This section configures either a remote trust service, such as
+[Notary Signer](notary-signer.md) or a local in-memory ED25519 trust service.
+
+Remote trust service example:
+
+```json
+"trust_service": {
+ "type": "remote",
+ "hostname": "notarysigner",
+ "port": "7899",
+ "key_algorithm": "ecdsa",
+ "tls_ca_file": "./fixtures/root-ca.crt",
+ "tls_client_key": "./fixtures/notary-server.key",
+ "tls_client_cert": "./fixtures/notary-server.crt"
+}
+```
+
+Local trust service example:
+
+```json
+"trust_service": {
+ "type": "local"
+}
+```
+
+
+
+ Parameter |
+ Required |
+ Description |
+
+
+ type |
+ yes |
+ Must be "remote" or "local" |
+
+
+ hostname |
+ yes if remote |
+ The hostname of the remote trust service |
+
+
+ port |
+ yes if remote |
+ The GRPC port of the remote trust service |
+
+
+ key_algorithm |
+ yes if remote |
+ Algorithm to use to generate keys stored on the
+ signing service. Valid values are "ecdsa" ,
+ "rsa" , and "ed25519" . |
+
+
+ tls_ca_file |
+ no |
+ The path to the root CA that signed the TLS
+ certificate of the remote service. This parameter if said root
+ CA is not in the system's default trust roots. The path is
+ relative to the directory of the configuration file. |
+
+
+ tls_client_key |
+ no |
+ The path to the private key to use for TLS mutual
+ authentication. This must be provided together with
+ tls_client_cert or not at all. The path is relative
+ to the directory of the configuration file. |
+
+
+ tls_client_cert |
+ no |
+ The path to the certificate to use for TLS mutual
+ authentication. This must be provided together with
+ tls_client_key or not at all. The path is relative
+ to the directory of the configuration file. |
+
+
+
+
+## `storage` section (required)
+
+The storage section specifies which storage backend the server should use to
+store TUF metadata. Currently, we only support MySQL or an in-memory store.
+
+DB storage example:
+
+```json
+"storage": {
+ "backend": "mysql",
+ "db_url": "user:pass@tcp(notarymysql:3306)/databasename?parseTime=true"
+}
+```
+
+
+
+ Parameter |
+ Required |
+ Description |
+
+
+ backend |
+ yes |
+ Must be "mysql" or "memory" .
+ If "memory" is selected, the db_url
+ is ignored. |
+
+
+ db_url |
+ yes if not memory |
+ The
+ the Data Source Name used to access the DB.
+ (note: please include "parseTime=true" as part of the the DSN) |
+
+
+
+## `auth` section (optional)
This sections specifies the authentication options for the server.
Currently, we only support token authentication.
@@ -155,87 +274,6 @@ authentication post login.)
-## `trust service` section (optional but recommended)
-
-This section is required to specify a remote trust service, such as
-[Notary Signer](notary-signer.md). If it is left out or invalid, a local
-in-memory ED25519 trust service will be used instead.
-
-Remote trust service example:
-
-```json
-"trust_service": {
- "type": "remote",
- "hostname": "notarysigner",
- "port": "7899",
- "key_algorithm": "ecdsa",
- "tls_ca_file": "./fixtures/root-ca.crt",
- "tls_client_key": "./fixtures/notary-server.key",
- "tls_client_cert": "./fixtures/notary-server.crt"
-}
-```
-
-Note that this entire section is optional. However, if you would like to use a
-separate trust service (recommended), then you need the required parameters
-below to configure it.
-
-
-
- Parameter |
- Required |
- Description |
-
-
- type |
- yes |
- Must be "remote" ; all other values
- will result in a local trust service (and the rest of the
- parameters will be ignored) |
-
-
- hostname |
- yes |
- The hostname of the remote trust service |
-
-
- port |
- yes |
- The GRPC port of the remote trust service |
-
-
- key_algorithm |
- yes |
- Algorithm to use to generate keys stored on the
- signing service. Valid values are "ecdsa" ,
- "rsa" , and "ed25519" . |
-
-
- tls_ca_file |
- no |
- The path to the root CA that signed the TLS
- certificate of the remote service. This parameter if said root
- CA is not in the system's default trust roots. The path is
- relative to the directory where notary-server is run. |
-
-
- tls_client_key |
- no |
- The path to the private key to use for TLS mutual
- authentication. This must be provided together with
- tls_client_cert or not at all. The path is relative
- to the directory where notary-server is run. |
-
-
- tls_client_cert |
- no |
- The path to the certificate to use for TLS mutual
- authentication. This must be provided together with
- tls_client_key or not at all. The path is relative
- to the directory where notary-server is run. |
-
-
-
-
## `logging` section (optional)
The logging section sets the log level of the server. If it is not provided
@@ -268,46 +306,6 @@ below to configure it.
