Compose
About versions and upgrading (Compose)
ASP.NET Core + SQL Server on Linux (Compose)
CLI environment variables (Compose)
Command-line completion (Compose)
Compose(组成)
Compose command-line reference(组合命令行参考)
Control startup order (Compose)
Django and PostgreSQL (Compose)
Docker stacks and distributed application bundles (Compose)
docker-compose build(docker-compose构建)
docker-compose bundle
docker-compose config
docker-compose create
docker-compose down
docker-compose events
docker-compose exec
docker-compose help
docker-compose images
docker-compose kill
docker-compose logs
docker-compose pause
docker-compose port
docker-compose ps
docker-compose pull
docker-compose push
docker-compose restart
docker-compose rm
docker-compose run
docker-compose scale
docker-compose start
docker-compose stop
docker-compose top
docker-compose unpause
docker-compose up
Environment file (Compose)
Environment variables in Compose
Extend services in Compose
Frequently asked questions (Compose)
Getting started (Compose)
Install Compose
Link environment variables (deprecated) (Compose)
Networking in Compose
Overview of Docker Compose
Overview of docker-compose CLI
Quickstart: Compose and WordPress
Rails and PostgreSQL (Compose)
Sample apps with Compose
Using Compose in production
Using Compose with Swarm
Engine
.NET Core application (Engine)
About images, containers, and storage drivers (Engine)
Add nodes to the swarm (Engine)
Apply custom metadata (Engine)
Apply rolling updates (Engine)
apt-cacher-ng
Best practices for writing Dockerfiles (Engine)
Binaries (Engine)
Bind container ports to the host (Engine)
Breaking changes (Engine)
Build your own bridge (Engine)
Configure container DNS (Engine)
Configure container DNS in user-defined networks (Engine)
CouchDB (Engine)
Create a base image (Engine)
Create a swarm (Engine)
Customize the docker0 bridge (Engine)
Debian (Engine)
Default bridge network
Delete the service (Engine)
Deploy a service (Engine)
Deploy services to a swarm (Engine)
Deprecated Engine features
Docker container networking (Engine)
Docker overview (Engine)
Docker run reference (Engine)
Dockerfile reference (Engine)
Dockerize an application
Drain a node (Engine)
Engine
FAQ (Engine)
Fedora (Engine)
Get started (Engine)
Get started with macvlan network driver (Engine)
Get started with multi-host networking (Engine)
How nodes work (Engine)
How services work (Engine)
Image management (Engine)
Inspect the service (Engine)
Install Docker (Engine)
IPv6 with Docker (Engine)
Join nodes to a swarm (Engine)
Legacy container links (Engine)
Lock your swarm (Engine)
Manage nodes in a swarm (Engine)
Manage sensitive data with Docker secrets (Engine)
Manage swarm security with PKI (Engine)
Manage swarm service networks (Engine)
Migrate to Engine 1.10
Optional Linux post-installation steps (Engine)
Overview (Engine)
PostgreSQL (Engine)
Raft consensus in swarm mode (Engine)
Riak (Engine)
Run Docker Engine in swarm mode
Scale the service (Engine)
SDKs (Engine)
Select a storage driver (Engine)
Set up for the tutorial (Engine)
SSHd (Engine)
Storage driver overview (Engine)
Store service configuration data (Engine)
Swarm administration guide (Engine)
Swarm mode key concepts (Engine)
Swarm mode overlay network security model (Engine)
Swarm mode overview (Engine)
Understand container communication (Engine)
Use multi-stage builds (Engine)
Use swarm mode routing mesh (Engine)
