Include service support for DCT in engine (#1177)

Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
2019-06-13 15:50:35 -04:00 · 2019-06-13 15:50:35 -04:00 · e7d69b14a7
parent f721add5e2
commit e7d69b14a7
1 changed files with 105 additions and 99 deletions
--- a/engine/security/trust/content_trust.md
+++ b/engine/security/trust/content_trust.md
@ -229,10 +229,16 @@ Hub](https://hub.docker.com/search?image_filter=official&type=image), or User
 trusted sources, with repositories and tags signed with the commands [above](#signing-images-with-docker-content-trust).

 Engine Signature Verification prevents the following:
-* `$ docker container run` of an unsigned image.
-* `$ docker pull` of an unsigned image.
+* `$ docker container run` of an unsigned or altered image.
+* `$ docker pull` of an unsigned or altered image.
 * `$ docker build` where the `FROM` image is not signed or is not scratch.

+> **Note**: The implicit pulls and runs performed by worker
+> nodes for a [Swarm service](/engine/swarm/services.md) on `$ docker service create` and
+> `$ docker service update` are also verified. Tag resolution of services
+> requires that all nodes in the Swarm including managers have content trust
+> enabled and similarly configured.
+
 DCT does not verify that a running container’s filesystem has not been altered
 from what was in the image. For example, it does not prevent a container from
 writing to the filesystem, once the container is running, nor does it prevent