Verzeichnis suchen
Compose About versions and upgrading (Compose) ASP.NET Core + SQL Server on Linux (Compose) CLI environment variables (Compose) Command-line completion (Compose) Compose(组成) Compose command-line reference(组合命令行参考) Control startup order (Compose) Django and PostgreSQL (Compose) Docker stacks and distributed application bundles (Compose) docker-compose build(docker-compose构建) docker-compose bundle docker-compose config docker-compose create docker-compose down docker-compose events docker-compose exec docker-compose help docker-compose images docker-compose kill docker-compose logs docker-compose pause docker-compose port docker-compose ps docker-compose pull docker-compose push docker-compose restart docker-compose rm docker-compose run docker-compose scale docker-compose start docker-compose stop docker-compose top docker-compose unpause docker-compose up Environment file (Compose) Environment variables in Compose Extend services in Compose Frequently asked questions (Compose) Getting started (Compose) Install Compose Link environment variables (deprecated) (Compose) Networking in Compose Overview of Docker Compose Overview of docker-compose CLI Quickstart: Compose and WordPress Rails and PostgreSQL (Compose) Sample apps with Compose Using Compose in production Using Compose with Swarm Engine .NET Core application (Engine) About images, containers, and storage drivers (Engine) Add nodes to the swarm (Engine) Apply custom metadata (Engine) Apply rolling updates (Engine) apt-cacher-ng Best practices for writing Dockerfiles (Engine) Binaries (Engine) Bind container ports to the host (Engine) Breaking changes (Engine) Build your own bridge (Engine) Configure container DNS (Engine) Configure container DNS in user-defined networks (Engine) CouchDB (Engine) Create a base image (Engine) Create a swarm (Engine) Customize the docker0 bridge (Engine) Debian (Engine) Default bridge network Delete the service (Engine) Deploy a service (Engine) Deploy services to a swarm (Engine) Deprecated Engine features Docker container networking (Engine) Docker overview (Engine) Docker run reference (Engine) Dockerfile reference (Engine) Dockerize an application Drain a node (Engine) Engine FAQ (Engine) Fedora (Engine) Get started (Engine) Get started with macvlan network driver (Engine) Get started with multi-host networking (Engine) How nodes work (Engine) How services work (Engine) Image management (Engine) Inspect the service (Engine) Install Docker (Engine) IPv6 with Docker (Engine) Join nodes to a swarm (Engine) Legacy container links (Engine) Lock your swarm (Engine) Manage nodes in a swarm (Engine) Manage sensitive data with Docker secrets (Engine) Manage swarm security with PKI (Engine) Manage swarm service networks (Engine) Migrate to Engine 1.10 Optional Linux post-installation steps (Engine) Overview (Engine) PostgreSQL (Engine) Raft consensus in swarm mode (Engine) Riak (Engine) Run Docker Engine in swarm mode Scale the service (Engine) SDKs (Engine) Select a storage driver (Engine) Set up for the tutorial (Engine) SSHd (Engine) Storage driver overview (Engine) Store service configuration data (Engine) Swarm administration guide (Engine) Swarm mode key concepts (Engine) Swarm mode overlay network security model (Engine) Swarm mode overview (Engine) Understand container communication (Engine) Use multi-stage builds (Engine) Use swarm mode routing mesh (Engine) Use the AUFS storage driver (Engine) Use the Btrfs storage driver (Engine) Use the Device mapper storage driver (Engine) Use the OverlayFS storage driver (Engine) Use the VFS storage driver (Engine) Use the ZFS storage driver (Engine) Engine: Admin Guide Amazon CloudWatch logs logging driver (Engine) Bind mounts (Engine) Collect Docker metrics with Prometheus (Engine) Configuring and running Docker (Engine) Configuring logging drivers (Engine) Control and configure Docker with systemd (Engine) ETW logging driver (Engine) Fluentd logging driver (Engine) Format command and log output (Engine) Google Cloud logging driver (Engine) Graylog Extended Format (GELF) logging driver (Engine) Journald logging driver (Engine) JSON File logging driver (Engine) Keep containers alive during daemon downtime (Engine) Limit a container's resources (Engine) Link via an ambassador container (Engine) Log tags for logging driver (Engine) Logentries logging driver (Engine) PowerShell DSC usage (Engine) Prune unused Docker objects (Engine) Run multiple services in a container (Engine) Runtime metrics (Engine) Splunk logging driver (Engine) Start containers automatically (Engine) Storage overview (Engine) Syslog logging driver (Engine) tmpfs mounts Troubleshoot volume problems (Engine) Use a logging driver plugin (Engine) Using Ansible (Engine) Using Chef (Engine) Using Puppet (Engine) View a container's logs (Engine) Volumes (Engine) Engine: CLI Daemon CLI reference (dockerd) (Engine) docker docker attach docker build docker checkpoint docker checkpoint create docker checkpoint ls docker checkpoint rm docker commit docker config docker config create docker config inspect docker config ls