Initial local setup
Before you can use Docker Content Trust (DCT), you must complete local setup.
Enable DCT
DCT is active on the server, but every Docker client that wants to use it must opt in by setting the DOCKER_CONTENT_TRUST environment variable. The variable is read by the client, not the daemon, so it must be set in every shell session in which DCT is used:
export DOCKER_CONTENT_TRUST=1
Configure CA certificates
You can skip this section and move on to Sign images that MKE can trust if either of the following applies:
Your MSR certificate is issued by a well-known root CA that the client machine already trusts.
Your MSR is installed on the local machine and is configured as an insecure registry (mostly a development and test configuration; see the caution below for why this does not work with a remote MSR).
If the MSR is configured with a self-signed CA certificate, you must configure the machine that runs the docker trust commands to trust that CA certificate, as detailed below.
Caution
It is not possible to use DCT with a remote MSR that is set up as an insecure registry in the Docker daemon configuration. This is because the Docker client does not use the server daemon for Notary operations, but instead communicates directly with the MSR Notary service. The client does not read the insecure registry configuration from the server, and there is no way to configure the client for insecure registries.
To configure your machine to trust a self-signed CA:
Create a certificate directory for the MSR host in the Docker configuration directory:
export MSR=<registry-hostname>
mkdir -p ~/.docker/certs.d/${MSR}
Download the MSR CA certificate into the newly created directory. Note that -k disables TLS verification for this one request, because the client cannot yet validate the self-signed certificate; this is a trust-on-first-use step, so compare the downloaded certificate (for example its SHA-256 fingerprint from openssl x509 -fingerprint -sha256) with a value obtained out of band from the MSR administrator before relying on it:
curl -ks https://${MSR}/ca > ~/.docker/certs.d/${MSR}/ca.crt
Restart the Docker daemon.
Verify that you do not receive certificate errors when accessing MSR using the Docker CLI by running:
docker login ${MSR}
The docker trust commands do not read certs.d directly; the Notary client looks for CA certificates under ~/.docker/tls/<registry-hostname>/. Create a symlink so that the tls directory resolves to certs.d:
ln -s certs.d ~/.docker/tls
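The steps above, collected into one script as an added example (not part of the original page or of the MSR product). It assumes the CA certificate has already been downloaded to a local file, uses the DOCKER_CONFIG variable to locate the Docker configuration directory (defaulting to ~/.docker), and takes an optional expected SHA-256 fingerprint so that the trust-on-first-use download can be checked against a value obtained out of band; the registry hostname and fingerprint are placeholders.

```shell
#!/bin/sh
# Added example: install a self-signed MSR CA certificate where both the
# Docker CLI (certs.d) and the docker trust / Notary client (tls) look for it.
# Assumption: DOCKER_CONFIG, when set, overrides ~/.docker as the config dir.
set -eu

# install_msr_ca <registry-hostname> <ca-cert-pem-file> [expected-sha256-fingerprint]
# Copies the CA certificate into <config>/certs.d/<host>/ca.crt and creates the
# <config>/tls -> certs.d symlink. If a fingerprint is given (format as printed by
# "openssl x509 -fingerprint -sha256", e.g. AB:CD:...), the certificate is
# rejected when it does not match, which closes the gap left by curl -k.
install_msr_ca() {
    msr=$1
    ca_src=$2
    expected_fp=${3:-}
    docker_dir=${DOCKER_CONFIG:-$HOME/.docker}
    certs_dir="$docker_dir/certs.d/$msr"

    if [ -n "$expected_fp" ]; then
        actual_fp=$(openssl x509 -in "$ca_src" -noout -fingerprint -sha256 | cut -d= -f2)
        if [ "$actual_fp" != "$expected_fp" ]; then
            echo "CA fingerprint mismatch for $msr: got $actual_fp, expected $expected_fp" >&2
            return 1
        fi
    fi

    mkdir -p "$certs_dir"
    cp "$ca_src" "$certs_dir/ca.crt"

    # docker trust reads <config>/tls/<host>/*.crt; point that path at certs.d.
    # The link target is relative, so it stays valid if the config dir moves.
    if [ ! -e "$docker_dir/tls" ]; then
        ln -s certs.d "$docker_dir/tls"
    fi
}

# verify_layout <registry-hostname>
# Succeeds only when the certificate is reachable through both paths,
# i.e. the one docker login uses and the one docker trust uses.
verify_layout() {
    msr=$1
    docker_dir=${DOCKER_CONFIG:-$HOME/.docker}
    [ -f "$docker_dir/certs.d/$msr/ca.crt" ] && [ -f "$docker_dir/tls/$msr/ca.crt" ]
}

# Typical use (hostname and fingerprint are placeholders):
#   export DOCKER_CONTENT_TRUST=1
#   curl -ks https://msr.example.com/ca > /tmp/msr-ca.pem
#   install_msr_ca msr.example.com /tmp/msr-ca.pem "AB:CD:...:EF"
#   verify_layout msr.example.com && docker login msr.example.com
```

After running this, the Docker daemon still has to be restarted as described above, and docker login should complete without certificate errors; the fingerprint argument is the check to keep, since without it the curl -k download trusts whatever answered on the network.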