snapshot key trust data unavailable. Has a notary repository been initialized? #762
Comments
@cyli @riyazdf @endophage Quick help should be helpful
So, looking at this page https://github.com/docker/docker/blob/master/api/client/trust.go But one thing to note: whenever I run the repository (private sandbox for testing this docker content trust), it gives me a lot of errors on the console I run it from (screenshot attached). The container runs but gets some errors like the one in the screenshot. Will it have anything to do with this error? Is this error because of improper initialization of the notary server or sandboxregistry?
hi @mkonakan: could you try adding
@riyazdf Thanks for the quick response. Seems the issue is with a 404 HTTP status?
Additionally, which version of notary client, server, and signer are you running?
It seems to be 404-ing when getting a snapshot key specifically, which is Could you also please attach the compose logs? Specifically the server and On Wednesday, June 1, 2016, mkonakan notifications@github.com wrote:
@riyazdf @cyli It seems to be getting the latest notary from the link in this command: "git clone -b trust-sandbox https://github.com/docker/notary.git", and also the distribution project from the link in "$ git clone https://github.com/docker/distribution.git"
@mkonakan oh oops sorry I missed the -b in the instructions. It's telling That should be getting you the latest version that should support it. On Wednesday, June 1, 2016, mkonakan notifications@github.com wrote:
@cyli It says fatal: repository 'trust-sandbox' does not exist when I try it without -b. With -b, it clones.
Er sorry, I wasn't clear - I meant without that branch argument entirely. On Wednesday, June 1, 2016, mkonakan notifications@github.com wrote:
@cyli I updated my base machine's hosts file based on the container names now. Is there something I am missing? Also, I am not sure why the server and signer containers are getting destroyed frequently. I am not making any changes to them. Known bug? Edit: Signer and server containers are getting destroyed after my pull attempt.
@mkonakan Apologies for the slow response, I am still trying to replicate. The best way to ensure the containers are destroyed is to You also shouldn't need the container names in your
@cyli that IP is my DNS address and it is doing a DNS lookup for the notaryserver address but I am not sure why it is failing. I am not sure about the necessity of issuing docker-compose down; I said that the containers are getting destroyed by themselves when I issue that pull command and I am not sure why they are getting destroyed.
@mkonakan So I've come across a couple issues so far with the doc:
If you've already addressed these and are still getting the error, please let me know. I'm still continuing on, but am on very slow hotel wifi, so it's slow going :)
Yes, still this issue
@mkonakan Hmm... is it possible you've encountered the same issue as #753? What happens if you
@mkonakan Thanks lots for trying content trust, and reporting these issues with the docs! Will definitely make that update. :)
@cyli I was just checking through this again. In later steps, there are also many things to be changed so that it would not confuse the people who are trying this.
Making these changes should be helpful for people who are trying to work with this latest version of docker content trust.
@mkonakan Thank you for all the suggestions! I will add those to the change.
@cyli I was also wondering about the necessity of step 7 in "testing malicious images" in that section. I do not think it is needed there, as we can check even without it that verification failed. Is there anything I am missing?
@mkonakan It's to prove that it will not download the image, and it will not be there when you do
@mkonakan Out of curiosity, do you have more than 2 DNS servers configured on the host? (I am trying to figure out why the
@cyli Haha, I was actually thinking of the reason for docker rmi from other angles... Didn't think that simple :P I do have only one DNS server. In my opinion the reason for the error is the Go resolver not looking at the hosts file to figure out the address of notaryserver and trying to resolve it on its own... I did not dig into it too much after this reasoning.
@cyli Did you make any changes to the tutorial on the website? I have done the changes mentioned above; it worked pretty well for some time and then it started giving me errors like attached. Also, the server and signer containers are getting killed automatically - not sure why. In between the docker ps commands in the screenshot I ran a compose up command to bring up the containers. Kindly help!
@innocentme1 No, no change to https://docs.docker.com/engine/security/trust/trust_sandbox/ moby/moby#23195 was just merged today, if that's what you're referring to, but that change is not reflected at https://docs.docker.com/engine/security/trust/trust_sandbox/ yet. If you are following the old instructions, everything should still work as before. I'm not sure what's causing the new network issues. :| Could you try giving the new instructions a shot, and see if that helps?
@cyli it shows no route to host when the containers are dead (as expected) and connection refused when the container is up.
Are containers continuing to kill themselves with the new On Monday, June 13, 2016, Innocentme notifications@github.com wrote:
@innocentme1 By removing the pipe to You may have to rebuild (
I did rebuild - let me give it a try again @cyli I am also trying the new instructions in parallel (Yeah, I have to make this setup live ASAP as it's highly critical for us here) and it gives me the following error. I am running compose version 1.7.1, which exceeds the minimum requirement mentioned by you in the instructions. error:
@innocentme1 There should not be any indentation in front of your "volumes" and "networks" declarations - they should be on the same indentation level as services, which should be none.
Just to be clear, also, the new instructions are for sandbox testing - if you want to get a live signing server up, you probably want a real DB with persistent data. In which case, you probably still want the compose file in the notary repo.
@cyli I rebuilt again and now below are the logs. This seems to be opening tcp to 10.5.74.105 on 3306. This IP is an internal virtual IP, seemingly a load balancer. I am not sure why it is dialing it on 3306 (3306 is the port we opened for mysql?)
dial tcp 10.5.74.105:3306: getsockopt: connection refused
Also, yeah, I knew that they are for sandbox testing. I am currently evaluating docker content trust itself and I am supposed to provide my report in 2-3 days, after which we might end up using this in our docker environment where we will set up our own notary.
@innocentme1 Yep, 3306 is indeed the mysql port. So if you do
@cyli Ahhh....yes...!
:| I think you're hitting the same weird DNS bug as #753. Which I've been asking around about, but no one else seems to be able to replicate (let me see if I can come up with a very simple test case that fails in the same way). In the meantime though, I think you might have to add the
I didn't notice much of a difference in my setup, but since docker-in-docker writes images to a docker volume, it might depend on your volume driver.
Yep, I remember - is the mysql address on your network new? Not sure why it worked before and just started failing recently.
I'm not sure when the next doc build for docker/docker is - I can submit a PR to the existing docs, but I'm not sure when they're rebuilt. I would also like to track down the
could you file a bug with docker/docker with your exact docker client/server details and ubuntu setup? They might have better ideas about what questions to ask to figure out what's causing this. I've been looking for issues which might match, but I haven't found any yet (I probably just don't know what I'm looking for)
I am not sure about that address being newly added. I tried this last night at home too but still the same issue. Sure, I will verify that and file it with docker/docker sometime this weekend. I have some important tasks to work on as the setup is up and running now. Also, I did make the changes in the compose files and rebuilt them. It works perfectly now :), so adding this GODEBUG to the run command is not helping, but adding it in the compose file and making the changes works well.
@innocentme1 Whenever you have free time. Thanks so much for your patience and perseverance. :)
@cyli thanks.
P.S: This TUF and the entire Notary architecture are really taking quite some time to understand. Any specific resource you would suggest for me to take a look at for an in-depth understanding of moving this Notary to a production environment and also rotating keys etc.?
@innocentme1 the TUF specification is a good place to start to understand how Notary is attempting to do things. There are some nitty-gritty implementation differences and we currently only support a non-configurable threshold of 1. We've also implemented a custom prioritization for traversing delegations (which the spec specifically leaves open for users to do) in docker, but the notary CLI will do a pre-order depth-first search of the delegation tree for a given target. You are correct that you just need to replace the keys and certs in /fixtures.
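The pre-order depth-first walk described in the comment above, as an added example that is not Notary's own code. The delegation tree is a constructed dict (role name, the targets it signs, the roles it delegates to) and the digests are placeholder strings; the two targets published by more than one role show how the visiting order decides which copy is returned. Signature verification and the per-delegation path restrictions a real TUF client enforces are left out.

```python
"""Pre-order depth-first walk of a TUF delegation tree.

Added example modelled on the traversal the comment above attributes to the
notary CLI; it is not Notary's own code. Roles are plain dicts
(constructed): each has a name, the targets it signs for, and the roles it
delegates to. Digests are placeholder strings, not real image digests.
"""
from typing import Optional, Tuple

# Constructed delegation tree. "v2.0" and "v3.0" are deliberately published
# by more than one role so the visiting order decides which copy wins.
SAMPLE_TREE = {
    "name": "targets",
    "targets": {"v1.0": "digest-top-v1"},
    "delegations": [
        {
            "name": "targets/releases",
            "targets": {"latest": "digest-rel-latest", "v2.0": "digest-rel-v2"},
            "delegations": [
                {
                    "name": "targets/releases/stable",
                    "targets": {"v3.0": "digest-stable-v3"},
                    "delegations": [],
                }
            ],
        },
        {
            "name": "targets/qa",
            "targets": {
                "v2.0": "digest-qa-v2",
                "nightly": "digest-qa-nightly",
                "v3.0": "digest-qa-v3",
            },
            "delegations": [],
        },
    ],
}


def find_target(
    role: dict, target: str, path: Tuple[str, ...] = ()
) -> Optional[Tuple[Tuple[str, ...], str]]:
    """Return (role path, digest) for the first role, in pre-order, that signs `target`.

    Pre-order means a role's own targets are consulted before any of its
    delegates, and a delegate's whole subtree is exhausted before moving on
    to the next sibling. Returns None when no role in the tree knows the target.
    """
    here = path + (role["name"],)
    if target in role.get("targets", {}):
        return here, role["targets"][target]
    for child in role.get("delegations", []):
        found = find_target(child, target, here)
        if found is not None:
            return found
    return None


if __name__ == "__main__":
    for name in ("v1.0", "v2.0", "v3.0", "nightly", "v9.9"):
        print(name, "->", find_target(SAMPLE_TREE, name))
```

With this tree "v2.0" resolves to targets/releases rather than targets/qa, and "v3.0" to targets/releases/stable, because the whole releases subtree is visited before the qa sibling; a different prioritization (the kind the comment says docker layers on top) would change which delegate's digest is trusted for the same name.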
@endophage: I did go through it and it took quite some time to understand everything. It is fine in my head now but the way Docker implemented it via Notary is a little confusing to me now. I will try to figure that out. Also, I am yet to research the delegations part. That's next on my to-do list. Your reply answered my second question but not the first one. Can you throw some light on it too?
I'll do my best to answer your key rotation question. The client and server do not synchronize keys. The client holds some private keys (always root and targets, sometimes snapshot) and the server holds the others (always timestamp, sometimes snapshot). Currently we only support the rotation of keys held by the client (we have started work on rotating keys held by the server), and the transfer of snapshot signing responsibility between the server and client (if the client owns the snapshot key it can be rotated; if the server owns the snapshot key, currently it cannot be rotated). When you rotate a key held on the client, a new keypair is generated, the existing public key is removed from the appropriate role in root.json, and the newly generated public key is assigned to that role in root.json. If it is the special case of the root key being rotated, the old root role is saved in root.json as
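The root.json bookkeeping described in the comment above, as an added example that is not Notary's code. It applies the stated rules to a minimal root.json-shaped document: the rotated role's old public key is removed and the new one assigned, only client-held keys may be rotated (the timestamp key never; the snapshot key only when it is not server-managed, which is what the `--server-managed=false` flag later in the thread selects), and the threshold is fixed at 1. Key material is stand-in bytes rather than a real key, and key IDs follow the TUF convention of hashing the canonical JSON of the public-key object (a simplification assumed here). The root-key special case is cut off on the page and is not modelled.

```python
"""Client-side key rotation applied to a root.json-shaped document.

Added example, not Notary's code. Follows the rules given in the comment
above: the rotated role's old public key leaves root.json, the new public
key takes its place, and only keys the client holds can be rotated (the
server-held timestamp key never, the snapshot key only when it is not
server-managed). Key material is stand-in bytes, not a real key; key IDs
hash the canonical JSON of the public-key object (assumption: simplified).
"""
import copy
import hashlib
import json
import os

SERVER_HELD = {"timestamp"}  # always held by the server, per the thread


def canonical_json(obj) -> bytes:
    # Sorted keys and no whitespace stand in for TUF canonical JSON.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def key_id(public_key: dict) -> str:
    return hashlib.sha256(canonical_json(public_key)).hexdigest()


def make_public_key(raw: bytes) -> dict:
    # Constructed stand-in for a public key record; `raw` is not a real key.
    return {"keytype": "ed25519-stub", "keyval": {"public": raw.hex()}}


def new_root(role_keys: dict) -> dict:
    """Build a minimal root.json: one key per role, threshold fixed at 1."""
    root = {"_type": "Root", "version": 1, "keys": {}, "roles": {}}
    for role, pub in role_keys.items():
        kid = key_id(pub)
        root["keys"][kid] = pub
        root["roles"][role] = {"keyids": [kid], "threshold": 1}
    return root


def rotate_key(root: dict, role: str, new_pub: dict,
               snapshot_server_managed: bool = True) -> dict:
    """Return a new root document with `role` re-keyed to `new_pub`.

    Raises PermissionError for roles the client does not hold, mirroring the
    restriction described above. Other roles keep their keys, and the input
    document is left unmodified so the caller still has the previous version.
    """
    if role in SERVER_HELD or (role == "snapshot" and snapshot_server_managed):
        raise PermissionError(
            f"{role} key is held by the server; it cannot be rotated from the client")
    if role not in root["roles"]:
        raise KeyError(role)
    updated = copy.deepcopy(root)
    for old_id in updated["roles"][role]["keyids"]:
        # Drop the old public key unless another role still references it.
        still_used = any(old_id in r["keyids"]
                         for name, r in updated["roles"].items() if name != role)
        if not still_used:
            del updated["keys"][old_id]
    new_id = key_id(new_pub)
    updated["keys"][new_id] = new_pub
    updated["roles"][role]["keyids"] = [new_id]
    updated["version"] += 1
    return updated


if __name__ == "__main__":
    # Constructed demo: fresh stand-in keys for all four roles, then rotate targets.
    root = new_root({r: make_public_key(os.urandom(32))
                     for r in ("root", "targets", "snapshot", "timestamp")})
    rotated = rotate_key(root, "targets", make_public_key(os.urandom(32)))
    print(json.dumps(rotated["roles"], indent=2))
```

The version bump matters for the same reason the comment's description does: a client that already cached the old root.json only accepts the re-keyed document as a newer version of the same trust root, which is what stops a stale or replayed root.json from reintroducing the retired key.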
@endophage sounds good as of now. Will let you know as I move on. Also, in case I am using docker hub instead of registries for storing my signed images, do I need to add any env variable like "export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443" which we do for registries? I tried without and with giving "notary.docker.io" but it gives me an error like "Error establishing connection to notary repository: failed to create private key store in directory:" Am I missing something?
If you are using the
@endophage I did already input that flag even in the docker CLI and it still gives me the error. Below for reference mkonakan@ubuntu: Edit: I am able to telnet to notary.docker.io on 443.
That looks more like there's a permissions problem with your ~/.docker directory. Could you post the output of
It is indeed a permission issue. Rectified. Sorry. What confused me is the statement "Error establishing connection to notary repository" before the "failed to create....." Why would it fail establishing a connection because of permissions? :/ I think a little clearer statement would be good.
Yeah, I think that
hmm. I am a little confused on the rotating keys part. I just pushed a signed repository to my docker hub and then I am trying to rotate the keys. The command "notary key list" says "no signing keys found" even though I have all the keys in my ./docker/trust.... folder. Attached is just a reference - it also has target keys etc. Only if I am able to list them can I get the GUN and then rotate them, right?
Try Notary is an independent project from Docker and by default puts all data in the ~/.notary directory. It's necessary to point it at the ~/.docker/trust directory to see docker related trust data.
@endophage Sorry for the delayed response and thanks for helping me all the time.
This also means that the key is not rotated, because I tested it as below:
notary -d ~/.docker/trust/ key rotate docker.io/mkonakan/wordpress targets --server-managed=false
* fatal: client is offline
@innocentme1 Can you try running the notary command with a
@cyli Hey, below are the messages of interest:
ERRO[0000] could not reach https://notary-server:4443: Get https://notary-server:4443/v2/: dial tcp: lookup notary-server on 127.0.1.1:53: no such host
Surprised. Do I need to change this host address somewhere? Add some config file or something?
@innocentme1 Are you using the trustsandbox (new instructions) setup? (e.g. are you executing the notary commands from within the trustsandbox container? If so, I think we linked that one as notaryserver, not notary-server.)
@cyli figured out the issue. Thanks! I am running on my base machine and I passed the trust server address with the -s flag and it works fine now!
I am trying to test the docker content feature with the help of the instructions at https://docs.docker.com/engine/security/trust/trust_sandbox/. (When I tried last time, everything worked well.) So, I made almost everything work but am stumbling upon a new issue now. I ran the container linked with the notary server etc. (exactly as per the instructions on the above link). When I am trying to push the image it is giving me the error:
"Error: trust data missing for remote repository sandboxregistry:5000/test/trusttest or remote repository not found: snapshot key trust data unavailable. Has a notary repository been initialized?"
My notary server is initialized - screenshot attached. Can someone help me in solving this issue?
I did not make any changes in the notary and it is exactly as per the instructions on the website. I saw this post - https://forums.docker.com/t/cant-get-notary-content-trust-delegation-to-work/9029/9 but I still could not resolve it.