docker config rm docker container docker container attach docker container commit docker container cp docker container create docker container diff docker container exec docker container export docker container inspect docker container kill docker container logs docker container ls docker container pause docker container port docker container prune docker container rename docker container restart docker container rm docker container run docker container start docker container stats docker container stop docker container top docker container unpause docker container update docker container wait docker cp docker create docker deploy docker diff docker events docker exec docker export docker history docker image docker image build docker image history docker image import docker image inspect docker image load docker image ls docker image prune docker image pull docker image push docker image rm docker image save docker image tag docker images docker import docker info docker inspect docker kill docker load docker login docker logout docker logs docker network docker network connect docker network create docker network disconnect docker network inspect docker network ls docker network prune docker network rm docker node docker node demote docker node inspect docker node ls docker node promote docker node ps docker node rm docker node update docker pause docker plugin docker plugin create docker plugin disable docker plugin enable docker plugin inspect docker plugin install docker plugin ls docker plugin push docker plugin rm docker plugin set docker plugin upgrade docker port docker ps docker pull docker push docker rename docker restart docker rm docker rmi docker run docker save docker search docker secret docker secret create docker secret inspect docker secret ls docker secret rm docker service docker service create docker service inspect docker service logs docker service ls docker service ps docker service rm docker service scale docker service update docker stack docker stack deploy docker stack ls docker stack ps docker stack rm docker stack services docker start docker stats docker stop docker swarm docker swarm ca docker swarm init docker swarm join docker swarm join-token docker swarm leave docker swarm unlock docker swarm unlock-key docker swarm update docker system docker system df docker system events docker system info docker system prune docker tag docker top docker unpause docker update docker version docker volume docker volume create docker volume inspect docker volume ls docker volume prune docker volume rm docker wait Use the Docker command line (Engine) Engine: Extend Access authorization plugin (Engine) Docker log driver plugins Docker network driver plugins (Engine) Extending Engine with plugins Managed plugin system (Engine) Plugin configuration (Engine) Plugins API (Engine) Volume plugins (Engine) Engine: Security AppArmor security profiles for Docker (Engine) Automation with content trust (Engine) Content trust in Docker (Engine) Delegations for content trust (Engine) Deploying Notary (Engine) Docker security (Engine) Docker security non-events (Engine) Isolate containers with a user namespace (Engine) Manage keys for content trust (Engine) Play in a content trust sandbox (Engine) Protect the Docker daemon socket (Engine) Seccomp security profiles for Docker (Engine) Secure Engine Use trusted images Using certificates for repository client verification (Engine) Engine: Tutorials Engine tutorials Network containers (Engine) Get Started Part 1: Orientation Part 2: Containers Part 3: Services Part 4: Swarms Part 5: Stacks Part 6: Deploy your app Machine Amazon Web Services (Machine) Digital Ocean (Machine) docker-machine active docker-machine config docker-machine create docker-machine env docker-machine help docker-machine inspect docker-machine ip docker-machine kill docker-machine ls docker-machine provision docker-machine regenerate-certs docker-machine restart docker-machine rm docker-machine scp docker-machine ssh docker-machine start docker-machine status docker-machine stop docker-machine upgrade docker-machine url Driver options and operating system defaults (Machine) Drivers overview (Machine) Exoscale (Machine) Generic (Machine) Get started with a local VM (Machine) Google Compute Engine (Machine) IBM Softlayer (Machine) Install Machine Machine Machine CLI overview Machine command-line completion Machine concepts and help Machine overview Microsoft Azure (Machine) Microsoft Hyper-V (Machine) Migrate from Boot2Docker to Machine OpenStack (Machine) Oracle VirtualBox (Machine) Provision AWS EC2 instances (Machine) Provision Digital Ocean Droplets (Machine) Provision hosts in the cloud (Machine) Rackspace (Machine) VMware Fusion (Machine) VMware vCloud Air (Machine) VMware vSphere (Machine) Notary Client configuration (Notary) Common Server and signer configurations (Notary) Getting started with Notary Notary changelog Notary configuration files Running a Notary service Server configuration (Notary) Signer configuration (Notary) Understand the service architecture (Notary) Use the Notary client
Figuren

