运行 Notary 服务 - 配置 Notary
Configuring Notary
Depending on the environment and purpose of running Notary services, there are two options: using docker-compose
when running locally or running each service separately, usually through an orchestration layer (Kubernetes, Rancher, Swarm and so on). Configuring the latter is outside the scope of this document, while the former should only be used for demonstration purposes.
The following examples assume you will run Notary on your internal infrastructure and store Docker images on Amazon ECR.
Using docker-compose
The following examples assume that postgres
was the choice of your backend
.
Start by cloning the official repository:
❯ git clone https://github.com/docker/notary.git
❯ git checkout v0.5.0
You can define the configuration via environment variables on the docker-compose.postgres.yml
file that will override config settings. Alternatively you can also edit fixtures/server-config.postgres.json
and fixtures/signer-config.postgres.json
. If you choose to go with the default, no change is required.
Note that if you choose to use fixtures/regenerateTestingCerts.sh
for local testing with Docker for Mac.app
using Docker-in-Docker for simulating multiple clients, make sure to add IP:192.168.65.1
to the subjectAltName
or 192.168.65.1 notaryserver
to /etc/hosts
, otherwise any Docker operation will result in a invalid certificate error.
If you have bootstrapped Notary before, you may need to delete its volume to get the new certificates reloaded (docker volume rm notary_notary_data
). Beware that this will destroy all previously stored testing data.
docker-compose -f docker-compose.postgresql.yml up
If you chose not to sign the certificates using a previously-trusted internal CA, you will need to manually trust the fixtures/root-ca.crt
, otherwise Docker will throw out this error when interacting with Notary:
ERRO[0000] could not reach https://127.0.0.1:4443: Get https://127.0.0.1:4443/v2/: x509: certificate signed by unknown authority
Trust the self-signed Notary’s Intermediate CA:
❯ mkdir -p ~/.docker/tls/127.0.0.1:4443/
❯ cp fixtures/intermediate-ca ~/.docker/tls/127.0.0.1:4443/
From now on, Docker can be instructed to always use the private Notary server:
❯ export DOCKER_CONTENT_TRUST=1
❯ export DOCKER_CONTENT_TRUST_SERVER=https://127.0.0.1:4443
A completely separate environment can be created by using Docker-in-Docker, where delegations can be explored:
❯ docker run -d --privileged -e DOCKER_CONTENT_TRUST=1 -e DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443 docker:dind
905c2a005f34745175299da9652a991860f965bbd1e24642e20c6abb9de03174
Then enter the container:
❯ docker exec -it 905c2a005f34745175299da9652a991860f965bbd1e24642e20c6abb9de03174 sh
/ # echo "192.168.65.1 notaryserver" >> /etc/hosts
/ # wget -O /usr/local/bin/notary https://github.com/docker/notary/releases/download/v0.4.2/notary-Linux-amd64 && chmod a+x /usr/local/bin/notary
Make sure to add the Notary server certificate to /root/.docker/tls/notaryserver:4443/notaryserver.crt
.
If using Amazon ECR for a private registry and credentials are needed, echo them to a local file and pipe it to shell:
❯ cat aws.login | sh