目录 搜索
Compose About versions and upgrading (Compose) ASP.NET Core + SQL Server on Linux (Compose) CLI environment variables (Compose) Command-line completion (Compose) Compose(组成) Compose command-line reference(组合命令行参考) Control startup order (Compose) Django and PostgreSQL (Compose) Docker stacks and distributed application bundles (Compose) docker-compose build(docker-compose构建) docker-compose bundle docker-compose config docker-compose create docker-compose down docker-compose events docker-compose exec docker-compose help docker-compose images docker-compose kill docker-compose logs docker-compose pause docker-compose port docker-compose ps docker-compose pull docker-compose push docker-compose restart docker-compose rm docker-compose run docker-compose scale docker-compose start docker-compose stop docker-compose top docker-compose unpause docker-compose up Environment file (Compose) Environment variables in Compose Extend services in Compose Frequently asked questions (Compose) Getting started (Compose) Install Compose Link environment variables (deprecated) (Compose) Networking in Compose Overview of Docker Compose Overview of docker-compose CLI Quickstart: Compose and WordPress Rails and PostgreSQL (Compose) Sample apps with Compose Using Compose in production Using Compose with Swarm Engine .NET Core application (Engine) About images, containers, and storage drivers (Engine) Add nodes to the swarm (Engine) Apply custom metadata (Engine) Apply rolling updates (Engine) apt-cacher-ng Best practices for writing Dockerfiles (Engine) Binaries (Engine) Bind container ports to the host (Engine) Breaking changes (Engine) Build your own bridge (Engine) Configure container DNS (Engine) Configure container DNS in user-defined networks (Engine) CouchDB (Engine) Create a base image (Engine) Create a swarm (Engine) Customize the docker0 bridge (Engine) Debian (Engine) Default bridge network Delete the service (Engine) Deploy a service (Engine) Deploy services to a swarm (Engine) Deprecated Engine features Docker container networking (Engine) Docker overview (Engine) Docker run reference (Engine) Dockerfile reference (Engine) Dockerize an application Drain a node (Engine) Engine FAQ (Engine) Fedora (Engine) Get started (Engine) Get started with macvlan network driver (Engine) Get started with multi-host networking (Engine) How nodes work (Engine) How services work (Engine) Image management (Engine) Inspect the service (Engine) Install Docker (Engine) IPv6 with Docker (Engine) Join nodes to a swarm (Engine) Legacy container links (Engine) Lock your swarm (Engine) Manage nodes in a swarm (Engine) Manage sensitive data with Docker secrets (Engine) Manage swarm security with PKI (Engine) Manage swarm service networks (Engine) Migrate to Engine 1.10 Optional Linux post-installation steps (Engine) Overview (Engine) PostgreSQL (Engine) Raft consensus in swarm mode (Engine) Riak (Engine) Run Docker Engine in swarm mode Scale the service (Engine) SDKs (Engine) Select a storage driver (Engine) Set up for the tutorial (Engine) SSHd (Engine) Storage driver overview (Engine) Store service configuration data (Engine) Swarm administration guide (Engine) Swarm mode key concepts (Engine) Swarm mode overlay network security model (Engine) Swarm mode overview (Engine) Understand container communication (Engine) Use multi-stage builds (Engine) Use swarm mode routing mesh (Engine) Use the AUFS storage driver (Engine) Use the Btrfs storage driver (Engine) Use the Device mapper storage driver (Engine) Use the OverlayFS storage driver (Engine) Use the VFS storage driver (Engine) Use the ZFS storage driver (Engine) Engine: Admin Guide Amazon CloudWatch logs logging driver (Engine) Bind mounts (Engine) Collect Docker metrics with Prometheus (Engine) Configuring and running Docker (Engine) Configuring logging drivers (Engine) Control and configure Docker with systemd (Engine) ETW logging driver (Engine) Fluentd logging driver (Engine) Format command and log output (Engine) Google Cloud logging driver (Engine) Graylog Extended Format (GELF) logging driver (Engine) Journald logging driver (Engine) JSON File logging driver (Engine) Keep containers alive during daemon downtime (Engine) Limit a container's resources (Engine) Link via an ambassador container (Engine) Log tags for logging driver (Engine) Logentries logging driver (Engine) PowerShell DSC usage (Engine) Prune unused Docker objects (Engine) Run multiple services in a container (Engine) Runtime metrics (Engine) Splunk logging driver (Engine) Start containers automatically (Engine) Storage overview (Engine) Syslog logging driver (Engine) tmpfs mounts Troubleshoot volume problems (Engine) Use a logging driver plugin (Engine) Using Ansible (Engine) Using Chef (Engine) Using Puppet (Engine) View a container's logs (Engine) Volumes (Engine) Engine: CLI Daemon CLI reference (dockerd) (Engine) docker docker attach docker build docker checkpoint docker checkpoint create docker checkpoint ls docker checkpoint rm docker commit docker config docker config create docker config inspect docker config ls docker