docker-notary
tl;dr;
For detailed documentation on how to deploy a Notary server, see Running a Notary service. Before trying to interact with the Notary server, make sure the Docker or Notary client trusts the Notary server's certificate.
# Docker registry and Notary server set up with goharbor v2.0.0
# private registry address: 192.168.2.100:8888
# notary service address: 192.168.2.100:4443
$ ls -l /etc/docker/certs.d/192.168.2.100\:8888/
-rw-r--r-- 1 root root 1306 Jun 26 15:14 ca.crt
curl -sfSLk -o /usr/local/bin/notary https://github.com/theupdateframework/notary/releases/download/v0.6.1/notary-Linux-amd64
chmod +x /usr/local/bin/notary
$ docker trust key generate marco --dir ~/.docker/trust
Generating key for marco...
Enter passphrase for new marco key with ID fc3cf49:
Repeat passphrase for new marco key with ID fc3cf49:
Successfully generated and loaded private key. Corresponding public key available: /home/jeff/.docker/trust/marco.pub
$ tree ~/.docker/
/home/jeff/.docker/
├── config.json
└── trust
    ├── marco.pub
    └── private
        └── fc3cf49404af4c093cd23d676286962a6d803d59c4b9a3da4631cf7bb90771d1.key
2 directories, 3 files
$ notary -d ~/.docker/trust/ key list
ROLE    GUN    KEY ID                                                             LOCATION
----    ---    ------                                                             --------
marco          fc3cf49404af4c093cd23d676286962a6d803d59c4b9a3da4631cf7bb90771d1   /home/jeff/.docker/trust/private
################################### my cmd try 1 #####################
docker trust signer add --key ~/.docker/trust/marco.pub marco 192.168.2.100:8888/library/alpine
Adding signer "marco" to 192.168.2.100:8888/library/alpine...
Error: error contacting notary server: x509: certificate signed by unknown authority
Failed to add signer to: 192.168.2.100:8888/library/alpine
################################### my cmd try 2 #####################
docker -D trust signer add --key ~/.docker/trust/marco.pub marco 192.168.2.100:8888/library/alpine
Adding signer "marco" to 192.168.2.100:8888/library/alpine...
DEBU[0000] reading certificate directory: /home/jeff/.docker/tls/192.168.2.100:8888
DEBU[0000] Error pinging notary server "https://192.168.2.100:8888/v2/": Get https://192.168.2.100:8888/v2/: x509: certificate signed by unknown authority
DEBU[0000] Making dir path: /home/jeff/.docker/trust/tuf/192.168.2.100:8888/library/alpine/changelist
Error: error contacting notary server: x509: certificate signed by unknown authority
Failed to add signer to: 192.168.2.100:8888/library/alpine
mkdir -p /home/jeff/.docker/tls/192.168.2.100:8888
## copy ca.crt into the /home/jeff/.docker/tls/192.168.2.100:8888 directory
cp /etc/docker/certs.d/192.168.2.100\:8888/ca.crt /home/jeff/.docker/tls/192.168.2.100:8888/ca.crt
################################### my cmd try 3 #####################
docker -D trust signer add --key ~/.docker/trust/marco.pub marco 192.168.2.100:8888/library/alpine
Adding signer "marco" to 192.168.2.100:8888/library/alpine...
DEBU[0000] reading certificate directory: /home/jeff/.docker/tls/192.168.2.100:8888
DEBU[0000] crt: /home/jeff/.docker/tls/192.168.2.100:8888/ca.crt
DEBU[0000] Making dir path: /home/jeff/.docker/trust/tuf/192.168.2.100:8888/library/alpine/changelist
DEBU[0000] received HTTP status 404 when requesting root.
Initializing signed repository for 192.168.2.100:8888/library/alpine...
DEBU[0000] generated ECDSA key with keyID: 8331cc43f1e1f9647eebb00e8d6227f8eb5f0e1d85c692fb0d994ece7c5b4bce
DEBU[0000] generated new ecdsa key for role: root and keyID: 8331cc43f1e1f9647eebb00e8d6227f8eb5f0e1d85c692fb0d994ece7c5b4bce
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID 8331cc4:
Repeat passphrase for new root key with ID 8331cc4:
DEBU[0014] generated ECDSA key with keyID: 317d9f4deeaa26e877b4f570a01f969dbe733d74c7edd955f3747e21948fcd0b
DEBU[0014] generated new ecdsa key for role: targets and keyID: 317d9f4deeaa26e877b4f570a01f969dbe733d74c7edd955f3747e21948fcd0b
Enter passphrase for new repository key with ID 317d9f4:
Repeat passphrase for new repository key with ID 317d9f4:
Error: trust data missing for remote repository 192.168.2.100:8888/library/alpine or remote repository not found: timestamp key trust data unavailable. Has a notary repository been initialized?
Failed to add signer to: 192.168.2.100:8888/library/alpine
################################### my cmd try 4 #####################
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://192.168.2.100:4443
docker -D trust signer add --key ~/.docker/trust/marco.pub marco 192.168.2.100:8888/library/alpine
################################### my cmd try 5 #####################
docker -D trust signer add --key ~/.docker/trust/marco.pub marco 192.168.2.100:8888/library/alpine
Adding signer "marco" to 192.168.2.100:8888/library/alpine...
DEBU[0000] reading certificate directory: /home/jeff/.docker/tls/192.168.2.100:4443
DEBU[0000] crt: /home/jeff/.docker/tls/192.168.2.100:4443/ca.crt
DEBU[0000] Making dir path: /home/jeff/.docker/trust/tuf/192.168.2.100:8888/library/alpine/changelist
DEBU[0000] received HTTP status 404 when requesting root.
Initializing signed repository for 192.168.2.100:8888/library/alpine...
Enter passphrase for root key with ID 8331cc4:
DEBU[0007] generated ECDSA key with keyID: c55b2635ebbdb0c732ebfb05cb0aa7e6fe4dcc1f3167f691b8dcd2070243ed72
DEBU[0007] generated new ecdsa key for role: targets and keyID: c55b2635ebbdb0c732ebfb05cb0aa7e6fe4dcc1f3167f691b8dcd2070243ed72
Enter passphrase for new repository key with ID c55b263:
Repeat passphrase for new repository key with ID c55b263:
unable to reach trust server at this time: 500.
Failed to add signer to: 192.168.2.100:8888/library/alpine
################################### my cmd try 6 #####################
docker -D trust signer add --key ~/.docker/trust/marco.pub marco 192.168.2.100:8888/library/alpine
Adding signer "marco" to 192.168.2.100:8888/library/alpine...
DEBU[0000] reading certificate directory: /home/jeff/.docker/tls/192.168.2.100:4443
DEBU[0000] crt: /home/jeff/.docker/tls/192.168.2.100:4443/ca.crt
DEBU[0000] Making dir path: /home/jeff/.docker/trust/tuf/192.168.2.100:8888/library/alpine/changelist
DEBU[0000] received HTTP status 404 when requesting root.
Initializing signed repository for 192.168.2.100:8888/library/alpine...
Enter passphrase for root key with ID 8331cc4:
DEBU[0003] generated ECDSA key with keyID: ac0a64980a8b159a8e74d7635456ff403015d4111edd69cccb31cc8c2709372a
DEBU[0003] generated new ecdsa key for role: targets and keyID: ac0a64980a8b159a8e74d7635456ff403015d4111edd69cccb31cc8c2709372a
Enter passphrase for new repository key with ID ac0a649:
Repeat passphrase for new repository key with ID ac0a649:
DEBU[0006] got remote timestamp ecdsa key with keyID: 222074c42c69af1d498315ab8e7d004071ed9b1f60c1ccbe41de463c4bab1713
DEBU[0007] got remote snapshot ecdsa key with keyID: 4fb033d12b4c93115595c49fe8bda3dcddccaa88e30bb8e783d76d828433fe04
DEBU[0007] generating new snapshot...
DEBU[0007] Saving changes to Trusted Collection.
DEBU[0007] signing root...
DEBU[0007] sign called with 1/1 required keys
DEBU[0007] sign called with 0/0 required keys
DEBU[0007] sign targets called for role targets
DEBU[0007] sign called with 1/1 required keys
DEBU[0007] sign called with 0/0 required keys
Successfully initialized "192.168.2.100:8888/library/alpine"
DEBU[0007] Adding delegation "targets/marco" with threshold 1, and 1 keys\n
DEBU[0007] Adding [] paths to delegation targets/marco\n
DEBU[0007] Adding delegation "targets/releases" with threshold 1, and 1 keys\n
DEBU[0007] Adding [] paths to delegation targets/releases\n
DEBU[0007] entered ValidateRoot with dns: 192.168.2.100:8888/library/alpine
DEBU[0007] found the following root keys: [60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0]
DEBU[0007] found 1 valid leaf certificates for 192.168.2.100:8888/library/alpine: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] found 1 leaf certs, of which 1 are valid leaf certs for 192.168.2.100:8888/library/alpine
DEBU[0007] checking root against trust_pinning config for 192.168.2.100:8888/library/alpine
DEBU[0007] checking trust-pinning for cert: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] role has key IDs: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] verifying signature for key ID: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] root validation succeeded for 192.168.2.100:8888/library/alpine
DEBU[0007] entered ValidateRoot with dns: 192.168.2.100:8888/library/alpine
DEBU[0007] found the following root keys: [60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0]
DEBU[0007] found 1 valid leaf certificates for 192.168.2.100:8888/library/alpine: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] found 1 leaf certs, of which 1 are valid leaf certs for 192.168.2.100:8888/library/alpine
DEBU[0007] checking root against trust_pinning config for 192.168.2.100:8888/library/alpine
DEBU[0007] checking trust-pinning for cert: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] role has key IDs: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] verifying signature for key ID: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] root validation succeeded for 192.168.2.100:8888/library/alpine
DEBU[0007] received HTTP status 404 when requesting root.
DEBU[0007] Loading trusted collection.
DEBU[0007] entered ValidateRoot with dns: 192.168.2.100:8888/library/alpine
DEBU[0007] found the following root keys: [60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0]
DEBU[0007] found 1 valid leaf certificates for 192.168.2.100:8888/library/alpine: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] found 1 leaf certs, of which 1 are valid leaf certs for 192.168.2.100:8888/library/alpine
DEBU[0007] checking root against trust_pinning config for 192.168.2.100:8888/library/alpine
DEBU[0007] checking trust-pinning for cert: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] role has key IDs: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] verifying signature for key ID: 60ff8cc90860e6c21619b30799b72e71866b0f192a8ef27f421a370421aa0ff0
DEBU[0007] root validation succeeded for 192.168.2.100:8888/library/alpine
DEBU[0007] targets role has key IDs: ac0a64980a8b159a8e74d7635456ff403015d4111edd69cccb31cc8c2709372a
DEBU[0007] verifying signature for key ID: ac0a64980a8b159a8e74d7635456ff403015d4111edd69cccb31cc8c2709372a
DEBU[0007] role targets/marco with no Paths will never be able to publish content until one or more are added
DEBU[0007] role targets/releases with no Paths will never be able to publish content until one or more are added
DEBU[0007] applied 4 change(s)
DEBU[0007] sign targets called for role targets
DEBU[0007] sign called with 1/1 required keys
DEBU[0007] sign called with 0/0 required keys
DEBU[0007] generating new snapshot...
DEBU[0007] signing snapshot...
DEBU[0007] sign called with 1/1 required keys
DEBU[0007] Client does not have the key to sign snapshot. Assuming that server should sign the snapshot.
Successfully added signer: marco to 192.168.2.100:8888/library/alpine
################################### my cmd try 7 #####################
export DOCKER_CONTENT_TRUST=0
docker pull docker.io/library/alpine:3.12
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://192.168.2.100:4443
docker tag alpine:3.12 192.168.2.100:8888/library/alpine:3.12-signed
docker push 192.168.2.100:8888/library/alpine:3.12-signed
################################### my cmd try 8 #####################
notary -s https://192.168.2.100:4443 -d ~/.docker/trust --tlscacert ~/.docker/tls/192.168.2.100:4443/ca.crt list 192.168.2.100:8888/library/alpine
NAME         DIGEST                                                             SIZE (BYTES)    ROLE
----         ------                                                             ------------    ----
3.12-signed  a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd65   528             targets/marco
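As an added example that is not part of the original notes, here is a POSIX shell preflight script that encodes what tries 1-8 established: the client only trusts the Notary server once its CA sits under ~/.docker/tls/<trust-server host:port>/ca.crt, and after a push the digest that `notary list` reports for the tag should equal the manifest digest the registry served. The `--check` branch, the `docker image inspect` / `notary list` invocations and the sample listing are my assumptions, not the author's commands.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumes the Docker client reads the
# trust server's CA from ~/.docker/tls/<host:port>/ca.crt (tries 2 and 5 above) and
# that a signed target digest equals the manifest digest in `docker image inspect`.

# Map a DOCKER_CONTENT_TRUST_SERVER URL to the directory the client reads its CA from.
dct_tls_dir() {
  server="${1#https://}"; server="${server#http://}"; server="${server%/}"
  printf '%s/.docker/tls/%s\n' "${HOME:-/root}" "$server"
}

# Exit status 0 when ca.crt exists for the trust server (try 1 failed without it).
dct_ca_present() {
  [ -r "$(dct_tls_dir "$1")/ca.crt" ]
}

# Print the digest `notary list <GUN>` reports for a tag, optionally only when it was
# signed by a given delegation role; prints nothing when the tag is not signed.
notary_target_digest() {
  printf '%s\n' "$1" | awk -v tag="$2" -v role="${3:-}" '
    $1 == "NAME" || $1 ~ /^-+$/ { next }
    $1 == tag && (role == "" || $4 == role) { print $2; exit }'
}

# Compare a Notary target digest with a RepoDigests entry such as
# 192.168.2.100:8888/library/alpine@sha256:<hex>.
digest_matches() {
  [ "$1" = "${2##*@sha256:}" ]
}

# Constructed sample of the `notary list` output seen in try 8, for offline use.
SAMPLE_LISTING='NAME         DIGEST                                                           SIZE (BYTES) ROLE
----         ------                                                           ------------ ----
3.12-signed  a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd65 528          targets/marco'

# Live check: sh dct-preflight.sh --check 192.168.2.100:8888/library/alpine:3.12-signed
if [ "${1:-}" = "--check" ]; then
  server="${DOCKER_CONTENT_TRUST_SERVER:?set it, e.g. https://192.168.2.100:4443}"
  dct_ca_present "$server" || { echo "missing $(dct_tls_dir "$server")/ca.crt"; exit 1; }
  gun="${2%:*}"; tag="${2##*:}"   # the image reference must carry a tag
  listing="$(notary -s "$server" -d "$HOME/.docker/trust" \
             --tlscacert "$(dct_tls_dir "$server")/ca.crt" list "$gun")"
  signed="$(notary_target_digest "$listing" "$tag")"
  [ -n "$signed" ] || { echo "$2: no signed target in Notary"; exit 1; }
  repo="$(docker image inspect --format '{{index .RepoDigests 0}}' "$2")"
  digest_matches "$signed" "$repo" || { echo "$2: signed $signed != registry $repo"; exit 1; }
  echo "OK: $2 signed digest matches registry manifest"
fi
```

The first RepoDigests entry is only the right one when the image has a single registry tag, so check `docker image inspect` by hand if the image was tagged into several repositories.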
###################################
alias dockernotary="notary -c ~/.docker/trust/config.json -d ~/.docker/trust/ -s https://notary-server:4443"
# https://docs.docker.com/notary/reference/client-config/
cat ~/.docker/trust/config.json
{
  "trust_dir" : "~/.docker/trust",
  "remote_server": {
    "url": "https://my-notary-server.my-private-registry.com",
    "root_ca": "./fixtures/root-ca.crt",
    "tls_client_cert": "./fixtures/secure.example.com.crt",
    "tls_client_key": "./fixtures/secure.example.com.key"
  },
  "trust_pinning": {
    "certs": {
      "docker.com/notary": ["49cf5c6404a35fa41d5a5aa2ce539dfee0d7a2176d0da488914a38603b1f4292"]
    }
  }
}
ref
- Delegations for content trust | Docker Documentation
- Content trust in Docker | Docker Documentation
- docker - Can't Signing and pushing trust metadata in Notary - Stack Overflow
- The last mile of CNCF: Notary - Light reading: bits of PKS and K8S - Medium
- Notary client configuration file | Docker Documentation
- Signing Docker images using Docker Content Trust
- Docker Content Trust Implementation Process
- Why not use GPG for image signing?
- Docker Harbor
Last updated 2020-06-30