docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Improve content trust docs in DDC

This commit is contained in:
Joao Fernandes 2017-03-08 10:13:34 -08:00 committed by Joao Fernandes
parent 51d033e640
commit f4b633da73
22 changed files with 1008 additions and 733 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
_data/toc.yaml
View File

@ -1201,19 +1201,11 @@ manuals:
- path: /datacenter/ucp/2.1/guides/admin/configure/restrict-services-to-worker-nodes/
title: Restrict services to worker nodes
- path: /datacenter/ucp/2.1/guides/admin/configure/use-domain-names-to-access-services/
title: Run only the images you trust
- path: /datacenter/ucp/2.1/guides/admin/configure/run-only-the-images-you-trust/
title: Use domain names to access services
- path: /datacenter/ucp/2.1/guides/admin/configure/external-auth/
title: Integrate with LDAP
- sectiontitle: Content trust
section:
- path: /datacenter/ucp/2.1/guides/admin/configure/content-trust/
title: Only allow running signed images
- path: /datacenter/ucp/2.1/guides/admin/configure/content-trust/admin_tasks/
title: Configure the UCP and DTR servers for content trust
- path: /datacenter/ucp/2.1/guides/admin/configure/content-trust/client_configuration/
title: Configure the Docker client to sign images
- path: /datacenter/ucp/2.1/guides/admin/configure/use-trusted-images-for-ci/
title: Use trusted images for continuous integration
- sectiontitle: Manage users
section:
- path: /datacenter/ucp/2.1/guides/admin/manage-users/
@ -1386,6 +1378,8 @@ manuals:
section:
- path: /datacenter/dtr/2.2/guides/user/access-dtr/
title: Configure your Docker Engine
- path: /datacenter/dtr/2.2/guides/user/access-dtr/configure-your-notary-client.md
title: Configure your Notary client
- path: /datacenter/dtr/2.2/guides/user/access-dtr/use-a-cache/
title: Use a cache
- sectiontitle: Manage images
@ -1398,8 +1392,14 @@ manuals:
title: Delete images
- path: /datacenter/dtr/2.2/guides/user/manage-images/scan-images-for-vulnerabilities/
title: Scan images for vulnerabilities
- path: /datacenter/dtr/2.2/guides/user/manage-images/manage-trusted-repositories/
title: Manage trusted repositories
- sectiontitle: Sign images
section:
- path: /datacenter/dtr/2.2/guides/user/manage-images/sign-images/
title: Sign an image
- path: /datacenter/dtr/2.2/guides/user/manage-images/sign-images/delegate-image-signing/
title: Delegate image signing
- path: /datacenter/dtr/2.2/guides/user/manage-images/sign-images/manage-trusted-repositories/
title: Manage trusted repositories
- path: /datacenter/dtr/2.2/guides/user/create-and-manage-webhooks/
title: Create and manage webhooks
- path: /datacenter/dtr/2.2/reference/api/

81
datacenter/dtr/2.2/guides/images/delegate-image-signing-1.svg Normal file
View File

