What’s New with Docker Trusted Registry (v1.4.0)?

Jon Chu & Rajat GoelPM, EnterpriseDirector of Engineering, Enterprise

Docker Trusted Registry Recap

2

Registry for building, storing and managing images securely, within your firewall

Maintain control over Docker images to meet your security or regulatory compliance requirements.

Content is King…to Build-Ship-Run

Run

Trusted Registry

Base Image Tested Production

Development Test Staging Production Scale Out

Build Ship

DTR Primary Usage Scenarios

CI/CD with Docker

• Centrally located base images• Store individual build images• Pull tested images to production

Containers as a Service

• Deploy Jenkins executors or Hadoop nodes• Instant-on developer environment• Selected curated apps from a catalog• Dynamic composition of micro-services (“PAAS”)

Pre DTR 1.4

General Features

• Admin & Health UI• Registry Storage Status• LDAP/AD Integration• RBAC API (Admin, R/W, R/O)• User actions/API audit logs• Registry v2 API & v2 Image Support• One click install/upgrade

Platform Features

• Storage drivers for filesystem, s3, and azure• Support Tooling• Support for Ubuntu, RHEL, CentOS• Tested at 300 concurrent pulls/instance

DTR 1.4 Release

General Features

• Orgs, Teams & Repo permissions UI• Search index, API & UI• Interactive API documentation• Image deletion from index• Image garbage collection

Experimental • Docker Content Trust: View Docker Notary signatures in DTR

Architecture

Datastore

Storage Drivers

Admin UIAudit and Event logs

Directory Services

LoadBalancer

Registry ServersAdminServer

AuthServer

Log Aggregator

Docker Engines

PostgreSQL

LDAPS 636Local Syslog

Docker Client

> docker

HTTPS 443

Demo Time

8

9

Deep Dive: Delete

10

Deep Dive: Delete

11

Deep Dive: Garbage Collection

12

Overview: Docker Content Trust● Built on TUF● Designed to make good security easy!● Validates the publisher, not the safety of their

content!

13

Overview: Docker Content Trust● Built on TUF● Designed to make good security easy!● Validates the publisher, not the safety of their

content!

14

Overview: Docker Content Trust

Image Forgery

15

Overview: Docker Content Trust

Why not GPG?

Replay Attacks

TOFUs

13

17

Docker Content Trust Integration

Docker Universal Control Plane Integration

Future Plans and Features

Docker Universal Control Plane Integration

● End-to-end authn integration with LDAP/AD

● Cross product RBAC across orgs● Complete CI/CD visibility

Description

DCT: Image Promotion & Policy Enforcement

● Cryptographically signed layers● Promote images through signatures

● dev signed -> QA signed -> prod signed● Policy enforcement through integrations

Description

Sysadmin

Dev

Prod Ops

International AvailabilityDocker Subscription available for Europe

Hourly and annual subscriptions available from AWS Marketplace

Subscription licenses available

L1 and L2 support for US and Europe

Bring your own license to deploy Docker VHD in Azure Marketplace to

European zones

www.docker.com/aws www.docker.com/ibm www.docker.com/microsoft

30 day free trial www.docker.com/try-dtr

Thank you!Jon & Rajat@chu_jon, jon.chu@docker.com@rajat_g, rajat.goel@docker.com