Docker Community Forums


Using Notary Service - Publishing Docker Images to Nexus Repository


(Anthony Alcamo) #1

I am running my own Notary service and would like to securely publish Docker images to a Nexus repository. I have installed and configured Docker Client and Server 17.03.1-ee-3, Notary Client 0.4.3, and Notary Server and Signer 0.4.3 as well.

After creating a Notary Trusted Collection, if I attempt to push it to our Nexus repository, it fails:
docker push nexus-server:5000/lob/project/image:1.7
The push refers to a repository [nexus-server:5000/lob/project/image]
9ca8c628d8e7: Layer already exists
827264d42df6: Layer already exists
1.7: digest: sha256:72364ad16… size: 737
Signing and pushing trust metadata
Error: error contacting notary server: x509: certificate signed by unknown authority

I have initialized several Notary Trusted Collections, as I’m unsure which, if any, would be correct, e.g.:
notary init nexus-server:5000/lob/project
notary init nexus-server:5000/lob/project/image
notary init nexus-server/lob/project
notary init nexus-server/lob/project/image

My Notary project was built and currently resides in the /root/notary directory (to be changed), and I am running with the default configuration, certificates, and keys.

My Notary client configuration file resides at /root/.notary/config.json and contains the following:
{
  "trust_dir": "/root/.docker/trust",
  "remote_server": {
    "url": "https://notary-server:4443",
    "root_ca": "/root/notary/fixtures/root-ca.crt",
    "tls_client_cert": "/root/notary/fixtures/secure.example.com.crt",
    "tls_client_key": "/root/notary/fixtures/secure.example.com.key"
  }
}

My trust directory is located at /root/.docker/trust and contains a structure similar to this:
trust
├── private
│   ├── root_keys
│   │   └── afc97e7e66ea9d6ccf4d28041cdc2ca37681cd7e165c12a1b1a2f295348e0eef.key
│   └── tuf_keys
│       ├── nexus-server
│       │   └── lob
│       │       └── project
│       │           ├── aec39e0f44248541af75a75860ad345d0b6503855a2c0b7e538c547db99265c1.key
│       │           ├── d1b61a4c863e8649a0ccf743666723193a7f8deb1657d0a6daac7a58220b7cbf.key
│       │           └── image
│       │               ├── 3eae9536bbd528829470f60d49728d520d26154b5abfd903fa3e3f6ed75cf625.key
│       │               └── ca2e8540e6e17071d7f711806f42a1fdacc71bbcc885dc7023b3ee3e500dafe2.key
│       └── nexus-server:5000
│           └── lob
│               └── project
│                   ├── 151ab3b0d2135a488f320548ccb9a34781cf14211809ffb9fd30782de7c131ff.key
│                   ├── 3dda171231e95b6aa3d83316ea9e9d2f2964d810492152021e084a935cff209f.key
│                   └── image
│                       ├── 204c826398684d94722b17735f4284c7e56e0e64219ecb105232bd6d187d39e7.key
│                       └── be8e50cd9e1de1fa68480444dfd508901d5576994c18ee5f36c3af90e54a3d09.key
└── tuf
    ├── nexus-server
    │   └── lob
    │       └── project
    │           ├── image
    │           │   └── metadata
    │           │       ├── root.json
    │           │       ├── snapshot.json
    │           │       └── targets.json
    │           └── metadata
    │               ├── root.json
    │               ├── snapshot.json
    │               └── targets.json
    └── nexus-server:5000
        └── lob
            └── project
                ├── image
                │   └── metadata
                │       ├── root.json
                │       ├── snapshot.json
                │       └── targets.json
                └── metadata
                    ├── root.json
                    ├── snapshot.json
                    └── targets.json