Questions tagged [docker-container-trust]

6 questions
3
votes
1 answer

How to list all of the known root keys in docker (Docker Content Trust)

How can I list all of the Docker Content Trust root keys on my system? I am setting up a CI process that will use the debian:stable-latest docker image to build my application's releases in ephemeral cloud instances. I want to make sure that every…
2
votes
2 answers

Security of untrusted Docker containers

If I want to run untrusted code inside a Docker container, or an untrusted Docker container for that matter, how can I restrict it? I'd like to make sure it has no access to the host filesystem. Ideally I'd like it to have limited network access:…
2
votes
3 answers

How can I pass secrets to a compromised container without the attacker being able to see them?

The most common method of passing secrets to a docker container is through ENVs. The problem is: Imagine that your docker container is hosting an HTTP server that can have a security exploit (like any software), that will give almost command line…
2
votes
1 answer

Securing docker containers on private LAN

I am using docker to run a few server apps on a Raspberry Pi with ports exposed to the open internet. If an attacker were to successfully infiltrate my docker containers, I would like to be certain that they cannot access other devices on my…
0
votes
0 answers

Docker: How to download & verify a publisher's root key (out-of-band, distinct-domain cryptographic verification, WoT)

For a given publisher of docker images on Docker Hub (let's say debian), how do I download their root release/image signing key and verify its authenticity from multiple sources out-of-band from each other? Though it doesn't appear to be covered in…
0
votes
1 answer

How to pin public root key when downloading an image with docker pull (Docker Content Trust)?

How can I execute docker pull (with Docker Content Trust enabled) such that it fails if the image doesn't have a valid signature using the private key corresponding to (or subordinate to) the public key that I provide? I just discovered that, in…