容器安全 - 限制docker/podman只能使用有效签名的镜像
2024-05-29 18:52:05
《OpenShift 4.x HOL教程汇总》
文章目录
- 注册quay.io用户
- 限制只能使用有效签名的镜像
- 其他
说明:本文使用RHEL或CentOS自带的podman作为容器运行环境,不过这些命令也适合docker容器运行环境。
注册quay.io用户
- 在quay.io上注册用户。
- 设置quay的登录用户名和密码
$ QUAY_USERNAME=<YOURNAME>
$ QUAY_PASSWORD=<YOURNAME>
- 登录quay.io
$ podman login --username=${QUAY_USERNAME} --password=${QUAY_PASSWORD} quay.io
Login Succeeded!
限制只能使用有效签名的镜像
- 查看当前环境的可信镜像源,缺省接受所有Registry来源。
$ podman image trust show
default accept insecureAcceptAnything
$ more /etc/containers/policy.json
{"default": [{"type": "insecureAcceptAnything"}],"transports":{"docker-daemon":{"": [{"type":"insecureAcceptAnything"}]}}
}
- 执行命令创建镜像签名用的秘钥。
$ gpg2 --quick-gen-key --yes ec2-user
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 9CD1BA6AFA45A51B marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/FCC86EE462CCC768B1A4A76B9CD1BA6AFA45A51B.rev'
public and secret key created and signed.pub rsa2048 2021-11-11 [SC] [expires: 2023-11-11]FCC86EE462CCC768B1A4A76B9CD1BA6AFA45A51B
uid ec2-user
sub rsa2048 2021-11-11 [E]$ mkdir /usr/tmp/keys
$ gpg2 --export ec2-user > /usr/tmp/keys/gpg-pubkey.gpg
- 创建quay.io.yaml 文件,并提供以下内容。
$ cat << EOF > /etc/containers/registries.d/quay.io.yaml
docker:quay.io:sigstore: file:///var/tmp/sigstore/quay.iosigstore-staging: file:///var/tmp/sigstore/quay.io
EOF
- 从外部拉取镜像,然后重新打标签。
$ podman pull registry.fedoraproject.org/fedora:latest
Trying to pull registry.fedoraproject.org/fedora:latest...
Getting image source signatures
Copying blob 791199e77b3d done
Copying config 1b52edb081 done
Writing manifest to image destination
Storing signatures
1b52edb0818147bea39780625ec01ab46944284acf16d8bcfa4055f8a854a9f5$ podman tag registry.fedoraproject.org/fedora:latest quay.io/${QUAY_USERNAME}/fedora:latest
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.fedoraproject.org/fedora latest 1b52edb08181 7 days ago 159 MB
quay.io/dawnskyliu/fedora latest 1b52edb08181 7 days ago 159 MB
- 将镜像推送到quay.io,在推送前先对镜像签名(需要输入秘钥密码)。
$ podman push --sign-by ec2-user quay.io/${QUAY_USERNAME}/fedora:latest
Getting image source signatures
Copying blob cd62a89550d0 done
Copying config 1b52edb081 done
Writing manifest to image destination
Signing manifest
Storing signatures$ tree /var/tmp/sigstore
/var/tmp/sigstore
└── quay.io└── dawnskyliu└── fedora@sha256=213743bd8d56bf76bf086627e6b533914cd8ea98c5561c2c8764723056ce5523└── signature-1
- 设置可信的镜像库,然后验证有效性。
$ podman image trust show
default accept insecureAcceptAnything
$ podman image trust set -t reject default
podman image trust show
default reject insecureAcceptAnything
$ podman pull quay.io/${QUAY_USERNAME}/fedora:latest
Trying to pull quay.io/dawnskyliu/fedora:latest...Running image docker://quay.io/dawnskyliu/fedora:latest is rejected by policy.
Error: Source image rejected: Running image docker://quay.io/dawnskyliu/fedora:latest is rejected by policy.
- 设置quay.io为可信镜像源,并使用公钥验证镜像有效性。
$ podman image trust set --type signedBy --pubkeysfile /usr/tmp/keys/gpg-pubkey.gpg quay.io
$ podman image trust show
default reject
quay.io signedBy ec2-user file:///var/tmp/sigstore/quay.ioinsecureAcceptAnything
- 再次从quay.io获取镜像,确认可以正常获取到。
$ podman pull quay.io/${QUAY_USERNAME}/fedora:latest
Trying to pull quay.io/dawnskyliu/fedora:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob b43a615cc1f3 [--------------------------------------] 0.0b / 0.0b
Copying config 1b52edb081 done
Writing manifest to image destination
Storing signatures
1b52edb0818147bea39780625ec01ab46944284acf16d8bcfa4055f8a854a9f5
- 从registry.access.redhat.com镜像源获取镜像,确认被“rejected”,这是因为registry.access.redhat.com没有被信任。
$ podman pull registry.access.redhat.com/ubi8/ubi
Trying to pull registry.access.redhat.com/ubi8/ubi:latest...Running image docker://registry.access.redhat.com/ubi8/ubi:latest is rejected by policy.
Error: Source image rejected: Running image docker://registry.access.redhat.com/ubi8/ubi:latest is rejected by policy.
