DockerCon EU 2015: What's New with Docker Trusted Registry
TRANSCRIPT
What’s New with Docker Trusted Registry (v1.4.0)?
Jon Chu (PM, Enterprise) & Rajat Goel (Director of Engineering, Enterprise)
Docker Trusted Registry Recap
Registry for building, storing and managing images securely, within your firewall
Maintain control over Docker images to meet your security or regulatory compliance requirements.
Content is King…to Build-Ship-Run
(diagram: Build → Ship → Run, with the Trusted Registry at the centre holding base, tested and production images across Development, Test, Staging, Production and Scale Out)
DTR Primary Usage Scenarios
CI/CD with Docker
• Centrally located base images
• Store individual build images
• Pull tested images to production
Containers as a Service
• Deploy Jenkins executors or Hadoop nodes
• Instant-on developer environment
• Selected curated apps from a catalog
• Dynamic composition of micro-services (“PAAS”)
Pre DTR 1.4
General Features
• Admin & Health UI
• Registry Storage Status
• LDAP/AD Integration
• RBAC API (Admin, R/W, R/O)
• User actions/API audit logs
• Registry v2 API & v2 Image Support
• One click install/upgrade
Platform Features
• Storage drivers for filesystem, S3, and Azure
• Support Tooling
• Support for Ubuntu, RHEL, CentOS
• Tested at 300 concurrent pulls/instance
DTR 1.4 Release
General Features
• Orgs, Teams & Repo permissions UI
• Search index, API & UI
• Interactive API documentation
• Image deletion from index
• Image garbage collection
Experimental
• Docker Content Trust: View Docker Notary signatures in DTR
Architecture
(diagram: the Docker Client (`> docker`) and Docker Engines reach a Load Balancer over HTTPS 443; behind it sit the Registry Servers, Admin Server and Auth Server, backed by a PostgreSQL Datastore and pluggable Storage Drivers; the Admin UI exposes Audit and Event logs, shipped to a Log Aggregator via Local Syslog; Directory Services are reached over LDAPS 636)
Demo Time

Deep Dive: Delete

Deep Dive: Garbage Collection
Overview: Docker Content Trust
● Built on TUF
● Designed to make good security easy!
● Validates the publisher, not the safety of their content!
Overview: Docker Content Trust
Image Forgery

Overview: Docker Content Trust
Why not GPG?
Replay Attacks
TOFUs (trust on first use)
Future Plans and Features
● Docker Content Trust Integration
● Docker Universal Control Plane Integration

Docker Universal Control Plane Integration
● End-to-end authn integration with LDAP/AD
● Cross product RBAC across orgs
● Complete CI/CD visibility
DCT: Image Promotion & Policy Enforcement
● Cryptographically signed layers
● Promote images through signatures
● dev signed -> QA signed -> prod signed
● Policy enforcement through integrations
(diagram actors: Sysadmin, Dev, Prod Ops)
International Availability
Docker Subscription available for Europe
Hourly and annual subscriptions available from AWS Marketplace
Subscription licenses available
L1 and L2 support for US and Europe
Bring your own license to deploy Docker VHD in Azure Marketplace to European zones
www.docker.com/aws www.docker.com/ibm www.docker.com/microsoft
30 day free trial www.docker.com/try-dtr
Thank you! Jon & Rajat
@chu_jon, [email protected]
@rajat_g, [email protected]