If you want to configure a private on-premises Docker container registry for VMware Blockchain Orchestrator, you can download the trusted VMware images from the VMware repository and have Docker verify the notary server signatures.

Note:

If you do not want to use the default container registry with the trusted VMware images, complete the steps listed to customize a private on-premises Docker container registry.

A Docker container registry secures access to your trusted images because the registry natively supports TLS and basic authentication. The notary server manages trusted images that are digitally signed, so that the integrity and origin of their content can be verified.

Procedure

  1. (Optional) Enable Docker content trust for the notary server signature verification.
    export DOCKER_CONTENT_TRUST_SERVER="https://local.notary.<URL>.com"
    export DOCKER_CONTENT_TRUST=1
  2. Download the trusted images from the VMware repository for your private Docker container registry.
    docker login https://vmwaresaas.jfrog.io/vmwblockchain -u <username> -p <password>
    docker pull vmwaresaas.jfrog.io/vmwblockchain/agent:1.7.0.0.55
    docker pull vmwaresaas.jfrog.io/vmwblockchain/concord-core:1.7.0.0.55
    docker pull vmwaresaas.jfrog.io/vmwblockchain/operator:1.7.0.0.55
    docker pull vmwaresaas.jfrog.io/vmwblockchain/daml-execution-engine:1.7.0.0.55
    docker pull vmwaresaas.jfrog.io/vmwblockchain/daml-index-db:1.7.0.0.55
    docker pull vmwaresaas.jfrog.io/vmwblockchain/daml-ledger-api:1.7.0.0.55
    docker pull vmwaresaas.jfrog.io/vmwblockchain/fluentd:1.1
    docker pull vmwaresaas.jfrog.io/vmwblockchain/wavefront-proxy:10.12
    docker pull vmwaresaas.jfrog.io/vmwblockchain/jaeger-agent:1.22
    docker pull vmwaresaas.jfrog.io/vmwblockchain/telegraf:1.18.3
    docker pull vmwaresaas.jfrog.io/vmwblockchain/ethrpc:1.7.0.0.55
  3. (Optional) Unset the Docker content trust environment variables.
    unset DOCKER_CONTENT_TRUST
    unset DOCKER_CONTENT_TRUST_SERVER
  4. Tag the trusted images to associate with your local Docker container registry.
    docker tag vmwaresaas.jfrog.io/vmwblockchain/agent:1.7.0.0.55 <ip_address>:5000/vmwblockchain/agent:1.7.0.0.55
  5. Push the trusted images to your local Docker container registry.

    If you are using notary server verification, you can sign these trusted images with your notary server during the push.

    When you push the first trusted image, Docker generates signing keys, such as the root key and the repository key. These keys are stored in the ~/.docker/trust/private directory.

    Note:

    Do not share these signing keys. You use the same keys to sign subsequent images or other tags of the same image.

Example

Sample output from pushing and signing a trusted image.

export DOCKER_CONTENT_TRUST_SERVER="https://local.notary.<URL>.com"
export DOCKER_CONTENT_TRUST=1

docker push 109.12.358.250:5000/vmwblockchain/agent:1.7.0.0.55
75b79e19929c: Pushed
4775b2f378bb: Pushed
883eafdbe580: Pushed
19d043c86cbc: Pushed
8823818c4748: Pushed
1.7.0.0.55.0: digest: <secure_key> size: 1357
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID dfa4655:
Repeat passphrase for new root key with ID dfa4655:
Enter passphrase for new repository key with ID af8d942:
Repeat passphrase for new repository key with ID af8d942:
Finished initializing "109.12.358.250:5000/vmwblockchain/agent:1.7.0.0.55"
Successfully signed 109.12.358.250:5000/vmwblockchain/agent:1.7.0.0.55

unset DOCKER_CONTENT_TRUST
unset DOCKER_CONTENT_TRUST_SERVER
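The following script is an added example, not part of the VMware documentation, that carries steps 1 to 5 above through for every image on this page: it pulls each image with content trust, retags it for the private registry, and pushes it with a signed push. REGISTRY and NOTARY are placeholders for your own values, and setting DOCKER=echo gives a dry run on a host without Docker.

```shell
# Added example (not from the VMware documentation): mirror the trusted images
# from this page into a private registry, signing each push with Docker Content
# Trust. REGISTRY and NOTARY are placeholders; DOCKER=echo gives a dry run.

REGISTRY="${REGISTRY:-<ip_address>:5000}"           # placeholder: your private registry
NOTARY="${NOTARY:-https://local.notary.<URL>.com}"   # placeholder: your notary server
SOURCE_REGISTRY="vmwaresaas.jfrog.io"
DOCKER="${DOCKER:-docker}"                           # set to "echo" for a dry run

# Image list taken from the procedure above (repository path and tag).
IMAGES="vmwblockchain/agent:1.7.0.0.55
vmwblockchain/concord-core:1.7.0.0.55
vmwblockchain/operator:1.7.0.0.55
vmwblockchain/daml-execution-engine:1.7.0.0.55
vmwblockchain/daml-index-db:1.7.0.0.55
vmwblockchain/daml-ledger-api:1.7.0.0.55
vmwblockchain/fluentd:1.1
vmwblockchain/wavefront-proxy:10.12
vmwblockchain/jaeger-agent:1.22
vmwblockchain/telegraf:1.18.3
vmwblockchain/ethrpc:1.7.0.0.55"

# Run one docker command with content trust enabled for that command only,
# so no export/unset pair is needed and the rest of the session is unaffected.
trusted() {
    DOCKER_CONTENT_TRUST=1 DOCKER_CONTENT_TRUST_SERVER="$NOTARY" "$DOCKER" "$@"
}

# Rewrite a source image reference onto the private registry, keeping the
# repository path and tag unchanged.
local_ref() {
    printf '%s/%s\n' "$REGISTRY" "${1#"$SOURCE_REGISTRY"/}"
}

# Pull with signature verification, retag, then push with signing. The first
# signed push creates the root and repository keys under ~/.docker/trust/private
# and prompts for their passphrases.
mirror_image() {
    src="$SOURCE_REGISTRY/$1"
    dst=$(local_ref "$src")
    trusted pull "$src" && "$DOCKER" tag "$src" "$dst" && trusted push "$dst"
}

# Mirror every image and stop at the first failure, so a missing or invalid
# signature is noticed instead of leaving a partially populated registry.
mirror_all() {
    for image in $IMAGES; do
        mirror_image "$image" || { echo "failed: $image" >&2; return 1; }
    done
}
```

Source the script and run `mirror_all` after `docker login` to both registries; run `DOCKER=echo mirror_all` first to review the exact commands it will issue.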

What to do next

Set the Docker container registry and notary server parameters in the VMware Blockchain Orchestrator infrastructure descriptor file. See Configuring the Infrastructure Descriptor Parameters on vSphere.