@ -0,0 +1,81 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="690px" height="250px" viewBox="0 0 690 250" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 42 (36781) - http://www.bohemiancoding.com/sketch -->
<title>delegate-image-signing-1</title>
<desc>Created with Sketch.</desc>
<defs></defs>
<g id="dtr-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="delegate-image-signing-1">
<g id="all" transform="translate(175.000000, 11.000000)">
<g id="Group" transform="translate(171.000000, 0.000000)">
<g id="teams">
<g id="billing-team" transform="translate(97.000000, 0.000000)">
<path d="M34.5,26.5 C41.820625,26.5 47.75,20.5540625 47.75,13.25 C47.75,5.929375 41.820625,0 34.5,0 C27.179375,0 21.25,5.929375 21.25,13.25 C21.25,20.5540625 27.179375,26.5 34.5,26.5 L34.5,26.5 Z M34.5,33.125 C25.6721875,33.125 8,37.5471875 8,46.375 L8,53 L61,53 L61,46.375 C61,37.5471875 43.3278125,33.125 34.5,33.125 L34.5,33.125 Z" id="Shape-Copy" fill="#FFB463"></path>
<text id="IT-ops-team" font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="0.799804688" y="70">IT ops team</tspan>
</text>
</g>
<g id="blog-team">
<text id="QA-team" font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="1.71972656" y="70">QA team</tspan>
</text>
<path d="M26.5,26.5 C33.820625,26.5 39.75,20.5540625 39.75,13.25 C39.75,5.929375 33.820625,0 26.5,0 C19.179375,0 13.25,5.929375 13.25,13.25 C13.25,20.5540625 19.179375,26.5 26.5,26.5 L26.5,26.5 Z M26.5,33.125 C17.6721875,33.125 3.55271368e-15,37.5471875 3.55271368e-15,46.375 L3.55271368e-15,53 L53,53 L53,46.375 C53,37.5471875 35.3278125,33.125 26.5,33.125 L26.5,33.125 Z" id="Shape-Copy-2" fill="#00B6B5"></path>
</g>
</g>
</g>
<g id="permissions" transform="translate(160.000000, 101.000000)">
<g id="6" transform="translate(105.000000, 84.000000)" fill="#445D6E">
<path d="M75,11.3466667 L75,8.65333333 C73.6241667,8.16416667 72.755,8.02666667 72.3175,6.97083333 L72.3175,6.97 C71.8783333,5.91083333 72.4008333,5.19166667 73.0233333,3.88083333 L71.1191667,1.97666667 C69.8183333,2.595 69.0916667,3.1225 68.03,2.6825 L68.0291667,2.6825 C66.9716667,2.24416667 66.8333333,1.36916667 66.3466667,0 L63.6533333,0 C63.1683333,1.3625 63.0291667,2.24333333 61.9708333,2.6825 L61.97,2.6825 C60.9108333,3.1225 60.1933333,2.60083333 58.8808333,1.97666667 L56.9766667,3.88083333 C57.5975,5.1875 58.1225,5.90916667 57.6825,6.97 C57.2433333,8.02916667 56.3625,8.16833333 55,8.65333333 L55,11.3466667 C56.36,11.83 57.2433333,11.9708333 57.6825,13.0291667 C58.1241667,14.0975 57.5875,14.8341667 56.9766667,16.1183333 L58.8808333,18.0233333 C60.1825,17.4041667 60.9091667,16.8775 61.97,17.3175 L61.9708333,17.3175 C63.0291667,17.7558333 63.1675,18.6333333 63.6533333,20 L66.3466667,20 C66.8316667,18.6366667 66.9716667,17.7583333 68.0358333,17.315 L68.0366667,17.315 C69.0883333,16.8783333 69.8033333,17.3991667 71.1183333,18.0241667 L73.0225,16.1191667 C72.4025,14.8166667 71.8766667,14.0916667 72.3158333,13.0308333 C72.755,11.9716667 73.6391667,11.8308333 75,11.3466667 L75,11.3466667 Z M65,13.3333333 C63.1591667,13.3333333 61.6666667,11.8408333 61.6666667,10 C61.6666667,8.15916667 63.1591667,6.66666667 65,6.66666667 C66.8408333,6.66666667 68.3333333,8.15916667 68.3333333,10 C68.3333333,11.8408333 66.8408333,13.3333333 65,13.3333333 L65,13.3333333 Z" id="settings"></path>
<path d="M12.09,1 C4.5,1 0,10 0,10 C0,10 4.5,19 12.09,19 C19.5,19 24,10 24,10 C24,10 19.5,1 12.09,1 L12.09,1 Z M12,16 C8.7,16 6,13.33 6,10 C6,6.7 8.7,4 12,4 C15.33,4 18,6.7 18,10 C18,13.33 15.33,16 12,16 L12,16 Z M15,10 C15,11.665 13.665,13 12,13 C10.335,13 9,11.665 9,10 C9,8.335 10.335,7 12,7 C13.665,7 15,8.335 15,10 L15,10 Z" id="Shape"></path>
<path d="M31,15.0272045 L31,19 L34.9727791,19 L45.5668567,8.40587876 L41.5940776,4.4330833 L31,15.0272045 L31,15.0272045 Z M34.9727791,17.6757348 L32.3242597,17.6757348 L32.3242597,15.0272045 L33.6485194,15.0272045 L33.6485194,16.3514697 L34.9727791,16.3514697 L34.9727791,17.6757348 L34.9727791,17.6757348 Z M48.612654,5.36006891 L46.8911164,7.08161361 L42.9183373,3.10881814 L44.6398749,1.38727344 C44.8873057,1.13933381 45.2231988,1 45.573478,1 C45.9237573,1 46.2596503,1.13933381 46.5070811,1.38727344 L48.612654,3.49285504 C49.1291153,4.00931845 49.1291153,4.8436055 48.612654,5.36006891 L48.612654,5.36006891 Z" id="Shape"></path>
</g>
<g id="5" transform="translate(0.000000, 84.000000)" fill="#C0C9CE">
<path d="M75,11.3466667 L75,8.65333333 C73.6241667,8.16416667 72.755,8.02666667 72.3175,6.97083333 L72.3175,6.97 C71.8783333,5.91083333 72.4008333,5.19166667 73.0233333,3.88083333 L71.1191667,1.97666667 C69.8183333,2.595 69.0916667,3.1225 68.03,2.6825 L68.0291667,2.6825 C66.9716667,2.24416667 66.8333333,1.36916667 66.3466667,0 L63.6533333,0 C63.1683333,1.3625 63.0291667,2.24333333 61.9708333,2.6825 L61.97,2.6825 C60.9108333,3.1225 60.1933333,2.60083333 58.8808333,1.97666667 L56.9766667,3.88083333 C57.5975,5.1875 58.1225,5.90916667 57.6825,6.97 C57.2433333,8.02916667 56.3625,8.16833333 55,8.65333333 L55,11.3466667 C56.36,11.83 57.2433333,11.9708333 57.6825,13.0291667 C58.1241667,14.0975 57.5875,14.8341667 56.9766667,16.1183333 L58.8808333,18.0233333 C60.1825,17.4041667 60.9091667,16.8775 61.97,17.3175 L61.9708333,17.3175 C63.0291667,17.7558333 63.1675,18.6333333 63.6533333,20 L66.3466667,20 C66.8316667,18.6366667 66.9716667,17.7583333 68.0358333,17.315 L68.0366667,17.315 C69.0883333,16.8783333 69.8033333,17.3991667 71.1183333,18.0241667 L73.0225,16.1191667 C72.4025,14.8166667 71.8766667,14.0916667 72.3158333,13.0308333 C72.755,11.9716667 73.6391667,11.8308333 75,11.3466667 L75,11.3466667 Z M65,13.3333333 C63.1591667,13.3333333 61.6666667,11.8408333 61.6666667,10 C61.6666667,8.15916667 63.1591667,6.66666667 65,6.66666667 C66.8408333,6.66666667 68.3333333,8.15916667 68.3333333,10 C68.3333333,11.8408333 66.8408333,13.3333333 65,13.3333333 L65,13.3333333 Z" id="settings"></path>
<path d="M12.09,1 C4.5,1 0,10 0,10 C0,10 4.5,19 12.09,19 C19.5,19 24,10 24,10 C24,10 19.5,1 12.09,1 L12.09,1 Z M12,16 C8.7,16 6,13.33 6,10 C6,6.7 8.7,4 12,4 C15.33,4 18,6.7 18,10 C18,13.33 15.33,16 12,16 L12,16 Z M15,10 C15,11.665 13.665,13 12,13 C10.335,13 9,11.665 9,10 C9,8.335 10.335,7 12,7 C13.665,7 15,8.335 15,10 L15,10 Z" id="Shape"></path>
<path d="M31,15.0272045 L31,19 L34.9727791,19 L45.5668567,8.40587876 L41.5940776,4.4330833 L31,15.0272045 L31,15.0272045 Z M34.9727791,17.6757348 L32.3242597,17.6757348 L32.3242597,15.0272045 L33.6485194,15.0272045 L33.6485194,16.3514697 L34.9727791,16.3514697 L34.9727791,17.6757348 L34.9727791,17.6757348 Z M48.612654,5.36006891 L46.8911164,7.08161361 L42.9183373,3.10881814 L44.6398749,1.38727344 C44.8873057,1.13933381 45.2231988,1 45.573478,1 C45.9237573,1 46.2596503,1.13933381 46.5070811,1.38727344 L48.612654,3.49285504 C49.1291153,4.00931845 49.1291153,4.8436055 48.612654,5.36006891 L48.612654,5.36006891 Z" id="Shape"></path>
</g>
<g id="4" transform="translate(105.000000, 42.000000)" fill="#445D6E">
<path d="M75,11.3466667 L75,8.65333333 C73.6241667,8.16416667 72.755,8.02666667 72.3175,6.97083333 L72.3175,6.97 C71.8783333,5.91083333 72.4008333,5.19166667 73.0233333,3.88083333 L71.1191667,1.97666667 C69.8183333,2.595 69.0916667,3.1225 68.03,2.6825 L68.0291667,2.6825 C66.9716667,2.24416667 66.8333333,1.36916667 66.3466667,0 L63.6533333,0 C63.1683333,1.3625 63.0291667,2.24333333 61.9708333,2.6825 L61.97,2.6825 C60.9108333,3.1225 60.1933333,2.60083333 58.8808333,1.97666667 L56.9766667,3.88083333 C57.5975,5.1875 58.1225,5.90916667 57.6825,6.97 C57.2433333,8.02916667 56.3625,8.16833333 55,8.65333333 L55,11.3466667 C56.36,11.83 57.2433333,11.9708333 57.6825,13.0291667 C58.1241667,14.0975 57.5875,14.8341667 56.9766667,16.1183333 L58.8808333,18.0233333 C60.1825,17.4041667 60.9091667,16.8775 61.97,17.3175 L61.9708333,17.3175 C63.0291667,17.7558333 63.1675,18.6333333 63.6533333,20 L66.3466667,20 C66.8316667,18.6366667 66.9716667,17.7583333 68.0358333,17.315 L68.0366667,17.315 C69.0883333,16.8783333 69.8033333,17.3991667 71.1183333,18.0241667 L73.0225,16.1191667 C72.4025,14.8166667 71.8766667,14.0916667 72.3158333,13.0308333 C72.755,11.9716667 73.6391667,11.8308333 75,11.3466667 L75,11.3466667 Z M65,13.3333333 C63.1591667,13.3333333 61.6666667,11.8408333 61.6666667,10 C61.6666667,8.15916667 63.1591667,6.66666667 65,6.66666667 C66.8408333,6.66666667 68.3333333,8.15916667 68.3333333,10 C68.3333333,11.8408333 66.8408333,13.3333333 65,13.3333333 L65,13.3333333 Z" id="settings"></path>
<path d="M12.09,1 C4.5,1 0,10 0,10 C0,10 4.5,19 12.09,19 C19.5,19 24,10 24,10 C24,10 19.5,1 12.09,1 L12.09,1 Z M12,16 C8.7,16 6,13.33 6,10 C6,6.7 8.7,4 12,4 C15.33,4 18,6.7 18,10 C18,13.33 15.33,16 12,16 L12,16 Z M15,10 C15,11.665 13.665,13 12,13 C10.335,13 9,11.665 9,10 C9,8.335 10.335,7 12,7 C13.665,7 15,8.335 15,10 L15,10 Z" id="Shape"></path>
<path d="M31,15.0272045 L31,19 L34.9727791,19 L45.5668567,8.40587876 L41.5940776,4.4330833 L31,15.0272045 L31,15.0272045 Z M34.9727791,17.6757348 L32.3242597,17.6757348 L32.3242597,15.0272045 L33.6485194,15.0272045 L33.6485194,16.3514697 L34.9727791,16.3514697 L34.9727791,17.6757348 L34.9727791,17.6757348 Z M48.612654,5.36006891 L46.8911164,7.08161361 L42.9183373,3.10881814 L44.6398749,1.38727344 C44.8873057,1.13933381 45.2231988,1 45.573478,1 C45.9237573,1 46.2596503,1.13933381 46.5070811,1.38727344 L48.612654,3.49285504 C49.1291153,4.00931845 49.1291153,4.8436055 48.612654,5.36006891 L48.612654,5.36006891 Z" id="Shape"></path>
</g>
<g id="3" transform="translate(0.000000, 42.000000)" fill="#C0C9CE">
<path d="M75,11.3466667 L75,8.65333333 C73.6241667,8.16416667 72.755,8.02666667 72.3175,6.97083333 L72.3175,6.97 C71.8783333,5.91083333 72.4008333,5.19166667 73.0233333,3.88083333 L71.1191667,1.97666667 C69.8183333,2.595 69.0916667,3.1225 68.03,2.6825 L68.0291667,2.6825 C66.9716667,2.24416667 66.8333333,1.36916667 66.3466667,0 L63.6533333,0 C63.1683333,1.3625 63.0291667,2.24333333 61.9708333,2.6825 L61.97,2.6825 C60.9108333,3.1225 60.1933333,2.60083333 58.8808333,1.97666667 L56.9766667,3.88083333 C57.5975,5.1875 58.1225,5.90916667 57.6825,6.97 C57.2433333,8.02916667 56.3625,8.16833333 55,8.65333333 L55,11.3466667 C56.36,11.83 57.2433333,11.9708333 57.6825,13.0291667 C58.1241667,14.0975 57.5875,14.8341667 56.9766667,16.1183333 L58.8808333,18.0233333 C60.1825,17.4041667 60.9091667,16.8775 61.97,17.3175 L61.9708333,17.3175 C63.0291667,17.7558333 63.1675,18.6333333 63.6533333,20 L66.3466667,20 C66.8316667,18.6366667 66.9716667,17.7583333 68.0358333,17.315 L68.0366667,17.315 C69.0883333,16.8783333 69.8033333,17.3991667 71.1183333,18.0241667 L73.0225,16.1191667 C72.4025,14.8166667 71.8766667,14.0916667 72.3158333,13.0308333 C72.755,11.9716667 73.6391667,11.8308333 75,11.3466667 L75,11.3466667 Z M65,13.3333333 C63.1591667,13.3333333 61.6666667,11.8408333 61.6666667,10 C61.6666667,8.15916667 63.1591667,6.66666667 65,6.66666667 C66.8408333,6.66666667 68.3333333,8.15916667 68.3333333,10 C68.3333333,11.8408333 66.8408333,13.3333333 65,13.3333333 L65,13.3333333 Z" id="settings"></path>
<path d="M12.09,1 C4.5,1 0,10 0,10 C0,10 4.5,19 12.09,19 C19.5,19 24,10 24,10 C24,10 19.5,1 12.09,1 L12.09,1 Z M12,16 C8.7,16 6,13.33 6,10 C6,6.7 8.7,4 12,4 C15.33,4 18,6.7 18,10 C18,13.33 15.33,16 12,16 L12,16 Z M15,10 C15,11.665 13.665,13 12,13 C10.335,13 9,11.665 9,10 C9,8.335 10.335,7 12,7 C13.665,7 15,8.335 15,10 L15,10 Z" id="Shape"></path>
<path d="M31,15.0272045 L31,19 L34.9727791,19 L45.5668567,8.40587876 L41.5940776,4.4330833 L31,15.0272045 L31,15.0272045 Z M34.9727791,17.6757348 L32.3242597,17.6757348 L32.3242597,15.0272045 L33.6485194,15.0272045 L33.6485194,16.3514697 L34.9727791,16.3514697 L34.9727791,17.6757348 L34.9727791,17.6757348 Z M48.612654,5.36006891 L46.8911164,7.08161361 L42.9183373,3.10881814 L44.6398749,1.38727344 C44.8873057,1.13933381 45.2231988,1 45.573478,1 C45.9237573,1 46.2596503,1.13933381 46.5070811,1.38727344 L48.612654,3.49285504 C49.1291153,4.00931845 49.1291153,4.8436055 48.612654,5.36006891 L48.612654,5.36006891 Z" id="Shape"></path>
</g>
<g id="2" transform="translate(105.000000, 0.000000)" fill="#445D6E">
<path d="M75,11.3466667 L75,8.65333333 C73.6241667,8.16416667 72.755,8.02666667 72.3175,6.97083333 L72.3175,6.97 C71.8783333,5.91083333 72.4008333,5.19166667 73.0233333,3.88083333 L71.1191667,1.97666667 C69.8183333,2.595 69.0916667,3.1225 68.03,2.6825 L68.0291667,2.6825 C66.9716667,2.24416667 66.8333333,1.36916667 66.3466667,0 L63.6533333,0 C63.1683333,1.3625 63.0291667,2.24333333 61.9708333,2.6825 L61.97,2.6825 C60.9108333,3.1225 60.1933333,2.60083333 58.8808333,1.97666667 L56.9766667,3.88083333 C57.5975,5.1875 58.1225,5.90916667 57.6825,6.97 C57.2433333,8.02916667 56.3625,8.16833333 55,8.65333333 L55,11.3466667 C56.36,11.83 57.2433333,11.9708333 57.6825,13.0291667 C58.1241667,14.0975 57.5875,14.8341667 56.9766667,16.1183333 L58.8808333,18.0233333 C60.1825,17.4041667 60.9091667,16.8775 61.97,17.3175 L61.9708333,17.3175 C63.0291667,17.7558333 63.1675,18.6333333 63.6533333,20 L66.3466667,20 C66.8316667,18.6366667 66.9716667,17.7583333 68.0358333,17.315 L68.0366667,17.315 C69.0883333,16.8783333 69.8033333,17.3991667 71.1183333,18.0241667 L73.0225,16.1191667 C72.4025,14.8166667 71.8766667,14.0916667 72.3158333,13.0308333 C72.755,11.9716667 73.6391667,11.8308333 75,11.3466667 L75,11.3466667 Z M65,13.3333333 C63.1591667,13.3333333 61.6666667,11.8408333 61.6666667,10 C61.6666667,8.15916667 63.1591667,6.66666667 65,6.66666667 C66.8408333,6.66666667 68.3333333,8.15916667 68.3333333,10 C68.3333333,11.8408333 66.8408333,13.3333333 65,13.3333333 L65,13.3333333 Z" id="settings"></path>
<path d="M12.09,1 C4.5,1 0,10 0,10 C0,10 4.5,19 12.09,19 C19.5,19 24,10 24,10 C24,10 19.5,1 12.09,1 L12.09,1 Z M12,16 C8.7,16 6,13.33 6,10 C6,6.7 8.7,4 12,4 C15.33,4 18,6.7 18,10 C18,13.33 15.33,16 12,16 L12,16 Z M15,10 C15,11.665 13.665,13 12,13 C10.335,13 9,11.665 9,10 C9,8.335 10.335,7 12,7 C13.665,7 15,8.335 15,10 L15,10 Z" id="Shape"></path>
<path d="M31,15.0272045 L31,19 L34.9727791,19 L45.5668567,8.40587876 L41.5940776,4.4330833 L31,15.0272045 L31,15.0272045 Z M34.9727791,17.6757348 L32.3242597,17.6757348 L32.3242597,15.0272045 L33.6485194,15.0272045 L33.6485194,16.3514697 L34.9727791,16.3514697 L34.9727791,17.6757348 L34.9727791,17.6757348 Z M48.612654,5.36006891 L46.8911164,7.08161361 L42.9183373,3.10881814 L44.6398749,1.38727344 C44.8873057,1.13933381 45.2231988,1 45.573478,1 C45.9237573,1 46.2596503,1.13933381 46.5070811,1.38727344 L48.612654,3.49285504 C49.1291153,4.00931845 49.1291153,4.8436055 48.612654,5.36006891 L48.612654,5.36006891 Z" id="Shape"></path>
</g>
<g id="1">
<path d="M75,11.3466667 L75,8.65333333 C73.6241667,8.16416667 72.755,8.02666667 72.3175,6.97083333 L72.3175,6.97 C71.8783333,5.91083333 72.4008333,5.19166667 73.0233333,3.88083333 L71.1191667,1.97666667 C69.8183333,2.595 69.0916667,3.1225 68.03,2.6825 L68.0291667,2.6825 C66.9716667,2.24416667 66.8333333,1.36916667 66.3466667,0 L63.6533333,0 C63.1683333,1.3625 63.0291667,2.24333333 61.9708333,2.6825 L61.97,2.6825 C60.9108333,3.1225 60.1933333,2.60083333 58.8808333,1.97666667 L56.9766667,3.88083333 C57.5975,5.1875 58.1225,5.90916667 57.6825,6.97 C57.2433333,8.02916667 56.3625,8.16833333 55,8.65333333 L55,11.3466667 C56.36,11.83 57.2433333,11.9708333 57.6825,13.0291667 C58.1241667,14.0975 57.5875,14.8341667 56.9766667,16.1183333 L58.8808333,18.0233333 C60.1825,17.4041667 60.9091667,16.8775 61.97,17.3175 L61.9708333,17.3175 C63.0291667,17.7558333 63.1675,18.6333333 63.6533333,20 L66.3466667,20 C66.8316667,18.6366667 66.9716667,17.7583333 68.0358333,17.315 L68.0366667,17.315 C69.0883333,16.8783333 69.8033333,17.3991667 71.1183333,18.0241667 L73.0225,16.1191667 C72.4025,14.8166667 71.8766667,14.0916667 72.3158333,13.0308333 C72.755,11.9716667 73.6391667,11.8308333 75,11.3466667 L75,11.3466667 Z M65,13.3333333 C63.1591667,13.3333333 61.6666667,11.8408333 61.6666667,10 C61.6666667,8.15916667 63.1591667,6.66666667 65,6.66666667 C66.8408333,6.66666667 68.3333333,8.15916667 68.3333333,10 C68.3333333,11.8408333 66.8408333,13.3333333 65,13.3333333 L65,13.3333333 Z" id="settings" fill="#C0C9CE"></path>
<path d="M12.09,1 C4.5,1 0,10 0,10 C0,10 4.5,19 12.09,19 C19.5,19 24,10 24,10 C24,10 19.5,1 12.09,1 L12.09,1 Z M12,16 C8.7,16 6,13.33 6,10 C6,6.7 8.7,4 12,4 C15.33,4 18,6.7 18,10 C18,13.33 15.33,16 12,16 L12,16 Z M15,10 C15,11.665 13.665,13 12,13 C10.335,13 9,11.665 9,10 C9,8.335 10.335,7 12,7 C13.665,7 15,8.335 15,10 L15,10 Z" id="Shape" fill="#445D6E"></path>