Use the AUFS storage driver (Engine)
Use the Btrfs storage driver (Engine)
Use the Device mapper storage driver (Engine)
Use the OverlayFS storage driver (Engine)
Use the VFS storage driver (Engine)
Use the ZFS storage driver (Engine)
Engine: Admin Guide
Amazon CloudWatch logs logging driver (Engine)
Bind mounts (Engine)
Collect Docker metrics with Prometheus (Engine)
Configuring and running Docker (Engine)
Configuring logging drivers (Engine)
Control and configure Docker with systemd (Engine)
ETW logging driver (Engine)
Fluentd logging driver (Engine)
Format command and log output (Engine)
Google Cloud logging driver (Engine)
Graylog Extended Format (GELF) logging driver (Engine)
Journald logging driver (Engine)
JSON File logging driver (Engine)
Keep containers alive during daemon downtime (Engine)
Limit a container's resources (Engine)
Link via an ambassador container (Engine)
Log tags for logging driver (Engine)
Logentries logging driver (Engine)
PowerShell DSC usage (Engine)
Prune unused Docker objects (Engine)
Run multiple services in a container (Engine)
Runtime metrics (Engine)
Splunk logging driver (Engine)
Start containers automatically (Engine)
Storage overview (Engine)
Syslog logging driver (Engine)
tmpfs mounts
Troubleshoot volume problems (Engine)
Use a logging driver plugin (Engine)
Using Ansible (Engine)
Using Chef (Engine)
Using Puppet (Engine)
View a container's logs (Engine)
Volumes (Engine)
Engine: CLI
Daemon CLI reference (dockerd) (Engine)
docker
docker attach
docker build
docker checkpoint
docker checkpoint create
docker checkpoint ls
docker checkpoint rm
docker commit
docker config
docker config create
docker config inspect
docker config ls
docker config rm
docker container
docker container attach
docker container commit
docker container cp
docker container create
docker container diff
docker container exec
docker container export
docker container inspect
docker container kill
docker container logs
docker container ls
docker container pause
docker container port
docker container prune
docker container rename
docker container restart
docker container rm
docker container run
docker container start
docker container stats
docker container stop
docker container top
docker container unpause
docker container update
docker container wait
docker cp
docker create
docker deploy
docker diff
docker events
docker exec
docker export
docker history
docker image
docker image build
docker image history
docker image import
docker image inspect
docker image load
docker image ls
docker image prune
docker image pull
docker image push
docker image rm
docker image save
docker image tag
docker images
docker import
docker info
docker inspect
docker kill
docker load
docker login
docker logout
docker logs
docker network
docker network connect
docker network create
docker network disconnect
docker network inspect
docker network ls
docker network prune
docker network rm
docker node
docker node demote
docker node inspect
docker node ls
docker node promote
docker node ps
docker node rm
docker node update
docker pause
docker plugin
docker plugin create
docker plugin disable
docker plugin enable
docker plugin inspect
docker plugin install
docker plugin ls
docker plugin push
docker plugin rm
docker plugin set
docker plugin upgrade
docker port
docker ps
docker pull
docker push
docker rename
docker restart
docker rm
docker rmi
docker run
