
TL;DR - how do I run a (potentially insecure) docker registry mirror and trust the content?

I have a series of devices running docker containers on a closed network with no internet access. I'm able to temporarily attach a laptop that has previously had internet access to the network. The end aim is to update the container images each of these devices is running.

I can get this working in principle by:

  1. Pulling from an internet registry (Docker hub or private) to the laptop.
  2. Running a registry on the laptop.
  3. Pushing to this registry with

    docker tag myorgname/trusttest:latest laptophostname:80/myorgname/trusttest:latest
    docker push laptophostname:80/myorgname/trusttest:latest

  4. Disconnecting the laptop from the internet and connecting to the closed network.
  5. Telling the devices to do a

    docker pull laptophostname:80/myorgname/trusttest:latest
    docker tag laptophostname:80/myorgname/trusttest:latest myorgname/trusttest:latest


and restarting their containers with the new image (how I do this isn't particularly relevant, let's just say I can communicate laptophostname to them and they do the rest).

What's really important though is that I get it working with Docker Content Trust (aka Notary). Otherwise anyone could just connect to the network and tell the devices to start running arbitrary code.

I can run a Notary server on the laptop too, and this works fine except that when I push the newer image from my local docker to my registry on the laptop (step 3 above) it asks me for new signing keys, i.e. it is giving the container new trust information rather than just copying the original developer created trust.

At the moment I have control over the machine used to do the update (i.e. the laptop) but in the future this may not be the case, so I don't want to have any developer keys on this. Notary advertises that insecure mirrors are a use case, so how do I get it working with docker?

EDIT

This may or may not be relevant, but the idea is that a customer buys one or more of these devices at a time and adds them to the network in stages. I need a way of providing signed software updates, hence the original plan of writing an app to act as a registry mirror. Without content trust it would be easy to trick the devices into running any images.

Johnny5
  • BTW -- our Markdown is not GitHub-flavored, so triple-backticks don't format content any differently than single ones (the only difference is that one can use literal single backticks within them). – Charles Duffy Aug 01 '17 at 15:19
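The reason step 3 asks for new signing keys, shown as an added example (not code from the question or from Docker/Notary): Docker Content Trust stores each repository's TUF metadata under a Globally Unique Name (GUN), which is the normalized image name including the registry host. Retagging to `laptophostname:80/...` produces a different GUN with no trust data, so Notary has to create fresh keys for it. The second half shows the check a device can make on mirrored content once it holds metadata for the original GUN: the manifest the mirror served must hash to the digest the developer signed. The `targets.json` shape here is a constructed, simplified one (signatures omitted), and the example assumes the metadata's signature chain has already been verified against a pinned root; that verification is not shown.

```python
"""Added example, not from the original post: GUN normalization and a
targets.json digest check for mirrored Docker Content Trust images."""
import base64
import hashlib
import json
from typing import Optional

DEFAULT_DOMAIN = "docker.io"


def gun_for_reference(ref: str) -> str:
    """Normalize an image reference to its Notary GUN using Docker's rules:
    the first path component is a registry host only if it contains '.' or
    ':' or is 'localhost'; Docker Hub names get the docker.io/ prefix and
    single-name official images get library/."""
    name = ref.split("@", 1)[0]            # drop @sha256:... digest
    slash, colon = name.rfind("/"), name.rfind(":")
    if colon > slash:                      # a ':' after the last '/' is a tag
        name = name[:colon]
    first, sep, rest = name.partition("/")
    is_host = "." in first or ":" in first or first == "localhost"
    if not sep or not is_host:
        domain, path = DEFAULT_DOMAIN, name
    else:
        domain, path = first, rest
    if domain == "index.docker.io":
        domain = DEFAULT_DOMAIN
    if domain == DEFAULT_DOMAIN and "/" not in path:
        path = "library/" + path
    return f"{domain}/{path}"


def mirror_keeps_trust(source_ref: str, mirror_ref: str) -> bool:
    """True only if both references map to the same GUN, i.e. the existing
    signed metadata still applies after the retag."""
    return gun_for_reference(source_ref) == gun_for_reference(mirror_ref)


def manifest_digest(manifest_bytes: bytes) -> str:
    """Hex sha256 of the manifest bytes as served by a registry."""
    return hashlib.sha256(manifest_bytes).hexdigest()


def trusted_digest_for_tag(targets_json: str, tag: str) -> Optional[str]:
    """Hex sha256 that the (already signature-verified) targets.json pins
    for `tag`, or None if the tag is not listed. Notary encodes hash bytes
    as base64 in its JSON (Go's []byte encoding)."""
    entry = json.loads(targets_json)["signed"]["targets"].get(tag)
    if entry is None:
        return None
    return base64.b64decode(entry["hashes"]["sha256"]).hex()


def manifest_is_trusted(targets_json: str, tag: str, manifest_bytes: bytes) -> bool:
    """A mirror may relocate bytes but must not change them: accept the
    pulled manifest only if its length and sha256 match the signed target."""
    entry = json.loads(targets_json)["signed"]["targets"].get(tag)
    if entry is None:
        return False
    if len(manifest_bytes) != entry["length"]:
        return False
    return manifest_digest(manifest_bytes) == trusted_digest_for_tag(targets_json, tag)


# Constructed sample data (not real images): a manifest the developer signed
# and a tampered one a rogue mirror might serve under the same tag.
SIGNED_MANIFEST = b'{"schemaVersion": 2, "config": {"digest": "sha256:CONSTRUCTED-A"}}'
TAMPERED_MANIFEST = b'{"schemaVersion": 2, "config": {"digest": "sha256:CONSTRUCTED-B"}}'


def _sample_targets_json() -> str:
    """Minimal targets.json as Notary would hold for docker.io/myorgname/trusttest
    (constructed; signature block left empty for this example)."""
    digest = hashlib.sha256(SIGNED_MANIFEST).digest()
    return json.dumps({
        "signed": {
            "_type": "Targets",
            "targets": {
                "latest": {
                    "hashes": {"sha256": base64.b64encode(digest).decode()},
                    "length": len(SIGNED_MANIFEST),
                }
            },
        },
        "signatures": [],
    })


SAMPLE_TARGETS_JSON = _sample_targets_json()

if __name__ == "__main__":
    src = "myorgname/trusttest:latest"
    mirror = "laptophostname:80/myorgname/trusttest:latest"
    print(gun_for_reference(src), "vs", gun_for_reference(mirror))
    print("retag keeps trust data:", mirror_keeps_trust(src, mirror))
    print("signed manifest accepted:", manifest_is_trusted(SAMPLE_TARGETS_JSON, "latest", SIGNED_MANIFEST))
    print("tampered manifest accepted:", manifest_is_trusted(SAMPLE_TARGETS_JSON, "latest", TAMPERED_MANIFEST))
```

The GUN comparison is the diagnostic for the question: `docker.io/myorgname/trusttest` and `laptophostname:80/myorgname/trusttest` are distinct repositories to Notary, so the mirror can only reuse the developer's signatures if the devices keep resolving the original name (for example by pointing the original registry hostname at the laptop) and the Notary server on the laptop serves the original metadata unchanged. The digest check is what the device gains from that: the mirror can be entirely untrusted, because anything it alters no longer matches the signed target.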

1 Answer


I suggest that you look at Docker swarm as many of the things you mentioned are handled by Docker swarm. https://docs.docker.com/engine/swarm/

In particular, you can set your laptop as a swarm manager node which is the only node that has permissions to update containers on worker nodes.

yamenk
  • That's an interesting thought but it doesn't fit in well with the rest of the deployment plan - customers buy these devices and add them piecemeal to the network. The manager would almost never be connected. A show stopper though is that I don't necessarily have control over the machine used to do the update. If I allow any manager to update then I have the same problem of basically allowing arbitrary code to run on the devices. It's the developer signed content part that I need. – Johnny5 Aug 02 '17 at 09:27