beenull/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Rename to flags and environment variables to content trust

Browse source 
Update help line to allow 90 characters instead of 80

The trust flag pushes out the help description column wider, requiring more room to display help messages.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This commit is contained in:
Derek McGowan 2015-07-24 01:59:42 -07:00
parent 3e90b12d42
commit 259cadb0b1
12 changed files with 136 additions and 136 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
api/client/trust.go
View file

@ -37,7 +37,7 @@ var untrusted bool
func addTrustedFlags(fs *flag.FlagSet, verify bool) {
var trusted bool
if e := os.Getenv("DOCKER_TRUST"); e != "" {
if e := os.Getenv("DOCKER_CONTENT_TRUST"); e != "" {
if t, err := strconv.ParseBool(e); t || err != nil {
// treat any other value as true
trusted = true
@ -47,7 +47,7 @@ func addTrustedFlags(fs *flag.FlagSet, verify bool) {
if verify {
message = "Skip image verification"
}
fs.BoolVar(&untrusted, []string{"-untrusted"}, !trusted, message)
fs.BoolVar(&untrusted, []string{"-disable-content-trust"}, !trusted, message)
}
func isTrusted() bool {
@ -79,7 +79,7 @@ func (cli *DockerCli) certificateDirectory(server string) (string, error) {
}
func trustServer(index *registry.IndexInfo) string {
if s := os.Getenv("DOCKER_TRUST_SERVER"); s != "" {
if s := os.Getenv("DOCKER_CONTENT_TRUST_SERVER"); s != "" {
if !strings.HasPrefix(s, "https://") {
return "https://" + s
}
@ -178,9 +178,9 @@ func convertTarget(t client.Target) (target, error) {
func (cli *DockerCli) getPassphraseRetriever() passphrase.Retriever {
baseRetriever := passphrase.PromptRetrieverWithInOut(cli.in, cli.out)
env := map[string]string{
"root": os.Getenv("DOCKER_TRUST_ROOT_PASSPHRASE"),
"targets": os.Getenv("DOCKER_TRUST_TARGET_PASSPHRASE"),
"snapshot": os.Getenv("DOCKER_TRUST_SNAPSHOT_PASSPHRASE"),
"root": os.Getenv("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE"),
"targets": os.Getenv("DOCKER_CONTENT_TRUST_TARGET_PASSPHRASE"),
"snapshot": os.Getenv("DOCKER_CONTENT_TRUST_SNAPSHOT_PASSPHRASE"),
}
return func(keyName string, alias string, createNew bool, numAttempts int) (string, bool, error) {
if v := env[alias]; v != "" {

4
docs/reference/commandline/cli.md
View file

@ -49,8 +49,8 @@ by the `docker` command line:
unsuitable for Docker.
* `DOCKER_RAMDISK` If set this will disable 'pivot_root'.
* `DOCKER_TLS_VERIFY` When set Docker uses TLS and verifies the remote.
* `DOCKER_TRUST` When set Docker uses notary to sign and verify images.
Equates to `--untrusted=false` for build, create, pull, push, run.
* `DOCKER_CONTENT_TRUST` When set Docker uses notary to sign and verify images.
Equates to `--disable-content-trust=false` for build, create, pull, push, run.
* `DOCKER_TMPDIR` Location for temporary Docker files.
Because Docker is developed using 'Go', you can also use any environment

