Add info about image resolution with content trust #1065
mdlinville merged 1 commit into docker:vnext-engine from mdlinville:service_create_with_content_trust
This LGTM - cc @aaronlehmann who added this fix.
engine/swarm/services.md (outdated diff)
| or your registry. You can force the service to use a specific version of | ||
| the image in a few different ways, depending on your desired outcome. | ||
| or your registry, or using Notary if content trust is enabled. See the | ||
| [note about content trust](#image_resolution_with_trust).You can force the |
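Review bot: the added sentence runs two ideas together (where the image is pulled from, and Notary when content trust is enabled), and the link is immediately followed by "You can force the" with no space, so the two sentences collide. Suggest ending the first sentence at "your registry", then a separate sentence such as "If content trust is enabled, the docker client uses Notary to verify the tag before it is used; see the [note about content trust](#image_resolution_with_trust)." with a space before "You can force the".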
I think the sentence about creating a service is becoming long, and mixes different concepts.
The original sentence was saying that if you omit a tag, it will be treated as <image>:latest. Instead of saying "the latest version", I'd change this to say "the latest tag", since :latest may not actually be the most recent version.
We also want to say that if content trust is enabled, Notary is used to authenticate the tags. This happens whether you specify a custom tag, or use the default of latest.
There's a missing period after the link to the note.
Addressed the feedback by removing the links to the note, and just having the note at the bottom. I think it's more clear that way. Let me know what you think.
engine/swarm/services.md (outdated diff)
| - If you specify a tag, the manager resolves that tag to a digest, and directs | ||
| workers to uses that version. | ||
| - If you specify a tag, the manager resolves that tag to a digest. If you are | ||
| using [content trust](#image_resolution_with_trust), Notary verifies that the |
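Review bot: the new bullet still opens with "the manager resolves that tag to a digest" and then appends the content-trust case, but when content trust is enabled it is the docker client that resolves the tag through Notary and verifies the signature, not the manager, so the bullet contradicts the note it links to. Suggest phrasing it without naming who resolves: "If you specify a tag, it is resolved to the digest it points to at the time the service is created. If content trust is enabled, the docker client uses Notary to verify that the tag is signed and to resolve it." The removed line's "directs workers to uses that version" typo disappears with the rewrite, which is fine.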
Maybe we should say "the docker client" instead of "Notary"? Or "the docker client uses notary to verify..."? It both verifies that it is signed and also resolves the tag to a digest. The manager does not resolve the tag in this case (if content trust is enabled). This is mentioned in the note already, though, so not sure if that would be repetitive and/or we should just mention it here, rather than the note.
Also, wondering if we should link to https://docs.docker.com/engine/security/trust/content_trust/ when saying "signed" so users can look up more detail about how that works?
Update: Ah right, sorry, that note goes with https://github.com/docker/docker.github.io/pull/1065/files#diff-77d91a1ccd7779ca36fd0f5a1cfd5353R127.
Hm... maybe that sentence can say something like: "When you create a service, if you don't specify a digest directly, the image's tag gets resolved to the specific digest it points to at the time of service creation..." ? Thus avoiding the manager vs client resolution in that sentence.
@cyli can you give this another look-over? I think I addressed your feedback.
Add docker registry reference
Proposed changes: Added info about how image resolution works when content trust is enabled
Unreleased project version (optional): Engine 1.13
Fixes #1004
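The behaviour the reviewed bullets and this PR describe (a tag is pinned to a digest once, at service creation; with content trust on, the docker client resolves it through Notary and refuses unsigned tags) is easy to state but easy to get wrong in practice. The following is an added example written for this page, not code from Docker, docker.github.io or the PR: it models the two resolution paths with an in-memory registry and an in-memory Notary target list. `REGISTRY`, `NOTARY`, `fake_digest`, `parse_ref`, `resolve_at_create` and the constructed digests are all assumptions of the example, and the reference grammar is a simplification of the one Docker uses (no registry host:port prefix).

```python
import hashlib
import re

# Simplified image reference grammar (assumption, loosely after Docker's
# reference package): repo[:tag][@sha256:<64 hex>]. Tag defaults to "latest".
_REF = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9._/-]*?)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_ref(ref):
    """Split an image reference into (name, tag, digest); tag defaults to 'latest'."""
    m = _REF.match(ref)
    if not m:
        raise ValueError("invalid image reference: %r" % ref)
    return m.group("name"), m.group("tag") or "latest", m.group("digest")


def fake_digest(label):
    """Constructed digest for the sample data below; not a real image digest."""
    return "sha256:" + hashlib.sha256(label.encode()).hexdigest()


def registry_tag_digest(registry, name, tag):
    """Registry-side tag lookup: what the swarm manager does when content trust
    is off. The dict stands in for a manifest request to the registry."""
    if (name, tag) not in registry:
        raise LookupError("%s:%s not found in registry" % (name, tag))
    return registry[(name, tag)]


def notary_tag_digest(notary, name, tag):
    """Notary-side lookup: what the docker client does when DOCKER_CONTENT_TRUST
    is set. Only signed targets are accepted; an unsigned tag is an error,
    it is never silently resolved against the registry instead."""
    targets = notary.get(name, {})
    if tag not in targets:
        raise PermissionError("no signed trust data for %s:%s" % (name, tag))
    return targets[tag]


def resolve_at_create(ref, registry, notary, content_trust):
    """Pin `ref` the way service creation does: an explicit digest is kept as
    is; otherwise the tag is resolved exactly once, by the client via Notary
    when content trust is on, else by the manager via the registry. Returns
    the pinned reference that ends up in the service spec."""
    name, tag, digest = parse_ref(ref)
    if digest is not None:
        return ref  # already pinned; nothing to resolve
    if content_trust:
        digest = notary_tag_digest(notary, name, tag)
    else:
        digest = registry_tag_digest(registry, name, tag)
    return "%s:%s@%s" % (name, tag, digest)


# Constructed sample state: registry tag -> digest, and Notary signed targets.
# nginx:1.11 is signed; nginx:latest exists in the registry but is unsigned.
REGISTRY = {("nginx", "latest"): fake_digest("nginx-v1"),
            ("nginx", "1.11"): fake_digest("nginx-1.11")}
NOTARY = {"nginx": {"1.11": fake_digest("nginx-1.11")}}


def demo():
    """Walk through the three cases and show that a later tag move does not
    affect an already-created service. Returns the observed results."""
    registry = dict(REGISTRY)
    # No content trust: the manager resolves :latest against the registry.
    untrusted = resolve_at_create("nginx", registry, NOTARY, content_trust=False)
    # Content trust on: the client resolves a signed tag through Notary.
    trusted = resolve_at_create("nginx:1.11", registry, NOTARY, content_trust=True)
    # Content trust on, unsigned tag: creation fails instead of falling back.
    try:
        resolve_at_create("nginx", registry, NOTARY, content_trust=True)
        latest_rejected = False
    except PermissionError:
        latest_rejected = True
    # Someone re-points :latest afterwards; the pinned service spec is unchanged.
    registry[("nginx", "latest")] = fake_digest("nginx-v2")
    still_pinned = untrusted == "nginx:latest@" + fake_digest("nginx-v1")
    return untrusted, trusted, latest_rejected, still_pinned


if __name__ == "__main__":
    for label, value in zip(("untrusted", "trusted", "latest_rejected", "still_pinned"), demo()):
        print("%s: %s" % (label, value))
```

The point the PR text makes is the last case: because the digest is captured at creation time, new tasks keep running the original image even after the tag moves, and with content trust enabled the only way a tag can be pinned at all is if Notary has a signature for it.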