4th chunk of `content/manuals/engine/security/trust/trust_sandbox.md`
        Pull (1 of 1): sandboxregistry:5000/test/trusttest:latest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
        sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926: Pulling from test/trusttest
        Digest: sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
        Status: Downloaded newer image for sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
        Tagging sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926 as sandboxregistry:5000/test/trusttest:latest


### Test with malicious images

What happens when data is corrupted and you try to pull it when trust is
enabled? In this section, you go into the `sandboxregistry` and tamper with some
data. Then, you try to pull it.

1.  Leave the `trustsandbox` shell and container running.

2.  Open a new interactive terminal from your host, and obtain a shell into the
    `sandboxregistry` container.

        $ docker container exec -it sandboxregistry bash
        root@65084fc6f047:/#

3.  List the layers for the `test/trusttest` image you pushed:

    ```console
    root@65084fc6f047:/# ls -l /var/lib/registry/docker/registry/v2/repositories/test/trusttest/_layers/sha256
    total 12
    drwxr-xr-x 2 root root 4096 Jun 10 17:26 a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
    drwxr-xr-x 2 root root 4096 Jun 10 17:26 aac0c133338db2b18ff054943cee3267fe50c75cdee969aed88b1992539ed042
    drwxr-xr-x 2 root root 4096 Jun 10 17:26 cc7629d1331a7362b5e5126beb5bf15ca0bf67eb41eab994c719a45de53255cd
    ```

4.  Change into the registry storage for one of those layers (this is in a different directory):

        root@65084fc6f047:/# cd /var/lib/registry/docker/registry/v2/blobs/sha256/aa/aac0c133338db2b18ff054943cee3267fe50c75cdee969aed88b1992539ed042

5.  Add malicious data to one of the `trusttest` layers:

        root@65084fc6f047:/# echo "Malicious data" > data

6.  Go back to your `trustsandbox` terminal.

7.  List the `trusttest` image.

        / # docker image ls | grep trusttest
        REPOSITORY                            TAG                 IMAGE ID            CREATED             SIZE
        docker/trusttest                      latest              cc7629d1331a        11 months ago       5.025 MB
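
The registry stores each blob under a directory named for its SHA-256 digest, so the overwrite in step 5 leaves a `data` file that no longer hashes to its own path. The script below is an added example, not part of the Docker documentation, that checks a blob store for exactly that mismatch; `verify_blobs` and `make_sample_store` are hypothetical helper names, and the two-blob store is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Docker docs): check that every blob in a
# registry's content-addressable store still hashes to its directory name.

# verify_blobs ROOT
#   ROOT is the registry's blobs/sha256 directory, laid out as
#   ROOT/<first two hex chars>/<digest>/data (the layout used in step 4).
#   Prints "MISMATCH <expected> <actual>" for each altered blob and
#   returns 1 if any blob fails the check, 0 otherwise.
verify_blobs() {
    root=$1
    bad=0
    for blob in "$root"/*/*/data; do
        [ -f "$blob" ] || continue      # glob matched nothing
        expected=$(basename "$(dirname "$blob")")
        actual=$(sha256sum < "$blob" | cut -d' ' -f1)
        if [ "$expected" != "$actual" ]; then
            echo "MISMATCH $expected $actual"
            bad=1
        fi
    done
    return $bad
}

# make_sample_store DIR
#   Builds a constructed two-blob store under DIR, then overwrites the
#   second blob the same way step 5 does.
make_sample_store() {
    dir=$1
    for content in "layer one" "layer two"; do
        digest=$(printf '%s' "$content" | sha256sum | cut -d' ' -f1)
        prefix=$(printf '%s' "$digest" | cut -c1-2)
        mkdir -p "$dir/$prefix/$digest"
        printf '%s' "$content" > "$dir/$prefix/$digest/data"
        last=$dir/$prefix/$digest/data
    done
    echo "Malicious data" > "$last"
}

# Demo on the constructed store. Inside the sandboxregistry container, pass
# /var/lib/registry/docker/registry/v2/blobs/sha256 to verify_blobs instead.
store=$(mktemp -d)
make_sample_store "$store"
verify_blobs "$store" || echo "tampered blobs found"
rm -rf "$store"
```
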

Title: Tampering with Image Data in the Registry
Summary
This section guides the user through the process of accessing the `sandboxregistry` container, identifying the layers of the `test/trusttest` image, navigating to the storage location of one of these layers, and adding malicious data to it. It then instructs the user to return to the `trustsandbox` terminal and list the `trusttest` image.