<path d="M31,15.0272045 L31,19 L34.9727791,19 L45.5668567,8.40587876 L41.5940776,4.4330833 L31,15.0272045 L31,15.0272045 Z M34.9727791,17.6757348 L32.3242597,17.6757348 L32.3242597,15.0272045 L33.6485194,15.0272045 L33.6485194,16.3514697 L34.9727791,16.3514697 L34.9727791,17.6757348 L34.9727791,17.6757348 Z M48.612654,5.36006891 L46.8911164,7.08161361 L42.9183373,3.10881814 L44.6398749,1.38727344 C44.8873057,1.13933381 45.2231988,1 45.573478,1 C45.9237573,1 46.2596503,1.13933381 46.5070811,1.38727344 L48.612654,3.49285504 C49.1291153,4.00931845 49.1291153,4.8436055 48.612654,5.36006891 L48.612654,5.36006891 Z" id="Shape" fill="#445D6E"></path>
</g>
</g>
<g id="repos" transform="translate(0.000000, 98.000000)">
<g id="node" transform="translate(0.000000, 84.000000)">
<text id="dev/node" font-family="OpenSans-Semibold, Open Sans" font-size="16" font-weight="500" fill="#82949E">
<tspan x="33" y="19">dev/node</tspan>
</text>
<path d="M27.5661032,5.88472594 C28.0144632,6.52363904 28.1153442,7.24661966 27.8687462,8.05366778 L23.245033,23.2867012 C23.0320619,24.0040773 22.6033176,24.6065612 21.9588,25.0941528 C21.3142824,25.5817443 20.6277311,25.8255401 19.8991459,25.8255401 L4.38028296,25.8255401 C3.51718982,25.8255401 2.68492144,25.5256993 1.88347781,24.9260177 C1.08203418,24.3263361 0.524386344,23.5893443 0.210534294,22.7150421 C-0.0584817485,21.964039 -0.0696907502,21.2522674 0.176907289,20.5797273 C0.176907289,20.5348913 0.193720792,20.3835698 0.227347797,20.1257627 C0.260974802,19.8679557 0.283392806,19.6605891 0.294601808,19.5036631 C0.30581081,19.4139911 0.288997307,19.2934943 0.2441613,19.1421728 C0.199325293,18.9908513 0.18251179,18.8815635 0.193720792,18.8143095 C0.216138795,18.6910105 0.260974802,18.573316 0.328228813,18.4612259 C0.395482824,18.3491359 0.487957089,18.2174302 0.605651607,18.0661086 C0.723346126,17.9147871 0.815820391,17.7830813 0.883074402,17.6709913 C1.14088144,17.2450492 1.39308398,16.7322374 1.63968202,16.1325558 C1.88628006,15.5328742 2.05441509,15.0200624 2.1440871,14.5941203 C2.17771411,14.4820303 2.18051636,14.3138953 2.15249385,14.0897152 C2.12447135,13.8655352 2.1216691,13.7086092 2.1440871,13.6189372 C2.17771411,13.4956382 2.27299062,13.3387121 2.42991665,13.1481591 C2.58684267,12.9576061 2.68211919,12.8287025 2.71574619,12.7614485 C2.95113523,12.3579245 3.18652427,11.8423104 3.42191331,11.2146063 C3.65730234,10.5869022 3.79741487,10.0824971 3.84225087,9.70139105 C3.85345988,9.60051003 3.83944862,9.421166 3.80021712,9.16335896 C3.76098561,8.90555192 3.76378786,8.7486259 3.80862387,8.69258089 C3.85345988,8.54686386 3.9767589,8.37592659 4.17852093,8.17976905 C4.38028296,7.98361152 4.50358198,7.85751025 4.54841799,7.80146524 C4.76138902,7.5100312 4.99958031,7.03645087 5.26299185,6.38072427 C5.52640339,5.72499766 5.68052717,5.18416333 5.72536317,4.75822126 C5.73657218,4.66854924 5.71975867,4.52563447 5.67492267,4.32947694 C5.63008666,4.13331941 5.61887766,3.98480014 5.64129566,3.88391912 C5.66371366,3.79424711 5.71415417,3.69336609 5.79261718,3.58127607 C5.8710802,3.46918605 5.97196121,3.34028253 6.09526023,3.19456551 C6.21855925,3.04884849 6.31383577,2.93115397 6.38108978,2.84148195 C6.47076179,2.70697393 6.56323606,2.53603665 6.65851257,2.32867012 C6.75378909,2.12130359 6.8378566,1.92514606 6.91071511,1.74019753 C6.98357362,1.555249 7.07324564,1.35348697 7.17973116,1.13491143 C7.28621667,0.916335896 7.39550444,0.736991868 7.50759446,0.596879345 C7.61968448,0.456766823 7.76820375,0.325061052 7.95315228,0.201762032 C8.13810081,0.0784630125 8.33986284,0.0140112522 8.55843838,0.00840675134 C8.77701391,0.00280225045 9.0432277,0.0336270054 9.35707975,0.100881016 L9.34026625,0.151321524 C9.76620832,0.050440508 10.0520379,0 10.1977549,0 L22.9928304,0 C23.8222966,0 24.4612097,0.31385205 24.9095697,0.94155615 C25.3579298,1.56926025 25.4588108,2.29784537 25.2122128,3.1273115 L20.605313,18.3603449 C20.201789,19.6942161 19.8010672,20.554507 19.4031476,20.9412176 C19.005228,21.3279282 18.2850497,21.5212834 17.2426125,21.5212834 L2.63167868,21.5212834 C2.32903563,21.5212834 2.1160646,21.6053509 1.99276558,21.773486 C1.86946656,21.95283 1.86386206,22.1938235 1.97595208,22.4964666 C2.24496812,23.2810967 3.05201625,23.6734118 4.39709646,23.6734118 L19.9159594,23.6734118 C20.2410205,23.6734118 20.5548725,23.586542 20.8575156,23.4128025 C21.1601586,23.239063 21.3563162,23.0064762 21.4459882,22.7150421 L26.490039,6.12011498 C26.568502,5.87351694 26.5965245,5.55406039 26.5741065,5.16174532 C27.0000486,5.32988035 27.3307141,5.57087389 27.5661032,5.88472594 L27.5661032,5.88472594 Z M9.6765363,5.91835294 C9.6317003,6.06406997 9.6429093,6.19017124 9.71016331,6.29665675 C9.77741732,6.40314227 9.88950734,6.45638503 10.0464334,6.45638503 L20.269043,6.45638503 C20.41476,6.45638503 20.5576748,6.40314227 20.6977873,6.29665675 C20.8378998,6.19017124 20.9303741,6.06406997 20.9752101,5.91835294 L21.3282937,4.84228877 C21.3731297,4.69657175 21.3619207,4.57047048 21.2946667,4.46398496 C21.2274126,4.35749944 21.1153226,4.30425669 20.9583966,4.30425669 L10.735787,4.30425669 C10.5900699,4.30425669 10.4471552,4.35749944 10.3070427,4.46398496 C10.1669301,4.57047048 10.0744559,4.69657175 10.0296199,4.84228877 L9.6765363,5.91835294 Z M8.28101558,10.2226096 C8.23617957,10.3683267 8.24738858,10.4944279 8.31464259,10.6009134 C8.3818966,10.707399 8.49398662,10.7606417 8.65091264,10.7606417 L18.8735223,10.7606417 C19.0192393,10.7606417 19.1621541,10.707399 19.3022666,10.6009134 C19.4423791,10.4944279 19.5348534,10.3683267 19.5796894,10.2226096 L19.9327729,9.14654546 C19.9776089,9.00082844 19.9663999,8.87472717 19.8991459,8.76824165 C19.8318919,8.66175613 19.7198019,8.60851337 19.5628759,8.60851337 L9.34026625,8.60851337 C9.19454923,8.60851337 9.05163445,8.66175613 8.91152193,8.76824165 C8.77140941,8.87472717 8.67893514,9.00082844 8.63409914,9.14654546 L8.28101558,10.2226096 Z" id="Shape" fill="#E0E4E7"></path>
</g>
<g id="java" transform="translate(0.000000, 42.000000)">
<text id="dev/java" font-family="OpenSans-Semibold, Open Sans" font-size="16" font-weight="500" fill="#82949E">
<tspan x="33" y="19">dev/java</tspan>
</text>
<path d="M27.5661032,5.88472594 C28.0144632,6.52363904 28.1153442,7.24661966 27.8687462,8.05366778 L23.245033,23.2867012 C23.0320619,24.0040773 22.6033176,24.6065612 21.9588,25.0941528 C21.3142824,25.5817443 20.6277311,25.8255401 19.8991459,25.8255401 L4.38028296,25.8255401 C3.51718982,25.8255401 2.68492144,25.5256993 1.88347781,24.9260177 C1.08203418,24.3263361 0.524386344,23.5893443 0.210534294,22.7150421 C-0.0584817485,21.964039 -0.0696907502,21.2522674 0.176907289,20.5797273 C0.176907289,20.5348913 0.193720792,20.3835698 0.227347797,20.1257627 C0.260974802,19.8679557 0.283392806,19.6605891 0.294601808,19.5036631 C0.30581081,19.4139911 0.288997307,19.2934943 0.2441613,19.1421728 C0.199325293,18.9908513 0.18251179,18.8815635 0.193720792,18.8143095 C0.216138795,18.6910105 0.260974802,18.573316 0.328228813,18.4612259 C0.395482824,18.3491359 0.487957089,18.2174302 0.605651607,18.0661086 C0.723346126,17.9147871 0.815820391,17.7830813 0.883074402,17.6709913 C1.14088144,17.2450492 1.39308398,16.7322374 1.63968202,16.1325558 C1.88628006,15.5328742 2.05441509,15.0200624 2.1440871,14.5941203 C2.17771411,14.4820303 2.18051636,14.3138953 2.15249385,14.0897152 C2.12447135,13.8655352 2.1216691,13.7086092 2.1440871,13.6189372 C2.17771411,13.4956382 2.27299062,13.3387121 2.42991665,13.1481591 C2.58684267,12.9576061 2.68211919,12.8287025 2.71574619,12.7614485 C2.95113523,12.3579245 3.18652427,11.8423104 3.42191331,11.2146063 C3.65730234,10.5869022 3.79741487,10.0824971 3.84225087,9.70139105 C3.85345988,9.60051003 3.83944862,9.421166 3.80021712,9.16335896 C3.76098561,8.90555192 3.76378786,8.7486259 3.80862387,8.69258089 C3.85345988,8.54686386 3.9767589,8.37592659 4.17852093,8.17976905 C4.38028296,7.98361152 4.50358198,7.85751025 4.54841799,7.80146524 C4.76138902,7.5100312 4.99958031,7.03645087 5.26299185,6.38072427 C5.52640339,5.72499766 5.68052717,5.18416333 5.72536317,4.75822126 C5.73657218,4.66854924 5.71975867,4.52563447 5.67492267,4.32947694 C5.63008666,4.13331941 5.61887766,3.98480014 5.64129566,3.88391912 C5.66371366,3.79424711 5.71415417,3.69336609 5.79261718,3.58127607 C5.8710802,3.46918605 5.97196121,3.34028253 6.09526023,3.19456551 C6.21855925,3.04884849 6.31383577,2.93115397 6.38108978,2.84148195 C6.47076179,2.70697393 6.56323606,2.53603665 6.65851257,2.32867012 C6.75378909,2.12130359 6.8378566,1.92514606 6.91071511,1.74019753 C6.98357362,1.555249 7.07324564,1.35348697 7.17973116,1.13491143 C7.28621667,0.916335896 7.39550444,0.736991868 7.50759446,0.596879345 C7.61968448,0.456766823 7.76820375,0.325061052 7.95315228,0.201762032 C8.13810081,0.0784630125 8.33986284,0.0140112522 8.55843838,0.00840675134 C8.77701391,0.00280225045 9.0432277,0.0336270054 9.35707975,0.100881016 L9.34026625,0.151321524 C9.76620832,0.050440508 10.0520379,0 10.1977549,0 L22.9928304,0 C23.8222966,0 24.4612097,0.31385205 24.9095697,0.94155615 C25.3579298,1.56926025 25.4588108,2.29784537 25.2122128,3.1273115 L20.605313,18.3603449 C20.201789,19.6942161 19.8010672,20.554507 19.4031476,20.9412176 C19.005228,21.3279282 18.2850497,21.5212834 17.2426125,21.5212834 L2.63167868,21.5212834 C2.32903563,21.5212834 2.1160646,21.6053509 1.99276558,21.773486 C1.86946656,21.95283 1.86386206,22.1938235 1.97595208,22.4964666 C2.24496812,23.2810967 3.05201625,23.6734118 4.39709646,23.6734118 L19.9159594,23.6734118 C20.2410205,23.6734118 20.5548725,23.586542 20.8575156,23.4128025 C21.1601586,23.239063 21.3563162,23.0064762 21.4459882,22.7150421 L26.490039,6.12011498 C26.568502,5.87351694 26.5965245,5.55406039 26.5741065,5.16174532 C27.0000486,5.32988035 27.3307141,5.57087389 27.5661032,5.88472594 L27.5661032,5.88472594 Z M9.6765363,5.91835294 C9.6317003,6.06406997 9.6429093,6.19017124 9.71016331,6.29665675 C9.77741732,6.40314227 9.88950734,6.45638503 10.0464334,6.45638503 L20.269043,6.45638503 C20.41476,6.45638503 20.5576748,6.40314227 20.6977873,6.29665675 C20.8378998,6.19017124 20.9303741,6.06406997 20.9752101,5.91835294 L21.3282937,4.84228877 C21.3731297,4.69657175 21.3619207,4.57047048 21.2946667,4.46398496 C21.2274126,4.35749944 21.1153226,4.30425669 20.9583966,4.30425669 L10.735787,4.30425669 C10.5900699,4.30425669 10.4471552,4.35749944 10.3070427,4.46398496 C10.1669301,4.57047048 10.0744559,4.69657175 10.0296199,4.84228877 L9.6765363,5.91835294 Z M8.28101558,10.2226096 C8.23617957,10.3683267 8.24738858,10.4944279 8.31464259,10.6009134 C8.3818966,10.707399 8.49398662,10.7606417 8.65091264,10.7606417 L18.8735223,10.7606417 C19.0192393,10.7606417 19.1621541,10.707399 19.3022666,10.6009134 C19.4423791,10.4944279 19.5348534,10.3683267 19.5796894,10.2226096 L19.9327729,9.14654546 C19.9776089,9.00082844 19.9663999,8.87472717 19.8991459,8.76824165 C19.8318919,8.66175613 19.7198019,8.60851337 19.5628759,8.60851337 L9.34026625,8.60851337 C9.19454923,8.60851337 9.05163445,8.66175613 8.91152193,8.76824165 C8.77140941,8.87472717 8.67893514,9.00082844 8.63409914,9.14654546 L8.28101558,10.2226096 Z" id="Shape" fill="#E0E4E7"></path>
</g>
<g id="golang">
<text id="dev/nginx" font-family="OpenSans-Semibold, Open Sans" font-size="16" font-weight="500" fill="#82949E">
<tspan x="33" y="19">dev/nginx</tspan>
</text>
<path d="M27.5661032,5.88472594 C28.0144632,6.52363904 28.1153442,7.24661966 27.8687462,8.05366778 L23.245033,23.2867012 C23.0320619,24.0040773 22.6033176,24.6065612 21.9588,25.0941528 C21.3142824,25.5817443 20.6277311,25.8255401 19.8991459,25.8255401 L4.38028296,25.8255401 C3.51718982,25.8255401 2.68492144,25.5256993 1.88347781,24.9260177 C1.08203418,24.3263361 0.524386344,23.5893443 0.210534294,22.7150421 C-0.0584817485,21.964039 -0.0696907502,21.2522674 0.176907289,20.5797273 C0.176907289,20.5348913 0.193720792,20.3835698 0.227347797,20.1257627 C0.260974802,19.8679557 0.283392806,19.6605891 0.294601808,19.5036631 C0.30581081,19.4139911 0.288997307,19.2934943 0.2441613,19.1421728 C0.199325293,18.9908513 0.18251179,18.8815635 0.193720792,18.8143095 C0.216138795,18.6910105 0.260974802,18.573316 0.328228813,18.4612259 C0.395482824,18.3491359 0.487957089,18.2174302 0.605651607,18.0661086 C0.723346126,17.9147871 0.815820391,17.7830813 0.883074402,17.6709913 C1.14088144,17.2450492 1.39308398,16.7322374 1.63968202,16.1325558 C1.88628006,15.5328742 2.05441509,15.0200624 2.1440871,14.5941203 C2.17771411,14.4820303 2.18051636,14.3138953 2.15249385,14.0897152 C2.12447135,13.8655352 2.1216691,13.7086092 2.1440871,13.6189372 C2.17771411,13.4956382 2.27299062,13.3387121 2.42991665,13.1481591 C2.58684267,12.9576061 2.68211919,12.8287025 2.71574619,12.7614485 C2.95113523,12.3579245 3.18652427,11.8423104 3.42191331,11.2146063 C3.65730234,10.5869022 3.79741487,10.0824971 3.84225087,9.70139105 C3.85345988,9.60051003 3.83944862,9.421166 3.80021712,9.16335896 C3.76098561,8.90555192 3.76378786,8.7486259 3.80862387,8.69258089 C3.85345988,8.54686386 3.9767589,8.37592659 4.17852093,8.17976905 C4.38028296,7.98361152 4.50358198,7.85751025 4.54841799,7.80146524 C4.76138902,7.5100312 4.99958031,7.03645087 5.26299185,6.38072427 C5.52640339,5.72499766 5.68052717,5.18416333 5.72536317,4.75822126 C5.73657218,4.66854924 5.71975867,4.52563447 5.67492267,4.32947694 C5.63008666,4.13331941 5.61887766,3.98480014 5.64129566,3.88391912 C5.66371366,3.79424711 5.71415417,3.69336609 5.79261718,3.58127607 C5.8710802,3.46918605 5.97196121,3.34028253 6.09526023,3.19456551 C6.21855925,3.04884849 6.31383577,2.93115397 6.38108978,2.84148195 C6.47076179,2.70697393 6.56323606,2.53603665 6.65851257,2.32867012 C6.75378909,2.12130359 6.8378566,1.92514606 6.91071511,1.74019753 C6.98357362,1.555249 7.07324564,1.35348697 7.17973116,1.13491143 C7.28621667,0.916335896 7.39550444,0.736991868 7.50759446,0.596879345 C7.61968448,0.456766823 7.76820375,0.325061052 7.95315228,0.201762032 C8.13810081,0.0784630125 8.33986284,0.0140112522 8.55843838,0.00840675134 C8.77701391,0.00280225045 9.0432277,0.0336270054 9.35707975,0.100881016 L9.34026625,0.151321524 C9.76620832,0.050440508 10.0520379,0 10.1977549,0 L22.9928304,0 C23.8222966,0 24.4612097,0.31385205 24.9095697,0.94155615 C25.3579298,1.56926025 25.4588108,2.29784537 25.2122128,3.1273115 L20.605313,18.3603449 C20.201789,19.6942161 19.8010672,20.554507 19.4031476,20.9412176 C19.005228,21.3279282 18.2850497,21.5212834 17.2426125,21.5212834 L2.63167868,21.5212834 C2.32903563,21.5212834 2.1160646,21.6053509 1.99276558,21.773486 C1.86946656,21.95283 1.86386206,22.1938235 1.97595208,22.4964666 C2.24496812,23.2810967 3.05201625,23.6734118 4.39709646,23.6734118 L19.9159594,23.6734118 C20.2410205,23.6734118 20.5548725,23.586542 20.8575156,23.4128025 C21.1601586,23.239063 21.3563162,23.0064762 21.4459882,22.7150421 L26.490039,6.12011498 C26.568502,5.87351694 26.5965245,5.55406039 26.5741065,5.16174532 C27.0000486,5.32988035 27.3307141,5.57087389 27.5661032,5.88472594 L27.5661032,5.88472594 Z M9.6765363,5.91835294 C9.6317003,6.06406997 9.6429093,6.19017124 9.71016331,6.29665675 C9.77741732,6.40314227 9.88950734,6.45638503 10.0464334,6.45638503 L20.269043,6.45638503 C20.41476,6.45638503 20.5576748,6.40314227 20.6977873,6.29665675 C20.8378998,6.19017124 20.9303741,6.06406997 20.9752101,5.91835294 L21.3282937,4.84228877 C21.3731297,4.69657175 21.3619207,4.57047048 21.2946667,4.46398496 C21.2274126,4.35749944 21.1153226,4.30425669 20.9583966,4.30425669 L10.735787,4.30425669 C10.5900699,4.30425669 10.4471552,4.35749944 10.3070427,4.46398496 C10.1669301,4.57047048 10.0744559,4.69657175 10.0296199,4.84228877 L9.6765363,5.91835294 Z M8.28101558,10.2226096 C8.23617957,10.3683267 8.24738858,10.4944279 8.31464259,10.6009134 C8.3818966,10.707399 8.49398662,10.7606417 8.65091264,10.7606417 L18.8735223,10.7606417 C19.0192393,10.7606417 19.1621541,10.707399 19.3022666,10.6009134 C19.4423791,10.4944279 19.5348534,10.3683267 19.5796894,10.2226096 L19.9327729,9.14654546 C19.9776089,9.00082844 19.9663999,8.87472717 19.8991459,8.76824165 C19.8318919,8.66175613 19.7198019,8.60851337 19.5628759,8.60851337 L9.34026625,8.60851337 C9.19454923,8.60851337 9.05163445,8.66175613 8.91152193,8.76824165 C8.77140941,8.87472717 8.67893514,9.00082844 8.63409914,9.14654546 L8.28101558,10.2226096 Z" id="Shape" fill="#E0E4E7"></path>
</g>
</g>
</g>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

