opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-02 02:26:52 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
podman/docs/podman-image-trust.1.md
Ed Santiago beb71323b1 man pages - consistency fixes 
podman-generate and -play had the wrong NAMEs.

podman-restart and -volume-prune the wrong SYNOPSIS.

All the rest are varying degrees of minor:

  - missing a space between the NAME and description
  - multi-line SYNOPSIS that could be collapsed into one
  - use of UPPER CASE in synopsis instead of *asterisks*
  - improper use of **double asterisks** for options
  - varlink and version were transposed in podman-1
  - fixed inconsistencies between the description in
    the man page and that in the parent manpage. These
    are too numerous for me to fix all.

Added: script that could be used in CI to prevent future
such inconsistencies. It cannot be enabled yet because
there are still 35+ inconsistencies in need of cleaning.

This will be difficult to review on github. I suggest
pulling the PR and running 'git log -1 -p | cdif | less'

'cdif' is a handy tool for colorizing individual diffs between
lines:

   http://kaz-utashiro.github.io/cdif/

There are other such tools; use your favorite. Comparing
without visual highlights may be painful.

I also encourage you to run hack/man-page-checker and suggest
more fixes for the problems it's finding.

Signed-off-by: Ed Santiago <santiago@redhat.com>
2019-03-20 14:37:59 -06:00

3.2 KiB
Raw Blame History

% podman-image-trust "1"

NAME

podman-image-trust - Manage container registry image trust policy

SYNOPSIS

podman image trust set|show [-h|--help] [-j|--json] [--raw] [-f|--pubkeysfile KEY1 [-f|--pubkeysfile KEY2,...]] [-t|--type signedBy|accept|reject] REGISTRY[/REPOSITORY]

DESCRIPTION

Manages which registries you trust as a source of container images based on its location. The location is determined by the transport and the registry host of the image. Using this container image docker://docker.io/library/busybox as an example, docker is the transport and docker.io is the registry host.

Trust is defined in /etc/containers/policy.json and is enforced when a user attempts to pull a remote image from a registry. The trust policy in policy.json describes a registry scope (registry and/or repository) for the trust. This trust can use public keys for signed images.

The scope of the trust is evaluated from most specific to the least specific. In other words, a policy may be defined for an entire registry. Or it could be defined for a particular repository in that registry. Or it could be defined down to a specific signed image inside of the registry.

For example, the following list includes valid scope values that could be used in policy.json from most specific to the least specific:

docker.io/library/busybox:notlatest docker.io/library/busybox docker.io/library docker.io

If no configuration is found for any of these scopes, the default value (specified by using "default" instead of REGISTRY[/REPOSITORY]) is used.

Trust type provides a way to:

Whitelist ("accept") or Blacklist ("reject") registries or Require signature (“signedBy”).

Trust may be updated using the command podman image trust set for an existing trust scope.

OPTIONS

-h --help Print usage statement.

-f --pubkeysfile A path to an exported public key on the local system. Key paths will be referenced in policy.json. Any path to a file may be used but locating the file in /etc/pki/containers is recommended. Options may be used multiple times to require an image be signed by multiple keys. The --pubkeysfile option is required for the signedBy type.

-t --type The trust type for this policy entry. Accepted values: signedBy (default): Require signatures with corresponding list of public keys accept: do not require any signatures for this registry scope reject: do not accept images for this registry scope

show OPTIONS

--raw Output trust policy file as raw JSON

-j --json Output trust as JSON for machine parsing

EXAMPLES

Accept all unsigned images from a registry

sudo podman image trust set --type accept docker.io

Modify default trust policy

sudo podman image trust set -t reject default

Display system trust policy

sudo podman image trust show

Display trust policy file

sudo podman image trust show --raw

Display trust as JSON

sudo podman image trust show --json

SEE ALSO

policy-json(5)

HISTORY

January 2019, updated by Tom Sweeney (tsweeney at redhat dot com) December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)