From 2a449f3886831ac3b11687dac64c9c4e1117696a Mon Sep 17 00:00:00 2001 From: Anne Henmi Date: Wed, 7 Nov 2018 09:58:57 -0800 Subject: [PATCH 1/8] Fixed table, hopefully. --- engine/security/trust/content_trust.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/engine/security/trust/content_trust.md b/engine/security/trust/content_trust.md index a68fe3883f..40ac8fb190 100644 --- a/engine/security/trust/content_trust.md +++ b/engine/security/trust/content_trust.md 
@@ -173,15 +173,20 @@ The signature verification feature is configured in the Docker daemon configurat ``` | ***Stanza*** | ***Description*** | + | ----------------------- |---------------| + | `trust-pinning:root-keys` | Root key IDs are canonical IDs that sign the root metadata of the image trust data. In Docker Certified Trust (DCT), the root keys are unique certificates tying the name of the image to the repo metadata.  The private key ID (the canonical key ID) corresponding to the certificate does not depend on the image name. If an image’s name matches more than one glob, then the most specific (longest) one is chosen.| -|`trust-pinning:library-images` | This option pins the official libraries (`docker.io/library/*`) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by `trust-pinning:root-keys`. If `trustpinning:root-keys` specifies a key mapping for `docker.io/library/*`, those keys will be preferred for trust pinning. Otherwise, if a more general `docker.io/*` or `*` are specified, the official images key will be preferred.| + +|`trust-pinning:library-images` | This option pins the official libraries (`docker.io/library/*`) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by `trust-pinning:root-keys`. If `trustpinning:root-keys` specifies a key mapping for `docker.io/library/*`, those keys will be preferred for trust pinning. Otherwise, if a more general `docker.io/*` or `*` are specified, the official images key will be preferred.| + | `allow-expired-trust-cache` | Specifies whether cached locally expired metadata validates images if an external server is unreachable or does not have image trust metadata. This is necessary for machines which may be often offline, as may be the case for edge. 
This does not provide mitigations against freeze attacks, which is a necessary to provide availability in low-connectivity environments. | | `mode` | Specifies whether DCT is enabled and enforced. Valid modes are:
`disabled`: Verification is not active and the remainder of the content-trust related metadata will be ignored. *NOTE* that this is the default configuration if “mode” is not specfied.
`permissive`: Verification will be performed, but only failures will only be logged and remain unenforced. This configuration is intended for testing of changes related to content-trust.
`enforced`: DCT will be enforced and an image that cannot be verified successfully will not be pulled or run. | + ***Note:*** The DCT configuration defined here is agnostic of any policy defined in [UCP](https://docs.docker.com/v17.09/datacenter/ucp/2.0/guides/content-trust/#configure-ucp). Images that can be deployed by the UCP trust policy but are disallowed by the Docker Engine From 36fd87206c97300b20c2891a3b28a989853f5365 Mon Sep 17 00:00:00 2001 From: Anne Henmi <41210220+ahh-docker@users.noreply.github.com> Date: Wed, 7 Nov 2018 10:01:22 -0800 Subject: [PATCH 2/8] Update content_trust.md --- engine/security/trust/content_trust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/security/trust/content_trust.md b/engine/security/trust/content_trust.md index 40ac8fb190..33bfcce1e7 100644 --- a/engine/security/trust/content_trust.md +++ b/engine/security/trust/content_trust.md @@ -174,7 +174,7 @@ The signature verification feature is configured in the Docker daemon configurat | ***Stanza*** | ***Description*** | -| ----------------------- |---------------| +| --- | --- | | `trust-pinning:root-keys` | Root key IDs are canonical IDs that sign the root metadata of the image trust data. In Docker Certified Trust (DCT), the root keys are unique certificates tying the name of the image to the repo metadata.  The private key ID (the canonical key ID) corresponding to the certificate does not depend on the image name. If an image’s name matches more than one glob, then the most specific (longest) one is chosen.| From 902c115d4d7c59dbb782fa96301c4658edce111b Mon Sep 17 00:00:00 2001 From: Anne Henmi <41210220+ahh-docker@users.noreply.github.com> Date: Wed, 7 Nov 2018 10:04:44 -0800 Subject: [PATCH 3/8] Update content_trust.md --- engine/security/trust/content_trust.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) 
diff --git a/engine/security/trust/content_trust.md b/engine/security/trust/content_trust.md index 33bfcce1e7..cd73a25e7f 100644 --- a/engine/security/trust/content_trust.md +++ b/engine/security/trust/content_trust.md @@ -172,7 +172,14 @@ The signature verification feature is configured in the Docker daemon configurat } ``` -| ***Stanza*** | ***Description*** | + + + + + +
***Stanza******Description***
+ +| | | | --- | --- | From d32723440e4b42ce2dde948d45690f4b157c533b Mon Sep 17 00:00:00 2001 From: Anne Henmi <41210220+ahh-docker@users.noreply.github.com> Date: Wed, 7 Nov 2018 10:09:17 -0800 Subject: [PATCH 4/8] Update content_trust.md --- engine/security/trust/content_trust.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/engine/security/trust/content_trust.md b/engine/security/trust/content_trust.md index cd73a25e7f..4762b262b1 100644 --- a/engine/security/trust/content_trust.md +++ b/engine/security/trust/content_trust.md @@ -177,12 +177,11 @@ The signature verification feature is configured in the Docker daemon configurat + + + +
***Stanza*** ***Description***
| `trust-pinning:root-keys`Root key IDs are canonical IDs that sign the root metadata of the image trust data. In Docker Certified Trust (DCT), the root keys are unique certificates tying the name of the image to the repo metadata.  The private key ID (the canonical key ID) corresponding to the certificate does not depend on the image name. If an image’s name matches more than one glob, then the most specific (longest) one is chosen.
- -| | | - -| --- | --- | - | `trust-pinning:root-keys` | Root key IDs are canonical IDs that sign the root metadata of the image trust data. In Docker Certified Trust (DCT), the root keys are unique certificates tying the name of the image to the repo metadata.  The private key ID (the canonical key ID) corresponding to the certificate does not depend on the image name. If an image’s name matches more than one glob, then the most specific (longest) one is chosen.| |`trust-pinning:library-images` | This option pins the official libraries (`docker.io/library/*`) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by `trust-pinning:root-keys`. If `trustpinning:root-keys` specifies a key mapping for `docker.io/library/*`, those keys will be preferred for trust pinning. Otherwise, if a more general `docker.io/*` or `*` are specified, the official images key will be preferred.| From e87a26decc6fc7b7b06ff122de2799c67b4eb633 Mon Sep 17 00:00:00 2001 From: Anne Henmi <41210220+ahh-docker@users.noreply.github.com> Date: Wed, 7 Nov 2018 10:11:23 -0800 Subject: [PATCH 5/8] Update content_trust.md --- engine/security/trust/content_trust.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/engine/security/trust/content_trust.md b/engine/security/trust/content_trust.md index 4762b262b1..84bf0bfa38 100644 --- a/engine/security/trust/content_trust.md +++ b/engine/security/trust/content_trust.md @@ -174,15 +174,18 @@ The signature verification feature is configured in the Docker daemon configurat
- - + + - + + + + +
***Stanza******Description***StanzaDescription
| `trust-pinning:root-keys`trust-pinning:root-keys Root key IDs are canonical IDs that sign the root metadata of the image trust data. In Docker Certified Trust (DCT), the root keys are unique certificates tying the name of the image to the repo metadata.  The private key ID (the canonical key ID) corresponding to the certificate does not depend on the image name. If an image’s name matches more than one glob, then the most specific (longest) one is chosen.
trust-pinning:library-imagesThis option pins the official libraries (docker.io/library/*`) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by `trust-pinning:root-keys`. If `trustpinning:root-keys` specifies a key mapping for `docker.io/library/*`, those keys will be preferred for trust pinning. Otherwise, if a more general `docker.io/*` or `*` are specified, the official images key will be preferred.
-| `trust-pinning:root-keys` | Root key IDs are canonical IDs that sign the root metadata of the image trust data. In Docker Certified Trust (DCT), the root keys are unique certificates tying the name of the image to the repo metadata.  The private key ID (the canonical key ID) corresponding to the certificate does not depend on the image name. If an image’s name matches more than one glob, then the most specific (longest) one is chosen.| |`trust-pinning:library-images` | This option pins the official libraries (`docker.io/library/*`) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by `trust-pinning:root-keys`. If `trustpinning:root-keys` specifies a key mapping for `docker.io/library/*`, those keys will be preferred for trust pinning. Otherwise, if a more general `docker.io/*` or `*` are specified, the official images key will be preferred.| From 2791870005f3c46714d5579d495fe4051dded339 Mon Sep 17 00:00:00 2001 From: Anne Henmi <41210220+ahh-docker@users.noreply.github.com> Date: Wed, 7 Nov 2018 10:16:11 -0800 Subject: [PATCH 6/8] Update content_trust.md --- engine/security/trust/content_trust.md | 27 ++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/engine/security/trust/content_trust.md b/engine/security/trust/content_trust.md index 84bf0bfa38..0ef505081c 100644 --- a/engine/security/trust/content_trust.md +++ b/engine/security/trust/content_trust.md @@ -183,19 +183,26 @@ The signature verification feature is configured in the Docker daemon configurat - + + + + + + + + +
trust-pinning:library-imagesThis option pins the official libraries (docker.io/library/*`) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by `trust-pinning:root-keys`. If `trustpinning:root-keys` specifies a key mapping for `docker.io/library/*`, those keys will be preferred for trust pinning. Otherwise, if a more general `docker.io/*` or `*` are specified, the official images key will be preferred.This option pins the official libraries (docker.io/library/*<\code>) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by trust-pinning:root-keys<\code>. If `trustpinning:root-keys` specifies a key mapping for docker.io/library/*, those keys will be preferred for trust pinning. Otherwise, if a more general docker.io/* or * are specified, the official images key will be preferred.
allow-expired-trust-cacheSpecifies whether cached locally expired metadata validates images if an external server is unreachable or does not have image trust metadata. This is necessary for machines which may be often offline, as may be the case for edge. This does not provide mitigations against freeze attacks, which is a necessary to provide availability in low-connectivity environments.
modeSpecifies whether DCT is enabled and enforced. Valid modes are: disabled: + Verification is not active and the remainder of the content-trust related metadata will be ignored. + *NOTE* that this is the default configuration if mode is not specfied.
+ permissive: Verification will be performed, but only failures will only be logged and + remain unenforced. This configuration is intended for testing of changes related to content-trust. +
+ enforced<\code>: DCT will be enforced and an image that cannot be verified successfully will not + be pulled or run. +
-|`trust-pinning:library-images` | This option pins the official libraries (`docker.io/library/*`) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by `trust-pinning:root-keys`. If `trustpinning:root-keys` specifies a key mapping for `docker.io/library/*`, those keys will be preferred for trust pinning. Otherwise, if a more general `docker.io/*` or `*` are specified, the official images key will be preferred.| - -| `allow-expired-trust-cache` | Specifies whether cached locally expired metadata validates images if an external server is unreachable or does not have image trust metadata. This is necessary for machines which may be often offline, as may be the case for edge. This does not provide mitigations against freeze attacks, which is a necessary to provide availability in low-connectivity environments. | -| `mode` | Specifies whether DCT is enabled and enforced. Valid modes are:
-`disabled`: Verification is not active and the remainder of the content-trust related metadata will be ignored. *NOTE* that this is the default configuration if “mode” is not specfied.
-`permissive`: Verification will be performed, but only failures will only be logged and remain unenforced. This configuration is intended for testing of changes related to content-trust.
-`enforced`: DCT will be enforced and an image that cannot be verified successfully will not be pulled or run. | - - ***Note:*** The DCT configuration defined here is agnostic of any policy defined in [UCP](https://docs.docker.com/v17.09/datacenter/ucp/2.0/guides/content-trust/#configure-ucp). Images that can be deployed by the UCP trust policy but are disallowed by the Docker Engine From ff81152728ce56340dd98ef805003cf7f086bbf4 Mon Sep 17 00:00:00 2001 From: Anne Henmi <41210220+ahh-docker@users.noreply.github.com> Date: Wed, 7 Nov 2018 10:16:52 -0800 Subject: [PATCH 7/8] Update content_trust.md --- engine/security/trust/content_trust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/security/trust/content_trust.md b/engine/security/trust/content_trust.md index 0ef505081c..21ffcd0b4c 100644 --- a/engine/security/trust/content_trust.md +++ b/engine/security/trust/content_trust.md @@ -183,7 +183,7 @@ The signature verification feature is configured in the Docker daemon configurat - + From a7e7f2e89a66f08bc7816b100d1f3b3fdd63e3c5 Mon Sep 17 00:00:00 2001 From: Anne Henmi <41210220+ahh-docker@users.noreply.github.com> Date: Wed, 7 Nov 2018 10:17:27 -0800 Subject: [PATCH 8/8] Update content_trust.md --- engine/security/trust/content_trust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/security/trust/content_trust.md b/engine/security/trust/content_trust.md index 21ffcd0b4c..0d9293fe9b 100644 --- a/engine/security/trust/content_trust.md +++ b/engine/security/trust/content_trust.md @@ -197,7 +197,7 @@ The signature verification feature is configured in the Docker daemon configurat permissive: Verification will be performed, but only failures will only be logged and remain unenforced. This configuration is intended for testing of changes related to content-trust.
- enforced<\code>: DCT will be enforced and an image that cannot be verified successfully will not + enforced: DCT will be enforced and an image that cannot be verified successfully will not be pulled or run.
trust-pinning:library-imagesThis option pins the official libraries (docker.io/library/*<\code>) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by trust-pinning:root-keys<\code>. If `trustpinning:root-keys` specifies a key mapping for docker.io/library/*, those keys will be preferred for trust pinning. Otherwise, if a more general docker.io/* or * are specified, the official images key will be preferred.This option pins the official libraries (docker.io/library/*) to the hard-coded Docker official images root key. DCT trusts the official images by default. This is in addition to whatever images are specified by trust-pinning:root-keys<\code>. If `trustpinning:root-keys` specifies a key mapping for docker.io/library/*, those keys will be preferred for trust pinning. Otherwise, if a more general docker.io/* or * are specified, the official images key will be preferred.
allow-expired-trust-cache
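Review bot: In [PATCH 1/8] (hunk @@ -173,15 +173,20 @@), the blank `+` lines added before and after the `|`trust-pinning:library-images`|` row terminate the GFM table, so the `allow-expired-trust-cache` and `mode` rows that follow are no longer part of it; the `mode` cell also spans four source lines (`Valid modes are:` followed by the `disabled`, `permissive` and `enforced` lines), which a pipe-table cell cannot hold. Remove the blank lines and keep each row on one source line (use `<br>` inside the `mode` cell for the three values), and while touching this row fix the key name `trustpinning:root-keys` in the library-images description, which is missing the hyphen that `trust-pinning:root-keys` carries everywhere else in the table.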
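Review bot: In [PATCH 3/8] (hunk @@ -172,7 +172,14 @@), replacing the `| ***Stanza*** | ***Description*** |` header with an HTML `<table>` while leaving the Markdown `+| | |` row and the `| --- | --- |` separator below it mixes the two table syntaxes: the rendered page gets a header-only HTML table followed by a pipe table whose header row is empty. Either finish the conversion of the remaining rows in the same commit or stay with Markdown and only drop the blank lines that break the table.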
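Review bot: In [PATCH 4/8] (hunk @@ -177,12 +177,11 @@), the new cell for the first row still contains the Markdown row prefix, `| `trust-pinning:root-keys``, so the leading pipe and the backticks will be rendered literally inside the `<td>` (Markdown inline syntax is not processed inside a raw HTML block); wrap the stanza name in `<code>` instead. The hunk also leaves the original pipe rows for `trust-pinning:root-keys` and `trust-pinning:library-images` in place directly after the HTML rows, so both stanzas are documented twice until a later commit removes them.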
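Review bot: In [PATCH 5/8] (hunk @@ -174,15 +174,18 @@), the added `trust-pinning:library-images` cell has an unbalanced backtick, `(docker.io/library/*`)`, and keeps Markdown backticks around `trust-pinning:root-keys`, `trustpinning:root-keys`, `docker.io/library/*`, `docker.io/*` and `*`, none of which will render as code inside the HTML table; use `<code>` consistently and correct the hyphen in `trustpinning:root-keys` while the cell is being rewritten. Dropping the `***Stanza***` / `***Description***` bold markers from the header cells in this hunk is right, since those asterisks would otherwise appear literally.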
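Review bot: In [PATCH 6/8] (hunk @@ -183,19 +183,26 @@), the close tags are written with a backslash, as in `docker.io/library/*<\code>`, `trust-pinning:root-keys<\code>` and `enforced<\code>`; `<\code>` is not a valid end tag, so each `<code>` element stays open and the rest of the cell (and potentially the following rows) inherits code styling. Change each to `</code>`. The text moved into the new `mode` cell also carries over "specfied" (specified), the doubled "only" in "only failures will only be logged", and `*NOTE*`, whose asterisks will not become emphasis inside the HTML table; the `allow-expired-trust-cache` cell carries over "which is a necessary to provide availability", which should read "which is necessary". Since these rows are being rewritten anyway, this is the commit to fix them in.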
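Review bot: In [PATCH 7/8] (hunk @@ -183,7 +183,7 @@), only the first of the two malformed end tags in the `trust-pinning:library-images` cell is corrected: `docker.io/library/*<\code>` is fixed, but `trust-pinning:root-keys<\code>` later in the same cell is untouched, as is the backticked `trustpinning:root-keys` beside it. Fix the remaining `<\code>` and the hyphen in the same one-line change rather than leaving them for another follow-up.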
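Review bot: In [PATCH 8/8] (hunk @@ -197,7 +197,7 @@), the `- enforced<\code>:` / `+ enforced:` change should be checked to confirm the opening `<code>` before `enforced` now has a matching `</code>` rather than having the end tag removed outright; the visible line does not show which. At the head of the series the `trust-pinning:library-images` cell still contains `trust-pinning:root-keys<\code>` and `` `trustpinning:root-keys` ``, so the table is not yet well-formed. Please add that fix and squash the eight commits, seven of which are titled "Update content_trust.md" and each correct the previous one, into a single commit describing the Markdown-to-HTML table conversion before merge.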