Reputation: 6242
I read through the documentation of Docker Content Trust and some questions came up about the following scenario. I start docker without having DCT enabled and deploy some images. Then I decide to enable DCT so that I can only continue to deploy signed images. What will happen to the unsigned ones that have already been deployed? Will they just continue running?
Can I somehow determine (being inside the application in the container and from host) if the image running is signed or unsigned?
Here is the documentation for DCT
Upvotes: 3
Views: 6234
Reputation: 412
```
docker trust inspect <image>
```

example:

```
docker trust inspect zookeeper
```

```json
[
  {
    "Name": "zookeeper",
    "SignedTags": [
      {
        "SignedTag": "3.3",
        "Digest": "0c5d4d56fb5b04d9a9212ef5971df194e1481df94eaf8ea6df1aa2bdf3fe9ad3",
        "Signers": [
          "Repo Admin"
        ]
      },
      {
        "SignedTag": "3.3.6",
        "Digest": "0c5d4d56fb5b04d9a9212ef5971df194e1481df94eaf8ea6df1aa2bdf3fe9ad3",
        "Signers": [
          "Repo Admin"
        ]
      },
      {
        "SignedTag": "3.4",
        "Digest": "3882d9493d387ba77b7b69e2a031b9396477ec29483d51ceaed645c1389182e5",
        "Signers": [
          "Repo Admin"
        ]
      },
      {
        "SignedTag": "latest",
        "Digest": "b931ebcdb2efd5bc4cc3db9123ae3cddf7ba51cbe1a282a5ee750425b3ccd48d",
        "Signers": [
          "Repo Admin"
        ]
      }
    ],
    "Signers": [],
    "AdministrativeKeys": [
      {
        "Name": "Root",
        "Keys": [
          {
            "ID": "bf41a27e3433dc9c65e68987ee5a7f9550b00ddfcfe8f9c2e16bdea76607c1f8"
          }
        ]
      },
      {
        "Name": "Repository",
        "Keys": [
          {
            "ID": "84ac8dbd8ef8a604498f9d0cf7d2fd66e39f1e5d13bd0dc4ece33e5151666aad"
          }
        ]
      }
    ]
  }
]
```
Upvotes: 0
Reputation: 6554
> What will happen to the unsigned ones that have already been deployed? Will they just continue running?
If you pull images with docker content trust disabled, and then turn on docker content trust, nothing will happen to the existing images/containers.
The content trust operations are 100% a docker client implementation. The daemon doesn't really know nor care whether an image is signed.
If you have docker content trust enabled, and do a pull, create, or run, the client will look up the trust data and find the sha256 digest of the image that has been signed. The daemon then gets told that it's doing a pull/create/run of that digest.
> Can I somehow determine (being inside the application in the container and from host) if the image running is signed or unsigned?
Generally speaking, from inside a container, there is very little exposed. You can't return the image name, the container name, nor even the ports that are published. Even if you could, the daemon is blind to image signing, and only knows that it's been told to run a specific digest.
On the host you can determine whether a running container is using a signed image, but it isn't simply listed in 'docker images' or 'docker ps'. You would have to compare the image with the trust data. There isn't a pre-made UI component that does this for you that I'm aware of.
One thing to keep in mind is that signatures can be updated. Say I'm running ubuntu:14.04, which is a signed image. My container is up and running and all is well. Sooner or later the ubuntu:14.04 image will be updated, and new trust data will be published alongside the update of the image. Now, my container has an out of date image. The next time I go to do a docker pull/create/run, the updated trust data will be gotten, and I'll get the newer image. Part of what DCT guarantees is freshness.
Upvotes: 3
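The host-side check that the second answer describes (compare the image a container is actually running with the trust data that `docker trust inspect` prints, as shown in the first answer) can be scripted. The following is an added example and not code from either answer or from Docker itself: it parses the `docker trust inspect` JSON, extracts the manifest digest from the `RepoDigests` field of `docker image inspect`, and reports which signed tag, if any, the local image corresponds to. The sample JSON and `RepoDigests` values are constructed from the digests shown above; the function names are this example's own.

```python
"""Match a running container's image against Docker Content Trust data.

Added example, not part of the original answers. Offline, it works on the
constructed samples below; check_running_container() shows the same logic
driven by the docker CLI on a host where docker is installed.
"""
import json
import subprocess
from typing import Dict, List

# Constructed: abbreviated output of `docker trust inspect zookeeper`,
# using the digests shown in the answer above.
SAMPLE_TRUST_JSON = """
[
  {
    "Name": "zookeeper",
    "SignedTags": [
      {"SignedTag": "3.3",
       "Digest": "0c5d4d56fb5b04d9a9212ef5971df194e1481df94eaf8ea6df1aa2bdf3fe9ad3",
       "Signers": ["Repo Admin"]},
      {"SignedTag": "3.3.6",
       "Digest": "0c5d4d56fb5b04d9a9212ef5971df194e1481df94eaf8ea6df1aa2bdf3fe9ad3",
       "Signers": ["Repo Admin"]},
      {"SignedTag": "3.4",
       "Digest": "3882d9493d387ba77b7b69e2a031b9396477ec29483d51ceaed645c1389182e5",
       "Signers": ["Repo Admin"]},
      {"SignedTag": "latest",
       "Digest": "b931ebcdb2efd5bc4cc3db9123ae3cddf7ba51cbe1a282a5ee750425b3ccd48d",
       "Signers": ["Repo Admin"]}
    ],
    "Signers": [],
    "AdministrativeKeys": []
  }
]
"""

# Constructed: the RepoDigests field of `docker image inspect` for an image
# pulled by tag. The hex part is the manifest digest the daemon was told to pull.
SAMPLE_REPO_DIGESTS_SIGNED = [
    "zookeeper@sha256:3882d9493d387ba77b7b69e2a031b9396477ec29483d51ceaed645c1389182e5"
]
# Constructed: a digest that appears in no signed tag (an all-zero placeholder).
SAMPLE_REPO_DIGESTS_UNSIGNED = [
    "zookeeper@sha256:0000000000000000000000000000000000000000000000000000000000000000"
]


def signed_digests(trust_json: str) -> Dict[str, List[str]]:
    """Map each signed manifest digest (hex) to the tags signed for it."""
    table: Dict[str, List[str]] = {}
    for repo in json.loads(trust_json):
        for entry in repo.get("SignedTags", []):
            table.setdefault(entry["Digest"], []).append(entry["SignedTag"])
    return table


def repo_digest_hex(repo_digests: List[str], repo: str) -> List[str]:
    """Extract the sha256 hex digests for one repository from RepoDigests entries."""
    out: List[str] = []
    for rd in repo_digests:
        name, _, digest = rd.partition("@")
        if name == repo and digest.startswith("sha256:"):
            out.append(digest[len("sha256:"):])
    return out


def signed_tags_for_image(trust_json: str, repo_digests: List[str], repo: str) -> List[str]:
    """Return the signed tags whose digest matches the local image; [] if none."""
    table = signed_digests(trust_json)
    tags: List[str] = []
    for hexdigest in repo_digest_hex(repo_digests, repo):
        tags.extend(table.get(hexdigest, []))
    return sorted(set(tags))


def check_running_container(container: str, repo: str) -> List[str]:
    """Live variant (needs the docker CLI): resolve the container's image and compare."""
    image_id = subprocess.check_output(
        ["docker", "inspect", "--format", "{{.Image}}", container], text=True).strip()
    image_json = subprocess.check_output(["docker", "image", "inspect", image_id], text=True)
    repo_digests = json.loads(image_json)[0].get("RepoDigests", [])
    trust_json = subprocess.check_output(["docker", "trust", "inspect", repo], text=True)
    return signed_tags_for_image(trust_json, repo_digests, repo)


if __name__ == "__main__":
    print(signed_tags_for_image(SAMPLE_TRUST_JSON, SAMPLE_REPO_DIGESTS_SIGNED, "zookeeper"))
    print(signed_tags_for_image(SAMPLE_TRUST_JSON, SAMPLE_REPO_DIGESTS_UNSIGNED, "zookeeper"))
```

An empty result means the local image's digest is not among the currently signed tags, which covers both the unsigned case and the stale case from the answer (the tag was re-signed for a newer digest after the container started). An image built locally or loaded from a tarball has no `RepoDigests` at all and therefore also comes back empty; that is the honest answer, since nothing on the host ties it to any trust data.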