156
datacenter/dtr/2.2/guides/images/sign-an-image-1.svg Normal file
View File

@ -0,0 +1,156 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="740px" height="383px" viewBox="0 0 740 383" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 42 (36781) - http://www.bohemiancoding.com/sketch -->
<title>sign-an-image-1</title>
<desc>Created with Sketch.</desc>
<defs>
<circle id="path-1" cx="4" cy="4" r="4"></circle>
<mask id="mask-2" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-1" fill="black"></use>
</mask>
<rect id="path-3" x="0" y="0" width="172" height="67.5" rx="2"></rect>
<mask id="mask-4" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="172" height="67.5" fill="white">
<use xlink:href="#path-3"></use>
</mask>
<circle id="path-5" cx="4" cy="4" r="4"></circle>
<mask id="mask-6" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-5" fill="black"></use>
</mask>
<rect id="path-7" x="0" y="0" width="172" height="67.5" rx="2"></rect>
<mask id="mask-8" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="172" height="67.5" fill="white">
<use xlink:href="#path-7"></use>
</mask>
<circle id="path-9" cx="4" cy="4" r="4"></circle>
<mask id="mask-10" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-9" fill="black"></use>
</mask>
<rect id="path-11" x="0" y="0" width="228" height="144"></rect>
<mask id="mask-12" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="228" height="144" fill="white">
<use xlink:href="#path-11"></use>
</mask>
</defs>
<g id="dtr-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="sign-an-image-1">
<g id="Group" transform="translate(53.000000, 12.000000)">
<g id="left">
<g id="stack" transform="translate(0.000000, 94.000000)">
<text id="DTR" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#E0E4E7">
<tspan x="10.8218828" y="172.009524">DTR</tspan>
</text>
<rect id="group" stroke="#E0E4E7" stroke-width="2" stroke-dasharray="5,5,5,5" x="0" y="0" width="368" height="180" rx="2"></rect>
<g id="components" transform="translate(10.000000, 9.000000)">
<g id="Group-2" transform="translate(0.000000, 109.000000)">
<g id="notary" transform="translate(176.000000, 0.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="172" height="34" rx="2"></rect>
<text id="notary-server" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="42.9926758" y="23">notary server</tspan>
</text>
</g>
<g id="registry">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="172" height="34" rx="2"></rect>
<text font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="61.9145508" y="23">registry</tspan>
</text>
</g>
<g id="internals" transform="translate(0.000000, 31.000000)">
<g id="right" transform="translate(176.000000, 0.000000)">
<g id="arrow-1" transform="translate(86.500000, 27.000000) scale(1, -1) rotate(-90.000000) translate(-86.500000, -27.000000) translate(60.000000, 23.000000)">
<path d="M2,4 L52.5,4" id="Line" stroke="#1488C6" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#1488C6" fill-rule="evenodd" xlink:href="#path-1"></use>
<use stroke="#FFFFFF" mask="url(#mask-2)" stroke-width="4" xlink:href="#path-1"></use>
</g>
</g>
<g id="box" transform="translate(0.000000, 48.000000)" stroke="#1488C6" stroke-width="2" fill="#FFFFFF">
<use id="Rectangle" mask="url(#mask-4)" xlink:href="#path-3"></use>
</g>
</g>
<g id="left">
<g id="arrow-1" transform="translate(86.500000, 27.000000) scale(1, -1) rotate(-90.000000) translate(-86.500000, -27.000000) translate(60.000000, 23.000000)">
<path d="M2,4 L52.5,4" id="Line" stroke="#1488C6" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#1488C6" fill-rule="evenodd" xlink:href="#path-5"></use>
<use stroke="#FFFFFF" mask="url(#mask-6)" stroke-width="4" xlink:href="#path-5"></use>
</g>
</g>
<g id="box" transform="translate(0.000000, 48.000000)">
<use id="Rectangle" stroke="#1488C6" mask="url(#mask-8)" stroke-width="2" fill="#FFFFFF" xlink:href="#path-7"></use>
<text id="dev/nginx:1" font-family="CourierNewPS-BoldMT, Courier New" font-size="14" font-weight="bold" fill="#637986">
<tspan x="7" y="21">dev/nginx:1</tspan>
</text>
</g>
</g>
</g>
</g>
<g id="others" transform="translate(0.000000, 38.000000)" fill="#82949E">
<rect id="Rectangle-138" x="0" y="0" width="348" height="67" rx="2"></rect>
</g>
<g id="front-end">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="348" height="34" rx="2"></rect>
<text font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="143.509277" y="23">front-end</tspan>
</text>
</g>
</g>
</g>
<g id="user" transform="translate(130.000000, 0.000000)">
<text id="&gt;-docker-push" font-family="CourierNewPS-BoldMT, Courier New" font-size="14" font-weight="bold" fill="#637986">
<tspan x="0" y="47">&gt; docker push</tspan>
</text>
<path d="M55,13 C58.59125,13 61.5,10.083125 61.5,6.5 C61.5,2.90875 58.59125,-1.77635684e-15 55,-1.77635684e-15 C51.40875,-1.77635684e-15 48.5,2.90875 48.5,6.5 C48.5,10.083125 51.40875,13 55,13 L55,13 Z M55,16.25 C50.669375,16.25 42,18.419375 42,22.75 L42,26 L68,26 L68,22.75 C68,18.419375 59.330625,16.25 55,16.25 L55,16.25 Z" id="Shape" fill="#82949E"></path>
</g>
</g>
<g id="arrow" transform="translate(381.500000, 120.000000) scale(1, -1) translate(-381.500000, -120.000000) translate(355.000000, 116.000000)">
<path d="M2,4 L52.5,4" id="Line" stroke="#1488C6" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#1488C6" fill-rule="evenodd" xlink:href="#path-9"></use>
<use stroke="#FFFFFF" mask="url(#mask-10)" stroke-width="4" xlink:href="#path-9"></use>
</g>
</g>
<g id="browser" transform="translate(407.000000, 103.000000)">
<use id="chrome" stroke="#82949E" mask="url(#mask-12)" stroke-width="2" fill="#FFFFFF" xlink:href="#path-11"></use>
<g id="table" transform="translate(9.000000, 60.000000)" font-size="12" font-family="OpenSans, Open Sans" fill="#82949E" font-weight="normal">
<g id="data" transform="translate(0.000000, 25.000000)">
<text id="dave">
<tspan x="145" y="13">dave.lauper</tspan>
</text>
<text id="9baa">
<tspan x="61" y="13">9baa16</tspan>
</text>
<text id="1">
<tspan x="0" y="13">1</tspan>
</text>
</g>
<g id="header">
<text id="last">
<tspan x="145" y="13">last pushed</tspan>
</text>
<text id="id">
<tspan x="61" y="13">id</tspan>
</text>
<text id="tag">
<tspan x="0" y="13">tag</tspan>
</text>
</g>
</g>
<g id="repo" transform="translate(0.000000, 26.000000)">
<rect id="header" fill="#82949E" x="0" y="0" width="228" height="27"></rect>
<text id="dev/nginx" font-family="OpenSans, Open Sans" font-size="12" font-weight="normal" fill="#FFFFFF">
<tspan x="9" y="18">dev/nginx</tspan>
</text>
</g>
<g id="header">
<path d="M9.5,79.5 L217.5,79.5" id="Line" stroke="#E0E4E7" stroke-linecap="square"></path>
<rect fill="#1488C6" x="0" y="0" width="228" height="27"></rect>
<text id="docker-trusted-regis" font-family="OpenSans, Open Sans" font-size="12" font-weight="normal" fill="#FFFFFF">
<tspan x="9" y="18">docker trusted registry</tspan>
</text>
</g>
</g>
</g>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

