Come up with a docker container trust plan
Docker has this Content Trust concept that will refuse to pull containers unless they are properly signed:
root@odoo:~# export DOCKER_CONTENT_TRUST=1
root@odoo:~# docker pull debian:buster
Pull (1 of 1): debian:buster@sha256:d986a531d62903b66e731d475988f5b2ba3a4a90078078cb0f29f9685ee36466
sha256:d986a531d62903b66e731d475988f5b2ba3a4a90078078cb0f29f9685ee36466: Pulling from library/debian
dc65f448a2e2: Pull complete
Digest: sha256:d986a531d62903b66e731d475988f5b2ba3a4a90078078cb0f29f9685ee36466
Status: Downloaded newer image for debian@sha256:d986a531d62903b66e731d475988f5b2ba3a4a90078078cb0f29f9685ee36466
Tagging debian@sha256:d986a531d62903b66e731d475988f5b2ba3a4a90078078cb0f29f9685ee36466 as debian:buster
docker.io/library/debian:buster
root@odoo:~# docker pull nginx/nginx-ingress
Using default tag: latest
Error: remote trust data does not exist for docker.io/nginx/nginx-ingress: notary.docker.io does not have trust data for docker.io/nginx/nginx-ingress
root@odoo:~#
As you can see from this, the debian image is signed, but the nginx/nginx-ingress one is not. However, all Docker Hub 'verified' images are signed, so the 'nginx:latest' one is signed:
root@odoo:~# docker pull nginx:latest
Pull (1 of 1): nginx:latest@sha256:ad5552c786f128e389a0263104ae39f3d3c7895579d45ae716f528185b36bc6f
sha256:ad5552c786f128e389a0263104ae39f3d3c7895579d45ae716f528185b36bc6f: Pulling from library/nginx
bc51dd8edc1b: Pull complete
66ba67045f57: Pull complete
bf317aa10aa5: Pull complete
Digest: sha256:ad5552c786f128e389a0263104ae39f3d3c7895579d45ae716f528185b36bc6f
Status: Downloaded newer image for nginx@sha256:ad5552c786f128e389a0263104ae39f3d3c7895579d45ae716f528185b36bc6f
Tagging nginx@sha256:ad5552c786f128e389a0263104ae39f3d3c7895579d45ae716f528185b36bc6f as nginx:latest
docker.io/library/nginx:latest
root@odoo:~#
There is a notary command you can get from Docker to inspect these things, and we can run our own notary server, but it's a bit unclear if this is EE only.
micah@protozoa:~/Downloads$ ./notary -s https://notary.docker.io -d ~/.docker/trust list docker.io/library/debian
NAME        DIGEST                                                             SIZE (BYTES)   ROLE
----        ------                                                             ------------   ----
10          d986a531d62903b66e731d475988f5b2ba3a4a90078078cb0f29f9685ee36466   1638           targets
10-slim     9ab269df3cfa21324fcbfcf5366722d99d77ab480a8cbb0727612f7ea4e6ae27   1638           targets
10.0        2f04d3d33b6027bb74ecc81397abe780649ec89f1a2af18d7022737d0482cefe   1638           targets
10.0-slim   6571c4636d0bb4e4eb0f14f557f8ba9b104fd194dc19241a564d3c3661ea5c30   1638           targets
10.1        41f76363fd83982e14f7644486e1fb04812b3894aa4e396137c3435eaf05de88   1638           targets
10.1-slim   11253793361a12861562d1d7b15b8b7e25ac30dd631e3d206ed1ca969bf97b7d   1638           targets
10.2        d986a531d62903b66e731d475988f5b2ba3a4a90078078cb0f29f9685ee36466   1638           targets
10.2-slim   9ab269df3cfa21324fcbfcf5366722d99d77ab480a8cbb0727612f7ea4e6ae27   1638           targets
6           f3ef067962554c3352dc0c659ca563f73cc396fe0dea2a2c23a7964c6290f782   2748           targets
6.0         c1c8313fae17e4e14f8367e97868667f0902d3ace64ba0e773b0625236e5c761   2750           targets
Only 'Docker Hub Official' images are signed by the Docker Hub notary.
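An added example (my own, not from Docker or this ticket) of what a trust-plan check could look like: it parses the JSON that `docker trust inspect` prints (the sample below is constructed, reusing the debian digests from the notary listing above) and resolves each image we want to deploy to its signed digest, refusing anything without trust data, the same way DOCKER_CONTENT_TRUST=1 does on pull.

```python
import json

# Constructed sample of `docker trust inspect` output for one repository; the
# field names follow the CLI's JSON, the digests are the ones notary listed above.
SAMPLE_TRUST_INSPECT = json.dumps([{
    "Name": "docker.io/library/debian",
    "SignedTags": [
        {"SignedTag": "buster", "Digest": "d986a531d62903b66e731d475988f5b2ba3a4a90078078cb0f29f9685ee36466", "Signers": ["Repo Admin"]},
        {"SignedTag": "10.2", "Digest": "d986a531d62903b66e731d475988f5b2ba3a4a90078078cb0f29f9685ee36466", "Signers": ["Repo Admin"]},
        {"SignedTag": "10-slim", "Digest": "9ab269df3cfa21324fcbfcf5366722d99d77ab480a8cbb0727612f7ea4e6ae27", "Signers": ["Repo Admin"]},
    ],
    "Signers": [],
    "AdministrativeKeys": [],
}])


def signed_tags(trust_json):
    """Map 'repo:tag' -> 'sha256:<digest>' for every tag present in the trust data."""
    tags = {}
    for repo in json.loads(trust_json):
        for entry in repo.get("SignedTags", []):
            tags[f'{repo["Name"]}:{entry["SignedTag"]}'] = f'sha256:{entry["Digest"]}'
    return tags


def split_ref(ref):
    """Split 'repo[:tag]' into (repo, tag); a missing tag defaults to 'latest'."""
    repo, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:  # no tag, or the colon belonged to a registry port
        return ref, "latest"
    return repo, tag


def pin_images(wanted, trust_json):
    """Resolve each wanted 'repo[:tag]' to an immutable 'repo@sha256:...' reference
    using only signed trust data, mirroring what DOCKER_CONTENT_TRUST=1 enforces.
    Images with no trust data map to None, i.e. the pull would be refused."""
    tags = signed_tags(trust_json)
    plan = {}
    for ref in wanted:
        repo, tag = split_ref(ref)
        digest = tags.get(f"{repo}:{tag}")
        plan[ref] = f"{repo}@{digest}" if digest else None
    return plan


if __name__ == "__main__":
    wanted = ["docker.io/library/debian:buster", "docker.io/nginx/nginx-ingress"]
    for ref, pinned in pin_images(wanted, SAMPLE_TRUST_INSPECT).items():
        print(ref, "->", pinned or "REFUSED: no trust data")
```

The pinned `repo@sha256:...` references are what we would commit to the deployment manifests, so a later re-tag on Docker Hub cannot silently change what gets pulled.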
Edited by micah