config rm docker container docker container attach docker container commit docker container cp docker container create docker container diff docker container exec docker container export docker container inspect docker container kill docker container logs docker container ls docker container pause docker container port docker container prune docker container rename docker container restart docker container rm docker container run docker container start docker container stats docker container stop docker container top docker container unpause docker container update docker container wait docker cp docker create docker deploy docker diff docker events docker exec docker export docker history docker image docker image build docker image history docker image import docker image inspect docker image load docker image ls docker image prune docker image pull docker image push docker image rm docker image save docker image tag docker images docker import docker info docker inspect docker kill docker load docker login docker logout docker logs docker network docker network connect docker network create docker network disconnect docker network inspect docker network ls docker network prune docker network rm docker node docker node demote docker node inspect docker node ls docker node promote docker node ps docker node rm docker node update docker pause docker plugin docker plugin create docker plugin disable docker plugin enable docker plugin inspect docker plugin install docker plugin ls docker plugin push docker plugin rm docker plugin set docker plugin upgrade docker port docker ps docker pull docker push docker rename docker restart docker rm docker rmi docker run docker save docker search docker secret docker secret create docker secret inspect docker secret ls docker secret rm docker service docker service create docker service inspect docker service logs docker service ls docker service ps docker service rm docker service scale docker service update docker stack docker stack deploy docker stack ls docker stack ps docker stack rm docker stack services docker start docker stats docker stop docker swarm docker swarm ca docker swarm init docker swarm join docker swarm join-token docker swarm leave docker swarm unlock docker swarm unlock-key docker swarm update docker system docker system df docker system events docker system info docker system prune docker tag docker top docker unpause docker update docker version docker volume docker volume create docker volume inspect docker volume ls docker volume prune docker volume rm docker wait Use the Docker command line (Engine) Engine: Extend Access authorization plugin (Engine) Docker log driver plugins Docker network driver plugins (Engine) Extending Engine with plugins Managed plugin system (Engine) Plugin configuration (Engine) Plugins API (Engine) Volume plugins (Engine) Engine: Security AppArmor security profiles for Docker (Engine) Automation with content trust (Engine) Content trust in Docker (Engine) Delegations for content trust (Engine) Deploying Notary (Engine) Docker security (Engine) Docker security non-events (Engine) Isolate containers with a user namespace (Engine) Manage keys for content trust (Engine) Play in a content trust sandbox (Engine) Protect the Docker daemon socket (Engine) Seccomp security profiles for Docker (Engine) Secure Engine Use trusted images Using certificates for repository client verification (Engine) Engine: Tutorials Engine tutorials Network containers (Engine) Get Started Part 1: Orientation Part 2: Containers Part 3: Services Part 4: Swarms Part 5: Stacks Part 6: Deploy your app Machine Amazon Web Services (Machine) Digital Ocean (Machine) docker-machine active docker-machine config docker-machine create docker-machine env docker-machine help docker-machine inspect docker-machine ip docker-machine kill docker-machine ls docker-machine provision docker-machine regenerate-certs docker-machine restart docker-machine rm docker-machine scp docker-machine ssh docker-machine start docker-machine status docker-machine stop docker-machine upgrade docker-machine url Driver options and operating system defaults (Machine) Drivers overview (Machine) Exoscale (Machine) Generic (Machine) Get started with a local VM (Machine) Google Compute Engine (Machine) IBM Softlayer (Machine) Install Machine Machine Machine CLI overview Machine command-line completion Machine concepts and help Machine overview Microsoft Azure (Machine) Microsoft Hyper-V (Machine) Migrate from Boot2Docker to Machine OpenStack (Machine) Oracle VirtualBox (Machine) Provision AWS EC2 instances (Machine) Provision Digital Ocean Droplets (Machine) Provision hosts in the cloud (Machine) Rackspace (Machine) VMware Fusion (Machine) VMware vCloud Air (Machine) VMware vSphere (Machine) Notary Client configuration (Notary) Common Server and signer configurations (Notary) Getting started with Notary Notary changelog Notary configuration files Running a Notary service Server configuration (Notary) Signer configuration (Notary) Understand the service architecture (Notary) Use the Notary client
文字

