diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/podman-image-trust.1.md | 81 | ||||
| -rw-r--r-- | docs/podman-image.1.md | 1 | ||||
| -rw-r--r-- | docs/tutorials/podman_tutorial.md | 6 |
3 files changed, 88 insertions, 0 deletions
diff --git a/docs/podman-image-trust.1.md b/docs/podman-image-trust.1.md new file mode 100644 index 000000000..24209698c --- /dev/null +++ b/docs/podman-image-trust.1.md @@ -0,0 +1,81 @@ +% podman-image-trust "1" + +# NAME +podman\-trust - Manage container image trust policy + + +# SYNOPSIS +**podman image trust set|show** +[**-h**|**--help**] +[**-j**|**--json**] +[**--raw**] +[**-f**|**--pubkeysfile** KEY1 [**f**|**--pubkeysfile** KEY2,...]] +[**-t**|**--type** signedBy|accept|reject] +REGISTRY[/REPOSITORY] + +# DESCRIPTION +Manages the trust policy of the host system. Trust policy describes +a registry scope (registry and/or repository) that must be signed by public keys. Trust +is defined in **/etc/containers/policy.json**. Trust is enforced when a user attempts to pull +an image from a registry. + +Trust scope is evaluated by most specific to least specific. In other words, policy may +be defined for an entire registry, but refined for a particular repository in that +registry. See below for examples. + +Trust **type** provides a way to whitelist ("accept") or blacklist +("reject") registries. + +Trust may be updated using the command **podman image trust set** for an existing trust scope. + +# OPTIONS +**-h** **--help** + Print usage statement. + +**-f** **--pubkeysfile** + A path to an exported public key on the local system. Key paths + will be referenced in policy.json. Any path may be used but path + **/etc/pki/containers** is recommended. Option may be used multiple times to + require an image be sigend by multiple keys. One of **--pubkeys** or + **--pubkeysfile** is required for **signedBy** type. + +**-t** **--type** + The trust type for this policy entry. Accepted values: + **signedBy** (default): Require signatures with corresponding list of + public keys + **accept**: do not require any signatures for this + registry scope + **reject**: do not accept images for this registry scope + +# show OPTIONS + +**--raw** + Output trust policy file as raw JSON + +**-j** **--json** + Output trust as JSON for machine parsing + +# EXAMPLES + +Accept all unsigned images from a registry + + podman image trust set --type accept docker.io + +Modify default trust policy + + podman image trust set -t reject default + +Display system trust policy + + podman image trust show + +Display trust policy file + + podman image trust show --raw + +Display trust as JSON + + podman image trust show --json + +# HISTORY +December 2018, originally compiled by Qi Wang (qiwan at redhat dot com) diff --git a/docs/podman-image.1.md b/docs/podman-image.1.md index 8b812af11..8aa7cee64 100644 --- a/docs/podman-image.1.md +++ b/docs/podman-image.1.md @@ -26,6 +26,7 @@ The image command allows you to manage images | rm | [podman-rm(1)](podman-rmi.1.md) | Removes one or more locally stored images. | | save | [podman-save(1)](podman-save.1.md) | Save an image to docker-archive or oci. | | tag | [podman-tag(1)](podman-tag.1.md) | Add an additional name to a local image. | +| trust | [podman-image-trust(1)](podman-image-trust.1.md) | Manage container image trust policy. ## SEE ALSO podman diff --git a/docs/tutorials/podman_tutorial.md b/docs/tutorials/podman_tutorial.md index 659973b28..f8332c820 100644 --- a/docs/tutorials/podman_tutorial.md +++ b/docs/tutorials/podman_tutorial.md @@ -84,6 +84,12 @@ cd $GOPATH/src/github.com/containernetworking/plugins sudo mkdir -p /usr/libexec/cni sudo cp bin/* /usr/libexec/cni ``` +#### Installing CNI config +Add a most basic network config +```console +mkdir -p /etc/cni/net.d +curl -qsSL https://raw.githubusercontent.com/containers/libpod/master/cni/87-podman-bridge.conflist | tee /etc/cni/net.d/99-loopback.conf +``` #### Installing runc ```console git clone https://github.com/opencontainers/runc.git $GOPATH/src/github.com/opencontainers/runc |