102
docs/reference/commandline/create.md
View file

@ -17,57 +17,57 @@ Creates a new container.
Create a new container
-a, --attach=[] Attach to STDIN, STDOUT or STDERR
--add-host=[] Add a custom host-to-IP mapping (host:ip)
--blkio-weight=0 Block IO weight (relative weight)
-c, --cpu-shares=0 CPU shares (relative weight)
--cap-add=[] Add Linux capabilities
--cap-drop=[] Drop Linux capabilities
--cgroup-parent="" Optional parent cgroup for the container
--cidfile="" Write the container ID to the file
--cpu-period=0 Limit CPU CFS (Completely Fair Scheduler) period
--cpu-quota=0 Limit CPU CFS (Completely Fair Scheduler) quota
--cpuset-cpus="" CPUs in which to allow execution (0-3, 0,1)
--cpuset-mems="" Memory nodes (MEMs) in which to allow execution (0-3, 0,1)
--device=[] Add a host device to the container
--dns=[] Set custom DNS servers
--dns-search=[] Set custom DNS search domains
-e, --env=[] Set environment variables
--entrypoint="" Overwrite the default ENTRYPOINT of the image
--env-file=[] Read in a file of environment variables
--expose=[] Expose a port or a range of ports
-h, --hostname="" Container host name
--help=false Print usage
-i, --interactive=false Keep STDIN open even if not attached
--ipc="" IPC namespace to use
-l, --label=[] Set metadata on the container (e.g., --label=com.example.key=value)
--label-file=[] Read in a line delimited file of labels
--link=[] Add link to another container
--log-driver="" Logging driver for container
--log-opt=[] Log driver specific options
--lxc-conf=[] Add custom lxc options
-m, --memory="" Memory limit
--mac-address="" Container MAC address (e.g. 92:d0:c6:0a:29:33)
--memory-swap="" Total memory (memory + swap), '-1' to disable swap
--memory-swappiness="" Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
--name="" Assign a name to the container
--net="bridge" Set the Network mode for the container
--oom-kill-disable=false Whether to disable OOM Killer for the container or not
-P, --publish-all=false Publish all exposed ports to random ports
-p, --publish=[] Publish a container's port(s) to the host
--pid="" PID namespace to use
--privileged=false Give extended privileges to this container
--read-only=false Mount the container's root filesystem as read only
--restart="no" Restart policy (no, on-failure[:max-retry], always)
--security-opt=[] Security options
-t, --tty=false Allocate a pseudo-TTY
--untrusted=true Skip image verification
-u, --user="" Username or UID
--ulimit=[] Ulimit options
--uts="" UTS namespace to use
-v, --volume=[] Bind mount a volume
--volumes-from=[] Mount volumes from the specified container(s)
-w, --workdir="" Working directory inside the container
-a, --attach=[] Attach to STDIN, STDOUT or STDERR
--add-host=[] Add a custom host-to-IP mapping (host:ip)
--blkio-weight=0 Block IO weight (relative weight)
-c, --cpu-shares=0 CPU shares (relative weight)
--cap-add=[] Add Linux capabilities
--cap-drop=[] Drop Linux capabilities
--cgroup-parent="" Optional parent cgroup for the container
--cidfile="" Write the container ID to the file
--cpu-period=0 Limit CPU CFS (Completely Fair Scheduler) period
--cpu-quota=0 Limit CPU CFS (Completely Fair Scheduler) quota
--cpuset-cpus="" CPUs in which to allow execution (0-3, 0,1)
--cpuset-mems="" Memory nodes (MEMs) in which to allow execution (0-3, 0,1)
--device=[] Add a host device to the container
--dns=[] Set custom DNS servers
--dns-search=[] Set custom DNS search domains
-e, --env=[] Set environment variables
--entrypoint="" Overwrite the default ENTRYPOINT of the image
--env-file=[] Read in a file of environment variables
--expose=[] Expose a port or a range of ports
-h, --hostname="" Container host name
--help=false Print usage
-i, --interactive=false Keep STDIN open even if not attached
--ipc="" IPC namespace to use
-l, --label=[] Set metadata on the container (e.g., --label=com.example.key=value)
--label-file=[] Read in a line delimited file of labels
--link=[] Add link to another container
--log-driver="" Logging driver for container
--log-opt=[] Log driver specific options
--lxc-conf=[] Add custom lxc options
-m, --memory="" Memory limit
--mac-address="" Container MAC address (e.g. 92:d0:c6:0a:29:33)
--memory-swap="" Total memory (memory + swap), '-1' to disable swap
--memory-swappiness="" Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
--name="" Assign a name to the container
--net="bridge" Set the Network mode for the container
--oom-kill-disable=false Whether to disable OOM Killer for the container or not
-P, --publish-all=false Publish all exposed ports to random ports
-p, --publish=[] Publish a container's port(s) to the host
--pid="" PID namespace to use
--privileged=false Give extended privileges to this container
--read-only=false Mount the container's root filesystem as read only
--restart="no" Restart policy (no, on-failure[:max-retry], always)
--security-opt=[] Security options
-t, --tty=false Allocate a pseudo-TTY
--disable-content-trust=true Skip image verification
-u, --user="" Username or UID
--ulimit=[] Ulimit options
--uts="" UTS namespace to use
-v, --volume=[] Bind mount a volume
--volumes-from=[] Mount volumes from the specified container(s)
-w, --workdir="" Working directory inside the container
The `docker create` command creates a writeable container layer over the
specified image and prepares it for running the specified command. The

4
docs/reference/commandline/pull.md
View file

@ -15,8 +15,8 @@ weight=1
Pull an image or a repository from the registry
-a, --all-tags=false Download all tagged images in the repository
--untrusted=true Skip image verification
-a, --all-tags=false Download all tagged images in the repository
--disable-content-trust=true Skip image verification
Most of your images will be created on top of a base image from the
[Docker Hub](https://hub.docker.com) registry.

2
docs/reference/commandline/push.md
View file

@ -15,7 +15,7 @@ weight=1
Push an image or a repository to the registry
--untrusted=true Skip image signing
--disable-content-trust=true Skip image signing
Use `docker push` to share your images to the [Docker Hub](https://hub.docker.com)
registry or to a self-hosted one.

110
docs/reference/commandline/run.md
View file

@ -15,61 +15,61 @@ weight=1
Run a command in a new container
-a, --attach=[] Attach to STDIN, STDOUT or STDERR
--add-host=[] Add a custom host-to-IP mapping (host:ip)
--blkio-weight=0 Block IO weight (relative weight)
-c, --cpu-shares=0 CPU shares (relative weight)
--cap-add=[] Add Linux capabilities
--cap-drop=[] Drop Linux capabilities
--cgroup-parent="" Optional parent cgroup for the container
--cidfile="" Write the container ID to the file
--cpu-period=0 Limit CPU CFS (Completely Fair Scheduler) period
--cpu-quota=0 Limit CPU CFS (Completely Fair Scheduler) quota
--cpuset-cpus="" CPUs in which to allow execution (0-3, 0,1)
--cpuset-mems="" Memory nodes (MEMs) in which to allow execution (0-3, 0,1)
-d, --detach=false Run container in background and print container ID
--device=[] Add a host device to the container
--dns=[] Set custom DNS servers
--dns-search=[] Set custom DNS search domains
-e, --env=[] Set environment variables
--entrypoint="" Overwrite the default ENTRYPOINT of the image
--env-file=[] Read in a file of environment variables
--expose=[] Expose a port or a range of ports
--group-add=[] Add additional groups to run as
-h, --hostname="" Container host name
--help=false Print usage
-i, --interactive=false Keep STDIN open even if not attached
--ipc="" IPC namespace to use
-l, --label=[] Set metadata on the container (e.g., --label=com.example.key=value)
--label-file=[] Read in a file of labels (EOL delimited)
--link=[] Add link to another container
--log-driver="" Logging driver for container
--log-opt=[] Log driver specific options
--lxc-conf=[] Add custom lxc options
-m, --memory="" Memory limit
--mac-address="" Container MAC address (e.g. 92:d0:c6:0a:29:33)
--memory-swap="" Total memory (memory + swap), '-1' to disable swap
--memory-swappiness="" Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
--name="" Assign a name to the container
--net="bridge" Set the Network mode for the container
--oom-kill-disable=false Whether to disable OOM Killer for the container or not
-P, --publish-all=false Publish all exposed ports to random ports
-p, --publish=[] Publish a container's port(s) to the host
--pid="" PID namespace to use
--privileged=false Give extended privileges to this container
--read-only=false Mount the container's root filesystem as read only
--restart="no" Restart policy (no, on-failure[:max-retry], always)
--rm=false Automatically remove the container when it exits
--security-opt=[] Security Options
--sig-proxy=true Proxy received signals to the process
-t, --tty=false Allocate a pseudo-TTY
-u, --user="" Username or UID (format: <name|uid>[:<group|gid>])
--ulimit=[] Ulimit options
--untrusted=true Skip image verification
--uts="" UTS namespace to use
-v, --volume=[] Bind mount a volume
--volumes-from=[] Mount volumes from the specified container(s)
-w, --workdir="" Working directory inside the container
-a, --attach=[] Attach to STDIN, STDOUT or STDERR
--add-host=[] Add a custom host-to-IP mapping (host:ip)
--blkio-weight=0 Block IO weight (relative weight)
-c, --cpu-shares=0 CPU shares (relative weight)
--cap-add=[] Add Linux capabilities
--cap-drop=[] Drop Linux capabilities
--cgroup-parent="" Optional parent cgroup for the container
--cidfile="" Write the container ID to the file
--cpu-period=0 Limit CPU CFS (Completely Fair Scheduler) period
--cpu-quota=0 Limit CPU CFS (Completely Fair Scheduler) quota
--cpuset-cpus="" CPUs in which to allow execution (0-3, 0,1)
--cpuset-mems="" Memory nodes (MEMs) in which to allow execution (0-3, 0,1)
-d, --detach=false Run container in background and print container ID
--device=[] Add a host device to the container
--dns=[] Set custom DNS servers
--dns-search=[] Set custom DNS search domains
-e, --env=[] Set environment variables
--entrypoint="" Overwrite the default ENTRYPOINT of the image
--env-file=[] Read in a file of environment variables
--expose=[] Expose a port or a range of ports
--group-add=[] Add additional groups to run as
-h, --hostname="" Container host name
--help=false Print usage
-i, --interactive=false Keep STDIN open even if not attached
--ipc="" IPC namespace to use
-l, --label=[] Set metadata on the container (e.g., --label=com.example.key=value)
--label-file=[] Read in a file of labels (EOL delimited)
--link=[] Add link to another container
--log-driver="" Logging driver for container
--log-opt=[] Log driver specific options
--lxc-conf=[] Add custom lxc options
-m, --memory="" Memory limit
--mac-address="" Container MAC address (e.g. 92:d0:c6:0a:29:33)
--memory-swap="" Total memory (memory + swap), '-1' to disable swap
--memory-swappiness="" Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
--name="" Assign a name to the container
--net="bridge" Set the Network mode for the container
--oom-kill-disable=false Whether to disable OOM Killer for the container or not
-P, --publish-all=false Publish all exposed ports to random ports
-p, --publish=[] Publish a container's port(s) to the host
--pid="" PID namespace to use
--privileged=false Give extended privileges to this container
--read-only=false Mount the container's root filesystem as read only
--restart="no" Restart policy (no, on-failure[:max-retry], always)
--rm=false Automatically remove the container when it exits
--security-opt=[] Security Options
--sig-proxy=true Proxy received signals to the process
-t, --tty=false Allocate a pseudo-TTY
-u, --user="" Username or UID (format: <name|uid>[:<group|gid>])
--ulimit=[] Ulimit options
--disable-content-trust=true Skip image verification
--uts="" UTS namespace to use
-v, --volume=[] Bind mount a volume
--volumes-from=[] Mount volumes from the specified container(s)
-w, --workdir="" Working directory inside the container
The `docker run` command first `creates` a writeable container layer over the
specified image, and then `starts` it using the specified command. That is,