本文档介绍公证人 CLI 的基本用法,作为支持 Docker  Content Trust的工具。对于更高级的使用情况,您必须运行自己的公证服务,并且应该读取公证客户端用于高级用户文档的用法。

什么是公证

公证是用于发布和管理可信集合内容的工具。发布商可以对收藏进行数字签名,消费者可以验证内容的完整性和来源。此功能基于简单的密钥管理和签名界面来创建签名集合并配置可信发布者。

通过公证,任何人都可以提供对任意数据集合的信任。使用更新框架(TUF)作为基础安全框架,公证负责创建,管理和分发必要的操作,以确保内容的完整性和新鲜度。

安装公证

您可以从 GitHub 的 Notary 存储库版本页面下载针对64位 Linux 或 macOS 的预编译公证库二进制文件。Windows 并未得到正式支持,但如果您是开发人员和 Windows 用户,我们将非常感谢您就问题提供的任何见解。

了解公证名称

公证处使用全球唯一名称(GUN)来识别信托收藏。要使公证以多租户方式运行,您必须在通过公证客户端与 Docker Hub 交互时使用此格式。为公证客户端指定 Docker 镜像名称时,GUN 格式为:

  • 对于官方图像(可通过“官方存储库”名称识别),Docker Hub 上显示的图像名称,前缀为docker.io/library/。例如,如果你通常输入docker pull ubuntu你必须输入notary {cmd} docker.io/library/ubuntu

  • 对于所有其他图像,Docker Hub 上显示的图像名称前缀为docker.io

Docker Engine 客户端为您处理这些名称扩展,因此不要更改您在 Engine 客户端或 API 中使用的名称。只有通过公证客户端与相同的 Docker Hub 存储库进行交互时,才需要这样做。

检查 Docker Hub 存储库

最基本的操作是将可用的签名标签列入存储库。隔离使用的公证客户端不知道信任存储库的位置。因此,您必须提供-s(或长格式--server)标志来告诉客户端应该与哪个存储库服务器进行通信。

官方的Docker Hub公证服务器位于https://notary.docker.io。如果您想使用您自己的公证服务器,则必须使用与客户端相同或更新的公证版本来实现功能兼容性(例如:客户端版本0.2,服务器/签署者版本> = 0.2)。此外,公证处还会将您自己的签名密钥和先前下载的信任元数据的缓存存储在随-d标志一起提供的目录中。与Docker Hub存储库进行交互时,您必须指示客户端使用关联的信任目录,默认情况下,该目录.docker/trust位于调用用户的主目录内(未能使用此目录可能会在向您的信任数据发布更新时导致错误):

$ notary -s https://notary.docker.io -d ~/.docker/trust list docker.io/library/alpine
   NAME                                 DIGEST                                SIZE (BYTES)    ROLE------------------------------------------------------------------------------------------------------  2.6      e9cec9aec697d8b9d450edd32860ecd363f2f3174c8338beb5f809422d182c63   1374           targets  2.7      9f08005dff552038f0ad2f46b8e65ff3d25641747d3912e3ea8da6785046561a   1374           targets  3.1      e876b57b2444813cd474523b9c74aacacc238230b288a22bccece9caf2862197   1374           targets  3.2      4a8c62881c6237b4c1434125661cddf09434d37c6ef26bf26bfaef0b8c5e2f05   1374           targets  3.3      2d4f890b7eddb390285e3afea9be98a078c2acd2fb311da8c9048e3d1e4864d3   1374           targets
  edge     878c1b1d668830f01c2b1622ebf1656e32ce830850775d26a387b2f11f541239   1374           targets
  latest   24a36bbc059b1345b7e8be0df20f1b23caa3602e85d42fff7ecd9d0bd255de56   1377           targets

输出显示了可用标记的名称,与该标记关联的图像清单的十六进制编码的 sha256 摘要,清单的大小以及将此标记签署到存储库中的公证角色。“目标”角色是简单存储库中最常见的角色。当存储库拥有(或期望)拥有协作者时,您可以根据管理员选择如何组织他们的协作者的方式,将其他“委派”角色列为签名者。

当你运行一个docker pull命令时,Docker 引擎使用一个集成的公证库(与公证人 CLI 相同)来请求将标签映射到你感兴趣的一个标签的 sha256 摘要中(或者如果你通过--all标志,客户端会使用列表操作高效地检索所有映射)。验证了信任数据上的签名后,客户端将指示引擎执行“按摘要拉取”。在此拉动过程中,引擎使用 sha256 校验和作为内容地址来请求并验证 Docker 注册表中的图像清单。

删除标签

公证人在其运行的主机上生成并存储签名密钥。这意味着 Docker Hub 不能从信任数据中删除标签,必须使用公证客户端删除它们。你可以用notary remove命令来做到这一点。同样,您必须指示它与正确的公证服务器通话(注意,既不是您,也不是作者有权从官方的高山资料库删除标签,下面的输出仅用于演示):

$ notary -s https://notary.docker.io -d ~/.docker/trust remove docker.io/library/alpine 2.6Removal of 2.6 from docker.io/library/alpine staged for next publish.

在前面的示例中,输出消息指示仅删除已分阶段。执行任何写入操作时,它们被分段到一个更改列表中。该列表在下一次notary publish为该存储库运行时应用于最新版本的信任存储库。

您可以通过运行notary status修改后的存储库来查看未完成的更改。该status子命令是脱机操作,因此,不需要-s标志,但它将忽略的标志,如果提供的。未能为-d标志提供正确的值可能会显示错误的(可能是空的)更改列表:

$ notary -d ~/.docker/trust status docker.io/library/alpine
Unpublished changes for docker.io/library/alpine:action    scope     type        path----------------------------------------------------delete    targets   target      2.6$ notary -s https://notary.docker.io publish docker.io/library/alpine

配置客户端

冗长而繁琐的是,总是必须手动为大多数命令提供-s-d标志。创建预配置的 Notary 命令版本的简单方法是通过别名。将以下内容添加到您的.bashrc或同等设备:

alias dockernotary="notary -s https://notary.docker.io -d ~/.docker/trust"

更高级的配置方法和附加选项可以在配置文档中找到并运行notary --help

上一篇: 下一篇: