TL;DR - how do I run a (potentially insecure) docker registry mirror and trust the content?
I have a series of devices running docker containers on a closed network with no internet access. I'm able to temporarily attach a laptop that has previously had internet access to the network. The end aim is to update the container images each of these devices is running.
I can get this working in principle by:
- Pulling from an internet registry (Docker Hub or private) to the laptop.
- Running a registry on the laptop.
- Pushing to this registry with
  docker tag myorgname/trusttest:latest laptophostname:80/myorgname/trusttest:latest
  docker push laptophostname:80/myorgname/trusttest:latest
- Disconnecting the laptop from the internet and connecting it to the closed network.
- Telling the devices to do a
  docker pull laptophostname:80/myorgname/trusttest:latest
  docker tag laptophostname:80/myorgname/trusttest:latest myorgname/trusttest:latest
  and restarting their containers with the new image (how I do this isn't particularly relevant, let's just say I can communicate laptophostname to them and they do the rest).
What's really important though is that I get it working with Docker Content Trust (aka Notary). Otherwise anyone could just connect to the network and tell the devices to start running arbitrary code.
I can run a Notary server on the laptop too, and this works fine except that when I push the newer image from my local docker to my registry on the laptop (step 3 above) it asks me for new signing keys, i.e. it is giving the container new trust information rather than just copying the original, developer-created trust.
At the moment I have control over the machine used to do the update (i.e. the laptop) but in the future this may not be the case, so I don't want to have any developer keys on this. Notary advertises that insecure mirrors are a use case, so how do I get it working with docker?
EDIT
This may or may not be relevant, but the idea is that a customer buys one or more of these devices at a time and adds them to the network in stages. I need a way of providing signed software updates, hence the original plan of writing an app to act as a registry mirror. Without content trust it would be easy to trick the devices into running any images.
I suggest that you look at Docker Swarm, as many of the things you mentioned are handled by Docker Swarm. https://docs.docker.com/engine/swarm/
In particular, you can set your laptop as a swarm manager node, which is the only node that has permissions to update containers on worker nodes.