-## `storage` section (optional but recommended)
-
-The storage section specifies which storage backend the server should use to
-store TUF metadata. Currently, we only support MySQL. If this
-section is not provided or invalid, an in-memory store will be used instead.
-
-DB storage example:
-
-```json
-"storage": {
- "backend": "mysql",
- "db_url": "dockercondemo:dockercondemo@tcp(notarymysql:3306)/dockercondemo"
-}
-```
-
-Note that this entire section is optional. However, if you would like to
-use a database backend (recommended), then you need the required parameters
-below to configure it.
-
-
-
- Parameter |
- Required |
- Description |
-
-
- backend |
- yes |
- Must be "mysql" ; all other values will
- result in an in-memory store (and the rest of the parameters will
- be ignored) |
-
-
- db_url |
- yes |
- The URL used to access the DB, which includes both the
- endpoint the username/credentials |
-
-
-
## `reporting` section (optional)
The reporting section contains any configuration for useful for running the
@@ -319,15 +317,18 @@ about these configuration parameters.
```json
"reporting": {
- "bugsnag": "yes",
- "bugsnag_api_key": "c9d60ae4c7e70c4b6c4ebd3e8056d2b8",
- "bugsnag_release_stage": "notary-server"
+ "bugsnag": {
+ "api_key": "c9d60ae4c7e70c4b6c4ebd3e8056d2b8",
+ "release_stage": "production"
+ }
}
```
Note that this entire section is optional. However, if you would like to
-report errors to Bugsnag, then you need the required parameters below to
-configure it.
+report errors to Bugsnag, then you need to include a `bugsnag` subsection,
+along with the required parameters below, to configure it.
+
+**Bugsnag reporting:**
@@ -336,18 +337,12 @@ configure it.
Description |
- bugsnag |
+ api_key |
yes |
- Any string value. If this value is not set, no errors will be
- reported to Bugsnag (all other parameters will be ignored) |
+ The BugSnag API key to use to report errors. |
- bugsnag_api_key |
- yes |
- The API key to use to report errors. |
-
-
- bugsnag_release_stage |
+ release_stage |
yes |
The current release stage, such as "production". You can
use this value to filter errors in the Bugsnag dashboard. |
diff --git a/docs/notary-server.md b/docs/notary-server.md
index 3a32004199..a068c02191 100644
--- a/docs/notary-server.md
+++ b/docs/notary-server.md
@@ -77,6 +77,7 @@ for more details about the format of the configuration file.
You can also override the parameters of the configuration by
setting environment variables of the form `NOTARY_SERVER_var`.
+
`var` is the ALL-CAPS, `"_"`-delimited path of keys from the top level of the
configuration JSON.
@@ -93,45 +94,58 @@ configuration:
the full path of keys is `storage -> db_url`. So the environment variable you'd
need to set would be `NOTARY_SERVER_STORAGE_DB_URL`.
+For example, if running the binary:
+
+```
+$ export NOTARY_SERVER_STORAGE_DB_URL=myuser:mypass@tcp(my-db)/dbname?parseTime=true
+$ NOTARY_SERVER_LOGGING_LEVEL=info notary-server -config /path/to/config.json
+```
+
Note that you cannot override a key whose value is another map.
-For instance, setting `NOTARY_SERVER_STORAGE=""` will not disable the
-MySQL storage. You can only override keys whose values are strings or numbers.
+For instance, setting
+`NOTARY_SERVER_STORAGE='{"storage": {"backend": "memory"}}'` will not
+set in-memory storage. It just fails to parse. You can only override keys
+whose values are strings or numbers.
-#### Running a Docker image
+#### Running Notary Server
+
+Configuration options:
+
+- `-config=` - The JSON configuration file.
+
+- `-debug` - Passing this flag enables the debugging server on `localhost:8080`.
+ The debugging server provides [pprof](https://golang.org/pkg/net/http/pprof/)
+ and [expvar](https://golang.org/pkg/expvar/) endpoints.
+
+
+Get the official Docker image, which comes with [some sane defaults](
+https://github.com/docker/notary/blob/master/fixtures/server-config-local.json),
+which include a remote trust service but local in-memory backing store.
