How do we set up docker notary-server, notary-signer, and notary-client for a private registry such as nexus?


I have set up the below infrastructure for notary:

  1. notary server
  2. notary signer
  3. mariadb database for both "notary server" and "notary signer" using docker-compose.

I would like to use my private docker registry (nexus), which is deployed on a different machine from the notary infrastructure I have up and running.

Could you please let me know the step by step process for the same?

I am extending my findings:

I am trying to set up my own notary service using the instructions available at this link: https://github.com/theupdateframework/notary

What I have done:

$ git clone https://github.com/theupdateframework/notary.git
$ cd notary
$ docker-compose build
$ docker-compose up -d

After performing the above steps I got 3 containers up and running on my docker host (running on a local laptop, Ubuntu 16.04):

  1. notary_server
  2. notary_signer
  3. mariadb:10.1.28

Now, in order to use my local notary service with the private registry nexus (hosted as a container on another machine), I have done the below steps:

/etc/hosts entry:
127.0.0.1 notary-server

mkdir -p ~/.notary && cp cmd/notary/config.json cmd/notary/root-ca.crt ~/.notary

After this I tested the connection using the below command and it succeeded.

openssl s_client -connect :4443 -CAfile fixtures/root-ca.crt -no_ssl3 -no_ssl2

Now, in order to sign the image and push it to the private registry, I have set the below environment variables.

DOCKER_CONTENT_TRUST_SERVER=https://notary-server:4443
DOCKER_CONTENT_TRUST=1

Problem: When I issue a docker push command like the one below

sudo docker push nexus.xyz.com:5000/nginx:latest (I had already tagged the image properly)

it does not go through signing; it directly pushes the image to the private registry.

But when I use

sudo docker push --disable-content-trust=false nexus.xyz.com:5000/nginx:latest

it signs the image and pushes it, but does not show any trusted content when I use

notary list nexus.xyz.com:5000/nginx:latest

Question: Do I need to do any other configuration in order to use my own notary service?

Any help would be really appreciated.

There are 2 best solutions below

I was able to get this working as you described. Though, when pushing I did:

docker push localhost:5000/uname/nginx:latest

(Note: I have my own private registry running locally.)

Also, this saves you from having to edit /etc/hosts:

notary -s https://localhost:4443 list localhost:5000/gt3389b/myfirstimage

The command

sudo docker push --disable-content-trust=false nexus.xyz.com:5000/nginx:latest

runs as user root, thus the home directory changes.

You should try copying the .docker and .notary directories to root's home directory, or add the current user to the docker group and run the docker command without sudo.
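The second answer's point is that sudo runs the client with root's HOME and, by default, without the caller's environment, so the files the question copied into ~/.notary and the exported DOCKER_CONTENT_TRUST=1 are not seen by "sudo docker push". The following shell script is an added example, not code from this thread or from the notary project; it checks, for a given HOME directory, trust server URL and DOCKER_CONTENT_TRUST value, whether the pieces the question's setup relies on are in place. The ~/.notary/config.json and ~/.docker/trust paths are the ones the question uses; the ~/.docker/tls/<host>:<port>/root-ca.crt location is assumed from the Docker content-trust documentation for private notary servers. The demonstration directories are constructed placeholders so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the notary project): check whether a
# docker/notary client running with the given HOME would actually sign and
# find its trust material. Paths assumed:
#   $HOME/.notary/config.json                  notary CLI config (from the question)
#   $HOME/.docker/trust                        trust directory (from the question)
#   $HOME/.docker/tls/<host:port>/root-ca.crt  CA the docker client uses for the
#                                              trust server (assumed from Docker docs)

# trust_check HOME_DIR SERVER_URL DCT_VALUE
# Prints one line per check; returns 0 only when every check passes.
trust_check() {
    home="$1"
    server="$2"
    dct="$3"
    status=0

    # sudo resets the environment by default, so a DOCKER_CONTENT_TRUST=1
    # exported in the user's shell normally does not reach "sudo docker push".
    if [ "$dct" = "1" ]; then
        echo "ok: DOCKER_CONTENT_TRUST=1, push will sign"
    else
        echo "missing: DOCKER_CONTENT_TRUST is not 1, push will not sign"
        status=1
    fi

    # Reduce the server URL to host:port, which names the TLS cert directory.
    hostport="${server#https://}"
    hostport="${hostport#http://}"

    for path in \
        "$home/.notary/config.json" \
        "$home/.docker/tls/$hostport/root-ca.crt" \
        "$home/.docker/trust"
    do
        if [ -e "$path" ]; then
            echo "ok: $path"
        else
            echo "missing: $path"
            status=1
        fi
    done
    return "$status"
}

# populate_home DIR HOST_PORT: lay out the expected files under DIR
# (constructed empty placeholders, so the demo and checks run offline).
populate_home() {
    mkdir -p "$1/.notary" "$1/.docker/tls/$2" "$1/.docker/trust"
    : > "$1/.notary/config.json"
    : > "$1/.docker/tls/$2/root-ca.crt"
}

# report LABEL HOME_DIR SERVER_URL DCT_VALUE: human-readable verdict.
report() {
    if trust_check "$2" "$3" "$4"; then
        echo "$1: ready for a signed push"
    else
        echo "$1: signing will be skipped or fail"
    fi
}

# Constructed demonstration: the invoking user's HOME with everything in place
# versus an empty directory standing in for root's HOME under sudo.
demo() {
    tmp=$(mktemp -d)
    populate_home "$tmp/user" "notary-server:4443"
    mkdir -p "$tmp/root"
    report "user home" "$tmp/user" https://notary-server:4443 1
    report "root home via sudo" "$tmp/root" https://notary-server:4443 ""
    rm -rf "$tmp"
}

demo
```

To apply the check to a real host, run trust_check with the HOME the docker command will actually use (root's home when going through sudo, your own when running as a member of the docker group) and the value of DOCKER_CONTENT_TRUST as that process sees it; every "missing" line is a file to copy or a variable to export before retrying the push.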