166
datacenter/dtr/2.2/guides/images/sign-an-image-2.svg Normal file
View File

@ -0,0 +1,166 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="740px" height="383px" viewBox="0 0 740 383" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 42 (36781) - http://www.bohemiancoding.com/sketch -->
<title>sign-an-image-2</title>
<desc>Created with Sketch.</desc>
<defs>
<circle id="path-1" cx="4" cy="4" r="4"></circle>
<mask id="mask-2" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-1" fill="black"></use>
</mask>
<rect id="path-3" x="0" y="0" width="172" height="67.5" rx="2"></rect>
<mask id="mask-4" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="172" height="67.5" fill="white">
<use xlink:href="#path-3"></use>
</mask>
<circle id="path-5" cx="4" cy="4" r="4"></circle>
<mask id="mask-6" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-5" fill="black"></use>
</mask>
<rect id="path-7" x="0" y="0" width="172" height="67.5" rx="2"></rect>
<mask id="mask-8" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="172" height="67.5" fill="white">
<use xlink:href="#path-7"></use>
</mask>
<circle id="path-9" cx="4" cy="4" r="4"></circle>
<mask id="mask-10" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-9" fill="black"></use>
</mask>
<rect id="path-11" x="0" y="0" width="228" height="144"></rect>
<mask id="mask-12" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="228" height="144" fill="white">
<use xlink:href="#path-11"></use>
</mask>
</defs>
<g id="dtr-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="sign-an-image-2">
<g id="Group" transform="translate(53.000000, 12.000000)">
<g id="left">
<g id="stack" transform="translate(0.000000, 94.000000)">
<text id="DTR" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#E0E4E7">
<tspan x="10.8218828" y="172.009524">DTR</tspan>
</text>
<rect id="group" stroke="#E0E4E7" stroke-width="2" stroke-dasharray="5,5,5,5" x="0" y="0" width="368" height="180" rx="2"></rect>
<g id="components" transform="translate(10.000000, 9.000000)">
<g id="Group-2" transform="translate(0.000000, 109.000000)">
<g id="notary" transform="translate(176.000000, 0.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="172" height="34" rx="2"></rect>
<text id="notary-server" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="42.9926758" y="23">notary server</tspan>
</text>
</g>
<g id="registry">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="172" height="34" rx="2"></rect>
<text font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="61.9145508" y="23">registry</tspan>
</text>
</g>
<g id="internals" transform="translate(0.000000, 31.000000)">
<g id="right" transform="translate(176.000000, 0.000000)">
<g id="arrow-1" transform="translate(86.500000, 27.000000) scale(1, -1) rotate(-90.000000) translate(-86.500000, -27.000000) translate(60.000000, 23.000000)">
<path d="M2,4 L52.5,4" id="Line" stroke="#1488C6" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#1488C6" fill-rule="evenodd" xlink:href="#path-1"></use>
<use stroke="#FFFFFF" mask="url(#mask-2)" stroke-width="4" xlink:href="#path-1"></use>
</g>
</g>
<g id="box" transform="translate(0.000000, 48.000000)">
<use id="Rectangle" stroke="#1488C6" mask="url(#mask-4)" stroke-width="2" fill="#FFFFFF" xlink:href="#path-3"></use>
<text id="dev/nginx:1-digest:" font-family="CourierNewPS-BoldMT, Courier New" font-size="14" font-weight="bold" fill="#637986">
<tspan x="7" y="21">dev/nginx:1</tspan>
<tspan x="7" y="37"> digest: m647f0</tspan>
<tspan x="7" y="53"> signed-by: 53f4a3</tspan>
</text>
</g>
</g>
<g id="left">
<g id="arrow-1" transform="translate(86.500000, 27.000000) scale(1, -1) rotate(-90.000000) translate(-86.500000, -27.000000) translate(60.000000, 23.000000)">
<path d="M2,4 L52.5,4" id="Line" stroke="#1488C6" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#1488C6" fill-rule="evenodd" xlink:href="#path-5"></use>
<use stroke="#FFFFFF" mask="url(#mask-6)" stroke-width="4" xlink:href="#path-5"></use>
</g>
</g>
<g id="box" transform="translate(0.000000, 48.000000)">
<use id="Rectangle" stroke="#1488C6" mask="url(#mask-8)" stroke-width="2" fill="#FFFFFF" xlink:href="#path-7"></use>
<text id="dev/nginx:1" font-family="CourierNewPS-BoldMT, Courier New" font-size="14" font-weight="bold" fill="#637986">
<tspan x="7" y="21">dev/nginx:1</tspan>
</text>
</g>
</g>
</g>
</g>
<g id="others" transform="translate(0.000000, 38.000000)" fill="#82949E">
<rect id="Rectangle-138" x="0" y="0" width="348" height="67" rx="2"></rect>
</g>
<g id="front-end">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="348" height="34" rx="2"></rect>
<text font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="143.509277" y="23">front-end</tspan>
</text>
</g>
</g>
</g>
<g id="user" transform="translate(54.000000, 0.000000)">
<text id="&gt;-export-DOCKER_CONT" font-family="CourierNewPS-BoldMT, Courier New" font-size="14" font-weight="bold" fill="#637986">
<tspan x="0" y="47">&gt; export DOCKER_CONTENT_TRUST=1</tspan>
<tspan x="0" y="63">docker push</tspan>
</text>
<path d="M131,13 C134.59125,13 137.5,10.083125 137.5,6.5 C137.5,2.90875 134.59125,-1.77635684e-15 131,-1.77635684e-15 C127.40875,-1.77635684e-15 124.5,2.90875 124.5,6.5 C124.5,10.083125 127.40875,13 131,13 L131,13 Z M131,16.25 C126.669375,16.25 118,18.419375 118,22.75 L118,26 L144,26 L144,22.75 C144,18.419375 135.330625,16.25 131,16.25 L131,16.25 Z" id="Shape" fill="#82949E"></path>
</g>
</g>
<g id="arrow" transform="translate(381.500000, 120.000000) scale(1, -1) translate(-381.500000, -120.000000) translate(355.000000, 116.000000)">
<path d="M2,4 L52.5,4" id="Line" stroke="#1488C6" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#1488C6" fill-rule="evenodd" xlink:href="#path-9"></use>
<use stroke="#FFFFFF" mask="url(#mask-10)" stroke-width="4" xlink:href="#path-9"></use>
</g>
</g>
<g id="browser" transform="translate(407.000000, 103.000000)">
<use id="chrome" stroke="#82949E" mask="url(#mask-12)" stroke-width="2" fill="#FFFFFF" xlink:href="#path-11"></use>
<g id="table" transform="translate(9.000000, 60.000000)">
<g id="data" transform="translate(0.000000, 25.000000)" font-size="12" font-family="OpenSans, Open Sans" fill="#82949E" font-weight="normal">
<text id="dave">
<tspan x="145" y="13">dave.lauper</tspan>
</text>
<text id="9baa">
<tspan x="61" y="13">9baa16</tspan>
</text>
<text id="1">
<tspan x="0" y="13">1</tspan>
</text>
</g>
<g id="signed" transform="translate(9.000000, 28.000000)">
<circle id="sign" fill="#00B6B5" cx="5.5" cy="5.5" r="5.5"></circle>
<polyline id="Path-2" stroke="#FFFFFF" stroke-linecap="round" points="2.33138415 5.0401346 4.66576739 7.30973903 8.53446401 3.34959331"></polyline>
</g>
<g id="header" font-size="12" font-family="OpenSans, Open Sans" fill="#82949E" font-weight="normal">
<text id="last">
<tspan x="145" y="13">last pushed</tspan>
</text>
<text id="id">
<tspan x="61" y="13">id</tspan>
</text>
<text id="tag">
<tspan x="0" y="13">tag</tspan>
</text>
</g>
</g>
<g id="repo" transform="translate(0.000000, 26.000000)">
<rect id="header" fill="#82949E" x="0" y="0" width="228" height="27"></rect>
<text id="dev/nginx" font-family="OpenSans, Open Sans" font-size="12" font-weight="normal" fill="#FFFFFF">
<tspan x="9" y="18">dev/nginx</tspan>
</text>
</g>
<g id="header">
<path d="M9.5,79.5 L217.5,79.5" id="Line" stroke="#E0E4E7" stroke-linecap="square"></path>
<rect fill="#1488C6" x="0" y="0" width="228" height="27"></rect>
<text id="docker-trusted-regis" font-family="OpenSans, Open Sans" font-size="12" font-weight="normal" fill="#FFFFFF">
<tspan x="9" y="18">docker trusted registry</tspan>
</text>
</g>
</g>
</g>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
datacenter/dtr/2.2/guides/images/sign-an-image-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 249 KiB

123
datacenter/dtr/2.2/guides/user/access-dtr/configure-your-notary-client.md Normal file
View File

@ -0,0 +1,123 @@
---
title: Configure your Notary client
description: Learn how to configure your Notary client to push and pull images from Docker Trusted Registry.
keywords: docker, registry, notary, trust
---
The Docker CLI client makes it easy to sign images but to streamline that
process it generates a set of private and public keys that are not tied
to your UCP account. This means that you'll be able to push and sign images to
DTR, but UCP won't trust those images since it doesn't know anything about
the keys you're using.
So before signing and pushing images to DTR you should:
* Configure the Notary CLI client
* Import your UCP private keys to the Notary client
This allows you to start signing images with the private keys in your UCP
client bundle, that UCP can trace back to your user account.
## Download the Notary CLI client
If you're using Docker for Mac or Docker for Windows, you already have the
`notary` command installed.
If you're running Docker on a Linux distribution, you can [download the
latest version](https://github.com/docker/notary/releases). As an example:
```bash
# Get the latest binary
curl <download-url> -o notary
# Make it executable
chmod +x notary
# Move it to a location in your path
sudo mv notary /usr/bin/
```
## Configure the Notary CLI client
Before you use the Notary CLI client, you need to configure it to make it
talk with the Notary server that's part of DTR.
There's two ways to do this, either by passing flags to the notary command,
or using a configuration file.
### With flags
Run the Notary command with:
```bash
notary --server https://<dtr-url> --trustDir ~/.docker/trust --tlscacert <dtr-ca.pem>
```
Here's what the flags mean:
| Flag | Purpose |
|:--------------|:----------------------------------------------------------------------------------------------------------------------------------|
| `--server` | The Notary server to query |
| `--trustDir` | Path to the local directory where trust metadata will be stored |
| `--tlscacert` | Path to the DTR CA certificate. If you've configured your system to trust the DTR CA certificate, you don't need to use this flag |
To avoid having to type all the flags when using the command, you can set an
alias:
```none
# Bash
alias notary="notary --server https://<dtr-url> --trustDir ~/.docker/trust --tlscacert <dtr-ca.pem>"
# PowerShell
set-alias notary "notary --server https://<dtr-url> --trustDir ~/.docker/trust --tlscacert <dtr-ca.pem>"
```
### With a configuration file
You can also configure Notary by creating a `~/.notary/config.json` file with
the following content:
```json
{
"trust_dir" : "~/.docker/trust",
"remote_server": {
"url": "<dtr-url>",
"root_ca": "<dtr-ca.pem>"
}
}
```
To validate your configuration, try running the `notary list` command on a
DTR repository that already has signed images:
```none
# Assumes you've configured notary
notary list <dtr-repository>
```
The command should print a list of digests for each signed image on the
repository.
## Import your UCP key
The last step in configuring the Notary CLI client is to import the private
key of your UCP client bundle.
[Get a new client bundle if you don't have one yet](/datacenter/ucp/2.1/guides/user/access-ucp/cli-based-access.md).
Import the private key in your UCP bundle into the Notary CLI client:
```none
# Assumes you've configured notary
notary key import <path-to-key.pem>
```
The private key is copied to `~/.docker/trust`, and you'll be prompted for a
password to encrypt it.
You can validate what keys Notary knows about by running:
```none
notary key list
```
The key you've imported should be listed with the role `delegation`.

