(Optional) Signing Container Images

CCE supports container image signing. Signing lets the Docker client detect tampering, so signed container images are less vulnerable to tampering. Set the related environment variables before you upload container images.

For more information on container image signatures, see https://docs.docker.com/engine/security/trust/content_trust/.

Prerequisites

The Docker version is V1.8.0 or later.

NOTE:

Only Docker V1.8.0 and later versions support container image signing. However, the recommended Docker version is V1.9.0 or later.

Signing Container Images

  1. Log in to your Docker client as the root user.
  2. Run the following command to enable container image signing:

    export DOCKER_CONTENT_TRUST=1

  3. Run the following command to specify the image signature server address:

    export DOCKER_CONTENT_TRUST_SERVER=<https://your-own-notaryserver:4443>

    <https://your-own-notaryserver:4443> indicates the image signature server address.

    Figure 1 Obtaining the image signature server address

    NOTE:

    If you do not specify the image signature server address, the default signature server provided by Docker will be used.

  4. Run the following commands to add the signature server address certificate to the certificate trust list:

    • Commands for Ubuntu and similar distributions (e.g. Debian)

      cd /usr/local/share/ca-certificates

      openssl s_client -host <your-own-notaryserver> -port 4443 -showcerts </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > notary-server.crt

      update-ca-certificates

      <your-own-notaryserver> indicates the IP address of the image signature server.

    • Commands for CentOS and similar distributions (e.g. RedHat)

      cd /etc/pki/ca-trust/source/anchors

      openssl s_client -host <your-own-notaryserver> -port 4443 -showcerts </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > notary-server.crt

      update-ca-trust extra

      <your-own-notaryserver> indicates the IP address of the image signature server.
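The setup steps above, as an added example that is not part of the CCE or Docker documentation: POSIX shell helpers that check the Docker version prerequisite, build the content-trust environment (refusing a non-TLS server URL), keep only the PEM blocks from `openssl s_client -showcerts` output, count the certificates saved as anchors, and choose the distribution's anchor directory. The function names are assumptions, and the certificate text used when exercising `pem_only` is constructed.

```shell
#!/bin/sh
# Added example, not from the CCE docs. Function names are assumptions.

# Docker 1.8.0 is the documented minimum; compare major.minor numerically
# so that 1.13 and the date-based 17.03+ releases are accepted.
version_ok() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -gt 1 ] 2>/dev/null && return 0
    [ "$major" -eq 1 ] 2>/dev/null && [ "$minor" -ge 8 ] 2>/dev/null
}

# Content trust is only meaningful over TLS: refuse a plain-http server.
trust_env() {
    case "$1" in
        https://*) ;;
        *) echo "notary server must be an https:// URL: $1" >&2; return 1 ;;
    esac
    printf 'export DOCKER_CONTENT_TRUST=1\nexport DOCKER_CONTENT_TRUST_SERVER=%s\n' "$1"
}

# Keep only the PEM blocks (same sed range as the page); handshake chatter
# from s_client is dropped so it never lands in the trust store.
pem_only() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# With -showcerts the server sends its whole chain, and every block saved
# in the anchor directory becomes a trust anchor: count them before installing.
cert_count() {
    grep -c -- '-BEGIN CERTIFICATE-' "$1"
}

# Directory the distribution scans for extra anchors.
ca_anchor_dir() {
    case "$1" in
        ubuntu|debian) echo /usr/local/share/ca-certificates ;;
        centos|rhel)   echo /etc/pki/ca-trust/source/anchors ;;
        *) return 1 ;;
    esac
}

# Fetch the server chain; </dev/null stops s_client waiting on stdin.
fetch_notary_cert() {  # usage: fetch_notary_cert host port outfile
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | pem_only > "$3" && [ "$(cert_count "$3")" -gt 0 ]
}
```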

Disabling Container Image Signing

If container images do not need to be signed, perform the following steps to disable container image signing:

  1. Log in to your Docker client as the root user.
  2. Run the following command to disable container image signing:

    export DOCKER_CONTENT_TRUST=0

Deleting Container Image Signatures

  1. Download the notary client from https://github.com/docker/notary/releases/tag/v0.4.2.
  2. Log in to your Docker client as the root user.
  3. Run the following command on the notary client to delete container image signatures:

    Command syntax:

    notary -s <https://your-own-notaryserver:4443> -d ~/.docker/trust remove <image repo> <image tag>

    In this command:

    • <https://your-own-notaryserver:4443> indicates the IP address of the image signature server.
    • <image repo> indicates the address of the container image whose signature will be deleted.
    • <image tag> indicates the tag of the container image whose signature will be deleted.

    Command example:

    notary -s https://notary-server:4443 -d ~/.docker/trust remove ihub.com/test/alpine 2.6

  4. Run the following command on the notary client to synchronize changes in container image signatures with the image signature server:

    notary -s <https://your-own-notaryserver:4443> -d ~/.docker/trust publish <image repo>