- 将registry.access.redhat.com设为可信镜像源。
$ podman image trust set -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release registry.access.redhat.com
$ podman image trust show
default reject
quay.io signedBy ec2-user file:///var/tmp/sigstore/quay.io
registry.access.redhat.com signedBy security@redhat.com, security@redhat.com https://access.redhat.com/webassets/docker/content/sigstoreinsecureAcceptAnything
- 再次从registry.access.redhat.com镜像源获取镜像,确认被“rejected”,这是因为拉取的镜像没有被签名。
$ podman pull registry.access.redhat.com/ubi8/ubi
Trying to pull registry.access.redhat.com/ubi8/ubi:latest...A signature was required, but no signature exists
Error: Source image rejected: A signature was required, but no signature exists
- 设置registry.access.redhat.com镜像源的验签公钥。
$ cat <<EOF > /etc/containers/registries.d/registry.access.redhat.com.yaml
docker:registry.access.redhat.com:sigstore: https://access.redhat.com/webassets/docker/content/sigstore
EOF
说明,其他 redhat 镜像源验签地址。
https://access.redhat.com/webassets/docker/content/sigstorehttps://registry.redhat.io/containers/sigstore
- 最后确认可以从registry.access.redhat.com镜像源获取镜像了。
$ podman pull registry.access.redhat.com/ubi8/ubi
Trying to pull registry.access.redhat.com/ubi8/ubi:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 63f9f4c31162 done
Copying blob ce3c6836540f done
Copying config cc06568478 done
Writing manifest to image destination
Storing signatures
cc0656847854310306093b3dc1a7d9e7fc06399da46853e0c921cd5ec1906bfd
其他
http://redhatgov.io/workshops/security_container_intro/lab07-signing/
容器入门(8) - 镜像签名
为OpenShift设置镜像验签
容器安全 - 限制docker/podman只能使用有效签名的镜像相关推荐
- 学习笔记:云原生容器化技术——Docker
Docker学习笔记 前言 一.Docker概述 1.1 Docker为什么会出现? 1.2 Docker的历史 1.3 Docker为什么这么火爆? 1.4 虚拟机技术与容器化技术的区别 二.Doc ...
- Docker/Podman使用入门---从容器构建镜像 提交镜像到服务器UCloud dockerhub
文章目录 1.docker commit 提交镜像命令 2.将镜像提交到UCloud服务器 step1: 先在UCloud服务器上面,创建镜像仓库 step2: 登录UCloud镜像仓库 step3: ...
- Docker容器虚拟化技术---Docker运维管理(Docker Compose)4
Docker容器虚拟化技术-Docker运维管理(Docker Compose)4 Docker Compose 通过前面的讲解我们知道使用一个Dockerfile模板文件,可以很方便地定义一个单独的 ...
- Docker容器虚拟化技术---Docker高级实战(DockerFile)2
Docker容器虚拟化技术-Docker高级实战(DockerFile) DockerFile是一个文本格式的配置文件,用户可以使用DockerFile来快速创建自定义的镜像. 1. DockerFi ...
- Docker容器虚拟化技术---Docker安装和操作1
一.Docker安装 Docker在主流的操作系统和云平台上都可以使用,包括Linux操作 系统(如Ubuntu.Debian.CentOS.Redhat等).MacOS操作系统和 Windows操作 ...
- 虚拟化 VS 容器化(docker)
虚拟化 VS 容器化(docker) 以 Docker 为代表的容器技术一度被认为是虚拟化技术的替代品,然而这两种技术之间并不是不可调和的.作者分别列举了容器技术以及虚拟化技术的优缺点,并提出将两者结 ...
- Linux 容器化技术详解(虚拟化、容器化、Docker)
虚拟化是过去用来充分利用物理资源的最常用方法.早年间,我们可以用一台服务器运行一个操作系统,处理一个任务,带来的问题是资源利用率极其不足,计算机的潜能并不能完全发挥,而后多道批处理系统.分时系统相继出 ...
- 如何从Docker容器内部获取Docker主机的IP地址
本文翻译自:How to get the IP address of the docker host from inside a docker container As the title says. ...
- 开源的容器虚拟化平台Docker学习笔记,个人私藏分享,不谢!
一.Docker 简介 Docker 两个主要部件: Docker: 开源的容器虚拟化平台 Docker Hub: 用于分享.管理 Docker 容器的 Docker SaaS 平台 -- Docke ...
最新文章
- flower.php,flowerlist.php
- video.min.js php,使用flv.js与video.js做一个视频直播效果
- python的编程模式-Python 编程,应该养成哪些好的习惯?
- HTML5的明天,局部有小雨
- Wechat公众号授权登录接口
- C++自己实现一个String类
- RocketMQ 下载、安装与 单机启动
- java实现url转码、解码
- php v9搜索不到内容,關於如何解決PHPCMS V9內容搜索顯示不全問題解決方案
- 智慧城市综合管控平台
- 计算机本科科研什么项目,本科生做科研:大势所趋?
- pyqt5 选择打开文件夹与读取文件夹图片列表
- 解决Microsoft.NET Framework 3.5Service Pack1失败问题
- kettle8.3-win安装操作指南
- 谷歌浏览器调试时页面的刷新与强制刷新+清空缓存的操作
- 制作美联英语在线VIP页面----特色服务模块
- 常见的agv控制系统及功能有哪些?
- 程序员自我修炼:《匠艺整洁之道》读书总结
- 【解决】android设备有root权限,执行“adb disable-verity”命令报错“verity cannot be disabled/enabled - USER build”
- 基于Web标准的网页设计与制作知识整理