21
datacenter/dtr/2.2/guides/user/access-dtr/index.md
View File

@ -27,13 +27,26 @@ system to trust that certificate.
In your browser navigate to `https://<dtr-url>/ca` to download the TLS
certificate used by DTR. Then
[add that certificate to the macOS trust store](https://support.apple.com/kb/PH18677?locale=en_US).
[add that certificate to macOS Keychain](https://support.apple.com/kb/PH20129).
After adding the CA certificate to Keychain, restart Docker for Mac.
### Windows
In your browser navigate to `https://<dtr-url>/ca` to download the TLS
certificate used by DTR. Then
[add that certificate to the Windows trust store](https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx).
certificate used by DTR. Open Windows Explorer, right-click the
file you've downloaded, and choose **Install certificate**.
Then, select the following options:
* Store location: local machine
* Check 'place all certificates in the following store'
* Click 'Browser', and select 'Trusted Root Certificate Authorities'
* Click 'Finish'
[Learn more about managing TLS certificates](https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx).
After adding the CA certificate to Windows, restart Docker for Windows.
### Ubuntu/ Debian
@ -95,7 +108,7 @@ $ sudo /bin/systemctl restart docker.service
sudo /etc/init.d/docker restart
```
## Login into DTR
## Log into DTR
To validate that your Docker daemon trusts DTR, trying authenticating against
DTR.

72
datacenter/dtr/2.2/guides/user/manage-images/sign-images/delegate-image-signing.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Delegate image signing
description: Learn how to grant permission for others to sign images in Docker Trusted Registry.
keywords: docker, registry, sign, trust
---
Instead of signing all the images yourself, you can delegate that task
to other users.
A typical workflow looks like this:
1. A repository owner creates a repository in DTR, and initializes the trust
metadata for that repository
3. Team members download a UCP client bundle and share their public key
certificate with the repository owner
4. The repository owner delegates signing to the team members
5. Team members can sign images using the private keys in their UCP client
bundles
In this example, the IT ops team creates and initializes trust for the
`dev/nginx`. Then they allow users in the QA team to push and sign images in
that repository.
![teams](../../../images/delegate-image-signing-1.svg)
## Create a repository and initialize trust
A member of the IT ops team starts by configuring their
[Notary CLI client](../../access-dtr/configure-your-notary-client.md).
Then they create the `dev/nginx` repository,
[initialize the trust metadata](index.md) for that repository, and grant
write access to members of the QA team, so that they can push images to that
repository.
## Ask for the public key certificates
The member of the IT ops team then asks the QA team for their public key
certificate files that are part of their UCP client bundle.
If they don't have a UCP client bundle,
[they can download a new one](/datacenter/ucp/2.1/guides/user/access-ucp/cli-based-access.md).
## Delegate image signing
When delegating trust, you associate a public key certificate with a role name.
UCP requires that you delegate trust to two different roles:
* `targets/releases`
* `targets/<role>`, where `<role>` is the UCP team the user belongs to
In this example we'll delegate trust to `targets/releases` and `targets/qa`:
```none
# Delegate trust, and add that public key with the role targets/releases
notary delegation add --publish \
dtr.example.org/dev/nginx targets/releases \
--all-paths <user-1-cert.pem> <user-2-cert.pem>
# Delegate trust, and add that public key with the role targets/admin
notary delegation add --publish \
dtr.example.org/dev/nginx targets/qa \
--all-paths <user-1-cert.pem> <user-2-cert.pem>
```
Now members from the QA team just have to [configure their Notary CLI client
with UCP private keys](../../access-dtr/configure-your-notary-client.md)
to be able to [push and sign images](index.md) into the `dev/nginx` repository.
## Where to go next
* [Manage trusted repositories](manage-trusted-repositories.md)

170
datacenter/dtr/2.2/guides/user/manage-images/sign-images/index.md Normal file
View File

@ -0,0 +1,170 @@
---
title: Sign an image
description: Learn how to sign the images you push to Docker Trusted Registry.
keywords: docker, registry, sign, trust
---
By default, when you push an image to DTR, the Docker CLI client doesn't
sign the image.
![image without signature](../../../images/sign-an-image-1.svg)
You can configure the Docker CLI client to sign the images you push to DTR.
This allows whoever pulls your image to validate if they are getting the image
you created, or a forged one.
To sign an image you can run:
```none
export DOCKER_CONTENT_TRUST=1
docker push <dtr-domain>/<repository>/<image>:<tag>
```
This pushes the image to DTR and creates trust metadata. It also creates
public and private key pairs to sign the trust metadata, and push that metadata
to the Notary Server internal to DTR.
![image with signature](../../../images/sign-an-image-2.svg)
## Sign images that UCP can trust
With the command above you'll be able to sign your DTR images, but UCP won't
trust them because it can't tie the private key you're using to sign the images
to your UCP account.
To sign images in a way that UCP trusts them you need to:
* Configure your Notary client
* Initialize trust metadata for the repository
* Delegate signing to the keys in your UCP client bundle
In this example we're going to pull an NGINX image from Docker Store,
re-tag it as `dtr.example.org/dev/nginx:1`, push the image to DTR and sign it
in a way that is trusted by UCP. If you manage multiple repositories, you'll
have to do the same procedure for every one of them.
### Configure your Notary client
Start by [configuring your Notary client](../../access-dtr/configure-your-notary-client.md).
This ensures the Docker an Notary CLI clients know about your UCP private keys.
### Initialize the trust metadata
Then you need to initialize the trust metadata for the new repository, and
the easiest way to do it is by pushing an image to that repository. Navigate to
the **DTR web UI**, and create a repository for your image.
In this example we've created the `dev/nginx` repository.
From the Docker CLI client, pull an NGINX image from Docker Store,
re-tag it, sign and push it to DTR.
```bash
# Pull NGINX from Docker Store
docker pull nginx:latest
# Re-tag NGINX
docker tag nginx:latest dtr.example.org/dev/nginx:1
# Log into DTR
docker login dtr.example.org
# Sign and push the image to DTR
export DOCKER_CONTENT_TRUST=1
docker push dtr.example.org/dev/nginx:1
```
This pushes the image to DTR and initializes the trust metadata for that
repository.
![DTR](../../../images/sign-an-image-3.png){: .with-border}
DTR shows that the image is signed, but UCP won't trust the image
because it doesn't have any information about the private keys used to sign
the image.
### Delegate trust to your UCP keys
To sign images in a way that is trusted by UCP, you need to delegate trust, so
that you can sign images with the private keys in your UCP client bundle.
When delegating trust you associate a public key certificate with a role name.
UCP requires that you delegate trust to two different roles:
* `targets/releases`
* `targets/<role>`, where `<role>` is the UCP team the user belongs to
In this example we'll delegate trust to `targets/releases` and `targets/admin`:
```none
# Delegate trust, and add that public key with the role targets/releases
notary delegation add --publish \
dtr.example.org/dev/nginx targets/releases \
--all-paths <ucp-cert.pem>
# Delegate trust, and add that public key with the role targets/admin
notary delegation add --publish \
dtr.example.org/dev/nginx targets/admin \
--all-paths <ucp-cert.pem>
```
To push the new signing metadata to the Notary server, you'll have to push
the image again:
```none
docker push dtr.example.org/dev/nginx:1
```
## Under the hood
Both Docker and Notary CLI clients interact with the Notary server to:
* Keep track of the metadata of signed images
* Validate the signatures of the images you pull
This metadata is also kept locally in `~/.docker/trust`.
```none
.
|-- private
| |-- root_keys
| | `-- 993ad247476da081e45fdb6c28edc4462f0310a55da4acf1e08404c551d94c14.key
| `-- tuf_keys
| `-- dtr.example.org
| `-- dev
| `-- nginx
| |-- 98a93b2e52c594de4d13d7268a4a5f28ade5fc1cb5f44cc3a4ab118572a86848.key
| `-- f7917aef77d0d4bf8204af78c0716dac6649346ebea1c4cde7a1bfa363c502ce.key
`-- tuf
`-- dtr.example.org
`-- dev
`-- nginx
|-- changelist
`-- metadata
|-- root.json
|-- snapshot.json
|-- targets.json
`-- timestamp.json
```
The `private` directory contains the private keys the Docker CLI client uses
to sign the images. Make sure you create backups of this directory so that
you don't lose your signing keys.
The Docker and Notary CLI clients integrates with Yubikey. If you have a Yubikey
plugged in when initializing trust for a repository, the root key is stored on
the Yubikey instead of in the trust directory.
When you run any command that needs the `root` key, Docker and Notary CLI
clients look on the Yubikey first, and uses the trust directory as a fallback.
The `tuf` directory contains the trust metadata for the images you've
signed. For each repository there are four files.
| File | Description |
|:-----------------|:--------------------------------------------------------------------------------------------------------------------------|
| `root.json` | Has data about other keys and their roles. This data is signed by the root key. |
| `targets.json` | Has data about the digest and size for an image. This data is signed by the target key. |
| `snapshot.json` | Has data about the version number of the root.json and targets.json files. This data is signed by the snapshot key. |
| `timestamp.json` | Has data about the digest, size, and version number for the snapshot.json file. This data is signed by the timestamp key. |
[Learn more about trust metadata](/notary/service_architecture.md).

54
datacenter/dtr/2.2/guides/user/manage-images/manage-trusted-repositories.md → datacenter/dtr/2.2/guides/user/manage-images/sign-images/manage-trusted-repositories.md
View File

@ -1,20 +1,48 @@
---
description: Learn how to use the Notary CLI client to manage trusted repositories
keywords: dtr, trust, notary, registry, security
title: Manage trusted repositories
description: Learn how to use the Notary CLI client to manage trusted repositories
keywords: dtr, trust, notary, security
redirect_from:
- /datacenter/dtr/2.2/guides/user/manage-images/manage-trusted-repositories/
---
Once you install the Notary CLI client, you can use it to manage your signing
keys, authorize other team members to sign images, and rotate the keys if
a private key has been compromised.
Once you
[configure the Notary CLI client](../../access-dtr/configure-your-notary-client.md),
you can use it to manage your private keys, list trust data from any repository
you have access to, authorize other team members to sign images, and rotate
keys if a private key has been compromised.
When using the Notary CLI client you need to specify where is Notary server
you want to communicate with, and where to store the private keys and cache for
the CLI client.
## List trust data
```bash
# Create an alias to always have the notary client talking to the right server
$ alias notary="notary -s https://<dtr_url> -d ~/.docker/trust"
List the trust data for a repository by running:
```none
$ notary list <dtr_url>/<account>/<repository>
```
You can get one of the following errors, or a list with the images that have
been signed:
| Message | Description |
|:--------------------------------------------|:-----------------------------------------------------------------------------------------------------------------|
| `fatal: client is offline` | Either the repository server can't be reached, or your Notary CLI client is misconfigured |
| `fatal: <dtr_url> does not have trust data` | There's no trust data for the repository. Either run `notary init` or sign and push an image to that repository. |
| `No targets present in this repository` | The repository has been initialized, but doesn't contain any signed images |
## Initialize trust for a repository
There's two ways to initialize trust data for a repository. You can either
sign and push an image to that repository:
```none
export DOCKER_CONTENT_TRUST=1
docker push <dtr_url>/<account>/<repository>
```
or
```
notary init --publish <dtr_url>/<account>/<repository>
```
## Manage staged changes
@ -122,5 +150,5 @@ directory where your private keys are stored, with the `-d` flag.
## Where to go next
* [Run only the images you trust](index.md)
* [Get started with Notary](/notary/getting_started.md)
* [Learn more about Notary](/notary/advanced_usage.md)
* [Notary architecture](/notary/service_architecture.md)

BIN
datacenter/images/dtr_repo_find_gun.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 42 KiB

BIN
datacenter/images/signed_image_in_dtr.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 65 KiB

BIN
datacenter/images/ucp_content_trust_detail.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 23 KiB

BIN
datacenter/images/ucp_content_trust_settings.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 56 KiB

387
datacenter/ucp/2.1/guides/admin/configure/content-trust/admin_tasks.md
View File

