Note: this article uses the podman that ships with RHEL or CentOS as the container runtime, but the commands also work with a docker runtime.
Registering a quay.io user
- Register a user on quay.io.
- Set the quay login username and password.
$ QUAY_USERNAME=<YOURNAME>
$ QUAY_PASSWORD=<YOURPASSWORD>
- Log in to quay.io.
$ podman login --username=${QUAY_USERNAME} --password=${QUAY_PASSWORD} quay.io
Login Succeeded!
Restricting pulls to validly signed images
- Check the current environment's trusted image sources; by default every registry is accepted.
$ podman image trust show
default accept
insecureAcceptAnything
$ more /etc/containers/policy.json
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports":
        {
            "docker-daemon":
                {
                    "": [{"type":"insecureAcceptAnything"}]
                }
        }
}
- Generate the key that will be used to sign images.
$ gpg2 --quick-gen-key --yes ec2-user
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 9CD1BA6AFA45A51B marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/FCC86EE462CCC768B1A4A76B9CD1BA6AFA45A51B.rev'
public and secret key created and signed.
pub rsa2048 2021-11-11 [SC] [expires: 2023-11-11]
FCC86EE462CCC768B1A4A76B9CD1BA6AFA45A51B
uid ec2-user
sub rsa2048 2021-11-11 [E]
$ mkdir /usr/tmp/keys
$ gpg2 --export ec2-user > /usr/tmp/keys/gpg-pubkey.gpg
- Create the quay.io.yaml file with the following content.
$ cat << EOF > /etc/containers/registries.d/quay.io.yaml
docker:
  quay.io:
    sigstore: file:///var/tmp/sigstore/quay.io
    sigstore-staging: file:///var/tmp/sigstore/quay.io
EOF
- Pull an image from an external registry, then re-tag it.
$ podman pull registry.fedoraproject.org/fedora:latest
Trying to pull registry.fedoraproject.org/fedora:latest...
Getting image source signatures
Copying blob 791199e77b3d done
Copying config 1b52edb081 done
Writing manifest to image destination
Storing signatures
1b52edb0818147bea39780625ec01ab46944284acf16d8bcfa4055f8a854a9f5
$ podman tag registry.fedoraproject.org/fedora:latest quay.io/${QUAY_USERNAME}/fedora:latest
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.fedoraproject.org/fedora latest 1b52edb08181 7 days ago 159 MB
quay.io/dawnskyliu/fedora latest 1b52edb08181 7 days ago 159 MB
- Push the image to quay.io, signing it before the push (you will be prompted for the key passphrase).
$ podman push --sign-by ec2-user quay.io/${QUAY_USERNAME}/fedora:latest
Getting image source signatures
Copying blob cd62a89550d0 done
Copying config 1b52edb081 done
Writing manifest to image destination
Signing manifest
Storing signatures
$ tree /var/tmp/sigstore
/var/tmp/sigstore
└── quay.io
└── dawnskyliu
└── fedora@sha256=213743bd8d56bf76bf086627e6b533914cd8ea98c5561c2c8764723056ce5523
└── signature-1
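The tree above shows how a file-based sigstore is laid out: one directory per image, named from the repository path plus the manifest digest with the `:` of `sha256:` turned into `=`, and one `signature-N` file per signature. The following is an added example, not code from the original post or from the podman project; it reproduces that mapping in Python and lists which signatures exist for a given image and digest. The sample tree it builds in a temporary directory is constructed (the second signature file is invented to show that several signatures can coexist), and the signature file contents are placeholders, not real OpenPGP blobs.

```python
"""Locate and list signatures in a file-based sigstore (added example).

Layout assumed (matches the `tree /var/tmp/sigstore` output in the post):
  <root>/<registry>/<namespace>/<repo>@sha256=<hex>/signature-<n>
"""
import os
import re
import tempfile

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
SIG_FILE_RE = re.compile(r"^signature-(\d+)$")


def sigstore_dir(root, image_ref, digest):
    """Return the sigstore directory for image_ref at the given manifest digest.

    image_ref is "registry[:port]/namespace/repo[:tag][@digest]". The tag is
    dropped: signatures are bound to the manifest digest, never to a tag.
    """
    if not DIGEST_RE.match(digest):
        raise ValueError("digest must look like sha256:<64 hex chars>")
    name = image_ref.split("@", 1)[0]          # drop any @digest suffix
    registry, _, path = name.partition("/")    # a port colon stays in `registry`
    if ":" in path:                            # only a tag can remain in `path`
        path = path.rsplit(":", 1)[0]
    # containers/image stores "sha256:<hex>" as "sha256=<hex>" on disk
    return os.path.join(root, registry, path + "@" + digest.replace(":", "=", 1))


def list_signatures(root, image_ref, digest):
    """Return signature file names for the image in signature-N order; [] if unsigned."""
    sig_dir = sigstore_dir(root, image_ref, digest)
    if not os.path.isdir(sig_dir):
        return []
    found = [(int(m.group(1)), f) for f in os.listdir(sig_dir)
             if (m := SIG_FILE_RE.match(f))]
    return [f for _, f in sorted(found)]


# Digest of the signed fedora image from the post
DEMO_IMAGE = "quay.io/dawnskyliu/fedora:latest"
DEMO_DIGEST = "sha256:213743bd8d56bf76bf086627e6b533914cd8ea98c5561c2c8764723056ce5523"


def build_demo_sigstore(root):
    """Constructed sample tree: one signed image carrying two signatures."""
    sig_dir = sigstore_dir(root, DEMO_IMAGE, DEMO_DIGEST)
    os.makedirs(sig_dir)
    for n in (1, 2):
        with open(os.path.join(sig_dir, f"signature-{n}"), "wb") as fh:
            fh.write(b"<constructed placeholder, not a real OpenPGP signature>")


def demo():
    """Build the sample tree and report what a verifier would find."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_sigstore(root)
        signed = list_signatures(root, DEMO_IMAGE, DEMO_DIGEST)
        # A different digest (e.g. a tampered manifest) has no signature directory.
        other = list_signatures(root, DEMO_IMAGE, "sha256:" + "0" * 64)
        rel = os.path.relpath(sigstore_dir(root, DEMO_IMAGE, DEMO_DIGEST), root)
    return {"signed": signed, "unsigned": other, "path": rel}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the lookup key is the manifest digest, re-tagging an image (as done with `podman tag` above) does not invalidate its signature, while any change to the manifest produces a digest for which no signature directory exists.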
- Configure the trusted registries, then verify that the policy is enforced.
$ podman image trust show
default accept
insecureAcceptAnything
$ podman image trust set -t reject default
$ podman image trust show
default reject
insecureAcceptAnything
$ podman pull quay.io/${QUAY_USERNAME}/fedora:latest
Trying to pull quay.io/dawnskyliu/fedora:latest...
Running image docker://quay.io/dawnskyliu/fedora:latest is rejected by policy.
Error: Source image rejected: Running image docker://quay.io/dawnskyliu/fedora:latest is rejected by policy.
- Set quay.io as a trusted image source, verifying its images with the public key.
$ podman image trust set --type signedBy --pubkeysfile /usr/tmp/keys/gpg-pubkey.gpg quay.io
$ podman image trust show
default reject
quay.io signedBy ec2-user file:///var/tmp/sigstore/quay.io
insecureAcceptAnything
- Pull the image from quay.io again and confirm that it now succeeds.
$ podman pull quay.io/${QUAY_USERNAME}/fedora:latest
Trying to pull quay.io/dawnskyliu/fedora:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob b43a615cc1f3 [--------------------------------------] 0.0b / 0.0b
Copying config 1b52edb081 done
Writing manifest to image destination
Storing signatures
1b52edb0818147bea39780625ec01ab46944284acf16d8bcfa4055f8a854a9f5
- Pull an image from registry.access.redhat.com and confirm it is "rejected": registry.access.redhat.com is not yet trusted.
$ podman pull registry.access.redhat.com/ubi8/ubi
Trying to pull registry.access.redhat.com/ubi8/ubi:latest...
Running image docker://registry.access.redhat.com/ubi8/ubi:latest is rejected by policy.
Error: Source image rejected: Running image docker://registry.access.redhat.com/ubi8/ubi:latest is rejected by policy.
- Set registry.access.redhat.com as a trusted image source.
$ podman image trust set -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release registry.access.redhat.com
$ podman image trust show
default reject
quay.io signedBy ec2-user file:///var/tmp/sigstore/quay.io
registry.access.redhat.com signedBy [email protected], [email protected] https://access.redhat.com/webassets/docker/content/sigstore
insecureAcceptAnything
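`podman image trust show` is a view over /etc/containers/policy.json, and the state reached above (default reject, per-registry signedBy rules) is what a hardened host should look like. The following is an added example, not code from the original post or from the podman project: it audits a policy.json in Python and flags the settings a reviewer would want to catch, namely a default other than reject, any insecureAcceptAnything rule, and signedBy rules whose key file is missing. The two policies embedded in it are constructed: the first is the RHEL default listed earlier in the post, the second is the expected state after the `podman image trust set` commands, using the same key paths as the post.

```python
"""Audit /etc/containers/policy.json for weak trust settings (added example)."""
import json
import os

# Constructed: the stock RHEL policy shown earlier in the post.
DEFAULT_POLICY = json.loads("""
{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}
""")

# Constructed: the policy after `podman image trust set -t reject default`
# and the two signedBy rules. Key paths are the ones used in the post.
HARDENED_POLICY = {
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "quay.io": [{
                "type": "signedBy", "keyType": "GPGKeys",
                "keyPath": "/usr/tmp/keys/gpg-pubkey.gpg"}],
            "registry.access.redhat.com": [{
                "type": "signedBy", "keyType": "GPGKeys",
                "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}],
        },
        "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]},
    },
}


def audit_policy(policy, key_exists=os.path.isfile):
    """Return (severity, scope, message) findings; an empty list means strict.

    key_exists is injectable so the audit can run against a policy copied
    from another host without that host's key files being present.
    """
    findings = []
    default_rules = policy.get("default", [])
    if not default_rules:
        findings.append(("high", "default", "no default rule present"))
    for rule in default_rules:
        if rule.get("type") != "reject":
            findings.append(("high", "default",
                             f"default is {rule.get('type')}; set it to reject so "
                             "only explicitly listed registries are allowed"))
    for transport, scopes in policy.get("transports", {}).items():
        for scope, rules in scopes.items():
            label = f"{transport}:{scope or '<any>'}"
            for rule in rules:
                kind = rule.get("type")
                if kind == "insecureAcceptAnything":
                    findings.append(("high", label, "accepts unsigned images"))
                elif kind == "signedBy":
                    if rule.get("keyType") != "GPGKeys":
                        findings.append(("medium", label,
                                         f"unexpected keyType {rule.get('keyType')!r}"))
                    key_path = rule.get("keyPath")
                    if key_path is None and rule.get("keyData") is None:
                        findings.append(("high", label, "signedBy rule names no key"))
                    elif key_path is not None and not key_exists(key_path):
                        findings.append(("high", label,
                                         f"signedBy key file missing: {key_path!r}"))
                elif kind != "reject":
                    findings.append(("medium", label, f"unknown rule type {kind!r}"))
    return findings


def audit_file(path="/etc/containers/policy.json"):
    """Audit the policy file installed on this host."""
    with open(path, encoding="utf-8") as fh:
        return audit_policy(json.load(fh))


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"== {name} policy ==")
        # key_exists is stubbed here so the demo does not depend on local key files
        for severity, scope, message in audit_policy(policy, key_exists=lambda p: True):
            print(f"  [{severity}] {scope}: {message}")
```

Even the hardened policy keeps one finding: the docker-daemon transport still accepts anything, which is what the stock file ships with and what `podman image trust set` leaves untouched. Whether that matters depends on whether images are ever loaded from a local docker daemon on the host; on a podman-only host it can be tightened to reject as well.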
- Pull from registry.access.redhat.com again and confirm it is still "rejected", this time because no signature is found for the pulled image.
$ podman pull registry.access.redhat.com/ubi8/ubi
Trying to pull registry.access.redhat.com/ubi8/ubi:latest...
A signature was required, but no signature exists
Error: Source image rejected: A signature was required, but no signature exists
- Configure the signature store used to verify images from registry.access.redhat.com.
$ cat <<EOF > /etc/containers/registries.d/registry.access.redhat.com.yaml
docker:
  registry.access.redhat.com:
    sigstore: https://access.redhat.com/webassets/docker/content/sigstore
EOF
Note: signature store URLs for the other Red Hat registries.
https://access.redhat.com/webassets/docker/content/sigstore
https://registry.redhat.io/containers/sigstore
- Finally, confirm that images can now be pulled from registry.access.redhat.com.
$ podman pull registry.access.redhat.com/ubi8/ubi
Trying to pull registry.access.redhat.com/ubi8/ubi:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 63f9f4c31162 done
Copying blob ce3c6836540f done
Copying config cc06568478 done
Writing manifest to image destination
Storing signatures
cc0656847854310306093b3dc1a7d9e7fc06399da46853e0c921cd5ec1906bfd
Other
http://redhatgov.io/workshops/security_container_intro/lab07-signing/
Container primer (8): image signing
Setting up image signature verification for OpenShift