
This page explains how to set up and use a sandbox for experimenting with trust. The sandbox lets you configure and try trust operations locally without affecting your production images.

Before working through this sandbox, you should read the trust overview carefully.

Prerequisites

These instructions assume you are running on Linux or macOS. You can run this sandbox on a local machine or in a virtual machine. You need privileges to run docker commands on your local machine or in the VM.

This sandbox requires two Docker tools to be installed: Docker Engine >= 1.10.0 and Docker Compose >= 1.6.0. To install Docker Engine, choose from the list of supported platforms. To install Docker Compose, see the detailed instructions there.

Finally, you need a text editor installed on your local system or VM.

What is in the sandbox?

If you just use trust out of the box, you only need your Docker Engine client and access to Docker Hub. The sandbox mimics a production trust environment and sets up these additional components.

    Container          Description
    trustsandbox       A container with the latest version of Docker Engine and some preconfigured certificates. This is your sandbox, where you use the docker client to test trust operations.
    Registry server    A local registry service.
    Notary server      The service that does all the heavy lifting of managing trust.

This means you run your own content trust (Notary) server and registry. If you work exclusively with Docker Hub, you do not need these components; they are built into Docker Hub for you. For the sandbox, however, you build your own entire mock production environment.

Within the trustsandbox container, you interact with your local registry rather than Docker Hub. This means your everyday image repositories are not used; they are protected while you play.

When you play in the sandbox, you also create root and repository keys. The sandbox is configured to store all the keys and files inside the trustsandbox container. Since the keys you create in the sandbox are for play only, destroying the container destroys them as well.

By using a docker-in-docker image for the trustsandbox container, you also do not pollute your real Docker daemon cache with any images you push and pull. These images are stored in an anonymous volume attached to this container and can be destroyed after you destroy the container.

Build the sandbox

In this section, you use Docker Compose to specify how to set up and link together the trustsandbox container, the Notary server, and the registry server.

1. Create a new trustsandbox directory and change into it.

    $ mkdir trustsandbox
    $ cd trustsandbox

2. Create a file called docker-compose.yml with your favorite editor. For example, using vim:

    $ touch docker-compose.yml
    $ vim docker-compose.yml

3. Add the following to the new file.

    version: "2"
    services:
      notaryserver:
        image: dockersecurity/notary_autobuilds:server-v0.4.2
        volumes:
          - notarycerts:/go/src/github.com/docker/notary/fixtures
        networks:
          - sandbox
        environment:
          - NOTARY_SERVER_STORAGE_TYPE=memory
          - NOTARY_SERVER_TRUST_SERVICE_TYPE=local
      sandboxregistry:
        image: registry:2.4.1
        networks:
          - sandbox
        container_name: sandboxregistry
      trustsandbox:
        image: docker:dind
        networks:
          - sandbox
        volumes:
          - notarycerts:/notarycerts
        privileged: true
        container_name: trustsandbox
        entrypoint: ""
        # Trust the CA behind the Notary server's TLS certificate, then start the
        # inner daemon; the sandbox registry speaks plain HTTP, so it is allowed explicitly.
        command: |-
            sh -c '
                cp /notarycerts/root-ca.crt /usr/local/share/ca-certificates/root-ca.crt &&
                update-ca-certificates &&
                dockerd-entrypoint.sh --insecure-registry sandboxregistry:5000'
    volumes:
      notarycerts:
        external: false
    networks:
      sandbox:
        external: false

4. Save and close the file.

5. Run the containers on your local system.

    $ docker-compose up -d

The first time you run this, the docker-in-docker, Notary server, and registry images are first downloaded from Docker Hub.

Play in the sandbox

Now that everything is set up, you can go into your trustsandbox container and start testing Docker content trust. From your host machine, obtain a shell in the trustsandbox container.

    $ docker exec -it trustsandbox sh
    / #

Test some trust operations

Now, you pull some images from within the trustsandbox container.

6. Download a Docker image to test with.

    / # docker pull docker/trusttest
    docker pull docker/trusttest
    Using default tag: latest
    latest: Pulling from docker/trusttest
    b3dbab3810fc: Pull complete
    a9539b34a6ab: Pull complete
    Digest: sha256:d149ab53f8718e987c3a3024bb8aa0e2caadf6c0328f1d9d850b2a2a67f2819a
    Status: Downloaded newer image for docker/trusttest:latest

7. Tag it to be pushed to our sandbox registry:

    / # docker tag docker/trusttest sandboxregistry:5000/test/trusttest:latest

8. Enable content trust.

    / # export DOCKER_CONTENT_TRUST=1

9. Identify the trust server.

    / # export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443

This step is only necessary because the sandbox is using its own server. Normally, if you are using the public Docker Hub, this step is not necessary.

10. Pull the test image.

    / # docker pull sandboxregistry:5000/test/trusttest
    Using default tag: latest
    Error: remote trust data does not exist for sandboxregistry:5000/test/trusttest: notaryserver:4443 does not have trust data for sandboxregistry:5000/test/trusttest

You see an error because this content does not exist on the notaryserver yet.

11. Push and sign the trusted image.

    / # docker push sandboxregistry:5000/test/trusttest:latest
    The push refers to a repository sandboxregistry:5000/test/trusttest
    5f70bf18a086: Pushed
    c22f7bc058a9: Pushed
    latest: digest: sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926 size: 734
    Signing and pushing trust metadata
    You are about to create a new root signing key passphrase. This passphrase
    will be used to protect the most sensitive key in your signing system. Please
    choose a long, complex passphrase and be careful to keep the password and the
    key file itself secure and backed up. It is highly recommended that you use a
    password manager to generate the passphrase and keep it safe. There will be no
    way to recover this key. You can find the key in your config directory.
    Enter passphrase for new root key with ID 27ec255:
    Repeat passphrase for new root key with ID 27ec255:
    Enter passphrase for new repository key with ID 58233f9 (sandboxregistry:5000/test/trusttest):
    Repeat passphrase for new repository key with ID 58233f9 (sandboxregistry:5000/test/trusttest):
    Finished initializing "sandboxregistry:5000/test/trusttest"
    Successfully signed "sandboxregistry:5000/test/trusttest":latest

Because you are pushing this repository for the first time, docker creates new root and repository keys and asks you for a passphrase with which to encrypt them. If you push again after this, it only asks you for the repository passphrase so it can decrypt the key and sign again.

12. Try pulling the image you just pushed:

    / # docker pull sandboxregistry:5000/test/trusttest
    Using default tag: latest
    Pull (1 of 1): sandboxregistry:5000/test/trusttest:latest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
    sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926: Pulling from test/trusttest
    Digest: sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
    Status: Downloaded newer image for sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
    Tagging sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926 as sandboxregistry:5000/test/trusttest:latest

Test with malicious images

What happens when data is corrupted and you try to pull it with trust enabled? In this section, you go into the sandboxregistry and tamper with some data. Then, you try to pull it.

  • Leave the trustsandbox shell and container running.

  • Open a new interactive terminal from your host and obtain a shell into the sandboxregistry container.

    $ docker exec -it sandboxregistry bash
    root@65084fc6f047:/#

  • List the layers for the test/trusttest image you pushed:

    root@65084fc6f047:/# ls -l /var/lib/registry/docker/registry/v2/repositories/test/trusttest/_layers/sha256
    total 12
    drwxr-xr-x 2 root root 4096 Jun 10 17:26 a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
    drwxr-xr-x 2 root root 4096 Jun 10 17:26 aac0c133338db2b18ff054943cee3267fe50c75cdee969aed88b1992539ed042
    drwxr-xr-x 2 root root 4096 Jun 10 17:26 cc7629d1331a7362b5e5126beb5bf15ca0bf67eb41eab994c719a45de53255cd

  • Change into the registry storage for one of those layers (note that it is in a different directory):

    root@65084fc6f047:/# cd /var/lib/registry/docker/registry/v2/blobs/sha256/aa/aac0c133338db2b18ff054943cee3267fe50c75cdee969aed88b1992539ed042

  • Add malicious data to one of the trusttest layers:

    root@65084fc6f047:/# echo "Malicious data" > data

  • Go back to your trustsandbox terminal.

  • List the trusttest images.

    / # docker images | grep trusttest
    REPOSITORY                            TAG                 IMAGE ID            CREATED             SIZE
    docker/trusttest                      latest              cc7629d1331a        11 months ago       5.025 MB
    sandboxregistry:5000/test/trusttest   latest              cc7629d1331a        11 months ago       5.025 MB
    sandboxregistry:5000/test/trusttest   <none>              cc7629d1331a        11 months ago       5.025 MB

  • Remove the trusttest:latest image from our local cache.

    / # docker rmi -f cc7629d1331a
    Untagged: docker/trusttest:latest
    Untagged: sandboxregistry:5000/test/trusttest:latest
    Untagged: sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
    Deleted: sha256:cc7629d1331a7362b5e5126beb5bf15ca0bf67eb41eab994c719a45de53255cd
    Deleted: sha256:2a1f6535dc6816ffadcdbe20590045e6cbf048d63fd4cc753a684c9bc01abeea
    Deleted: sha256:c22f7bc058a9a8ffeb32989b5d3338787e73855bf224af7aa162823da015d44c

Docker does not re-download images it already has cached, but we want Docker to attempt to download the tampered image from the registry and reject it because it is invalid.

  • Pull the image again. This downloads the image from the registry because we no longer have it cached.

    / # docker pull sandboxregistry:5000/test/trusttest
    Using default tag: latest
    Pull (1 of 1): sandboxregistry:5000/test/trusttest:latest@sha256:35d5bc26fd358da8320c137784fe590d8fcf9417263ef261653e8e1c7f15672e
    sha256:35d5bc26fd358da8320c137784fe590d8fcf9417263ef261653e8e1c7f15672e: Pulling from test/trusttest
    aac0c133338d: Retrying in 5 seconds
    a3ed95caeb02: Download complete
    error pulling image configuration: unexpected EOF

You see that the pull did not complete because the trust system was unable to verify the image.
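As an added example (not code from this page or from the registry project), the Python script below performs the integrity check that the tampered layer above fails: it recomputes the SHA-256 of every blob under a registry:2 storage root and flags any whose content no longer matches the digest in its path, so an operator can audit registry storage for exactly this kind of corruption. The storage tree it builds is constructed sample data, and the function names are assumptions.

```python
import hashlib
import os
import tempfile

# Storage layout used by registry:2 (the sandboxregistry container above).
REGISTRY_V2 = os.path.join("docker", "registry", "v2")


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large layer blobs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_registry_blobs(root: str) -> dict:
    """Map each digest under blobs/sha256/<xx>/<digest>/data to True (content still
    hashes to its digest) or False (tampered: a trusted pull of this layer fails)."""
    results = {}
    blobs = os.path.join(root, REGISTRY_V2, "blobs", "sha256")
    if not os.path.isdir(blobs):
        return results
    for prefix in sorted(os.listdir(blobs)):
        for digest in sorted(os.listdir(os.path.join(blobs, prefix))):
            data = os.path.join(blobs, prefix, digest, "data")
            if os.path.isfile(data):
                results[digest] = digest.startswith(prefix) and sha256_of_file(data) == digest
    return results


def write_blob(root: str, content: bytes) -> str:
    """Store content the way the registry does: blobs/sha256/<xx>/<digest>/data."""
    digest = hashlib.sha256(content).hexdigest()
    blob_dir = os.path.join(root, REGISTRY_V2, "blobs", "sha256", digest[:2], digest)
    os.makedirs(blob_dir, exist_ok=True)
    with open(os.path.join(blob_dir, "data"), "wb") as f:
        f.write(content)
    return digest


def demo() -> tuple:
    """Constructed registry tree (not real layer data): two blobs, one of them then
    overwritten the way the sandbox step does with `echo "Malicious data" > data`."""
    root = tempfile.mkdtemp(prefix="registry-audit-")
    intact = write_blob(root, b"constructed layer one")
    victim = write_blob(root, b"constructed layer two")
    before = audit_registry_blobs(root)
    data = os.path.join(root, REGISTRY_V2, "blobs", "sha256", victim[:2], victim, "data")
    with open(data, "wb") as f:
        f.write(b"Malicious data\n")
    return intact, victim, before, audit_registry_blobs(root)
```

Pointing audit_registry_blobs at /var/lib/registry inside the sandboxregistry container after the tampering step reports the aac0c1... layer as False while the other layers stay True.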

More play in the sandbox

Now you have a full Docker content trust sandbox on your local system; feel free to play with it and see how it behaves. If you find any security issues with Docker, feel free to send us an email at security@docker.com.

Cleaning up your sandbox

When you are done and want to clean up all the services you started and any anonymous volumes that were created, just run the following command in the directory where you created your Docker Compose file:

    $ docker-compose down -v