@ -1,387 +0,0 @@
---
title: Configure the UCP and DTR servers for content trust
description: Configuration tasks for using content trust on UCP and DTR servers
---
These tasks allow an administrator to set up the UCP and DTR servers to require
content trust and to delegate the ability to sign images to UCP users. For an
overview of content trust in UCP, see [Run only the images you trust](index.md).
After completing these steps, continue to
[Client configuration for content trust in UCP](client_configuration.md).
## Prerequisites
Before completing these tasks, set up the teams for signing and add users to
them. For instance, if your business requirement is that images need to be
signed by `engineering`, `security`, and `quality` teams, set up those teams and
add the appropriate users to them. See
[Set up teams](/datacenter/ucp/2.1/guides/admin/manage-users/create-and-manage-teams.md)
and
[Create and manage users](/ucp/2.1/guides/admin/manage-users/create-and-manage-users.md).
## Overview
The administrator needs to complete the following tasks to configure UCP and DTR
for image signing.
2. [Configure UCP](#configure-ucp) to only allow signed images to be used.
3. [Set up the Docker Notary CLI client](#set-up-the-docker-notary-client)
locally so that the administrator can initialize the trusted image
repository.
4. [Initialize the trusted image repository](#initialize-the-trusted-image-repository)
which will store trusted images.
5. [Delegate image signing](#delegate-image-signing) so that the appropriate
users are able to sign images. This step is optional, and assumes that the
UCP administrator will not be the only one signing images.
## Configure UCP
This step configures UCP to only allow deployment of signed images, as well as
the teams that must sign an image before it can be trusted. Set up the users
and groups before starting this step.
1. Go to the **UCP web UI**, navigate to the **Admin Settings** page, and click
the **Content Trust** menu item.
![Content Trust settings](/datacenter/images/ucp_content_trust_settings.png)
2. Select the **Only run signed images** option.
Click the **REQUIRE SIGNATURE FROM ALL OF THESE TEAMS** field and choose
one or more teams. DDC will consider an image to be trustworthy only if it
is signed by a member of _every team_ you select. The requirement can be
fulfilled by a single user who is a member of all the teams, or by a signer
in each team.
> **Note**: If you don't specify any team (by leaving the field blank), an
> image will be trusted as long as it is signed by any UCP user whose keys
> are [configured in the Notary client](#set-up-the-docker-notary-client).
The following screenshot shows a configuration that requires images to be
signed by a member of the `engineering` team.
![Content Trust settings detail](/datacenter/images/ucp_content_trust_detail.png)
3. Click **Update** to apply the changes.
UCP is now configured to only allow use of signed images, but you don't have the
ability to sign images yet. Next,
[set up the Docker Notary CLI client](#set-up-the-docker-notary-client).
## Set up the Docker Notary CLI client
After [configuring UCP](#configure-ucp), you need to specify which Docker images
can be trusted, using the Docker Notary server that is built into Docker Trusted
Registry (DTR). The following procedure configures the Notary server to store
signed metadata about the Docker images you trust. This set-up step only needs
to be done on the client of an administrator responsible for setting up
repositories and delegating the ability to sign images.
1. **If you are on a Linux client**, install the Notary binary. If you use Docker
for Mac or Docker for Windows, the Notary client is included in your
installation.
- [Download the latest client archive](https://github.com/docker/notary/releases).
- Extract the archive.
- Rename the binary to `notary` and set it to executable. Either move it to
a location in your path or modify the examples below to include the full
path to the binary.
2. Configure the Notary client to communicate with the DTR server and store
its metadata in the correct location. You can either use a
[Notary configuration file](/notary/reference/client-config.md) or manually
specify the following flags when you run the `notary` command.
|Flag |Purpose |
|-------------------|------------------------------------------------------|
| `-s <dtr_url>` | The hostname or IP address of the DTR server |
| `-d <trust_directory>` | The path to the local directory where trust metadata will be stored |
| `--tlscacert <dtr_ca.pem>` | The path to the trust certificate for DTR. Only required if your DTR registry is not using certificates signed by a globally trusted certificate authority, such as self-signed certificates. Download the trust certificate from `https://<dtr_url>/ca` either from your browser or using `curl` or `wget`.|
> **Tip**: If you don't want to provide the `-s`, `-d`, and `--tlscacert`
> parameters each time you run a Nptary command, you can set up an alias in
> Bash (Linux or macOS) or PowerShell (Windows) to save some typing. The
> following examples do not include the `--tlscacert` flag, but you can add
> it if necessary. All of the `notary` commands in the rest of this topic
> assume that you have set up the alias.
>
> - **Bash**: Type the following, or add it to your `~/.profile` file to make
> it permanent. Replace `<dtr_url>` with the hostname or IP address of your
> DTR instance.
>
> alias notary="notary -s https://<dtr_url> -d ~/.docker/trust"
>
> - **PowerShell**: Type the following, or add it to your `profile.ps1` to
> make it permanent.
>
> PS C:\> set-alias notary "notary -s https://<dtr_url> -d ~/.docker/trust"
>
>
> After setting up the alias, you only need to type `notary` and the server
> and destination directory will be included in the command automatically.
{: id="notary_alias_config_note" }
3. Find the _globally unique name (GUN)_ for your repository. The GUN
is the `<registry/<account>/<repository>` string, such as
`dtr-example.com/engineering/my-repo`. You can find the GUN for a repository
by browsing to it in the DTR web UI and copying the part of the
**Pull command** after `docker pull`.
Next, [initialize a trusted image repository](#set-up-a-trusted-image-repository).
## Initialize the trusted image repository
> **Tip - Yubikey integration**: Notary supports integration with Yubikey. If
> you have a Yubikey plugged in when you initialize a repository with Notary,
> the root key is stored on the Yubikey instead of in the trust directory. When
> you run any command that needs the `root` key, Notary looks on the Yubikey
> first, and uses the trust directory as a fallback.
This procedure needs to be done on the client of an administrator responsible for
setting up repositories. It needs to be done once per signing repository.
In these examples, add the `-s`, `-d`, and `--tlscacert` parameters you need
before `<GUN>` if you decided not to configure Notary using a
[configuration file](/notary/reference/client-config.md){: target="_blank" class="_" }
or a [terminal alias](#notary_alias_config_note").
1. In the DTR web UI, create a new repository or browse to an existing
repository that you want to reconfigure as a trusted image repository.
Make a note of the GUN for the repository by copying the contents of the
**Pull command** field after `docker pull`.
![Finding the GUN in the DTR UI](/datacenter/images/dtr_repo_find_gun.png)
2. At the command line on your client, check whether Notary has information
about the repository. Most likely if you are performing this task for the
first time, the repository is not initialized.
```bash
$ notary list <GUN>
```
The response may be one of the following:
- `fatal: client is offline`: Either the repository server can't be reached,
or DTR is using certificates which are not signed by a globally trusted
certificate authority, such as self-signed certificates. Run `notary list`
again, adding the `--tlscacert` flag, with the path to the certificate
authority for DTR. To get the certificate, download `https://<dtr_url>/ca`
from your browser or using `curl` or `wget`. This certificate is
different from the UCP trust certificate in the UCP client bundle.
- `fatal: <dtr_url> does not have trust data for ddc-staging-dtr.qa.aws.dckr.io/engineering/redis`:
The repository has not yet been initialized and you need to run
`notary init`. Continue to step 2.
- `No targets present in this repository.`: The repository has been
initialized, but contains no signed images. You do not need to do step 2.
- A list of signed image tags, their digests, and the role of the private
key used to sign the metadata. This indicates that the repository is configured
correctly and images have been signed and uploaded. You do not need to do
step 2.
2. To initialize the repository, run `notary init`, setting the `-p` flag to
the GUN of the repository. You will be prompted to set passphrases for
three different keys:
- The `root` key is used to sign the `targets` and `snapshot` keys.
- The `targets` key will be used to sign the keys of users authorized to sign
images and designate them as trusted.
- The `snapshot` key is used for snapshotting the repository, which is an
optimization for updating the trust data.
```bash
$ notary init <GUN>
No root keys found. Generating a new root key...
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID 717fa4b:
Repeat passphrase for new root key with ID 717fa4b:
Enter passphrase for new targets key with ID 776d924 (<GUN>):
Repeat passphrase for new targets key with ID 776d924 (<GUN>):
Enter passphrase for new snapshot key with ID d3cc399 (<GUN>):
Repeat passphrase for new snapshot key with ID d3cc399 (<GUN>):
Enter username: admin
Enter password:
```
As the help text in the command says, it's important to choose good
passphrases and to save them in a secure location such as a password
manager. The final username and password prompt are for the DTR login.
Several important files are saved in the trust directory (the location you
specified as the value of the `-d` flag. The following is an example listing
of the trust directory:
```none
├── private
│   ├── root_keys
│   │   └── 92c11d487023de4447ef57747e84e7364cd7c62a4be28d8714ec05afe2f130f8.key
│   └── tuf_keys
│   └── dtr-example.com
│   └── engineering
│   └── testrepo
│   ├── 87a129ea47a4112fec6b989bde35f6ddea8325638450d41b3f44fabaf49dbe3d.key
│   └── aa4b236c610e3d951c930bf2a503861c41808ac28369bfbaf5c075b62cb3dd41.key
└── tuf
└── dtr-example.com
└── engineering
└── testrepo
├── changelist
└── metadata
├── root.json
├── snapshot.json
└── targets.json
```
The `tuf` directory contains metadata needed by Notary. The `private`
directory contains the root key, target key, and snapshots key. It is
important to protect these keys, especially the root key. If you are using
the Yubikey integration feature, the root key is already stored on your
Yubikey. You should back up the entire `private` subdirectory to secure
offline storage and remove the `root_keys` subdirectory from the trust
directory. If you do not use a Yubikey, back up the entire trust
directory to secure offline storage, and bring it online only when you need
to perform Notary operations.
3. The metadata has been created but only exists on your client. To publish
it to DTR, use `notary publish`.
```bash
$ notary publish <GUN>
Pushing changes to <GUN>
Enter username: admin
Enter password:
Enter passphrase for targets key with ID 63c2d66:
Enter passphrase for snapshot key with ID 6ac388d:
Successfully published changes for repository <GUN>
```
You will be prompted for the DTR login, the passphrase for the `targets` key,
and the passphrase for the `snapshot` key.
Typically, the administrator is not part of the group which is authorized to
sign images. If you do attempt to sign images and you are not part of one of the
correct groups, the image will not be available to UCP.
Continue to [delegate image signing](#delegate-image-signing) to give the
appropriate users the ability to sign images.
You can also
[learn more about the keys used by Notary](/engine/security/trust/trust_key_mng.md).
## Delegate image signing
The administrator who manages Docker Trusted Registry is often not part of the
group which is allowed to sign images. This is where
[Notary delegation roles](/notary/advanced_usage.md) come in. Delegation roles
provide:
- Simple collaboration workflows
- Fine-grained permissions within a collection's contents across delegations
- Ability to dynamically add or remove keys from delegation roles when
collaborators join or leave trusted repositories
When you [initialized the trusted repository](#nitialize-the-trusted-image-repository),
three keys were created:
- The `root` key signs the `targets` and `snapshot` keys.
- The `targets` key is used by Notary for delegation roles, which act as signers.
- Each change in the repository needs to be signed by the `snapshot` key.
To avoid the need to distribute the `snapshot` key to each person who will sign
images, you can configure the Notary server to manage it. In order to do this,
you need to also rotate the `snapshots` key, so that private keys do not need
to be transferred between the client and server.
1. Rotate the key and configure the Notary server to manage it. This operation
only needs to be done once for each trusted repository.
```bash
$ notary key rotate <GUN> snapshot --server-managed
```
You are prompted for the DTR credentials followed by the passphrase for the
`root` key.
2. For each user who should be able to sign images, ask that user to create a
client bundle. They should:
1. Go to the UCP web UI.
2. Click your username at the top right. Click **Profile**.
3. Click **Create a Client Bundle**. A file is downloaded called
`ucp-bundle-<username>.zip`.
4. Extract the zip file. The important file within the archive is the
`cert.pem`, which is the user certificate.
5. Send you the `cert.pem` **through a secure, trusted channel**. If you
plan to create more than one delegation, rename the `cert.pem` with the
username or other identifying information.
3. Run the following command to add the `targets/releases` delegation role for
each user, using the `cert.pem` files. You can specify multiple `cert.pem`
files at once.
```bash
$ notary delegation add -p <GUN> targets/releases --all-paths user1.pem user2.pem
```
You will be prompted for your DTR credentials and the passphrase for the
`targets` key.
> **Note**: You can also add arbitrary delegations, but `targets/releases`
> is a special delegation, and is treated as an actual release branch for
> Docker Content Trust. If a Docker client has content trust enabled, and
> the client runs `docker pull`, this delegation is what signals that the
> content is trusted.
Each user who can release images should be added to the `targets/releases`
role.
4. Create at least one more delegation and add users to it, or UCP will not
honor the signed content. This delegation indicates the team that is signing
the release.
Docker recommends adding one delegation per team. For instance, if you have
an `engineering` team and a `qa` team, add a delegation for each of these.
If a user is a member of both teams, that user will be able to indicate
which team they are signing on behalf of. Notary has no limit on how many
delegation roles can exist.
Valid delegation roles take the form of `targets/<delegation>`. Do not include
a trailing slash.
The following command adds `user1` to the `targets/engineering` delegation:
```bash
$ notary delegation add -p <GUN> targets/engineering --all-paths user1.pem
```
You will be prompted for your DTR credentials followed by the passphrase
for the `targets` key.
5. Securely remove the `.pem` files of the users you added delegations to. If
these keys are compromised, they could be used to sign images which should
not be trusted.
## Next steps
The Notary server is now configured to allow users to sign images. Next, each
user needs to [configure their client](client_configuration.md)
and [sign some images](client_configuration.md#sign-and-push-images).
[Learn more about the targets/releases role](/engine/security/trust/trust_delegation.md).

255
datacenter/ucp/2.1/guides/admin/configure/content-trust/client_configuration.md
View File

@ -1,255 +0,0 @@
---
title: Configure the Docker client to sign images
description:
---
After an administrator
[configures the UCP and DTR servers for content trust](admin_tasks.md) and
[delegates users to be able to sign images](admin_tasks.md#delegate-image-signing),
each of those users needs to configure their system for image signing. This
topic covers the required configuration steps, as well as how to sign and
push images.
Each user who will sign images needs to follow these steps.
## Import the user's signing key
Users who need to sign images should import the `key.pem` file from their UCP
client bundle into Docker. The user probably downloaded the client bundle when
they sent the administrator their `cert.pem` so the administrator could
[delegate signing to them](#delegate-image-signing).
Import the private key associated with the user certificate. You must specify
the trust directory `~/.docker/private`. If the `~/.docker/private` directory
does not yet exist, Notary will create it.
- **Linux or macOS**:
```bash
$ notary -d ~/.docker/trust key import /path/to/key.pem
```
- **Windows**:
```powershell
PS C:\> notary -d ~/.docker/trust key import /path/to/key.pem
```
You are prompted for a passphrase. Save it in a secure location such as a
password manager. You will need to provide the passphrase each time you sign an
image.
## Configure the Docker client
These steps may need to be performed for each Docker user who will push images
to the trusted repository, and also on each Docker client which should only be
allowed to pull and use trusted images.
### Linux or MacOS
1. **Required**: Set the `DOCKER_CONTENT_TRUST` environment variable to `1`.
You can do this temporarily or permanently.
- To set the environment variable for the current command-line session, type
the following into the terminal where you will be running `docker` commands:
```bash
$ export DOCKER_CONTENT_TRUST=1
```
This environment variable will be effective until you close the command
prompt.
- To set the environmment variable for just a single command, add it before
the command:
```bash
$ DOCKER_CONTENT_TRUST=1 docker pull...
```
- To set the environment variable permanently, edit the `~/.profile` file
and add the following line:
```bash
export DOCKER_CONTENT_TRUST=1
```
2. **If your DTR instance uses certificates not signed by a public certificate authority (CA)**:
Configure the local Docker daemon and client to trust the DTR server's
certificate. You need to do this step if you see an error like the following
when you try to [sign and push an image](#sign-and-push-an-image).
```none
x509: certificate signed by unknown authority
```
This procedure is different if you are on a Linux or macOS client:
- **Linux**:
1. Download the certificate add it to a subdirectory of the
`/etc/docker/certs.d/` directory.
```bash
$ sudo mkdir -p /etc/docker/certs.d/<dtr-domain-name>
$ curl -k https://<host_or_ip_of_dtr_host>/ca -o <dtr-domain-name>.crt
$ sudo mv <dtr-domain-name>.crt /etc/docker/certs.d/<dtr-domain-name>/ca.crt
```
2. Configure the Docker client to use certificates available to the
Docker daemon by creating a symbolic link from `/etc/docker/certs.d/`
to `~/.docker/tls/`
```bash
$ ln -s /etc/docker/certs.d ~/.docker/tls
```
3. Restart Docker using one of the following commands:
- `sudo systemctl restart docker`
- `sudo service docker restart`
- **macOS**:
1. Download the certificate and name the output file
`<dtr-domain-name>.crt`.
```bash
$ curl -k https://<host_or_ip_of_dtr_host>/ca -o <dtr-domain-name>.crt
```
2. Import the certificate into the macOS keychain. This example uses the
command line, but you can use the **Keychain Access** application
instead.
```bash
$ sudo security add-trusted-cert -d \
-r trustRoot \
-k /Library/Keychains/System.keychain \
<dtr-domain-name>.crt
```
3. Restart Docker for Mac. Click the Docker icon in the toolbar and click
**restart**.
The Docker daemon and client now trust the DTR server. Continue to
[Sign and push an image](#sign-and-push-an-image).
### Windows
1. Set the `DOCKER_CONTENT_TRUST` environment variable to `1`. You can do this
temporarily or permanently.
- To set the environment variable for the current PowerShell session, type the
following into the PowerShell terminal where you will be running `docker` commands:
```powershell
PS C:\> $env:DOCKER_CONTENT_TRUST = "1"
```
This environment variable will be effective until you close the PowerShell
session.
- To set the environment variable permanently for the logged-in user, use the
following command:
```powershell
PS C:\> [Environment]::SetEnvironmentVariable("DOCKER_CONTENT_TRUST", "1", "User")
```
The variable is set immediately.
Whichever method you use, you can verify that the environment variable is set
by typing `$Env:DOCKER_CONTENT_TRUST` at the command line.
2. **If your DTR instance uses certificates not signed by a public certificate authority (CA)**:
Configure the local Docker daemon and client to trust the DTR server's
certificate. You need to do this step if you see an error like the following
when you try to [sign and push an image](#sign-and-push-an-image).
1. Download the certificate by browsing to the URL
`https://<dtr-domain-name>/ca`. The certificate is shown in the browser
as a text file. Choose **File** / **Save As** and save the file as
`<dtr-domain-name>.crt`.
2. Open Windows Explorer and go to the directory where you saved the file.
Right-click `<dtr-domain-name>.crt` and choose **Install certificate**.
- Select **Local machine** for the store location.
- Select **Place all certificates in the following store**.
- Click **Browse** and select **Trusted Root Certificate Authorities**.
- Click **Finish**.
3. Restart Docker for Windows. Click the Docker icon in the Notifications
area and click **Settings**. Click **Reset** and choose
**Restart Docker**.
The Docker daemon and client now trust the DTR server. Continue to
[Sign and push an image](#sign-and-push-an-image).
## Sign and push an image
After [Configuring the signer's Notary and Docker clients](#onfigure-the-signers-otary-and-ocker-clients),
the user can sign and push images to Docker Trusted Registry. These steps are
the same on Linux, macOS, or Windows.
1. Log into DTR.
```bash
$ docker login <dtr_url>
```
You are prompted for your DTR credentials.
2. Tag the image with a tag in the format `<GUN>:imagename`. The following
example tags the `ubuntu:16.04` image as `ubuntu` in your trusted
repository. This will signal to the `docker push` command that the image tag
contains a repository.
```bash
$ docker tag ubuntu:16.04 dtr-example.com/engineering/testrepo:ubuntu
```
3. Sign and push the tagged image, so that your deployments can use it. The
following example signs and pushes the image created in the previous step.
You are prompted for the delegation key passphrase.
```bash
$ docker push dtr-example.com/engineering/testrepo:ubuntu
The push refers to a repository [dtr-example.com/engineering/testrepo]
5eb5bd4c5014: Pushed
d195a7a18c70: Pushed
af605e724c5a: Pushed
59f161c3069d: Pushed
4f03495a4d7d: Pushed
ubuntu: digest: sha256:4c0b138bdaaefa6a1c290ba8d8a97a568f43c0f8f25c733af54d3999da12dfd4 size: 1357
Signing and pushing trust metadata
Enter passphrase for delegation key with ID ff97e18:
Successfully signed "dtr-example.com/engineering/testrepo":ubuntu
```
4. To test pulling the image, remove it locally, then pull it.
```bash
$ docker image remove dtr-example.com/engineering/testrepo:ubuntu
$ docker pull dtr-example.com/engineering/testrepo:ubuntu
```
5. You can verify that the image exists in the repository using the DTR web UI.
Go to the DTR web UI and click **Repositories**. Choose the repository and
go to **Images**.
![Trusted image in DTR repository](/datacenter/images/signed_image_in_dtr.png)
The signed, trusted image is available in your trusted repository.
## Where to go next
* [Restrict services to worker nodes](restrict-services-to-worker-nodes.md)