docker save
docker search
docker secret
docker secret create
docker secret inspect
docker secret ls
docker secret rm
docker service
docker service create
docker service inspect
docker service logs
docker service ls
docker service ps
docker service rm
docker service scale
docker service update
docker stack
docker stack deploy
docker stack ls
docker stack ps
docker stack rm
docker stack services
docker start
docker stats
docker stop
docker swarm
docker swarm ca
docker swarm init
docker swarm join
docker swarm join-token
docker swarm leave
docker swarm unlock
docker swarm unlock-key
docker swarm update
docker system
docker system df
docker system events
docker system info
docker system prune
docker tag
docker top
docker unpause
docker update
docker version
docker volume
docker volume create
docker volume inspect
docker volume ls
docker volume prune
docker volume rm
docker wait
Use the Docker command line (Engine)
Engine: Extend
Access authorization plugin (Engine)
Docker log driver plugins
Docker network driver plugins (Engine)
Extending Engine with plugins
Managed plugin system (Engine)
Plugin configuration (Engine)
Plugins API (Engine)
Volume plugins (Engine)
Engine: Security
AppArmor security profiles for Docker (Engine)
Automation with content trust (Engine)
Content trust in Docker (Engine)
Delegations for content trust (Engine)
Deploying Notary (Engine)
Docker security (Engine)
Docker security non-events (Engine)
Isolate containers with a user namespace (Engine)
Manage keys for content trust (Engine)
Play in a content trust sandbox (Engine)
Protect the Docker daemon socket (Engine)
Seccomp security profiles for Docker (Engine)
Secure Engine
Use trusted images
Using certificates for repository client verification (Engine)
Engine: Tutorials
Engine tutorials
Network containers (Engine)
Get Started
Part 1: Orientation
Part 2: Containers
Part 3: Services
Part 4: Swarms
Part 5: Stacks
Part 6: Deploy your app
Machine
Amazon Web Services (Machine)
Digital Ocean (Machine)
docker-machine active
docker-machine config
docker-machine create
docker-machine env
docker-machine help
docker-machine inspect
docker-machine ip
docker-machine kill
docker-machine ls
docker-machine provision
docker-machine regenerate-certs
docker-machine restart
docker-machine rm
docker-machine scp
docker-machine ssh
docker-machine start
docker-machine status
docker-machine stop
docker-machine upgrade
docker-machine url
Driver options and operating system defaults (Machine)
Drivers overview (Machine)
Exoscale (Machine)
Generic (Machine)
Get started with a local VM (Machine)
Google Compute Engine (Machine)
IBM Softlayer (Machine)
Install Machine
Machine
Machine CLI overview
Machine command-line completion
Machine concepts and help
Machine overview
Microsoft Azure (Machine)
Microsoft Hyper-V (Machine)
Migrate from Boot2Docker to Machine
OpenStack (Machine)
Oracle VirtualBox (Machine)
Provision AWS EC2 instances (Machine)
Provision Digital Ocean Droplets (Machine)
Provision hosts in the cloud (Machine)
Rackspace (Machine)
VMware Fusion (Machine)
VMware vCloud Air (Machine)
VMware vSphere (Machine)
Notary
Client configuration (Notary)
Common Server and signer configurations (Notary)
Getting started with Notary
Notary changelog
Notary configuration files
Running a Notary service
Server configuration (Notary)
Signer configuration (Notary)
Understand the service architecture (Notary)
