I am using docker notary to establish trust in the images I download from my private docker registry. I am able to work everything out (push, pull) quite well while I am running on one single host. However, in a multi-node (server/client) situation I am wondering how to get the publisher's public key. This publisher key will then be used alongside the docker engine pull from a client host. Here the server host has the registry as well as the docker-notary server/signer.
Regards
Ashish
Docker Content Trust (powered by Notary) by default will perform TOFUs when downloading trust data for an image - the "s" indicating this is over HTTPS.
If you're using standalone Notary, you can provide trust-pinning configuration to pin to a specific public key or CA against a publisher's TUF root key (though importing certs to Notary repos is WIP, and scheduled for next point release).
I encourage you to check out the relevant Notary client config information and this PR for more information about how to set this up in Notary -- Docker Content Trust integration is WIP.
I am also new to Notary and coming up to speed. My understanding of Notary (which is built on TUF) is TOFU (trust on first use). So what you need is to be able to connect over SSL to the Notary server, which will then download the publisher certs automatically. You trust what you get the first time (hence, TOFU) and then after that the publisher certs are used to validate all future verification / key updates / etc.
Related
I have a kafka connect cluster (cp_kafka_connect_base) on docker, and I need to include a .pem file in order to connect to a source over TLS. It seems there are already a number of trusted certificates included in connect, so how would I add a new trusted certificate without invalidating the old ones?
Specific problem
I want to use MongoDB Source Connector, alongside a number of other connectors. As per the documentation, I have imported my .pem certificate into a .jks store, and added the following envvars to my kafka connect containers:
KAFKA_OPTS="-Djavax.net.ssl.trustStore=mystore.jks -Djavax.net.ssl.trustStorePassword=mypass"
This lets me connect to my data source, but invalidates other TLS connections, unless I add them all to my .jks. Since all other TLS connections work out of the box, I shouldn't need to manually import every single one of them to a .jks, just to make one connector implementation happy.
I have also tried setting:
CONNECT_SSL_TRUSTSTORE_TYPE: "PEM"
CONNECT_SSL_TRUSTSTORE_LOCATION: "myloc"
but the truststore location config isn't known, and TLS doesn't work:
WARN The configuration 'ssl.truststore.location' was supplied but isn't a known config. (org.apache.kafka.clients.consumer.ConsumerConfig:384)
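One way to add a single extra CA without throwing away the trust the Connect image already ships with, as an added example (shell; not code from the original post or from the Confluent images): copy the JDK's bundled cacerts, import the PEM into the copy, and point KAFKA_OPTS at the copy instead of at a store that contains only your certificate. JAVA_HOME, the PEM file, the alias and the output path are placeholders, and the stock cacerts password "changeit" is assumed.

```shell
#!/bin/sh
# Added example: extend (not replace) the JVM's default trust store.
# Assumptions, not from the thread: JAVA_HOME is the JDK the Connect worker
# runs on; the PEM/alias/output names are placeholders; the bundled cacerts
# still uses the stock password "changeit".

# Locate the bundled cacerts; JDK 8 keeps it under jre/, JDK 11+ under lib/.
find_cacerts() {
  jh=$1
  for p in "$jh/lib/security/cacerts" "$jh/jre/lib/security/cacerts"; do
    if [ -f "$p" ]; then
      echo "$p"
      return 0
    fi
  done
  return 1
}

# Build OUT_JKS = copy of the default store + one extra trusted certificate.
# usage: build_truststore JAVA_HOME CA_PEM ALIAS OUT_JKS STOREPASS
build_truststore() {
  src=$(find_cacerts "$1") || { echo "no cacerts under $1" >&2; return 1; }
  cp "$src" "$4"
  # -trustcacerts lets keytool accept a cert that chains to a root already in the copy
  keytool -importcert -noprompt -trustcacerts \
    -alias "$3" -file "$2" -keystore "$4" -storepass "$5"
}

# JVM flags for the Connect worker; every TLS client in the JVM then sees the
# default roots plus the one you added.
kafka_opts() {
  echo "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$2"
}

# Example run (needs a JDK with keytool on PATH):
#   build_truststore "$JAVA_HOME" mongo-ca.pem mongo /etc/kafka/secrets/cacerts-plus-mongo.jks changeit
#   export KAFKA_OPTS="$(kafka_opts /etc/kafka/secrets/cacerts-plus-mongo.jks changeit)"
```

Because the copy starts from the JDK's own cacerts, the other connectors keep working; only the MongoDB CA is new. Rebuild the copy when the base image's JDK is upgraded, or the roots in it silently fall behind.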
I'm trying to use registry.centos.org with docker.
I've tried to add the below to /etc/docker/daemon.json as, intuitively, this would seem like the obvious place to add it, and the logical variable name.
{
"insecure-registries": ["172.30.0.0/16"],
"secure-registries": ["registry.centos.org"]
}
I then tried to restart the docker service, but it failed to restart.
Google provides lots of links on how to set up a secure registry, but I couldn't find any info on how to add new secure registries to the docker configuration.
Likewise the website for registry.centos.org also doesn't provide any info on how to do this.
If you are able to pull the image, then there's nothing further to do. All external registries by default are secure, which means docker will require a TLS connection and valid certificate for the registry server. The insecure registry section is to allow exceptions to this rule.
There is also the option to override the CA certificate for a registry server, which is useful if you have a self-hosted registry server, with TLS, but an unknown CA. For this, you would place the CA certificate, and any intermediate certificates, in /etc/docker/certs.d/${hostname}:${port}/ca.crt e.g. /etc/docker/certs.d/registry.example.com:5000/ca.crt.
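The per-registry CA drop-in described above, as an added example (shell; not part of the original answer): it writes the bundle to the host:port directory Docker looks in, refuses a file that contains no PEM certificate, and offers an openssl check that the registry's live chain actually validates against what was installed. The registry name and port are placeholders, and DOCKER_CERTS_D can be overridden for a dry run in a temp directory.

```shell
#!/bin/sh
# Added example, not from the original answer: install a private CA for one
# registry under /etc/docker/certs.d and verify the chain.
# Assumptions: registry.example.com:5000 and ca-bundle.pem are placeholders;
# DOCKER_CERTS_D defaults to the path the daemon reads.
: "${DOCKER_CERTS_D:=/etc/docker/certs.d}"

# Number of certificates in a PEM bundle (root plus any intermediates).
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# usage: install_registry_ca HOST PORT CA_BUNDLE_PEM
# Writes the bundle to $DOCKER_CERTS_D/HOST:PORT/ca.crt and prints that path.
install_registry_ca() {
  host=$1; port=$2; bundle=$3
  dir="$DOCKER_CERTS_D/$host:$port"
  if [ "$(cert_count "$bundle")" -lt 1 ]; then
    echo "$bundle: no PEM certificate found" >&2
    return 1
  fi
  mkdir -p "$dir"
  cp "$bundle" "$dir/ca.crt"
  chmod 644 "$dir/ca.crt"   # public material; the daemon runs as root anyway
  echo "$dir/ca.crt"
}

# Does the registry present a chain that validates against the installed CA?
# Needs network and openssl; not exercised by the offline test.
verify_registry_tls() {
  host=$1; port=$2
  openssl s_client -connect "$host:$port" -servername "$host" \
    -CAfile "$DOCKER_CERTS_D/$host:$port/ca.crt" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Example run as root:
#   install_registry_ca registry.example.com 5000 ca-bundle.pem
#   verify_registry_tls registry.example.com 5000 && docker pull registry.example.com:5000/app:1.0
```

Unlike changes to daemon.json, a new certs.d entry needs no daemon restart; the directory is consulted when the pull or push is made. The directory name must match the registry reference exactly, port included, or the drop-in is simply ignored and you get the "unknown authority" error again.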
I've suddenly got this message after a month of docker trust working fine for me via GitLab CI.
I have a Gitlab Runner that mounts the ~/.docker/trust (so it's persisted) and pushes it to our QA registry.
tag_image_test:
  stage: tag_image
  script:
    - docker login -u "gitlab-ci-token" -p "$CI_BUILD_TOKEN" $CI_REGISTRY
    - docker pull "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_SLUG}"
    - export DOCKER_CONTENT_TRUST=1
    - export DOCKER_CONTENT_TRUST_SERVER=$QA_REGISTRY_SIGNER
    - export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=$QA_REGISTRY_SIGNER_ROOT_PASSPHRASE
    - export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$QA_REGISTRY_SIGNER_REPO_PASSPHRASE
    - docker login -u "$QA_REGISTRY_USERNAME" -p "$QA_REGISTRY_PASSWORD" $QA_REGISTRY_URL
    - export PROJ_PATH=$(echo -en $CI_PROJECT_PATH | tr '[:upper:]' '[:lower:]')
    - docker tag "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_SLUG}" "${QA_REGISTRY_IMAGE}/${PROJ_PATH}:${CI_COMMIT_REF_SLUG}"
    - docker push "${QA_REGISTRY_IMAGE}/${PROJ_PATH}:${CI_COMMIT_REF_SLUG}"
However, the push command ends with:
time="2019-03-18T11:51:14Z" level=debug msg="failed to verify TUF data for: qa.registry.local/mygroup/myimage, valid signatures did not meet threshold for "
time="2019-03-18T11:51:14Z" level=debug msg="downloaded 1.root is invalid: could not rotate trust to a new trusted root: failed to validate data with current trusted certificates"
time="2019-03-18T11:51:14Z" level=debug msg="Client Update (Root): could not rotate trust to a new trusted root: failed to validate data with current trusted certificates"
could not rotate trust to a new trusted root: failed to validate data with current trusted certificates
When I look at the root.json file, the expiry is not for a long time:
"expires":"2029-02-08T15:07:05.172338131Z"
Same for targets.json:
"expires":"2022-02-10T15:07:05.173954376Z"
So I'm at a loss for what is going on and probably don't understand what it is trying to do. Does anyone have any insight?
I'm still learning docker, but are you sure it is root.json that it is looking in and not roots.json?
Based on the configuration here, it should be looking in roots.json for the trusted certs.
Maybe you are pushing to the wrong file to identify your roots, or you could just have a typo in your post.
In any case, this is helpful:
https://github.com/cirocosta/docker-cli/blob/master/vendor/github.com/theupdateframework/notary/trustpinning/certs.go
How those errors are generated is seen there, with comments for why those errors occur.
For example, regarding your key rotation error:
// ErrRootRotationFail is returned when we fail to do a full root key rotation
// by either failing to add the new root certificate, or delete the old ones
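Two of the questions in this thread come down to the same piece of data: the key IDs of the root role in a repository's root.json. The "could not rotate trust to a new trusted root" error above means the root.json the server now serves is signed by keys that the root cached in the mounted ~/.docker/trust does not know, and the earlier question about getting a publisher's public key onto a client host is answered by pinning exactly those IDs. The following is an added example (shell; not code from any of the posters, from Docker or from Notary) that extracts the root key IDs from a root.json, compares a cached copy against a fresh one, and writes a standalone Notary client config that pins them. Assumptions: Docker Content Trust caches metadata at ~/.docker/trust/tuf/<GUN>/metadata/root.json, the Notary server serves it at /v2/<GUN>/_trust/tuf/root.json, the standalone notary CLI reads ~/.notary/config.json, and the IDs listed under trust_pinning.certs are the root key IDs that appear in root.json under roles.root.keyids (the IDs `docker trust inspect` prints for the Root key). The GUN, server URL and the JSON used in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: root-role key IDs from TUF root.json,
# cache-vs-server comparison, and a Notary trust-pinning config.
# Assumptions (see lead-in): ~/.docker/trust/tuf/<GUN>/metadata/root.json
# cache layout, /v2/<GUN>/_trust/tuf/root.json server endpoint,
# ~/.notary/config.json as the notary CLI config, and trust_pinning.certs
# keyed by GUN with root key IDs. Names below are placeholders.

# Print the key IDs of the "root" role, one per line. Notary writes canonical
# (whitespace-free) JSON; whitespace is stripped first so a pretty-printed
# copy parses the same way.
root_keyids() {
  tr -d ' \n\t' < "$1" \
    | sed -n 's/.*"root":{"keyids":\[\([^]]*\)\].*/\1/p' \
    | tr ',' '\n' | tr -d '"'
}

# 0 if both files list the same root keys, 1 if the root was re-keyed. The
# re-keyed case is what the client reports as "failed to validate data with
# current trusted certificates": the new root is not signed by a key the
# cached root already trusts.
same_root_keys() {
  a=$(root_keyids "$1" | sort)
  b=$(root_keyids "$2" | sort)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Where `docker push`/`docker pull` with DOCKER_CONTENT_TRUST=1 keep the cache.
cached_root_path() {
  echo "$HOME/.docker/trust/tuf/$1/metadata/root.json"
}

# Fetch the root the server currently serves (needs network; TOKEN is the
# bearer token the registry's token endpoint issued for this GUN).
# usage: fetch_server_root SERVER_URL GUN TOKEN > fresh-root.json
fetch_server_root() {
  curl -fsS -H "Authorization: Bearer $3" "$1/v2/$2/_trust/tuf/root.json"
}

# Write a notary client config that pins GUN to one root key ID and disables
# TOFU, so an unpinned or re-keyed repository is rejected instead of trusted
# on first contact.
# usage: write_pin_config SERVER_URL GUN KEYID OUT_FILE
write_pin_config() {
  cat > "$4" <<EOF
{
  "trust_dir": "~/.notary",
  "remote_server": { "url": "$1" },
  "trust_pinning": {
    "disable_tofu": true,
    "certs": { "$2": [ "$3" ] }
  }
}
EOF
}

# Example run on the CI host (GUN and server are placeholders):
#   gun=qa.registry.local/mygroup/myimage
#   fetch_server_root "$DOCKER_CONTENT_TRUST_SERVER" "$gun" "$TOKEN" > /tmp/fresh-root.json
#   same_root_keys "$(cached_root_path "$gun")" /tmp/fresh-root.json || echo "root re-keyed"
```

If the comparison shows a re-key that you expected (someone re-initialised the repository on the signer with a new root key), delete the stale cache for that GUN, ~/.docker/trust/tuf/<GUN>, and let the next push trust the new root on first use. If nobody re-keyed it, do not clear the cache: the client refusing the new root is the whole point of keeping trust data persisted, and the mismatch should be investigated as a possible substitution of the trust server before any further pushes. On a client host that only pulls, the pinning config above (with the standalone notary client) replaces the TOFU step with the ID the publisher handed over out of band.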
It's only a locally corrupted state, right? You should be able to fix it with a notary remove server.example.com/test1.
The fix I want to get in for this is lazy initialization where one no longer has to explicitly call notary init. As part of lazy initialization, we would always query the server for existing data before assuming it needs to be created locally.
A shorter term fix may be to check the server, or if network connectivity isn't available, the local cache, for existing data. At the moment I believe init assumes the repo doesn't exist and overwrites any existing cache.
Also please make sure to configure DNS and make a host entry in the hosts file.
For the purposes of UCP Signing Policy, configured via the “Content Trust” section of the Admin Settings, it’s necessary that we can identify the image was signed by a member of the UCP organization. We do that by making use of client bundles that you can download for your user account from UCP. Client Bundles contain a “cert.pem” file which is an x509 certificate signed by the UCP Certificate Authority, and a “key.pem” file which is the private key matched with the certificate.
You need to create the “targets/releases” delegation and one other delegation, e.g. “targets/my_user” and add the “cert.pem” as the public signing key to both. When another service then inspects the trust data, they can determine that the certificate belongs to a member of the UCP organization and their signatures should be trusted. You then need to import the key.pem so it is available for signing when you push.
The documentation provides more information and specific commands to run, specifically the "Initialize a Repo" section.
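The steps above (add cert.pem as a delegation signer on targets/releases and targets/<user>, then import key.pem for signing) with the docker CLI, as an added example that is not part of the original answer or of Docker's UCP documentation. It first checks that key.pem really is the private key for cert.pem, which is the mistake that otherwise only shows up later as a push that "has no signing key". The signer name, repository and file paths are placeholders; a docker CLI with the `docker trust` subcommand and openssl on PATH are assumed.

```shell
#!/bin/sh
# Added example, not from the original post or from Docker/UCP docs: wire a
# UCP client bundle (cert.pem + key.pem) into docker trust.
# Assumptions: docker CLI with `docker trust` (18.06+), openssl on PATH;
# NAME, REPO and the file paths are placeholders.

# 0 if KEY_PEM is the private key for CERT_PEM (identical SubjectPublicKeyInfo),
# 1 if not, 2 if either file cannot be parsed.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  k=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$c" = "$k" ]
}

# Register the bundle's certificate as a delegation signer and load its key.
# `docker trust signer add` creates targets/releases and targets/NAME if they
# do not exist (initialising the repository's trust data when needed) and adds
# the certificate's public key to both; `docker trust key load` stores the
# private key under ~/.docker/trust/private so `docker trust sign` and
# `docker push` with DOCKER_CONTENT_TRUST=1 can sign with it.
# usage: add_ucp_signer NAME REPO CERT_PEM KEY_PEM
add_ucp_signer() {
  name=$1; repo=$2; cert=$3; key=$4
  key_matches_cert "$cert" "$key" || { echo "$key is not the private key for $cert" >&2; return 1; }
  docker trust key load "$key" --name "$name" &&
    docker trust signer add --key "$cert" "$name" "$repo"
}

# Example run (prompts for the root and repository passphrases on first use):
#   add_ucp_signer alice ucp.example.com/myorg/myimage cert.pem key.pem
#   docker trust sign ucp.example.com/myorg/myimage:1.0
#   docker trust inspect --pretty ucp.example.com/myorg/myimage
```

`docker trust inspect --pretty` afterwards should list the signer under "Signers" with the key ID derived from cert.pem; that is the certificate UCP's signing policy checks against its own CA, so any other key you load, even a valid one, will sign fine but will not satisfy the policy.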
I have the following scenario:
I want to run three services (intranet only) in Windows docker containers on a Windows host:
an IdentityServer4
an API (which uses the IdSvr for authorization)
a Webclient (which uses the API as data layer and the IdSvr for authorization)
All three services are running with ASP.NET Core 2.1 (with microsoft/dotnet:2.1-aspnetcore-runtime as base) and using certificates signed by a local CA.
The problem I'm facing now is that I cannot get the API or the Webclient to trust these certificates.
E.g. if I call the API, the authentication middleware tries to call the IdSvr but gets an error on GET '~/.well-known/openid-configuration' because of an untrusted SSL certificate.
Is there any way to get the services into trusting every certificate issued by the local CA? I've already tried this way but either I'm doing it wrong or it just doesn't work out.
IMHO a docker container must have its own CertStore, otherwise no trusted HTTPS connection would be possible. So my idea is to get the root certificate from the docker host's CertStore (which trusts the CA) into the container, but I don't know how to achieve this.
I have the registry v2 container and docker_auth up and running. The registry uses a self-signed certificate which was created with my CA. I can pull and push images without any problem, so the configuration is working properly.
I would like to have a UI for this registry to browse images. I have tried many of them:
https://github.com/kwk/docker-registry-frontend does not support token-based auth
https://shipyard-project.com only supports v1 registries
https://github.com/SUSE/Portus looks quite heavyweight for me
https://github.com/mkuchin/docker-registry-web I configured it with my keyfile and set the issuer. But I couldn't add my repo; it always returns 401. In the docker registry I found "token intended for another audience: \"mydockerrepo:5000\"". I tried different names but none of them worked. I checked the crt and key files and I use the correct crt-key pair.
Is there any other UI I should try?
Can somebody help me with the "audience" error message?
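The "audience" message comes from the registry itself: docker/distribution's token authorizer compares the bearer token's "aud" claim with the service name in its own config (auth.token.service) and rejects the token with exactly that wording when they differ, quoting the token's audience. So the token the UI mints names "mydockerrepo:5000" as its audience while the registry was started with a different auth.token.service (the issuer, auth.token.issuer, is checked separately and must match too). The following added example (shell; not code from the poster, from docker_auth or from docker-registry-web) decodes a token offline and checks its audience against the value the registry expects, so the mismatch can be seen without guessing. The token it builds is constructed for illustration, carries a dummy signature, and assumes docker_auth's layout of "aud" as a single string.

```shell
#!/bin/sh
# Added example, not from the thread: decode a registry bearer token offline
# and compare its "aud" claim with the registry's configured service name.
# Assumptions: "aud" is a plain string (as docker_auth emits it); the token
# from make_token is constructed and unsigned; names are placeholders.

# JWT segments use the URL-safe alphabet without padding.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

# Reverse of the above: restore the padding base64 -d insists on.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Constructed token with the claims the registry looks at; no real signature.
# usage: make_token ISSUER AUDIENCE
make_token() {
  hdr=$(b64url_encode '{"alg":"RS256","typ":"JWT"}')
  pl=$(b64url_encode "{\"iss\":\"$1\",\"aud\":\"$2\",\"sub\":\"alice\",\"access\":[]}")
  echo "$hdr.$pl.dummy-signature"
}

# Value of a string-valued top-level claim from the payload (second segment).
# usage: jwt_claim TOKEN CLAIM
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Same decision the registry makes: 0 if aud equals auth.token.service.
# usage: check_audience TOKEN EXPECTED_SERVICE
check_audience() {
  aud=$(jwt_claim "$1" aud)
  if [ "$aud" = "$2" ]; then
    echo "aud ok: $aud"
  else
    echo "token intended for another audience: \"$aud\" (registry expects \"$2\")" >&2
    return 1
  fi
}

# Example with a real token: paste the Bearer value the UI sends and the
# service from the registry's config.yml, e.g.
#   check_audience "$TOKEN" "$(sed -n 's/^ *service: *//p' /etc/docker/registry/config.yml)"
```

Fixing the error is then a matter of making both sides agree: set the UI's audience/service to the string in the registry's auth.token.service (and its issuer to auth.token.issuer), or change the registry config to the name the UI uses. Matching the signing certificate, which the poster already verified, is necessary but does not help while the audience differs.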