本页面介绍了如何设置和使用沙盒进行信任实验。沙箱允许您在本地配置和尝试信任操作,而不会影响生产映像。

在通过这个沙盒之前,您应该仔细阅读信任概述。

先决条件

这些说明假定您正在Linux或macOS中运行。您可以在本地机器或虚拟机上运行此沙箱。您需要拥有在本地机器或虚拟机上运行docker命令的权限。

此沙箱需要您安装两个Docker工具:Docker Engine> = 1.10.0和Docker Compose> = 1.6.0。要安装Docker引擎,请从支持的平台列表中进行选择。要安装Docker Compose,请参阅此处的详细说明。

最后,您需要在本地系统或VM上安装一个文本编辑器。

沙箱里有什么?

如果您只是使用信任开箱即用,则只需要您的Docker Engine客户端并访问Docker Hub。沙盒模拟生产信任环境,并设置这些附加组件。

容器

描述

trustsandbox

具有最新版Docker Engine和一些预配置证书的容器。这是您的沙箱,您可以使用docker客户端来测试信任操作。

注册服务器

本地注册表服务。

公证服务器

这项服务完成所有重要的管理信任

这意味着您将运行您自己的内容信任(公证)服务器和注册表。如果您只使用Docker Hub工作,则不需要这些组件。它们为您而构建在Docker Hub中。但是,对于沙箱,您可以构建自己的整个模拟生产环境。

trustsandbox容器中,您与本地注册表交互而不是Docker Hub。这意味着您的日常图像存储库不被使用,他们受到保护

当你在使用沙盒时,你也会创建root和仓库密钥。沙箱被配置为存储trustsandbox容器内的所有密钥和文件。由于您在沙盒中创建的键仅用于播放,因此销毁容器也会破坏它们。

通过在trustsandbox容器中使用docker-in-docker图像,您不会使用任何您推送和拖动的图像来毁坏您的真正docker守护进程缓存。这些图像将存储在附加到此容器的匿名卷中,并且可以在销毁容器后销毁。

建造沙箱

在本节中,您将使用Docker Compose来指定如何设置trustsandbox容器,公证服务器和注册服务器并将其链接在一起。

1. 创建一个新的trustsandbox目录并进行更改。$ mkdir trustsandbox $ cd trustsandbox

2. 用你最喜欢的编辑器创建一个文件docker-compose.yml。例如,使用vim:

$ touch docker-compose.yml $ vim docker-compose.yml

3.  将以下内容添加到新文件中。version: "2"  services:    notaryserver:      image: dockersecurity/notary_autobuilds:server-v0.4.2      volumes:        - notarycerts:/go/src/github.com/docker/notary/fixtures      networks:        - sandbox      environment:        - NOTARY_SERVER_STORAGE_TYPE=memory        - NOTARY_SERVER_TRUST_SERVICE_TYPE=local    sandboxregistry:      image: registry:2.4.1      networks:        - sandbox      container_name: sandboxregistry    trustsandbox:      image: docker:dind      networks:        - sandbox      volumes:        - notarycerts:/notarycerts      privileged: true      container_name: trustsandbox      entrypoint: ""      command: |-          sh -c '              cp /notarycerts/root-ca.crt /usr/local/share/ca-certificates/root-ca.crt &&              update-ca-certificates &&              dockerd-entrypoint.sh --insecure-registry sandboxregistry:5000'  volumes:    notarycerts:      external: false  networks:    sandbox:      external: false

