2nd chunk of `content/manuals/engine/security/trust/trust_sandbox.md`
don't pollute your real Docker daemon cache with any images you push and pull.
The images are stored in an anonymous volume attached to this container,
and can be destroyed after you destroy the container.

## Build the sandbox

In this section, you use Docker Compose to specify how to set up and link together
the `trustsandbox` container, the Notary server, and the Registry server.


1. Create a new `trustsandbox` directory and change into it.

        $ mkdir trustsandbox
        $ cd trustsandbox

2. Create a file called `compose.yaml` with your favorite editor. For example, using vim:

        $ touch compose.yaml
        $ vim compose.yaml

3. Add the following to the new file.

        version: "2"
        services:
          notaryserver:
            image: dockersecurity/notary_autobuilds:server-v0.5.1
            volumes:
              - notarycerts:/var/lib/notary/fixtures
            networks:
              - sandbox
            environment:
              - NOTARY_SERVER_STORAGE_TYPE=memory
              - NOTARY_SERVER_TRUST_SERVICE_TYPE=local
          sandboxregistry:
            image: registry:2.4.1
            networks:
              - sandbox
            container_name: sandboxregistry
          trustsandbox:
            image: docker:dind
            networks:
              - sandbox
            volumes:
              - notarycerts:/notarycerts
            privileged: true
            container_name: trustsandbox
            entrypoint: ""
            command: |-
                sh -c '
                    cp /notarycerts/root-ca.crt /usr/local/share/ca-certificates/root-ca.crt &&
                    update-ca-certificates &&
                    dockerd-entrypoint.sh --insecure-registry sandboxregistry:5000'
        volumes:
          notarycerts:
            external: false
        networks:
          sandbox:
            external: false

4. Save and close the file.

5. Run the containers on your local system.

        $ docker compose up -d

    The first time you run this, the docker-in-docker, Notary server, and registry
    images are downloaded from Docker Hub.


## Play in the sandbox

Now that everything is set up, you can go into your `trustsandbox` container and
start testing Docker content trust. From your host machine, obtain a shell
in the `trustsandbox` container.

    $ docker container exec -it trustsandbox sh
    / #

### Test some trust operations

Now, pull some images from within the `trustsandbox` container.

1. Download a `docker` image to test with.

        / # docker pull docker/trusttest
        docker pull docker/trusttest
        Using default tag: latest
        latest: Pulling from docker/trusttest

        b3dbab3810fc: Pull complete
        a9539b34a6ab: Pull complete
        Digest: sha256:d149ab53f8718e987c3a3024bb8aa0e2caadf6c0328f1d9d850b2a2a67f2819a
        Status: Downloaded newer image for docker/trusttest:latest

2. Tag it to be pushed to our sandbox registry:

        / # docker tag docker/trusttest sandboxregistry:5000/test/trusttest:latest

3. Enable content trust.

        / # export DOCKER_CONTENT_TRUST=1

4. Identify the trust server.

        / # export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443

    This step is only necessary because the sandbox uses its own Notary server.
    When you use Docker Hub, the default trust server is used and this step isn't needed.

5. Pull the test image.

        / # docker pull sandboxregistry:5000/test/trusttest
        Using default tag: latest
        Error: remote trust data does not exist for sandboxregistry:5000/test/trusttest: notaryserver:4443 does not have trust data for sandboxregistry:5000/test/trusttest

    You see an error, because this content doesn't exist on the `notaryserver` yet.

6. Push and sign the trusted image.

        / # docker push sandboxregistry:5000/test/trusttest:latest
        The push refers to a repository [sandboxregistry:5000/test/trusttest]
        5f70bf18a086: Pushed
        c22f7bc058a9: Pushed
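The steps above show content trust refusing a pull when the Notary server has no trust data for the image. The following script is an added example (not part of the Docker documentation) that turns that behaviour into a check you can run inside the `trustsandbox` container: it pulls with `DOCKER_CONTENT_TRUST=1` and classifies the outcome as `signed`, `unsigned`, or `error`, so a deployment step can refuse images without trust data. The `classify_pull_output` and `trusted_pull` function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Docker docs. Intended to run inside the
# trustsandbox container, where `docker` talks to the docker-in-docker daemon.

# Classify a `docker pull` run with content trust enabled.
#   $1: exit status of the pull
#   $2: combined stdout/stderr of the pull
# Prints exactly one of: signed, unsigned, error.
classify_pull_output() {
    status="$1"
    out="$2"
    if [ "$status" -eq 0 ]; then
        # With DOCKER_CONTENT_TRUST=1 a successful pull means the tag
        # resolved to a signed digest on the trust server.
        echo signed
        return
    fi
    case "$out" in
        # Messages the CLI prints when Notary holds no data for the repository
        # (the wording seen in the sandbox walkthrough above).
        *"remote trust data does not exist"*|*"does not have trust data for"*)
            echo unsigned ;;
        *)
            echo error ;;
    esac
}

# Pull an image reference with content trust enforced and report the result.
# Returns 0 only when the pull succeeded under content trust.
#   $1: image reference, e.g. sandboxregistry:5000/test/trusttest:latest
trusted_pull() {
    ref="$1"
    # The sandbox Notary server is the default; override via the environment
    # when checking against a different trust server.
    out=$(DOCKER_CONTENT_TRUST=1 \
          DOCKER_CONTENT_TRUST_SERVER="${DOCKER_CONTENT_TRUST_SERVER:-https://notaryserver:4443}" \
          docker pull "$ref" 2>&1)
    status=$?
    result=$(classify_pull_output "$status" "$out")
    echo "$ref: $result"
    [ "$result" = signed ]
}

# Usage inside the sandbox (uncomment to run):
# trusted_pull sandboxregistry:5000/test/trusttest:latest || echo "refusing image without trust data"
```

Run it before and after the signed push in step 6 to see the classification move from `unsigned` to `signed`.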