-Get the official Docker image, which comes with [some defaults](
-https://github.com/docker/notary/blob/master/cmd/notary-server/config.json).
You can override the default configuration with environment variables.
-For example, if you wanted to run it with just a local signing service and
-memory store (not recommended for production):
+For example, if you wanted to run it with just a local signing service instead
+(not recommended for production):
```
$ docker pull docker.io/docker/notary-server
$ docker run -p "4443:4443" \
- -e NOTARY_SERVER_TRUST_SERVICE_TYPE=local \
- -e NOTARY_SERVER_STORAGE_BACKEND=""
- -e NOTARY_SERVER_STORAGE_DB_URL=""
+ -e NOTARY_SERVER_TRUST_SERVICE_TYPE=local
notary-server
```
Alternately, you can run the image with your own configuration file entirely.
-The docker image loads the config file from `/opt/notary-server/config.json`,
-so you can mount a directory with your config file (named `config.json`)
-at `/opt/notary-server`:
+You just need to mount your configuration directory, and then pass the path to
+that configuration file as an argument to the `docker run` command:
```
-$ docker run -p "4443:4443" -v /path/to/config/dir:/opt/notary-server notary-server
+$ docker run -p "4443:4443" -v /path/to/config/dir/on/host:/path/in/container \
+ notary-server -config=/path/in/container/config.json
```
-#### Running the binary
-A JSON configuration file needs to be passed as a parameter/flag when starting
-up the Notary Server binary. Environment variables can also be set in addition
-to the configuration file, but the configuration file is required. For example:
-
-```
-$ export NOTARY_SERVER_STORAGE_DB_URL=myuser:mypass@tcp(my-db)/dbname
-$ NOTARY_SERVER_LOGGING_LEVEL=info notary-server -config /path/to/config.json
-```
+You can also pass the `-debug` flag to the container in addition to the
+configuration file, but the debug server port is not exposed by the container.
+In order to view the debug endpoints, you will have to `docker exec` into
+your container.
### What happens if the server is compromised
@@ -157,7 +171,7 @@ know that something is wrong.
### Ops features
-Notary server provides the following endpoints for operational friendliness:
+Notary Server provides the following features for operational friendliness:
1. A health endpoint at `/_notary_server/health` which returns 200 and a
body of `{}` if the server is healthy, and a 500 with a map of
diff --git a/docs/notary-signer-config.md b/docs/notary-signer-config.md
index 0cec02fb77..696eb31590 100644
--- a/docs/notary-signer-config.md
+++ b/docs/notary-signer-config.md
@@ -17,8 +17,8 @@ An example (full) server configuration file.
"server": {
"http_addr": ":4444",
"grpc_addr": ":7899",
- "cert_file": "./fixtures/notary-signer.crt",
- "key_file": "./fixtures/notary-signer.key",
+ "tls_cert_file": "./fixtures/notary-signer.crt",
+ "tls_key_file": "./fixtures/notary-signer.key",
"client_ca_file": "./fixtures/notary-server.crt"
},
"logging": {
@@ -26,21 +26,31 @@ An example (full) server configuration file.
},
"storage": {
"backend": "mysql",
- "db_url": "dockercondemo:dockercondemo@tcp(notarymysql:3306)/dockercondemo"
+ "db_url": "user:pass@tcp(notarymysql:3306)/databasename?parseTime=true",
+ "default_alias": "password1"
+ },
+ "reporting": {
+ "bugsnag": {
+ "api_key": "c9d60ae4c7e70c4b6c4ebd3e8056d2b8",
+ "release_stage": "production"
+ }
}
}
```
## `server` section (required)
+"server" in this case refers to Notary Signer's HTTP/GRPC server, not
+"Notary Server".
+
Example:
```json
"server": {
"http_addr": ":4444",
"grpc_addr": ":7899",
- "cert_file": "./fixtures/notary-signer.crt",
- "key_file": "./fixtures/notary-signer.key",
+ "tls_cert_file": "./fixtures/notary-signer.crt",
+ "tls_key_file": "./fixtures/notary-signer.key",
"client_ca_file": "./fixtures/notary-server.crt"
}
```
@@ -83,18 +93,18 @@ Example:
- key_file |
+ tls_key_file |
yes |
The path to the private key to use for
- HTTPS. The path is relative to the directory where
- notary-signer is run. |
+ HTTPS. The path is relative to the directory of the
+ configuration file.
- cert_file |
+ tls_cert_file |
yes |
The path to the certificate to use for
- HTTPS. The path is relative to the directory where
- notary-signer is run. |
+ HTTPS. The path is relative to the directory of the
+ configuration file.
client_ca_file |
@@ -103,21 +113,23 @@ Example:
mutual authentication. If provided, any clients connecting to
Notary Signer will have to have a client certificate signed by
this root. If not provided, mutual authentication will not be
- required. The path is relative to the directory where
- notary-signer is run.
+ required. The path is relative to the directory of the
+ configuration file.
## `storage` section (required)
-We only support MySQL, currently, and it must be provided.
+This is used to store encrypted priate keys. We only support MySQL or an
+in-memory store, currently.
Example:
```json
"storage": {
"backend": "mysql",
- "db_url": "dockercondemo:dockercondemo@tcp(notarymysql:3306)/dockercondemo"
+ "db_url": "user:pass@tcp(notarymysql:3306)/databasename?parseTime=true",
+ "default_alias": "password1"
}
```
@@ -130,31 +142,53 @@ Example:
backend |
yes |
- Must be "mysql" |
+ Must be "mysql" or "memory" .
+ If "memory" is selected, the db_url
+ is ignored. |
db_url |
- yes |
- The URL used to access the DB, which includes both the
- endpoint the username/credentials |
+ yes if not memory |
+ The
+ the Data Source Name used to access the DB.
+ (note: please include "parseTime=true" as part of the the DSN) |
+
+
+ default_alias |
+ yes if not memory |
+ This parameter specifies the alias of the current
+ password used to encrypt the private keys in the DB. All new
+ private keys will be encrypted using this password, which
+ must also be provided as the environment variable
+ NOTARY_SIGNER_<default_alias_value> . |
+**Required environment variable:**
+NOTARY_SIGNER_<default_alias_value>
+
+**Optional environment variables:**
+NOTARY_SIGNER_<old_alias_value>
for as many old alias values
+as needed. This will ensure that older private keys, encrypted with older
+passwords, can be decrypted.
## `logging` section (optional)
-The logging section sets the log level of the server. If not provided, or if
-any part of this section is invalid, the server defaults to an ERROR logging
-level.
+The logging section sets the log level of the server. If it is not provided
+or invalid, the signer defaults to an ERROR logging level.
Example:
```json
"logging": {
- "level": 2
+ "level": "debug"
}
```
+Note that this entire section is optional. However, if you would like to
+specify a different log level, then you need the required parameters
+below to configure it.
+
Parameter |
@@ -164,9 +198,52 @@ Example:
level |
yes |
- An integer between 0 and 5, representing values
- "debug" (5), "info" (4),
- "warning" (3), "error" (2),
- "fatal" (1), or "panic" (0) |
+ One of "debug" , "info" ,
+ "warning" , "error" , "fatal" ,
+ or "panic" |
+
+
+
+
+## `reporting` section (optional)
+
+The reporting section contains any configuration for useful for running the
+service, such as reporting errors. Currently, we only support reporting errors
+to [Bugsnag](https://bugsnag.com).
+
+See [bugsnag-go](https://github.com/bugsnag/bugsnag-go/) for more information
+about these configuration parameters.
+
+```json
+"reporting": {
+ "bugsnag": {
+ "api_key": "c9d60ae4c7e70c4b6c4ebd3e8056d2b8",
+ "release_stage": "production"
+ }
+}
+```
+
+Note that this entire section is optional. However, if you would like to
+report errors to Bugsnag, then you need to include a `bugsnag` subsection,
+along with the required parameters below, to configure it.
+
+**Bugsnag reporting:**
+
+
+
+ Parameter |
+ Required |
+ Description |
+
+
+ api_key |
+ yes |
+ The BugSnag API key to use to report errors. |
+
+
+ release_stage |
+ yes |
+ The current release stage, such as "production". You can
+ use this value to filter errors in the Bugsnag dashboard. |
diff --git a/docs/notary-signer.md b/docs/notary-signer.md
index 8ae01a16b4..b9998aacdc 100644
--- a/docs/notary-signer.md
+++ b/docs/notary-signer.md
@@ -29,6 +29,20 @@ that is compromised can sign any number of other client certs.
As an example, please see [this script](opensslCertGen.sh) to see how to
generate client SSL certs with basic constraints using OpenSSL.
+### Signer storage
+
+Notary Signer uses MySQL as a backend for storing the encrypted private keys
+that is responsible for. The private keys[wrapped](
+https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-31#section-4.4)
+and [encrypted](
+https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-31#section-4.8)
+using [Javascript Object Signing and Encryption](
+https://github.com/dvsekhvalnov/jose2go).
