diff --git a/api/client/trust.go b/api/client/trust.go index 8e3635da3c..b07cb79dc2 100644 --- a/api/client/trust.go +++ b/api/client/trust.go @@ -37,7 +37,7 @@ var untrusted bool func addTrustedFlags(fs *flag.FlagSet, verify bool) { var trusted bool - if e := os.Getenv("DOCKER_TRUST"); e != "" { + if e := os.Getenv("DOCKER_CONTENT_TRUST"); e != "" { if t, err := strconv.ParseBool(e); t || err != nil { // treat any other value as true trusted = true @@ -47,7 +47,7 @@ func addTrustedFlags(fs *flag.FlagSet, verify bool) { if verify { message = "Skip image verification" } - fs.BoolVar(&untrusted, []string{"-untrusted"}, !trusted, message) + fs.BoolVar(&untrusted, []string{"-disable-content-trust"}, !trusted, message) } func isTrusted() bool { @@ -79,7 +79,7 @@ func (cli *DockerCli) certificateDirectory(server string) (string, error) { } func trustServer(index *registry.IndexInfo) string { - if s := os.Getenv("DOCKER_TRUST_SERVER"); s != "" { + if s := os.Getenv("DOCKER_CONTENT_TRUST_SERVER"); s != "" { if !strings.HasPrefix(s, "https://") { return "https://" + s } @@ -178,9 +178,9 @@ func convertTarget(t client.Target) (target, error) { func (cli *DockerCli) getPassphraseRetriever() passphrase.Retriever { baseRetriever := passphrase.PromptRetrieverWithInOut(cli.in, cli.out) env := map[string]string{ - "root": os.Getenv("DOCKER_TRUST_ROOT_PASSPHRASE"), - "targets": os.Getenv("DOCKER_TRUST_TARGET_PASSPHRASE"), - "snapshot": os.Getenv("DOCKER_TRUST_SNAPSHOT_PASSPHRASE"), + "root": os.Getenv("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE"), + "targets": os.Getenv("DOCKER_CONTENT_TRUST_TARGET_PASSPHRASE"), + "snapshot": os.Getenv("DOCKER_CONTENT_TRUST_SNAPSHOT_PASSPHRASE"), } return func(keyName string, alias string, createNew bool, numAttempts int) (string, bool, error) { if v := env[alias]; v != "" { diff --git a/docs/reference/commandline/cli.md b/docs/reference/commandline/cli.md index b15dc1585d..e9503c108c 100644 --- a/docs/reference/commandline/cli.md 
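Review bot: After this rename nothing in `addTrustedFlags` reads the old `DOCKER_TRUST` variable, so an environment that still exports `DOCKER_TRUST=1` leaves `trusted` false. In the following hunk `--disable-content-trust` then defaults to `!trusted`, i.e. true, and images are pulled and run without signature verification and without any message. If a build that honoured the old name ever reached users or CI, that is a silent fail-open. I would keep the old name as a deprecated alias or warn when it is set, e.g. `if os.Getenv("DOCKER_TRUST") != "" { fmt.Fprintln(os.Stderr, "DOCKER_TRUST is ignored; set DOCKER_CONTENT_TRUST") }`. The function body continues past this hunk into the next one.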
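Review bot: `trustServer` has no doc comment describing how the `DOCKER_CONTENT_TRUST_SERVER` value is normalised, and the context lines show that any value not starting with `https://` gets that prefix prepended. A value such as `http://notary.example` (constructed) would therefore become `https://http://notary.example` and presumably fail later with an unrelated connection error. Now that the variable has its final name, I would add a comment such as `// DOCKER_CONTENT_TRUST_SERVER overrides the trust server; it is always contacted over HTTPS and a bare host[:port] gets the scheme prepended.` and consider rejecting other schemes with an explicit error. The rest of the function is outside this hunk.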
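Review bot: The `env` map key `"targets"` is plural, but the variable it reads is `DOCKER_CONTENT_TRUST_TARGET_PASSPHRASE`; since this commit fixes the public names, it is the cheapest moment to make the two agree or to say in a comment why they differ. The function also lacks a doc comment stating that these variables hold key passphrases in the process environment, where child processes inherit them, which matters most for the root key. A suggested comment is `// Passphrases from DOCKER_CONTENT_TRUST_*_PASSPHRASE are meant for non-interactive use; prefer the prompt for the root key.` The returned closure continues outside the hunk, so I cannot tell from here how a wrong environment passphrase interacts with `numAttempts`.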
+++ b/docs/reference/commandline/cli.md @@ -49,8 +49,8 @@ by the `docker` command line: unsuitable for Docker. * `DOCKER_RAMDISK` If set this will disable 'pivot_root'. * `DOCKER_TLS_VERIFY` When set Docker uses TLS and verifies the remote. -* `DOCKER_TRUST` When set Docker uses notary to sign and verify images. - Equates to `--untrusted=false` for build, create, pull, push, run. +* `DOCKER_CONTENT_TRUST` When set Docker uses notary to sign and verify images. + Equates to `--disable-content-trust=false` for build, create, pull, push, run. * `DOCKER_TMPDIR` Location for temporary Docker files. Because Docker is developed using 'Go', you can also use any environment diff --git a/docs/reference/commandline/create.md b/docs/reference/commandline/create.md index 3ba09e769f..8c093f18eb 100644 --- a/docs/reference/commandline/create.md +++ b/docs/reference/commandline/create.md 
@@ -17,57 +17,57 @@ Creates a new container. Create a new container - -a, --attach=[] Attach to STDIN, STDOUT or STDERR - --add-host=[] Add a custom host-to-IP mapping (host:ip) - --blkio-weight=0 Block IO weight (relative weight) - -c, --cpu-shares=0 CPU shares (relative weight) - --cap-add=[] Add Linux capabilities - --cap-drop=[] Drop Linux capabilities - --cgroup-parent="" Optional parent cgroup for the container - --cidfile="" Write the container ID to the file - --cpu-period=0 Limit CPU CFS (Completely Fair Scheduler) period - --cpu-quota=0 Limit CPU CFS (Completely Fair Scheduler) quota - --cpuset-cpus="" CPUs in which to allow execution (0-3, 0,1) - --cpuset-mems="" Memory nodes (MEMs) in which to allow execution (0-3, 0,1) - --device=[] Add a host device to the container - --dns=[] Set custom DNS servers - --dns-search=[] Set custom DNS search domains - -e, --env=[] Set environment variables - --entrypoint="" Overwrite the default ENTRYPOINT of the image - --env-file=[] Read in a file of environment variables - --expose=[] Expose a port or a range of ports - -h, --hostname="" Container host name - --help=false Print usage - -i, --interactive=false Keep STDIN open even if not attached - --ipc="" IPC namespace to use - -l, --label=[] Set metadata on the container (e.g., --label=com.example.key=value) - --label-file=[] Read in a line delimited file of labels - --link=[] Add link to another container - --log-driver="" Logging driver for container - --log-opt=[] Log driver specific options - --lxc-conf=[] Add custom lxc options - -m, --memory="" Memory limit - --mac-address="" Container MAC address (e.g. 92:d0:c6:0a:29:33) - --memory-swap="" Total memory (memory + swap), '-1' to disable swap - --memory-swappiness="" Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100. 
- --name="" Assign a name to the container - --net="bridge" Set the Network mode for the container - --oom-kill-disable=false Whether to disable OOM Killer for the container or not - -P, --publish-all=false Publish all exposed ports to random ports - -p, --publish=[] Publish a container's port(s) to the host - --pid="" PID namespace to use - --privileged=false Give extended privileges to this container - --read-only=false Mount the container's root filesystem as read only - --restart="no" Restart policy (no, on-failure[:max-retry], always) - --security-opt=[] Security options - -t, --tty=false Allocate a pseudo-TTY - --untrusted=true Skip image verification - -u, --user="" Username or UID - --ulimit=[] Ulimit options - --uts="" UTS namespace to use - -v, --volume=[] Bind mount a volume - --volumes-from=[] Mount volumes from the specified container(s) - -w, --workdir="" Working directory inside the container + -a, --attach=[] Attach to STDIN, STDOUT or STDERR + --add-host=[] Add a custom host-to-IP mapping (host:ip) + --blkio-weight=0 Block IO weight (relative weight) + -c, --cpu-shares=0 CPU shares (relative weight) + --cap-add=[] Add Linux capabilities + --cap-drop=[] Drop Linux capabilities + --cgroup-parent="" Optional parent cgroup for the container + --cidfile="" Write the container ID to the file + --cpu-period=0 Limit CPU CFS (Completely Fair Scheduler) period + --cpu-quota=0 Limit CPU CFS (Completely Fair Scheduler) quota + --cpuset-cpus="" CPUs in which to allow execution (0-3, 0,1) + --cpuset-mems="" Memory nodes (MEMs) in which to allow execution (0-3, 0,1) + --device=[] Add a host device to the container + --dns=[] Set custom DNS servers + --dns-search=[] Set custom DNS search domains + -e, --env=[] Set environment variables + --entrypoint="" Overwrite the default ENTRYPOINT of the image + --env-file=[] Read in a file of environment variables + --expose=[] Expose a port or a range of ports + -h, --hostname="" Container host name + --help=false Print 
usage + -i, --interactive=false Keep STDIN open even if not attached + --ipc="" IPC namespace to use + -l, --label=[] Set metadata on the container (e.g., --label=com.example.key=value) + --label-file=[] Read in a line delimited file of labels + --link=[] Add link to another container + --log-driver="" Logging driver for container + --log-opt=[] Log driver specific options + --lxc-conf=[] Add custom lxc options + -m, --memory="" Memory limit + --mac-address="" Container MAC address (e.g. 92:d0:c6:0a:29:33) + --memory-swap="" Total memory (memory + swap), '-1' to disable swap + --memory-swappiness="" Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100. + --name="" Assign a name to the container + --net="bridge" Set the Network mode for the container + --oom-kill-disable=false Whether to disable OOM Killer for the container or not + -P, --publish-all=false Publish all exposed ports to random ports + -p, --publish=[] Publish a container's port(s) to the host + --pid="" PID namespace to use + --privileged=false Give extended privileges to this container + --read-only=false Mount the container's root filesystem as read only + --restart="no" Restart policy (no, on-failure[:max-retry], always) + --security-opt=[] Security options + -t, --tty=false Allocate a pseudo-TTY + --disable-content-trust=true Skip image verification + -u, --user="" Username or UID + --ulimit=[] Ulimit options + --uts="" UTS namespace to use + -v, --volume=[] Bind mount a volume + --volumes-from=[] Mount volumes from the specified container(s) + -w, --workdir="" Working directory inside the container The `docker create` command creates a writeable container layer over the specified image and prepares it for running the specified command. The diff --git a/docs/reference/commandline/pull.md b/docs/reference/commandline/pull.md index ac119db792..53b0d4cb50 100644 --- a/docs/reference/commandline/pull.md +++ b/docs/reference/commandline/pull.md 
@@ -15,8 +15,8 @@ weight=1 Pull an image or a repository from the registry - -a, --all-tags=false Download all tagged images in the repository - --untrusted=true Skip image verification + -a, --all-tags=false Download all tagged images in the repository + --disable-content-trust=true Skip image verification Most of your images will be created on top of a base image from the [Docker Hub](https://hub.docker.com) registry. diff --git a/docs/reference/commandline/push.md b/docs/reference/commandline/push.md index 221ee05301..7f88887dc9 100644 --- a/docs/reference/commandline/push.md +++ b/docs/reference/commandline/push.md @@ -15,7 +15,7 @@ weight=1 Push an image or a repository to the registry - --untrusted=true Skip image signing + --disable-content-trust=true Skip image signing Use `docker push` to share your images to the [Docker Hub](https://hub.docker.com) registry or to a self-hosted one. diff --git a/docs/reference/commandline/run.md b/docs/reference/commandline/run.md index 955ba447e2..ab900d41b9 100644 --- a/docs/reference/commandline/run.md +++ b/docs/reference/commandline/run.md 
@@ -15,61 +15,61 @@ weight=1 Run a command in a new container - -a, --attach=[] Attach to STDIN, STDOUT or STDERR - --add-host=[] Add a custom host-to-IP mapping (host:ip) - --blkio-weight=0 Block IO weight (relative weight) - -c, --cpu-shares=0 CPU shares (relative weight) - --cap-add=[] Add Linux capabilities - --cap-drop=[] Drop Linux capabilities - --cgroup-parent="" Optional parent cgroup for the container - --cidfile="" Write the container ID to the file - --cpu-period=0 Limit CPU CFS (Completely Fair Scheduler) period - --cpu-quota=0 Limit CPU CFS (Completely Fair Scheduler) quota - --cpuset-cpus="" CPUs in which to allow execution (0-3, 0,1) - --cpuset-mems="" Memory nodes (MEMs) in which to allow execution (0-3, 0,1) - -d, --detach=false Run container in background and print container ID - --device=[] Add a host device to the container - --dns=[] Set custom DNS servers - --dns-search=[] Set custom DNS search domains - -e, --env=[] Set environment variables - --entrypoint="" Overwrite the default ENTRYPOINT of the image - --env-file=[] Read in a file of environment variables - --expose=[] Expose a port or a range of ports - --group-add=[] Add additional groups to run as - -h, --hostname="" Container host name - --help=false Print usage - -i, --interactive=false Keep STDIN open even if not attached - --ipc="" IPC namespace to use - -l, --label=[] Set metadata on the container (e.g., --label=com.example.key=value) - --label-file=[] Read in a file of labels (EOL delimited) - --link=[] Add link to another container - --log-driver="" Logging driver for container - --log-opt=[] Log driver specific options - --lxc-conf=[] Add custom lxc options - -m, --memory="" Memory limit - --mac-address="" Container MAC address (e.g. 92:d0:c6:0a:29:33) - --memory-swap="" Total memory (memory + swap), '-1' to disable swap - --memory-swappiness="" Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100. 
- --name="" Assign a name to the container - --net="bridge" Set the Network mode for the container - --oom-kill-disable=false Whether to disable OOM Killer for the container or not - -P, --publish-all=false Publish all exposed ports to random ports - -p, --publish=[] Publish a container's port(s) to the host - --pid="" PID namespace to use - --privileged=false Give extended privileges to this container - --read-only=false Mount the container's root filesystem as read only - --restart="no" Restart policy (no, on-failure[:max-retry], always) - --rm=false Automatically remove the container when it exits - --security-opt=[] Security Options - --sig-proxy=true Proxy received signals to the process - -t, --tty=false Allocate a pseudo-TTY - -u, --user="" Username or UID (format: [:]) - --ulimit=[] Ulimit options - --untrusted=true Skip image verification - --uts="" UTS namespace to use - -v, --volume=[] Bind mount a volume - --volumes-from=[] Mount volumes from the specified container(s) - -w, --workdir="" Working directory inside the container + -a, --attach=[] Attach to STDIN, STDOUT or STDERR + --add-host=[] Add a custom host-to-IP mapping (host:ip) + --blkio-weight=0 Block IO weight (relative weight) + -c, --cpu-shares=0 CPU shares (relative weight) + --cap-add=[] Add Linux capabilities + --cap-drop=[] Drop Linux capabilities + --cgroup-parent="" Optional parent cgroup for the container + --cidfile="" Write the container ID to the file + --cpu-period=0 Limit CPU CFS (Completely Fair Scheduler) period + --cpu-quota=0 Limit CPU CFS (Completely Fair Scheduler) quota + --cpuset-cpus="" CPUs in which to allow execution (0-3, 0,1) + --cpuset-mems="" Memory nodes (MEMs) in which to allow execution (0-3, 0,1) + -d, --detach=false Run container in background and print container ID + --device=[] Add a host device to the container + --dns=[] Set custom DNS servers + --dns-search=[] Set custom DNS search domains + -e, --env=[] Set environment variables + --entrypoint="" Overwrite 
the default ENTRYPOINT of the image + --env-file=[] Read in a file of environment variables + --expose=[] Expose a port or a range of ports + --group-add=[] Add additional groups to run as + -h, --hostname="" Container host name + --help=false Print usage + -i, --interactive=false Keep STDIN open even if not attached + --ipc="" IPC namespace to use + -l, --label=[] Set metadata on the container (e.g., --label=com.example.key=value) + --label-file=[] Read in a file of labels (EOL delimited) + --link=[] Add link to another container + --log-driver="" Logging driver for container + --log-opt=[] Log driver specific options + --lxc-conf=[] Add custom lxc options + -m, --memory="" Memory limit + --mac-address="" Container MAC address (e.g. 92:d0:c6:0a:29:33) + --memory-swap="" Total memory (memory + swap), '-1' to disable swap + --memory-swappiness="" Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100. + --name="" Assign a name to the container + --net="bridge" Set the Network mode for the container + --oom-kill-disable=false Whether to disable OOM Killer for the container or not + -P, --publish-all=false Publish all exposed ports to random ports + -p, --publish=[] Publish a container's port(s) to the host + --pid="" PID namespace to use + --privileged=false Give extended privileges to this container + --read-only=false Mount the container's root filesystem as read only + --restart="no" Restart policy (no, on-failure[:max-retry], always) + --rm=false Automatically remove the container when it exits + --security-opt=[] Security Options + --sig-proxy=true Proxy received signals to the process + -t, --tty=false Allocate a pseudo-TTY + -u, --user="" Username or UID (format: [:]) + --ulimit=[] Ulimit options + --disable-content-trust=true Skip image verification + --uts="" UTS namespace to use + -v, --volume=[] Bind mount a volume + --volumes-from=[] Mount volumes from the specified container(s) + -w, --workdir="" Working directory inside the 
container The `docker run` command first `creates` a writeable container layer over the specified image, and then `starts` it using the specified command. That is, diff --git a/integration-cli/docker_cli_create_test.go b/integration-cli/docker_cli_create_test.go index ec65a66d04..13b841e445 100644 --- a/integration-cli/docker_cli_create_test.go +++ b/integration-cli/docker_cli_create_test.go @@ -294,7 +294,7 @@ func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) { dockerCmd(c, "rmi", repoName) // Try untrusted create to ensure we pushed the tag to the registry - createCmd = exec.Command(dockerBinary, "create", "--untrusted=true", repoName) + createCmd = exec.Command(dockerBinary, "create", "--disable-content-trust=true", repoName) s.trustedCmd(createCmd) out, _, err = runCommandWithOutput(createCmd) if err != nil { @@ -302,7 +302,7 @@ func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) { } if !strings.Contains(string(out), "Status: Downloaded") { - c.Fatalf("Missing expected output on trusted create with --untrusted:\n%s", out) + c.Fatalf("Missing expected output on trusted create with --disable-content-trust:\n%s", out) } } @@ -366,7 +366,7 @@ func (s *DockerTrustSuite) TestCreateWhenCertExpired(c *check.C) { runAtDifferentDate(elevenYearsFromNow, func() { // Try create - createCmd := exec.Command(dockerBinary, "create", "--untrusted", repoName) + createCmd := exec.Command(dockerBinary, "create", "--disable-content-trust", repoName) s.trustedCmd(createCmd) out, _, err := runCommandWithOutput(createCmd) if err != nil { diff --git a/integration-cli/docker_cli_help_test.go b/integration-cli/docker_cli_help_test.go index 789132834d..311308359a 100644 --- a/integration-cli/docker_cli_help_test.go +++ b/integration-cli/docker_cli_help_test.go 
@@ -132,7 +132,7 @@ func (s *DockerSuite) TestHelpTextVerify(c *check.C) { // Check each line for lots of stuff lines := strings.Split(out, "\n") for _, line := range lines { - if len(line) > 80 { + if len(line) > 90 { c.Fatalf("Help for %q is too long(%d chars):\n%s", cmd, len(line), line) } diff --git a/integration-cli/docker_cli_pull_test.go b/integration-cli/docker_cli_pull_test.go index e9e8c39831..3e9da73f37 100644 --- a/integration-cli/docker_cli_pull_test.go +++ b/integration-cli/docker_cli_pull_test.go @@ -174,7 +174,7 @@ func (s *DockerTrustSuite) TestTrustedPull(c *check.C) { dockerCmd(c, "rmi", repoName) // Try untrusted pull to ensure we pushed the tag to the registry - pullCmd = exec.Command(dockerBinary, "pull", "--untrusted=true", repoName) + pullCmd = exec.Command(dockerBinary, "pull", "--disable-content-trust=true", repoName) s.trustedCmd(pullCmd) out, _, err = runCommandWithOutput(pullCmd) if err != nil { @@ -182,7 +182,7 @@ func (s *DockerTrustSuite) TestTrustedPull(c *check.C) { } if !strings.Contains(string(out), "Status: Downloaded") { - c.Fatalf("Missing expected output on trusted pull with --untrusted:\n%s", out) + c.Fatalf("Missing expected output on trusted pull with --disable-content-trust:\n%s", out) } } @@ -246,7 +246,7 @@ func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) { runAtDifferentDate(elevenYearsFromNow, func() { // Try pull - pullCmd := exec.Command(dockerBinary, "pull", "--untrusted", repoName) + pullCmd := exec.Command(dockerBinary, "pull", "--disable-content-trust", repoName) s.trustedCmd(pullCmd) out, _, err := runCommandWithOutput(pullCmd) if err != nil { diff --git a/integration-cli/docker_cli_push_test.go b/integration-cli/docker_cli_push_test.go index f9483c2848..ee9570a27e 100644 --- a/integration-cli/docker_cli_push_test.go +++ b/integration-cli/docker_cli_push_test.go 
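Review bot: Raising the limit in `len(line) > 90` loosens the help-width check for every command in order to fit one longer flag name, and the bare literal gives no hint why 90 was chosen. I would name it, e.g. `const maxHelpLineLen = 90 // widest flag is --disable-content-trust`, and include the limit in the `c.Fatalf` message so a failure states the bound it was checked against. The loop body continues outside this hunk.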
@@ -182,15 +182,15 @@ func (s *DockerTrustSuite) TestTrustedPushWithoutServerAndUntrusted(c *check.C) // tag the image and upload it to the private registry dockerCmd(c, "tag", "busybox", repoName) - pushCmd := exec.Command(dockerBinary, "push", "--untrusted", repoName) + pushCmd := exec.Command(dockerBinary, "push", "--disable-content-trust", repoName) s.trustedCmdWithServer(pushCmd, "example/") out, _, err := runCommandWithOutput(pushCmd) if err != nil { - c.Fatalf("trusted push with no server and --untrusted failed: %s\n%s", err, out) + c.Fatalf("trusted push with no server and --disable-content-trust failed: %s\n%s", err, out) } if strings.Contains(string(out), "Error establishing connection to notary repository") { - c.Fatalf("Missing expected output on trusted push with --untrusted:\n%s", out) + c.Fatalf("Missing expected output on trusted push with --disable-content-trust:\n%s", out) } } @@ -252,7 +252,7 @@ func (s *DockerTrustSuite) TestTrustedPushWithExistingSignedTag(c *check.C) { } if !strings.Contains(string(out), "Status: Downloaded") { - c.Fatalf("Missing expected output on trusted pull with --untrusted:\n%s", out) + c.Fatalf("Missing expected output on trusted pull with --disable-content-trust:\n%s", out) } } diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go index 210788c3b4..d836399fd0 100644 --- a/integration-cli/docker_cli_run_test.go +++ b/integration-cli/docker_cli_run_test.go @@ -2566,7 +2566,7 @@ func (s *DockerTrustSuite) TestTrustedRun(c *check.C) { dockerCmd(c, "rmi", repoName) // Try untrusted run to ensure we pushed the tag to the registry - runCmd = exec.Command(dockerBinary, "run", "--untrusted=true", repoName) + runCmd = exec.Command(dockerBinary, "run", "--disable-content-trust=true", repoName) s.trustedCmd(runCmd) out, _, err = runCommandWithOutput(runCmd) if err != nil { 
@@ -2574,7 +2574,7 @@ func (s *DockerTrustSuite) TestTrustedRun(c *check.C) { } if !strings.Contains(string(out), "Status: Downloaded") { - c.Fatalf("Missing expected output on trusted run with --untrusted:\n%s", out) + c.Fatalf("Missing expected output on trusted run with --disable-content-trust:\n%s", out) } } @@ -2620,7 +2620,7 @@ func (s *DockerTrustSuite) TestRunWhenCertExpired(c *check.C) { runAtDifferentDate(elevenYearsFromNow, func() { // Try run - runCmd := exec.Command(dockerBinary, "run", "--untrusted", repoName) + runCmd := exec.Command(dockerBinary, "run", "--disable-content-trust", repoName) s.trustedCmd(runCmd) out, _, err := runCommandWithOutput(runCmd) if err != nil { diff --git a/integration-cli/trust_server.go b/integration-cli/trust_server.go index d22e33291f..fbdb573f44 100644 --- a/integration-cli/trust_server.go +++ b/integration-cli/trust_server.go @@ -130,11 +130,11 @@ func (s *DockerTrustSuite) trustedCmdWithPassphrases(cmd *exec.Cmd, rootPwd, sna func trustCmdEnv(cmd *exec.Cmd, server, rootPwd, snapshotPwd, targetPwd string) { env := []string{ - "DOCKER_TRUST=1", - fmt.Sprintf("DOCKER_TRUST_SERVER=%s", server), - fmt.Sprintf("DOCKER_TRUST_ROOT_PASSPHRASE=%s", rootPwd), - fmt.Sprintf("DOCKER_TRUST_SNAPSHOT_PASSPHRASE=%s", snapshotPwd), - fmt.Sprintf("DOCKER_TRUST_TARGET_PASSPHRASE=%s", targetPwd), + "DOCKER_CONTENT_TRUST=1", + fmt.Sprintf("DOCKER_CONTENT_TRUST_SERVER=%s", server), + fmt.Sprintf("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=%s", rootPwd), + fmt.Sprintf("DOCKER_CONTENT_TRUST_SNAPSHOT_PASSPHRASE=%s", snapshotPwd), + fmt.Sprintf("DOCKER_CONTENT_TRUST_TARGET_PASSPHRASE=%s", targetPwd), } cmd.Env = append(os.Environ(), env...) }