Use the Notary client
©
This document uses PHP Chinese website manual Release
characters
本文档介绍公证人 CLI 的基本用法,作为支持 Docker Content Trust的工具。对于更高级的使用情况,您必须运行自己的公证服务,并且应该读取公证客户端用于高级用户文档的用法。
什么是公证
公证是用于发布和管理可信集合内容的工具。发布商可以对收藏进行数字签名,消费者可以验证内容的完整性和来源。此功能基于简单的密钥管理和签名界面来创建签名集合并配置可信发布者。
通过公证,任何人都可以提供对任意数据集合的信任。使用更新框架(TUF)作为基础安全框架,公证负责创建,管理和分发必要的操作,以确保内容的完整性和新鲜度。
安装公证
您可以从 GitHub 的 Notary 存储库版本页面下载针对64位 Linux 或 macOS 的预编译公证库二进制文件。Windows 并未得到正式支持,但如果您是开发人员和 Windows 用户,我们将非常感谢您就问题提供的任何见解。
了解公证名称
公证处使用全球唯一名称(GUN)来识别信托收藏。要使公证以多租户方式运行,您必须在通过公证客户端与 Docker Hub 交互时使用此格式。为公证客户端指定 Docker 镜像名称时,GUN 格式为:
对于官方图像(可通过“官方存储库”名称识别),Docker Hub 上显示的图像名称,前缀为
docker.io/library/。例如,如果你通常输入docker pull ubuntu你必须输入notary {cmd} docker.io/library/ubuntu。
对于所有其他图像,Docker Hub 上显示的图像名称前缀为
docker.io。
Docker Engine 客户端为您处理这些名称扩展,因此不要更改您在 Engine 客户端或 API 中使用的名称。只有通过公证客户端与相同的 Docker Hub 存储库进行交互时,才需要这样做。
检查 Docker Hub 存储库
最基本的操作是将可用的签名标签列入存储库。隔离使用的公证客户端不知道信任存储库的位置。因此,您必须提供-s(或长格式--server)标志来告诉客户端应该与哪个存储库服务器进行通信。
官方的Docker Hub公证服务器位于https://notary.docker.io。如果您想使用您自己的公证服务器,则必须使用与客户端相同或更新的公证版本来实现功能兼容性(例如:客户端版本0.2,服务器/签署者版本> = 0.2)。此外,公证处还会将您自己的签名密钥和先前下载的信任元数据的缓存存储在随-d标志一起提供的目录中。与Docker Hub存储库进行交互时,您必须指示客户端使用关联的信任目录,默认情况下,该目录.docker/trust位于调用用户的主目录内(未能使用此目录可能会在向您的信任数据发布更新时导致错误):
$ notary -s https://notary.docker.io -d ~/.docker/trust list docker.io/library/alpine NAME DIGEST SIZE (BYTES) ROLE------------------------------------------------------------------------------------------------------ 2.6 e9cec9aec697d8b9d450edd32860ecd363f2f3174c8338beb5f809422d182c63 1374 targets 2.7 9f08005dff552038f0ad2f46b8e65ff3d25641747d3912e3ea8da6785046561a 1374 targets 3.1 e876b57b2444813cd474523b9c74aacacc238230b288a22bccece9caf2862197 1374 targets 3.2 4a8c62881c6237b4c1434125661cddf09434d37c6ef26bf26bfaef0b8c5e2f05 1374 targets 3.3 2d4f890b7eddb390285e3afea9be98a078c2acd2fb311da8c9048e3d1e4864d3 1374 targets edge 878c1b1d668830f01c2b1622ebf1656e32ce830850775d26a387b2f11f541239 1374 targets latest 24a36bbc059b1345b7e8be0df20f1b23caa3602e85d42fff7ecd9d0bd255de56 1377 targets
输出显示了可用标记的名称,与该标记关联的图像清单的十六进制编码的 sha256 摘要,清单的大小以及将此标记签署到存储库中的公证角色。“目标”角色是简单存储库中最常见的角色。当存储库拥有(或期望)拥有协作者时,您可以根据管理员选择如何组织他们的协作者的方式,将其他“委派”角色列为签名者。
当你运行一个docker pull命令时,Docker 引擎使用一个集成的公证库(与公证人 CLI 相同)来请求将标签映射到你感兴趣的一个标签的 sha256 摘要中(或者如果你通过--all标志,客户端会使用列表操作高效地检索所有映射)。验证了信任数据上的签名后,客户端将指示引擎执行“按摘要拉取”。在此拉动过程中,引擎使用 sha256 校验和作为内容地址来请求并验证 Docker 注册表中的图像清单。
删除标签
公证人在其运行的主机上生成并存储签名密钥。这意味着 Docker Hub 不能从信任数据中删除标签,必须使用公证客户端删除它们。你可以用notary remove命令来做到这一点。同样,您必须指示它与正确的公证服务器通话(注意,既不是您,也不是作者有权从官方的高山资料库删除标签,下面的输出仅用于演示):
$ notary -s https://notary.docker.io -d ~/.docker/trust remove docker.io/library/alpine 2.6Removal of 2.6 from docker.io/library/alpine staged for next publish.
在前面的示例中,输出消息指示仅删除已分阶段。执行任何写入操作时,它们被分段到一个更改列表中。该列表在下一次notary publish为该存储库运行时应用于最新版本的信任存储库。
您可以通过运行notary status修改后的存储库来查看未完成的更改。该status子命令是脱机操作,因此,不需要-s标志,但它将忽略的标志,如果提供的。未能为-d标志提供正确的值可能会显示错误的(可能是空的)更改列表:
$ notary -d ~/.docker/trust status docker.io/library/alpine Unpublished changes for docker.io/library/alpine:action scope type path----------------------------------------------------delete targets target 2.6$ notary -s https://notary.docker.io publish docker.io/library/alpine
配置客户端
冗长而繁琐的是,总是必须手动为大多数命令提供-s和-d标志。创建预配置的 Notary 命令版本的简单方法是通过别名。将以下内容添加到您的.bashrc或同等设备:
alias dockernotary="notary -s https://notary.docker.io -d ~/.docker/trust"
更高级的配置方法和附加选项可以在配置文档中找到并运行notary --help。