4.  保存并关闭文件。

5.  在本地系统上运行容器。$ docker-compose up -d

第一次运行这个时,docker-in-docker,Notary服务器和注册表映像将首先从Docker Hub下载。在sandbox中播放现在所有东西都已设置好了,你可以进入你的trustsandbox容器并开始测试Docker内容信任。在你的主机上,在trustsandbox容器中获取一个shell 。$ docker exec -it trustsandbox sh /#测试一些信任操作现在,你将从trustsandbox容器中取出一些图像。

6.  下载docker图片以测试。

/ # docker pull docker/trusttest  docker pull docker/trusttest  Using default tag: latest  latest: Pulling from docker/trusttest   b3dbab3810fc: Pull complete  a9539b34a6ab: Pull complete  Digest: sha256:d149ab53f8718e987c3a3024bb8aa0e2caadf6c0328f1d9d850b2a2a67f2819a  Status: Downloaded newer image for docker/trusttest:latest

7.  标记为推送到我们的沙盒注册表中:/#docker标记docker / trusttest sandboxregistry:5000 / test / trusttest:latest

8.  启用内容信任。

/ # export DOCKER_CONTENT_TRUST=1

9.  识别信任服务器。/#export DOCKER_CONTENT_TRUST_SERVER = https:// notaryserver:4443这一步只是必要的,因为沙盒正在使用它自己的服务器。通常,如果您使用的是Docker公共集线器,则此步骤不是必需的。

10.  测试图像。

/ # docker pull sandboxregistry:5000/test/trusttest  Using default tag: latest  Error: remote trust data does not exist for sandboxregistry:5000/test/trusttest: notaryserver:4443 does not have trust data for sandboxregistry:5000/test/trusttest

你看到一个错误,因为这个内容在尚未存在于notaryserver

11.  推送并签署可信映像。/ # docker push sandboxregistry:5000/test/trusttest:latest  The push refers to a repository sandboxregistry:5000/test/trusttest  5f70bf18a086: Pushed  c22f7bc058a9: Pushed  latest: digest: sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926 size: 734  Signing and pushing trust metadata  You are about to create a new root signing key passphrase.

此密码将用于保护签名系统中最敏感的密钥。请选择一个长而复杂的密码,并小心保持密码和密钥文件本身的安全和备份。强烈建议您使用密码管理器来生成密码并保持安全。将无法恢复此密钥。您可以在您的配置目录中找到该密钥。输入ID为27ec255的新根密钥的密码:为ID为27ec255的新根密钥重复密码:为ID为58233f9(sandboxregistry:5000 / test / trusttest)的新存储库密钥输入密码:为ID为58233f9(sandboxregistry:5000 / test / trusttest)的新存储库密钥重复密码:完成初始化“sandboxregistry:5000 / test / trusttest”已成功签署“sandboxregistry:5000 / test / trusttest”:latest

由于您第一次推送此存储库,因此docker会创建新的根和存储库密钥并要求您输入加密密码。如果在此之后再次推送,它只会要求您输入存储库密码,以便它可以解密密钥并再次签名。对ID为58233f9(sandboxregistry:5000 / test / trusttest)的新存储库密钥重复密码:完成初始化“sandboxregistry:5000 / test / trusttest”成功签名为“sandboxregistry:5000 / test / trusttest”:latest由于您要将此存储库Docker首次创建新的根和存储库密钥,并要求您输入密码来加密密码。如果在此之后再次推送,它只会要求您输入存储库密码,以便它可以解密密钥并再次签名。对ID为58233f9(sandboxregistry:5000 / test / trusttest)的新存储库密钥重复密码:完成初始化“sandboxregistry:5000 / test / trusttest”成功签名为“sandboxregistry:5000 / test / trusttest”:latest

由于您要将此存储库Docker首次创建新的根和存储库密钥,并要求您输入密码来加密密码。如果在此之后再次推送,它只会要求您输入存储库密码,以便它可以解密密钥并再次签名。码头工人创建新的根和存储库密钥,并要求您输入用于加密它们的密码。如果在此之后再次推送,它只会要求您输入存储库密码,以便它可以解密密钥并再次签名。码头工人创建新的根和存储库密钥,并要求您输入用于加密它们的密码。如果在此之后再次推送,它只会要求您输入存储库密码,以便它可以解密密钥并再次签名。

12.  试着拉你刚才推送的图片:

/ # docker pull sandboxregistry:5000/test/trusttest  Using default tag: latest  Pull (1 of 1): sandboxregistry:5000/test/trusttest:latest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926  sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926: Pulling from test/trusttest  Digest: sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926  Status: Downloaded newer image for sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926  Tagging sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926 as sandboxregistry:5000/test/trusttest:latest

测试恶意图像

数据损坏时会发生什么情况,并且在启用信任时尝试将其拉出?在本节中,您将进入sandboxregistry并篡改一些数据。然后,你试着拉它。

  • 保持trustsandbox外壳和容器运行。

  • 从您的主机打开一个新的交互式终端,并在sandboxregistry容器中获得一个shell 。

$ docker exec -it sandboxregistry bash  root@65084fc6f047:/#

  • 列出test/trusttest您推送的映像的层次:

root@65084fc6f047:/# ls -l /var/lib/registry/docker/registry/v2/repositories/test/trusttest/_layers/sha256  total 12  drwxr-xr-x 2 root root 4096 Jun 10 17:26 a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4  drwxr-xr-x 2 root root 4096 Jun 10 17:26 aac0c133338db2b18ff054943cee3267fe50c75cdee969aed88b1992539ed042  drwxr-xr-x 2 root root 4096 Jun 10 17:26 cc7629d1331a7362b5e5126beb5bf15ca0bf67eb41eab994c719a45de53255cd

  • 切换到其中一个图层的注册表存储(请注意,它位于不同的目录中):

root@65084fc6f047:/# cd /var/lib/registry/docker/registry/v2/blobs/sha256/aa/aac0c133338db2b18ff054943cee3267fe50c75cdee969aed88b1992539ed042

  • 将恶意数据添加到其中一个trusttest图层:root @ 65084fc6f047:/#echo“恶意数据”>数据

  • 回到你的trustsandbox终端。

  • 列出trusttest图像。/ # docker images | grep trusttest  REPOSITORY                            TAG                 IMAGE ID            CREATED             SIZE  docker/trusttest                      latest              cc7629d1331a        11 months ago       5.025 MB  sandboxregistry:5000/test/trusttest   latest              cc7629d1331a        11 months ago       5.025 MB  sandboxregistry:5000/test/trusttest   <none>              cc7629d1331a        11 months ago       5.025 MB

  • trusttest:latest从我们的本地缓存中删除图像。

/ # docker rmi -f cc7629d1331a  Untagged: docker/trusttest:latest  Untagged: sandboxregistry:5000/test/trusttest:latest  Untagged: sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926  Deleted: sha256:cc7629d1331a7362b5e5126beb5bf15ca0bf67eb41eab994c719a45de53255cd  Deleted: sha256:2a1f6535dc6816ffadcdbe20590045e6cbf048d63fd4cc753a684c9bc01abeea  Deleted: sha256:c22f7bc058a9a8ffeb32989b5d3338787e73855bf224af7aa162823da015d44c

Docker不会重新下载它已经缓存的图像,但我们希望Docker尝试从注册表中下载被篡改的图像并拒绝它,因为它是无效的。

  • 再次拉动图像。这将从注册表中下载图像,因为我们没有缓存它。

/ # docker pull sandboxregistry:5000/test/trusttest  Using default tag: latest  Pull (1 of 1): sandboxregistry:5000/test/trusttest:latest@sha256:35d5bc26fd358da8320c137784fe590d8fcf9417263ef261653e8e1c7f15672e  sha256:35d5bc26fd358da8320c137784fe590d8fcf9417263ef261653e8e1c7f15672e: Pulling from test/trusttest   aac0c133338d: Retrying in 5 seconds  a3ed95caeb02: Download complete  error pulling image configuration: unexpected EOF

你会看到拉操作没有完成,因为信任系统无法验证图像。

沙盒中更多玩法

现在,您的本地系统上有一个完整的Docker内容信任沙箱,可以随时使用它并查看它的行为。如果您发现Docker存在任何安全问题,请随时通过security@docker.com向我们发送电子邮件。

清理你的沙箱

完成后,要清理所有已启动的服务和已创建的所有匿名卷,只需在创建Docker Compose文件的目录中运行以下命令:

    $ docker-compose down -v
Vorheriger Artikel: Nächster Artikel: