---
description: Play in a trust sandbox
keywords: trust, security, root, keys, repository, sandbox
title: Play in a content trust sandbox
aliases:
- /security/trust/trust_sandbox/
---

This page explains how to set up and use a sandbox for experimenting with trust.
The sandbox allows you to configure and try trust operations locally without
impacting your production images.

Before working through this sandbox, you should have read through the
[trust overview](index.md).

## Prerequisites

These instructions assume you are running on Linux or macOS. You can run
this sandbox on a local machine or on a virtual machine. You need to
have privileges to run `docker` commands on your local machine or in the VM.

This sandbox requires you to install two Docker tools: Docker Engine >= 1.10.0
and Docker Compose >= 1.6.0. To install the Docker Engine, choose from the
[list of supported platforms](../../install/_index.md). To install
Docker Compose, see the
[detailed instructions here](/manuals/compose/install/_index.md).
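As an added check that is not part of the Docker documentation, the following POSIX shell script extracts the version from the `docker --version` and Compose version banners and compares it numerically against the minimums above (a plain string comparison would rank 1.9 above 1.10). The sample banners in the comments and the `check_prereqs` helper name are constructed for this example.

```shell
#!/bin/sh
# Added example: verify the sandbox prerequisites, Docker Engine >= 1.10.0
# and Docker Compose >= 1.6.0, with a component-wise numeric comparison.

# Strip a leading "v" and any suffix after the numeric part: "v2.20.2-rc1" -> "2.20.2".
clean_version() {
    printf '%s\n' "$1" | sed -E 's/^v//; s/^([0-9]+(\.[0-9]+)*).*/\1/'
}

# version_ge A B: exit 0 when version A >= version B, 1 otherwise.
version_ge() {
    a=$(clean_version "$1"); b=$(clean_version "$2")
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        # Both versions exhausted with every component equal: A == B.
        [ -z "$x" ] && [ -z "$y" ] && return 0
        # A missing component counts as 0, so 1.6 == 1.6.0.
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Pull the version out of a CLI banner (constructed samples):
#   "Docker version 1.12.1, build 23cf638"          -> 1.12.1
#   "Docker Compose version v2.20.2"                -> 2.20.2
#   "docker-compose version 1.6.0, build d99cad6"   -> 1.6.0
version_from_banner() {
    printf '%s\n' "$1" | sed -E 's/^.*version v?([0-9]+(\.[0-9]+)*).*$/\1/'
}

# check_prereqs ENGINE_BANNER COMPOSE_BANNER: exit 0 when both meet the sandbox minimums.
check_prereqs() {
    engine=$(version_from_banner "$1")
    compose=$(version_from_banner "$2")
    version_ge "$engine" 1.10.0 || { echo "Docker Engine $engine is older than 1.10.0" >&2; return 1; }
    version_ge "$compose" 1.6.0 || { echo "Docker Compose $compose is older than 1.6.0" >&2; return 1; }
    echo "Docker Engine $engine and Docker Compose $compose satisfy the sandbox prerequisites"
}

# Stand-alone use against the installed CLIs (Compose v2 plugin first, then the v1 binary).
if command -v docker >/dev/null 2>&1; then
    check_prereqs "$(docker --version)" \
        "$(docker compose version 2>/dev/null || docker-compose --version 2>/dev/null)" || :
fi
```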

## What is in the sandbox?

If you are just using trust out-of-the-box, you only need your Docker Engine
client and access to Docker Hub. The sandbox mimics a
production trust environment and sets up these additional components.

| Container       | Description                                                                                                                                 |
|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------|
| trustsandbox    | A container with the latest version of Docker Engine and with some preconfigured certificates. This is your sandbox where you can use the `docker` client to test trust operations. |
| Registry server | A local registry service.                                                                                                                 |
| Notary server   | The service that does all the heavy lifting of managing trust.                                                                              |

This means you run your own content trust (Notary) server and registry.
If you work exclusively with Docker Hub, you would not need these components,
because they are built into Docker Hub for you. For the sandbox, however, you build
your own complete mock production environment.

Within the `trustsandbox` container, you interact with your local registry rather
than the Docker Hub. This means your everyday image repositories are not used.
They are protected while you play.

When you play in the sandbox, you also create root and repository keys. The
sandbox is configured to store all the keys and files inside the `trustsandbox`
container. Since the keys you create in the sandbox are for play only,
destroying the container destroys them as well.

By using a docker-in-docker image for the `trustsandbox` container, you also
don't pollute your real Docker daemon cache with any images you push and pull.
The images are stored in an anonymous volume attached to this container,
and can be destroyed after you destroy the container.

## Build the sandbox

In this section, you use Docker Compose to specify how to set up and link together
the `trustsandbox` container, the Notary server, and the Registry server.

1. Create a new `trustsandbox` directory and change into it.

        $ mkdir trustsandbox
        $ cd trustsandbox

2. Create a file called `compose.yaml` with your favorite editor. For example, using vim:

        $ touch compose.yaml
        $ vim compose.yaml

3. Add the following to the new file.

        version: "2"
        services:
          notaryserver:
            image: dockersecurity/notary_autobuilds:server-v0.5.1
            volumes:
              - notarycerts:/var/lib/notary/fixtures
            networks:
              - sandbox
            environment:
              - NOTARY_SERVER_STORAGE_TYPE=memory
              - NOTARY_SERVER_TRUST_SERVICE_TYPE=local