61
datacenter/ucp/2.1/guides/admin/configure/content-trust/index.md
View File

@ -1,61 +0,0 @@
---
description: Configure a Docker UCP cluster to only allow running applications that use images you trust.
keywords: docker, ucp, backup, restore, recovery
title: Run only the images you trust
redirect_from:
- /datacenter/ucp/2.1/guides/admin/configure/only-allow-running-signed-images/
---
## About trusted images
When transferring data among networked systems, _trust_ is a central concern. In
particular, when communicating over an untrusted medium such as the internet, it
is critical to ensure the integrity and the publisher of all the data a system
operates on. Docker allows you to push images to, and pull images from, public
and private registries.
Docker provides a mechanism called
[content trust](/engine/security/trust/content_trust.md), which you can use to
verify that the contents of the image have been approved by people you trust,
and to prevent untrusted images from being used in your UCP instance.
### Example workflow for using trusted images
An example workflow that takes advantage of content trust might look like this:
1. Developers push code into source control.
2. A CI system performs automated tests. If the tests pass, the CI system
builds and cryptographically signs an image containing the code.
3. A quality engineering team pulls the image signed by the CI system and
performs quality tests on it. When the image is approved for production,
part of the approval process is to cryptographically sign the image again.
4. If any image is not signed both by the CI group and the QA group, UCP
refuses to deploy it.
## Configuration overview
First, an administrator performs the following configuration tasks, which are
detailed in [Server-side tasks for content trust in UCP](admin_tasks.md).
1. Configure UCP.
2. Configure the Notary client on the administrator's system.
3. Initialize the trusted repository in DTR.
4. Delegate image signing to users in the correct groups.
Afterward, members of approved teams perform the following tasks, which are
detailed in [Configure the Docker client to sign images](client_configuration.md):
1. Set up the Docker CLI to use the signing certificates from the UCP client
bundle and to require images to be signed when pulling them from
repositories.
2. Sign and push an image to a repository.
## Next steps
- [Server-side tasks for content trust in UCP](admin_tasks.md)
- [Configure the Docker client to sign images](client_configuration.md)

60
datacenter/ucp/2.1/guides/admin/configure/run-only-the-images-you-trust.md Normal file
View File

@ -0,0 +1,60 @@
---
title: Run only the images you trust
description: Configure a Docker UCP cluster to only allow running applications that use images you trust.
keywords: docker, ucp, security, trust
redirect_from:
- /datacenter/ucp/2.1/guides/admin/configure/only-allow-running-signed-images/
- /datacenter/ucp/2.1/guides/admin/configure/use-trusted-images-for-ci/
---
With Docker Universal Control Plane you can enforce applications to only use
Docker images signed by UCP users you trust. When a user tries to deploy an
application to the cluster, UCP checks if the application uses a Docker image
that is not trusted, and wont continue with the deployment if thats the case.
![Enforce image signing](../../images/run-only-the-images-you-trust-1.svg)
By signing and verifying the Docker images, you ensure that the images being
used in your cluster are the ones you trust and havent been altered either in
the image registry or on their way from the image registry to your UCP cluster.
## Example workflow
Here's an example of a typical workflow:
1. A developer makes changes to a service and pushes their changes to a version
control system
2. A CI system creates a build, runs tests, and pushes an image to DTR with the
new changes
3. The quality engineering team pulls the image and runs more tests. If
everything looks good they sign and push the image
4. The IT operations team deploys a service. If the image used for the service
was signed by the QA team, UCP deploys it. Otherwise UCP refuses to deploy.
## Configure UCP
To configure UCP to only allow running services that use Docker images you
trust, go to the **UCP web UI**, navigate to the **Settings** page, and click
the **Content Trust** tab.
Select the **Run only signed images** option to only allow deploying
applications if they use images you trust.
![UCP settings](../../images/run-only-the-images-you-trust-2.png){: .with-border}
With this setting, UCP allows deploying any image as long as the image has
been signed. It doesn't matter who signed the image.
To enforce that the image needs to be signed by specific teams, include those
teams in the **Require signature from** field.
![UCP settings](../../images/run-only-the-images-you-trust-3.png){: .with-border}
If you specify multiple teams, the image needs to be signed by a member of each
team, or someone that is a member of all those teams.
Click **Update** for UCP to start enforcing the policy.
## Where to go next
* [Sign and push images to DTR](/datacenter/dtr/2.2/guides/user/manage-images/sign-images/index.md)

2
datacenter/ucp/2.1/guides/admin/configure/store-logs-in-an-external-system.md
View File

@ -55,4 +55,4 @@ options that can accomplish this (e.g. Shield plug-in for Kibana)
## Where to go next
* [Require all images to be signed](content-trust.md)
* [Require all images to be signed](restrict-services-to-worker-nodes.md)

109
datacenter/ucp/2.1/guides/images/run-only-the-images-you-trust-1.svg Normal file
View File

@ -0,0 +1,109 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="740px" height="178px" viewBox="0 0 740 178" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 42 (36781) - http://www.bohemiancoding.com/sketch -->
<title>content-trust-3</title>
<desc>Created with Sketch.</desc>
<defs>
<circle id="path-1" cx="4" cy="4" r="4"></circle>
<mask id="mask-2" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-1" fill="black"></use>
</mask>
<circle id="path-3" cx="4" cy="4" r="4"></circle>
<mask id="mask-4" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-3" fill="black"></use>
</mask>
<rect id="path-5" x="0" y="0" width="228" height="144"></rect>
<mask id="mask-6" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="228" height="144" fill="white">
<use xlink:href="#path-5"></use>
</mask>
</defs>
<g id="dtr-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="content-trust-3">
<g id="Group" transform="translate(14.000000, 17.000000)">
<g id="user" transform="translate(0.000000, 47.000000)">
<text id="&gt;-docker-service-cre" font-family="CourierNewPS-BoldMT, Courier New" font-size="12" font-weight="bold" line-spacing="16" fill="#637986">
<tspan x="0" y="46">&gt; docker service create \</tspan>
<tspan x="0" y="62"> dtr.example.org/dev/nginx:1</tspan>
</text>
<path d="M90,13 C93.59125,13 96.5,10.083125 96.5,6.5 C96.5,2.90875 93.59125,-1.77635684e-15 90,-1.77635684e-15 C86.40875,-1.77635684e-15 83.5,2.90875 83.5,6.5 C83.5,10.083125 86.40875,13 90,13 L90,13 Z M90,16.25 C85.669375,16.25 77,18.419375 77,22.75 L77,26 L103,26 L103,22.75 C103,18.419375 94.330625,16.25 90,16.25 L90,16.25 Z" id="Shape" fill="#82949E"></path>
</g>
<g id="arrow" transform="translate(238.500000, 72.000000) scale(1, -1) translate(-238.500000, -72.000000) translate(216.000000, 68.000000)">
<path d="M2,4 L45,4" id="Line" stroke="#1488C6" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#1488C6" fill-rule="evenodd" xlink:href="#path-1"></use>
<use stroke="#FFFFFF" mask="url(#mask-2)" stroke-width="4" xlink:href="#path-1"></use>
</g>
</g>
<g id="ucp" transform="translate(262.000000, 0.000000)">
<g transform="translate(1.000000, 116.000000)">
<rect id="ucp-box" fill="#1488C6" x="0" y="0" width="180" height="27"></rect>
<text id="UCP" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="75.3596444" y="19">UCP</tspan>
</text>
</g>
<rect id="Rectangle-138" stroke="#82949E" stroke-width="2" x="0" y="0" width="181.124057" height="144" rx="2"></rect>
<g id="service" transform="translate(3.000000, 85.000000)">
<rect fill="#1488C6" x="0" y="2" width="30" height="27" rx="2"></rect>
<g id="signed" transform="translate(21.000000, 0.000000)">
<circle id="sign" fill="#00B6B5" cx="5.5" cy="5.5" r="5.5"></circle>
<polyline id="Path-2" stroke="#FFFFFF" stroke-linecap="round" points="2.33138415 5.0401346 4.66576739 7.30973903 8.53446401 3.34959331"></polyline>
</g>
</g>
</g>
<g id="arrow" transform="translate(466.500000, 72.000000) scale(1, -1) translate(-466.500000, -72.000000) translate(440.000000, 68.000000)">
<path d="M2,4 L52.5,4" id="Line" stroke="#1488C6" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#1488C6" fill-rule="evenodd" xlink:href="#path-3"></use>
<use stroke="#FFFFFF" mask="url(#mask-4)" stroke-width="4" xlink:href="#path-3"></use>
</g>
</g>
<g id="dtr" transform="translate(485.000000, 0.000000)">
<use id="chrome" stroke="#82949E" mask="url(#mask-6)" stroke-width="2" fill="#FFFFFF" xlink:href="#path-5"></use>
<g id="table" transform="translate(9.000000, 60.000000)">
<g id="data" transform="translate(0.000000, 25.000000)" font-size="12" font-family="OpenSans, Open Sans" fill="#82949E" font-weight="normal">
<text id="dave">
<tspan x="145" y="13">dave.lauper</tspan>
</text>
<text id="9baa">
<tspan x="61" y="13">9baa16</tspan>
</text>
<text id="1">
<tspan x="0" y="13">1</tspan>
</text>
</g>
<g id="signed" transform="translate(9.000000, 28.000000)">
<circle id="sign" fill="#00B6B5" cx="5.5" cy="5.5" r="5.5"></circle>
<polyline id="Path-2" stroke="#FFFFFF" stroke-linecap="round" points="2.33138415 5.0401346 4.66576739 7.30973903 8.53446401 3.34959331"></polyline>
</g>
<g id="header" font-size="12" font-family="OpenSans, Open Sans" fill="#82949E" font-weight="normal">
<text id="last">
<tspan x="145" y="13">last pushed</tspan>
</text>
<text id="id">
<tspan x="61" y="13">id</tspan>
</text>
<text id="tag">
<tspan x="0" y="13">tag</tspan>
</text>
</g>
</g>
<g id="repo" transform="translate(0.000000, 26.000000)">
<rect id="header" fill="#82949E" x="0" y="0" width="228" height="27"></rect>
<text id="dev/nginx" font-family="OpenSans, Open Sans" font-size="12" font-weight="normal" fill="#FFFFFF">
<tspan x="9" y="18">dev/nginx</tspan>
</text>
</g>
<g id="header">
<path d="M9.5,79.5 L217.5,79.5" id="Line" stroke="#E0E4E7" stroke-linecap="square"></path>
<rect fill="#1488C6" x="0" y="0" width="228" height="27"></rect>
<text id="docker-trusted-regis" font-family="OpenSans, Open Sans" font-size="12" font-weight="normal" fill="#FFFFFF">
<tspan x="9" y="18">docker trusted registry</tspan>
</text>
</g>
</g>
</g>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 7.5 KiB

BIN
datacenter/ucp/2.1/guides/images/run-only-the-images-you-trust-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 202 KiB

BIN
datacenter/ucp/2.1/guides/images/run-only-the-images-you-trust-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 212 KiB