+
+The passphrase used to encrypt the keys is passed as an environment variable,
+the name of which [is specified by the confguration file](
+notary-signer-config.md#storage-section-required).
+
### How to configure and run Notary Signer
A JSON configuration file is used to configure Notary Signer. Please see the
@@ -37,6 +51,7 @@ for more details about the format of the configuration file.
You can also override the parameters of the configuration by
setting environment variables of the form `NOTARY_SIGNER_var`.
+
`var` is the ALL-CAPS, `"_"`-delimited path of keys from the top level of the
configuration JSON.
@@ -57,40 +72,58 @@ Note that you cannot override a key whose value is another map.
For instance, setting `NOTARY_SIGNER_STORAGE=""` will not disable the
MySQL storage. You can only override keys whose values are strings or numbers.
-#### Running a Docker image
+For example, if running the binary:
+
+```
+$ export NOTARY_SIGNER_STORAGE_DB_URL=myuser:mypass@tcp(my-db)/dbname?parseTime=true
+$ NOTARY_SIGNER_LOGGING_LEVEL=info notary-signer -config /path/to/config.json
+```
+
+Note that you cannot override a key whose value is another map.
+For instance, setting
+`NOTARY_SIGNER_STORAGE='{"storage": {"backend": "memory"}}'` will not
+set in-memory storage. It just fails to parse. You can only override keys
+whose values are strings or numbers.
+
+#### Running Notary Signer
+
+Configuration options:
+
+- `-config=` - The JSON configuration file.
+
+- `-debug` - Passing this flag enables the debugging server on `localhost:8080`.
+ The debugging server provides [pprof](https://golang.org/pkg/net/http/pprof/)
+ and [expvar](https://golang.org/pkg/expvar/) endpoints.
+
+Get the official Docker image, which comes with [some sane defaults](
+https://github.com/docker/notary/blob/master/fixtures/signer-config-local.json),
+which uses a local in-memory backing store (not recommended for production).
-Get the official Docker image, which comes with [some defaults](
-https://github.com/docker/notary/blob/master/cmd/notary-signer/config.json).
You can override the default configuration with environment variables.
-For example, if you wanted to run it with your own MySQL DB and a different
-logging level:
+For example, if you wanted to run it with your own DB
+(recommended for production):
```
$ docker pull docker.io/docker/notary-signer
-$ docker run -p "4443:4443" \
- -e NOTARY_SIGNER_LOGGING_LEVEL=info \
+$ docker run -p "4444:4444" \
+ -e NOTARY_SIGNER_STORAGE_DB_BACKEND="mysql" \
-e NOTARY_SIGNER_STORAGE_DB_URL="myuser:mypass@tcp(my-db)/dbName"
notary-signer
```
Alternately, you can run the image with your own configuration file entirely.
-The docker image loads the config file from `/opt/notary-signer/config.json`,
-so you can mount a directory with your config file (named `config.json`)
-at `/opt/notary-signer`:
+You just need to mount your configuration directory, and then pass the path to
+that configuration file as an argument to the `docker run` command:
```
-$ docker run -p "4443:4443" -v /path/to/config/dir:/opt/notary-signer notary-signer
+$ docker run -p "4444:4444" -v /path/to/config/dir/on/host:/path/in/container \
+ notary-signer -config=/path/in/container/config.json
```
-#### Running the binary
-A JSON configuration file needs to be passed as a parameter/flag when starting
-up the Notary Signer binary. Environment variables can also be set in addition
-to the configuration file, but the configuration file is required. For example:
-
-```
-$ export NOTARY_SIGNER_STORAGE_DB_URL=myuser:mypass@tcp(my-db)/dbname
-$ NOTARY_SIGNER_LOGGING_LEVEL=info notary-signer -config /path/to/config.json
-```
+You can also pass the `-debug` flag to the container in addition to the
+configuration file, but the debug server port is not exposed by the container.
+In order to view the debug endpoints, you will have to `docker exec` into
+your container.
### What happens if the signer is compromised
@@ -105,3 +138,10 @@ The attacker can prevent Notary Signer from signing timestap metadata from
Notary Server and return invalid public key IDs when the Notary Server
requests it. This means an attacker can execute a denial of service attack
that prevents the Notary Server from being able to update any metadata.
+
+### Ops features
+
+Notary Signer provides the following features for operational friendliness:
+
+1. A [Bugsnag](https://bugsnag.com) hook for error logs, if a Bugsnag
+ configuration is provided.