Docker Community Forums


Docker content trust fails on both image upload and download when enabled with export DOCKER_CONTENT_TRUST=1

docker
beta

(Labdockerthailand) #1
Following the documentation (Ref: https://docs.docker.com/engine/security/trust/content_trust/#image-tags-and-content-trust), we have been trying to PoC this concept of image signing on an Ubuntu 16.04 server (Docker version 17.12.0-ce).

Unfortunately, as soon as we turn on "export DOCKER_CONTENT_TRUST=1" on the host, we find that every image pull request fails with "unable to reach trust server at this time: 503". When we tried to debug, we found an error concerning the notary service for this step, as detailed below. (We understand that when we turn on this feature, all unsigned images will be "not found". However, this error is not related to that, nor is it expected behaviour.)

praparn@ubuntumaster:~$ export DOCKER_CONTENT_TRUST=1
praparn@ubuntumaster:~$ docker --debug image pull labdocker/alpine:latest
DEBU[0000] reading certificate directory: /home/praparn/.docker/tls/notary.docker.io
DEBU[0001] No yubikey found, using alternative key storage: no library found
DEBU[0001] Making dir path: /home/praparn/.docker/trust/tuf/docker.io/labdocker/alpine/changelist
DEBU[0003] received HTTP status 503 when requesting root.
unable to reach trust server at this time: 503.
praparn@ubuntumaster:~$ export DOCKER_CONTENT_TRUST=0
praparn@ubuntumaster:~$ docker --debug image pull labdocker/alpine:latest
latest: Pulling from labdocker/alpine
c52e3ed763ff: Already exists
Digest: sha256:58ddabab68c640c5026b274e597afb3bdb0f57da7394fbd300d77044ff89c645
Status: Image is up to date for labdocker/alpine:latest

==================================================================================
praparn@ubuntumaster:~$ docker system info
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 17.12.0-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.0-62-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 988.3MiB
Name: ubuntumaster
ID: YI7E:53QQ:V5FU:KEIM:GGPM:PDFB:F343:X5NW:3UKU:3QDQ:K4RC:PGOX
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: praparn
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support


(Labdockerthailand) #2

The cause of this case was that the notary server on hub.docker.com was down. It is now back to its normal state. https://github.com/docker/hub-feedback/issues/1360
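As an added example (not from this thread or from Docker), a small POSIX shell helper that checks the notary server's health endpoint before a trusted pull and classifies the `docker pull` output, so that a trust-server outage like the 503 above is reported as a retryable infrastructure failure and not confused with an unsigned image or used as a reason to fall back to DOCKER_CONTENT_TRUST=0. The matched error strings are the ones Docker prints in this thread and for tags without trust data; the function names `notary_health`, `classify_pull_output` and `trusted_pull` are my own.

```shell
#!/bin/sh
# Added example: distinguish "trust server down" from "image not signed"
# when pulling with Docker Content Trust enabled.

# Pre-flight: is the notary server answering at all? Docker reads the
# trust server from DOCKER_CONTENT_TRUST_SERVER; default is Docker Hub's.
notary_health() {
  server="${DOCKER_CONTENT_TRUST_SERVER:-https://notary.docker.io}"
  curl -fsS --max-time 10 "$server/_notary_server/health" >/dev/null
}

# Classify captured `docker pull` output (stdout+stderr). Prints one of:
#   trust-server-unreachable | no-trust-data | ok | unknown
classify_pull_output() {
  out="$1"
  case "$out" in
    *"unable to reach trust server"*) echo "trust-server-unreachable" ;;
    *"No valid trust data"*|*"does not have trust data"*) echo "no-trust-data" ;;
    *"Digest: sha256:"*) echo "ok" ;;
    *) echo "unknown" ;;
  esac
}

# Pull with content trust forced on. Exit codes: 0 ok, 2 trust server
# unreachable (retry later), 1 untrusted image or any other failure.
trusted_pull() {
  image="$1"
  if out=$(DOCKER_CONTENT_TRUST=1 docker pull "$image" 2>&1); then
    status=0
  else
    status=$?
  fi
  kind=$(classify_pull_output "$out")
  case "$kind" in
    ok) [ "$status" -eq 0 ] && return 0 ;;
    trust-server-unreachable)
      echo "trust server unreachable for $image; retry, do not disable trust" >&2
      return 2 ;;
    no-trust-data)
      echo "no trust data for $image; refusing to use it" >&2
      return 1 ;;
  esac
  echo "pull of $image failed (exit $status): $out" >&2
  return 1
}
```

`notary_health` needs network access; `classify_pull_output` works on any captured output, so it can also be run over CI logs after the fact.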