Verifying the CloudBees CI on traditional platforms Docker images

2 minute read

CloudBees supports running CloudBees CI on traditional platforms in Docker containers, subject to the following constraints:

  • The Docker image must be the image provided by CloudBees. CloudBees CI on traditional platforms includes the following Docker containers:

    • cloudbees/cloudbees-core-oc: Operations center

    • cloudbees/cloudbees-core-cm: Client controller

  • The Docker Engine used to run these containers must run on a Linux platform and must be a standalone Docker Engine provided by Docker, Inc. or by a Linux distribution provider (such as Red Hat or CentOS).

  • The Docker environment cannot be managed by a container orchestration tool or cluster manager such as Kubernetes, OpenShift, Docker Swarm, Mesos, or Amazon ECS.

The CloudBees CI Docker images are signed, so that you can verify their origin and authenticity. Verifying the origin and authenticity of public Docker images is an optional step in the installation process. It can help ensure that you are not the victim of a "man-in-the-middle" attack or other types of image tampering.

You should verify the signatures before you run the Docker images. If you have an internal Docker registry that pulls images to use internally, you can verify the images at that time.

In order to verify the CloudBees CI Docker images, you must download Cosign verification software. Cosign is a component of the Sigstore solution, a collection of projects designed to make software signatures easier.

Use Cosign to verify signed Docker images.

Type one of the following commands to verify the images:

Cosign responds with a message that indicates whether the images are validated as authentic. An exit code of 0 indicates that the images are authentic. If the images are not validated as authentic, you should contact CloudBees Support.