Docker Config Reference (docker trust / docker update / docker version)
This page goes over examples of using docker trust, docker update and docker version.
Examples of the Docker Trust Command
The docker trust command manages content trust for Docker images, enabling secure operations such as signing, verifying, and inspecting image signatures. It enhances security by ensuring images are tamper-proof and originate from trusted sources, particularly in environments requiring compliance or protection against supply chain attacks. Below are 10 unique examples, each demonstrating a distinct subcommand or option combination.
docker trust sign myrepo/myimage:latest
This command signs the "myrepo/myimage:latest" image using a local key pair, attaching a cryptographic signature to verify its integrity and authorship. It requires prior key generation and delegation setup, ensuring that pushed images can be trusted by pullers enforcing content trust, thereby mitigating risks from malicious modifications during distribution.
docker trust inspect myrepo/myimage:latest
This command inspects the trust metadata for "myrepo/myimage:latest", displaying details such as signers, signatures, and administrative keys in JSON format. It allows verification of an image's trust status without pulling, supporting pre-deployment audits to confirm authenticity and compliance with organizational security policies.
docker trust revoke myrepo/myimage:latest
This command revokes all signatures from "myrepo/myimage:latest", removing trust metadata from the registry. It is used to invalidate compromised or outdated images, preventing their trusted usage and enforcing rotation in secure workflows, though it requires signer privileges.
docker trust key generate mykey
This command generates a new key pair named "mykey" for signing images, storing the private key locally and providing the public key for delegation. It initiates the trust setup process, essential for establishing signer identities in collaborative repositories to enable multi-user signing hierarchies.
docker trust signer add --key /path/to/pubkey.pem newsigner myrepo/myimage
This command adds a new signer "newsigner" to the "myrepo/myimage" repository using the provided public key. It delegates signing authority, allowing multiple contributors to sign images while maintaining a chain of trust, which is critical for team-based development with accountability.
docker trust signer remove oldsigner myrepo/myimage
This command removes the signer "oldsigner" from the "myrepo/myimage" repository, revoking their ability to add new signatures. It is employed to retire obsolete or compromised signers, preserving repository security by updating delegation metadata without affecting existing valid signatures.
docker trust inspect --pretty myrepo/myimage:latest
With the --pretty flag, this command inspects trust data for "myrepo/myimage:latest" in a human-readable format instead of JSON. It improves usability for manual reviews, presenting signer roles and signature counts clearly for quick trust assessments.
docker trust key load /path/to/privatekey.pem --name mykey
This command loads a private key from "/path/to/privatekey.pem" into Docker's key store under "mykey". It imports external keys for signing, facilitating key migration or recovery in secure environments where keys are managed separately.
docker trust view myrepo/myimage:latest
This command views the trust information for "myrepo/myimage:latest", similar to inspect but focused on signature details. It provides a concise summary for validation, useful in CI/CD pipelines to enforce trust before deployment.
docker trust --help
This command displays the help documentation for the docker trust command, including subcommands, options, and usage examples. It serves as a comprehensive reference for understanding trust management features, aiding users in implementing secure image practices.
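As an added example that is not part of the original page, the following Python gate shows how a pipeline can consume the JSON that docker trust inspect emits, refuse to deploy a tag unless the required signers (here "newsigner" from the signer add example) all signed it, and pin the deployment to the verified digest. The sample JSON, digest and key IDs are constructed placeholders, and docker_trust_inspect is only invoked when no sample is supplied and a real docker CLI is present.

```python
import json
import subprocess


class TrustError(Exception):
    """Raised when an image cannot be proven to carry the required signatures."""


# Constructed sample in the layout `docker trust inspect myrepo/myimage:latest`
# emits; the digest and key IDs are placeholders, not real values.
SAMPLE_INSPECT = json.dumps([{
    "Name": "myrepo/myimage:latest",
    "SignedTags": [{"SignedTag": "latest", "Digest": "ab" * 32, "Signers": ["newsigner"]}],
    "Signers": [{"Name": "newsigner", "Keys": [{"ID": "11" * 32}]}],
    "AdministrativeKeys": [{"Name": "Root", "Keys": [{"ID": "22" * 32}]}],
}])


def split_ref(image):
    """'myrepo/myimage:latest' -> ('myrepo/myimage', 'latest'); no tag means 'latest'."""
    name, _, tag = image.rpartition(":")
    if not name or "/" in tag:          # no tag: the colon (if any) was a registry port
        return image, "latest"
    return name, tag


def signed_digest(inspect_json, tag, required_signers):
    """Digest recorded for `tag` if every required signer signed it, else None."""
    for repo in json.loads(inspect_json):
        for entry in repo.get("SignedTags", []):
            if entry.get("SignedTag") == tag and set(required_signers) <= set(entry.get("Signers", [])):
                return entry["Digest"]
    return None


def docker_trust_inspect(image):
    """Run the real `docker trust inspect IMAGE` and return its JSON text."""
    return subprocess.run(["docker", "trust", "inspect", image],
                          check=True, capture_output=True, text=True).stdout


def gate(image, required_signers, inspect_json=None):
    """Deployment gate: return a digest-pinned reference or raise TrustError."""
    name, tag = split_ref(image)
    data = inspect_json if inspect_json is not None else docker_trust_inspect(image)
    digest = signed_digest(data, tag, required_signers)
    if digest is None:
        raise TrustError(f"{image}: no signature from all of {sorted(required_signers)}")
    if not digest.startswith("sha256:"):   # inspect prints the bare hex digest
        digest = "sha256:" + digest
    return f"{name}@{digest}"             # deploy exactly the bytes that were verified
```

Deploying by the returned name@digest reference rather than by tag means a later re-tag cannot swap in an unverified image.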
Examples of the Docker Update Command
The docker update command modifies the configuration of one or more containers without restarting them, adjusting parameters such as CPU and memory limits and the restart policy. This allows dynamic tuning to respond to changing conditions, enhancing operational flexibility while minimizing downtime.
docker update --cpus 2 mycontainer
This command updates the running "mycontainer" to limit its CPU usage to 2 cores. It dynamically adjusts resource allocation, preventing overconsumption in shared environments and optimizing performance without interrupting the container's processes.
docker update --memory 512m dbcontainer
This command sets a memory limit of 512 MB for the running "dbcontainer". It enforces resource constraints to avoid out-of-memory errors, particularly useful in database workloads where memory spikes need containment while maintaining availability.
docker update --restart always webapp
This command updates the restart policy of "webapp" to "always", ensuring automatic restarts on failure or host reboot. It enhances resilience for web services, supporting high-availability requirements in production setups.
docker service update --label-add env=prod myservice
This command adds the label "env=prod" to the Swarm service "myservice". Note that docker update itself has no --label-add option: labels on a standalone container are fixed when it is created with docker run or docker create, so runtime label changes are only possible for services via docker service update, which takes a single service name. Labels are metadata for organizational purposes, such as filtering or grouping, and do not affect runtime behavior.
docker update --kernel-memory 100m worker
This command sets a kernel memory limit of 100 MB for the running "worker" container, bounding the kernel memory attributable to its processes in resource-intensive tasks like processing queues. The --kernel-memory flag is deprecated (since Docker 20.10) and has no effect on cgroup v2 hosts, so --memory is the limit to rely on.
docker update --restart on-failure:3 cachecontainer
This command updates "cachecontainer" to restart on failure up to 3 times. It implements a retry policy, balancing recovery attempts with failure tolerance for transient issues in caching services.
docker update --cpu-shares 512 apiservice
This command adjusts the CPU shares for "apiservice" to 512, influencing scheduling priority in contended environments. It fine-tunes performance for API endpoints, ensuring fair resource distribution.
docker service update --label-rm oldlabel myservice
This command removes the label "oldlabel" from the Swarm service "myservice". As with --label-add, this option belongs to docker service update, not docker update, because container labels cannot be changed after creation. It cleans up metadata, supporting reconfiguration or compliance adjustments without downtime.
docker update --memory-swap 1g mongocontainer
This command sets the memory-plus-swap limit to 1 GB for "mongocontainer". The --memory-swap value is the combined total of memory and swap, so it only has meaning alongside a --memory limit and must not be lower than it. It controls swapping behavior in NoSQL databases, preventing excessive disk I/O while allowing burst memory usage.
docker update --help
This command displays the help documentation for the docker update command, listing available options and parameters. It provides guidance for advanced configuration changes, ensuring correct usage.
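An added example, not part of the original page, that builds and validates a docker update invocation for the resource-limit and restart-policy flags listed above: sizes are parsed the way docker accepts them, --memory-swap is always sent alongside --memory because the daemon rejects raising --memory above a container's existing memory-swap ceiling unless both change together, and the restart policy is checked against the syntax docker accepts. The function names are this example's own, and the 6 MiB floor mirrors the minimum memory limit the daemon enforces.

```python
import re
import subprocess

SIZE_UNITS = {"b": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}   # suffixes docker accepts
RESTART_POLICY = re.compile(r"^(no|always|unless-stopped|on-failure(:\d+)?)$")
MIN_MEMORY = 6 << 20   # the daemon rejects memory limits below 6 MiB


def parse_size(text):
    """'512m' -> 536870912 bytes; a bare number is bytes."""
    m = re.fullmatch(r"(\d+)([bkmg]?)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised size {text!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2) or "b"]


def build_update(container, memory=None, memory_swap=None, cpus=None, restart=None):
    """Validate a resource change and return the `docker update` argv for it."""
    argv = ["docker", "update"]
    mem = parse_size(memory) if memory is not None else None
    swap = None if memory_swap is None else (-1 if memory_swap == "-1" else parse_size(memory_swap))
    if mem is not None:
        if mem < MIN_MEMORY:
            raise ValueError("--memory must be at least 6m")
        # --memory-swap is memory PLUS swap. Always send it with --memory; when the caller
        # gives none, use 2x memory, the same default docker run applies when only --memory is set.
        if swap is None:
            swap = 2 * mem
        argv += ["--memory", str(mem)]
    if swap is not None:
        if mem is not None and swap != -1 and swap < mem:
            raise ValueError("--memory-swap must not be smaller than --memory")
        argv += ["--memory-swap", str(swap)]   # alone, it applies against the existing --memory
    if cpus is not None:
        if float(cpus) <= 0:
            raise ValueError("--cpus must be positive")
        argv += ["--cpus", str(cpus)]
    if restart is not None:
        if not RESTART_POLICY.match(restart):
            raise ValueError(f"bad restart policy {restart!r}")
        argv += ["--restart", restart]
    if len(argv) == 2:
        raise ValueError("nothing to update")
    return argv + [container]


def apply_update(argv):
    """Execute the validated command (requires a local docker CLI and an existing container)."""
    subprocess.run(argv, check=True)
```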
Examples of the Docker Version Command
The docker version command retrieves and displays detailed version information about the Docker client and server, including API version, operating system, architecture, and build details. It is crucial for compatibility checks, troubleshooting, and ensuring alignment between client and daemon in distributed setups.
docker version
This command outputs version details for both the Docker client and server, including platform-specific information like OS and architecture. It verifies installation integrity and compatibility, essential for diagnosing version-related issues.
docker version --format "{{.Server.Version}}"
Using the --format flag with a Go template, this command displays only the server version. It extracts specific data for scripting, such as automated checks in deployment pipelines.
docker version --format "{{json .}}"
This command formats the entire version output as JSON. It enables programmatic parsing for integration with monitoring tools or configuration management systems.
docker version --format "{{.Client.APIVersion}} {{.Server.APIVersion}}"
This command shows the API versions of both client and server. It ensures API compatibility, critical for feature availability in custom applications or plugins.
docker version --format "table {{.Client.Platform.Name}}\t{{.Server.Platform.Name}}"
This command formats output as a table with client and server platform names. It provides a readable comparison for multi-platform environments.
docker version --format "{{.Server.Os}}/{{.Server.Arch}}"
This command displays the server's OS and architecture. It aids in hardware-specific deployments, confirming runtime environments.
docker version --format "{{.Client.GoVersion}}"
This command extracts the Go version used for the Docker client. It is useful for developers ensuring compatibility with Go-based tools.
docker version --format "{{.Server.Experimental}}"
This command shows whether experimental features are enabled on the server. It verifies configuration for advanced or beta functionalities.
docker version --format "{{.Client.GitCommit}} {{.Server.GitCommit}}"
This command displays the Git commit hashes for the client and server builds (the template field is GitCommit; there is no Commit field). It supports precise versioning in custom or forked Docker installations.
docker version --help
This command displays help documentation for docker version, explaining options and formats. It serves as a reference for detailed usage.
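An added example (not from the original page) that turns the output of docker version --format "{{json .}}" into a compatibility and hardening check: the client's negotiated API version must not fall below the daemon's MinAPIVersion, the engine must meet a minimum version baseline, and a daemon with experimental features enabled is flagged. The sample JSON is constructed, the min_engine baseline is this example's own choice, and it assumes the Server block is null when the daemon cannot be reached.

```python
import json
import re
import subprocess

# Constructed sample of `docker version --format '{{json .}}'`; values are placeholders.
# Note the JSON key is "ApiVersion" although the Go template field is .APIVersion.
SAMPLE_VERSION = json.dumps({
    "Client": {"Platform": {"Name": "Docker Engine - Community"}, "Version": "24.0.2",
               "ApiVersion": "1.43", "GitCommit": "cb74dfc", "GoVersion": "go1.20.4",
               "Os": "linux", "Arch": "amd64", "Context": "default"},
    "Server": {"Platform": {"Name": "Docker Engine - Community"}, "Version": "24.0.2",
               "ApiVersion": "1.43", "MinAPIVersion": "1.12", "GitCommit": "659604f",
               "GoVersion": "go1.20.4", "Os": "linux", "Arch": "amd64",
               "KernelVersion": "5.15.0-76-generic", "Experimental": False},
})


def vtuple(text):
    """'24.0.2' -> (24, 0, 2); '18.09.7-ce' -> (18, 9, 7); '1.43' -> (1, 43)."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in text.split("."))


def docker_version_json():
    """Run the real command and return its JSON text (requires a local docker CLI)."""
    return subprocess.run(["docker", "version", "--format", "{{json .}}"],
                          check=True, capture_output=True, text=True).stdout


def check_version(version_json, min_engine="20.10.0"):
    """Return policy findings for a client/daemon pair; an empty list means it passes."""
    info = json.loads(version_json)
    client, server = info["Client"], info.get("Server")
    if not server:   # assumption: the Server block is null when the daemon is unreachable
        return ["daemon unreachable: no Server section in output"]
    findings = []
    # The daemon refuses API versions below MinAPIVersion, so such a client cannot talk to it.
    if vtuple(client["ApiVersion"]) < vtuple(server.get("MinAPIVersion", "0")):
        findings.append(f"client API {client['ApiVersion']} is below daemon minimum {server['MinAPIVersion']}")
    if vtuple(server["Version"]) < vtuple(min_engine):
        findings.append(f"engine {server['Version']} is below required baseline {min_engine}")
    if server.get("Experimental"):
        findings.append("daemon runs with experimental features enabled")
    return findings
```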