6
integration-cli/docker_cli_create_test.go
View file

@ -294,7 +294,7 @@ func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) {
dockerCmd(c, "rmi", repoName)
// Try untrusted create to ensure we pushed the tag to the registry
createCmd = exec.Command(dockerBinary, "create", "--untrusted=true", repoName)
createCmd = exec.Command(dockerBinary, "create", "--disable-content-trust=true", repoName)
s.trustedCmd(createCmd)
out, _, err = runCommandWithOutput(createCmd)
if err != nil {
@ -302,7 +302,7 @@ func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) {
}
if !strings.Contains(string(out), "Status: Downloaded") {
c.Fatalf("Missing expected output on trusted create with --untrusted:\n%s", out)
c.Fatalf("Missing expected output on trusted create with --disable-content-trust:\n%s", out)
}
}
@ -366,7 +366,7 @@ func (s *DockerTrustSuite) TestCreateWhenCertExpired(c *check.C) {
runAtDifferentDate(elevenYearsFromNow, func() {
// Try create
createCmd := exec.Command(dockerBinary, "create", "--untrusted", repoName)
createCmd := exec.Command(dockerBinary, "create", "--disable-content-trust", repoName)
s.trustedCmd(createCmd)
out, _, err := runCommandWithOutput(createCmd)
if err != nil {

2
integration-cli/docker_cli_help_test.go
View file

@ -132,7 +132,7 @@ func (s *DockerSuite) TestHelpTextVerify(c *check.C) {
// Check each line for lots of stuff
lines := strings.Split(out, "\n")
for _, line := range lines {
if len(line) > 80 {
if len(line) > 90 {
c.Fatalf("Help for %q is too long(%d chars):\n%s", cmd,
len(line), line)
}

6
integration-cli/docker_cli_pull_test.go
View file

@ -174,7 +174,7 @@ func (s *DockerTrustSuite) TestTrustedPull(c *check.C) {
dockerCmd(c, "rmi", repoName)
// Try untrusted pull to ensure we pushed the tag to the registry
pullCmd = exec.Command(dockerBinary, "pull", "--untrusted=true", repoName)
pullCmd = exec.Command(dockerBinary, "pull", "--disable-content-trust=true", repoName)
s.trustedCmd(pullCmd)
out, _, err = runCommandWithOutput(pullCmd)
if err != nil {
@ -182,7 +182,7 @@ func (s *DockerTrustSuite) TestTrustedPull(c *check.C) {
}
if !strings.Contains(string(out), "Status: Downloaded") {
c.Fatalf("Missing expected output on trusted pull with --untrusted:\n%s", out)
c.Fatalf("Missing expected output on trusted pull with --disable-content-trust:\n%s", out)
}
}
@ -246,7 +246,7 @@ func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) {
runAtDifferentDate(elevenYearsFromNow, func() {
// Try pull
pullCmd := exec.Command(dockerBinary, "pull", "--untrusted", repoName)
pullCmd := exec.Command(dockerBinary, "pull", "--disable-content-trust", repoName)
s.trustedCmd(pullCmd)
out, _, err := runCommandWithOutput(pullCmd)
if err != nil {

