Enforce content trust with trust key and yaml subkeys for image and org

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2025-07-20 01:29:07 +00:00 · 2017-04-07 15:36:43 -07:00 · 2017-04-07 15:36:43 -07:00 · a947ded0fb
commit a947ded0fb
parent d15a4e7370
8 changed files with 59 additions and 11 deletions
--- a/examples/docker.yml
+++ b/examples/docker.yml
@ -56,5 +56,8 @@ daemon:
    binds:
     - /dev:/dev
     - /lib/modules:/lib/modules
+trust:
+  image:
+    - mobylinux/kernel
 outputs:
  - format: kernel+initrd
--- a/examples/gcp.yml
+++ b/examples/gcp.yml
@ -72,6 +72,9 @@ daemon:
     - CAP_SETGID
     - CAP_DAC_OVERRIDE
    net: host
+trust:
+  image:
+    - mobylinux/kernel
 files:
  - path: etc/docker/daemon.json
    contents: '{"debug": true}'
--- a/examples/sshd.yml
+++ b/examples/sshd.yml
@ -50,6 +50,9 @@ daemon:
    binds:
     - /root/.ssh:/root/.ssh
     - /etc/resolv.conf:/etc/resolv.conf
+trust:
+  image:
+    - mobylinux/kernel
 files:
  - path: root/.ssh/authorized_keys
    contents: '#your ssh key here'
--- a/examples/vmware.yml
+++ b/examples/vmware.yml
@ -47,6 +47,9 @@ daemon:
     - CAP_SETGID
     - CAP_DAC_OVERRIDE
    net: host
+trust:
+  image:
+    - mobylinux/kernel
 files:
  - path: etc/docker/daemon.json
    contents: '{"debug": true}'
--- a/moby.yml
+++ b/moby.yml
@ -50,6 +50,9 @@ daemon:
 files:
  - path: etc/docker/daemon.json
    contents: '{"debug": true}'
+trust:
+  image:
+    - mobylinux/kernel
 outputs:
  - format: kernel+initrd
  - format: iso-bios
--- a/src/cmd/moby/build.go
+++ b/src/cmd/moby/build.go
@ -10,6 +10,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strings"

 	log "github.com/Sirupsen/logrus"
 	"github.com/docker/moby/src/initrd"
@ -49,6 +50,26 @@ func initrdAppend(iw *initrd.Writer, r io.Reader) {
 	}
 }

+func enforceContentTrust(fullImageName string, config *TrustConfig) bool {
+	for _, img := range config.Image {
+		// First check for an exact tag match
+		if img == fullImageName {
+			return true
+		}
+		// Also check for an image name only match:
+		if img == strings.TrimSuffix(fullImageName, ":") {
+			return true
+		}
+	}
+
+	for _, org := range config.Org {
+		if strings.HasPrefix(fullImageName, org+"/") {
+		}
+		return true
+	}
+	return false
+}
+
 // Perform the actual build process
 func buildInternal(name string, pull bool, conf string) {
 	if name == "" {
@ -72,9 +93,9 @@ func buildInternal(name string, pull bool, conf string) {
 	w := new(bytes.Buffer)
 	iw := initrd.NewWriter(w)

-	if pull {
+	if pull || enforceContentTrust(m.Kernel.Image, &m.Trust) {
 		log.Infof("Pull kernel image: %s", m.Kernel.Image)
-		err := dockerPull(m.Kernel.Image)
+		err := dockerPull(m.Kernel.Image, enforceContentTrust(m.Kernel.Image, &m.Trust))
 		if err != nil {
 			log.Fatalf("Could not pull image %s: %v", m.Kernel.Image, err)
 		}
@ -100,9 +121,9 @@ func buildInternal(name string, pull bool, conf string) {
 	// convert init images to tarballs
 	log.Infof("Add init containers:")
 	for _, ii := range m.Init {
-		if pull {
+		if pull || enforceContentTrust(ii, &m.Trust) {
 			log.Infof("Pull init image: %s", ii)
-			err := dockerPull(ii)
+			err := dockerPull(ii, enforceContentTrust(ii, &m.Trust))
 			if err != nil {
 				log.Fatalf("Could not pull image %s: %v", ii, err)
 			}
@ -118,9 +139,9 @@ func buildInternal(name string, pull bool, conf string) {

 	log.Infof("Add system containers:")
 	for i, image := range m.System {
-		if pull {
+		if pull || enforceContentTrust(image.Image, &m.Trust) {
 			log.Infof("  Pull: %s", image.Image)
-			err := dockerPull(image.Image)
+			err := dockerPull(image.Image, enforceContentTrust(image.Image, &m.Trust))
 			if err != nil {
 				log.Fatalf("Could not pull image %s: %v", image.Image, err)
 			}
@ -142,9 +163,9 @@ func buildInternal(name string, pull bool, conf string) {

 	log.Infof("Add daemon containers:")
 	for _, image := range m.Daemon {
-		if pull {
+		if pull || enforceContentTrust(image.Image, &m.Trust) {
 			log.Infof("  Pull: %s", image.Image)
-			err := dockerPull(image.Image)
+			err := dockerPull(image.Image, enforceContentTrust(image.Image, &m.Trust))
 			if err != nil {
 				log.Fatalf("Could not pull image %s: %v", image.Image, err)
 			}
--- a/src/cmd/moby/config.go
+++ b/src/cmd/moby/config.go
@ -27,6 +27,7 @@ type Moby struct {
 	Init   []string
 	System []MobyImage
 	Daemon []MobyImage
+	Trust  TrustConfig
 	Files  []struct {
 		Path      string
 		Directory bool
@ -43,6 +44,12 @@ type Moby struct {
 	}
 }

+// TrustConfig is the type of a content trust config
+type TrustConfig struct {
+	Image []string
+	Org   []string
+}
+
 // MobyImage is the type of an image config
 type MobyImage struct {
 	Name              string
--- a/src/cmd/moby/docker.go
+++ b/src/cmd/moby/docker.go
@ -236,13 +236,18 @@ func dockerRm(container string) error {
 	return nil
 }

-func dockerPull(image string) error {
+func dockerPull(image string, trustedPull bool) error {
 	log.Debugf("docker pull: %s", image)
 	docker, err := exec.LookPath("docker")
 	if err != nil {
 		return errors.New("Docker does not seem to be installed")
 	}
-	args := []string{"pull", image}
+	var args = []string{"pull"}
+	if trustedPull {
+		log.Debugf("pulling %s with content trust", image)
+		args = append(args, "--disable-content-trust=false")
+	}
+	args = append(args, image)
 	cmd := exec.Command(docker, args...)

 	stderrPipe, err := cmd.StderrPipe()
@ -294,7 +299,7 @@ func dockerInspectImage(cli *client.Client, image string) (types.ImageInspect, e
 	inspect, _, err := cli.ImageInspectWithRaw(context.Background(), image, false)
 	if err != nil {
 		if client.IsErrImageNotFound(err) {
-			pullErr := dockerPull(image)
+			pullErr := dockerPull(image, false)
 			if pullErr != nil {
 				return types.ImageInspect{}, pullErr
 			}