8
integration-cli/docker_cli_push_test.go
View file

@ -182,15 +182,15 @@ func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C)
// tag the image and upload it to the private registry
dockerCmd(c, "tag", "busybox", repoName)
pushCmd := exec.Command(dockerBinary, "push", "--untrusted", repoName)
pushCmd := exec.Command(dockerBinary, "push", "--disable-content-trust", repoName)
s.trustedCmdWithServer(pushCmd, "example/")
out, _, err := runCommandWithOutput(pushCmd)
if err != nil {
c.Fatalf("trusted push with no server and --untrusted failed: %s\n%s", err, out)
c.Fatalf("trusted push with no server and --disable-content-trust failed: %s\n%s", err, out)
}
if strings.Contains(string(out), "Error establishing connection to notary repository") {
c.Fatalf("Missing expected output on trusted push with --untrusted:\n%s", out)
c.Fatalf("Missing expected output on trusted push with --disable-content-trust:\n%s", out)
}
}
@ -252,7 +252,7 @@ func (s *DockerTrustSuite) TestTrustedPushWithExistingSignedTag(c *check.C) {
}
if !strings.Contains(string(out), "Status: Downloaded") {
c.Fatalf("Missing expected output on trusted pull with --untrusted:\n%s", out)
c.Fatalf("Missing expected output on trusted pull with --disable-content-trust:\n%s", out)
}
}

6
integration-cli/docker_cli_run_test.go
View file

@ -2566,7 +2566,7 @@ func (s *DockerTrustSuite) TestTrustedRun(c *check.C) {
dockerCmd(c, "rmi", repoName)
// Try untrusted run to ensure we pushed the tag to the registry
runCmd = exec.Command(dockerBinary, "run", "--untrusted=true", repoName)
runCmd = exec.Command(dockerBinary, "run", "--disable-content-trust=true", repoName)
s.trustedCmd(runCmd)
out, _, err = runCommandWithOutput(runCmd)
if err != nil {
@ -2574,7 +2574,7 @@ func (s *DockerTrustSuite) TestTrustedRun(c *check.C) {
}
if !strings.Contains(string(out), "Status: Downloaded") {
c.Fatalf("Missing expected output on trusted run with --untrusted:\n%s", out)
c.Fatalf("Missing expected output on trusted run with --disable-content-trust:\n%s", out)
}
}
@ -2620,7 +2620,7 @@ func (s *DockerTrustSuite) TestRunWhenCertExpired(c *check.C) {
runAtDifferentDate(elevenYearsFromNow, func() {
// Try run
runCmd := exec.Command(dockerBinary, "run", "--untrusted", repoName)
runCmd := exec.Command(dockerBinary, "run", "--disable-content-trust", repoName)
s.trustedCmd(runCmd)
out, _, err := runCommandWithOutput(runCmd)
if err != nil {

10
integration-cli/trust_server.go
View file

@ -130,11 +130,11 @@ func (s *DockerTrustSuite) trustedCmdWithPassphrases(cmd *exec.Cmd, rootPwd, sna
func trustCmdEnv(cmd *exec.Cmd, server, rootPwd, snapshotPwd, targetPwd string) {
env := []string{
"DOCKER_TRUST=1",
fmt.Sprintf("DOCKER_TRUST_SERVER=%s", server),
fmt.Sprintf("DOCKER_TRUST_ROOT_PASSPHRASE=%s", rootPwd),
fmt.Sprintf("DOCKER_TRUST_SNAPSHOT_PASSPHRASE=%s", snapshotPwd),
fmt.Sprintf("DOCKER_TRUST_TARGET_PASSPHRASE=%s", targetPwd),
"DOCKER_CONTENT_TRUST=1",
fmt.Sprintf("DOCKER_CONTENT_TRUST_SERVER=%s", server),
fmt.Sprintf("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=%s", rootPwd),
fmt.Sprintf("DOCKER_CONTENT_TRUST_SNAPSHOT_PASSPHRASE=%s", snapshotPwd),
fmt.Sprintf("DOCKER_CONTENT_TRUST_TARGET_PASSPHRASE=%s", targetPwd),
}
cmd.Env = append(os.Environ(), env...)
}