Docker 17 中文开发手册
目录搜索
ComposeAbout versions and upgrading (Compose)ASP.NET Core + SQL Server on Linux (Compose)CLI environment variables (Compose)Command-line completion (Compose)Compose(组成)Compose command-line reference(组合命令行参考)Control startup order (Compose)Django and PostgreSQL (Compose)Docker stacks and distributed application bundles (Compose)docker-compose build(docker-compose构建)docker-compose bundledocker-compose configdocker-compose createdocker-compose downdocker-compose eventsdocker-compose execdocker-compose helpdocker-compose imagesdocker-compose killdocker-compose logsdocker-compose pausedocker-compose portdocker-compose psdocker-compose pulldocker-compose pushdocker-compose restartdocker-compose rmdocker-compose rundocker-compose scaledocker-compose startdocker-compose stopdocker-compose topdocker-compose unpausedocker-compose upEnvironment file (Compose)Environment variables in ComposeExtend services in ComposeFrequently asked questions (Compose)Getting started (Compose)Install ComposeLink environment variables (deprecated) (Compose)Networking in ComposeOverview of Docker ComposeOverview of docker-compose CLIQuickstart: Compose and WordPressRails and PostgreSQL (Compose)Sample apps with ComposeUsing Compose in productionUsing Compose with SwarmEngine.NET Core application (Engine)About images, containers, and storage drivers (Engine)Add nodes to the swarm (Engine)Apply custom metadata (Engine)Apply rolling updates (Engine)apt-cacher-ngBest practices for writing Dockerfiles (Engine)Binaries (Engine)Bind container ports to the host (Engine)Breaking changes (Engine)Build your own bridge (Engine)Configure container DNS (Engine)Configure container DNS in user-defined networks (Engine)CouchDB (Engine)Create a base image (Engine)Create a swarm (Engine)Customize the docker0 bridge (Engine)Debian (Engine)Default bridge networkDelete the service (Engine)Deploy a service (Engine)Deploy services to a swarm (Engine)Deprecated Engine featuresDocker container networking (Engine)Docker overview (Engine)Docker run reference (Engine)Dockerfile reference (Engine)Dockerize an applicationDrain a node (Engine)EngineFAQ (Engine)Fedora (Engine)Get started (Engine)Get started with macvlan network driver (Engine)Get started with multi-host networking (Engine)How nodes work (Engine)How services work (Engine)Image management (Engine)Inspect the service (Engine)Install Docker (Engine)IPv6 with Docker (Engine)Join nodes to a swarm (Engine)Legacy container links (Engine)Lock your swarm (Engine)Manage nodes in a swarm (Engine)Manage sensitive data with Docker secrets (Engine)Manage swarm security with PKI (Engine)Manage swarm service networks (Engine)Migrate to Engine 1.10Optional Linux post-installation steps (Engine)Overview (Engine)PostgreSQL (Engine)Raft consensus in swarm mode (Engine)Riak (Engine)Run Docker Engine in swarm modeScale the service (Engine)SDKs (Engine)Select a storage driver (Engine)Set up for the tutorial (Engine)SSHd (Engine)Storage driver overview (Engine)Store service configuration data (Engine)Swarm administration guide (Engine)Swarm mode key concepts (Engine)Swarm mode overlay network security model (Engine)Swarm mode overview (Engine)Understand container communication (Engine)Use multi-stage builds (Engine)Use swarm mode routing mesh (Engine)Use the AUFS storage driver (Engine)Use the Btrfs storage driver (Engine)Use the Device mapper storage driver (Engine)Use the OverlayFS storage driver (Engine)Use the VFS storage driver (Engine)Use the ZFS storage driver (Engine)Engine: Admin GuideAmazon CloudWatch logs logging driver (Engine)Bind mounts (Engine)Collect Docker metrics with Prometheus (Engine)Configuring and running Docker (Engine)Configuring logging drivers (Engine)Control and configure Docker with systemd (Engine)ETW logging driver (Engine)Fluentd logging driver (Engine)Format command and log output (Engine)Google Cloud logging driver (Engine)Graylog Extended Format (GELF) logging driver (Engine)Journald logging driver (Engine)JSON File logging driver (Engine)Keep containers alive during daemon downtime (Engine)Limit a container's resources (Engine)Link via an ambassador container (Engine)Log tags for logging driver (Engine)Logentries logging driver (Engine)PowerShell DSC usage (Engine)Prune unused Docker objects (Engine)Run multiple services in a container (Engine)Runtime metrics (Engine)Splunk logging driver (Engine)Start containers automatically (Engine)Storage overview (Engine)Syslog logging driver (Engine)tmpfs mountsTroubleshoot volume problems (Engine)Use a logging driver plugin (Engine)Using Ansible (Engine)Using Chef (Engine)Using Puppet (Engine)View a container's logs (Engine)Volumes (Engine)Engine: CLIDaemon CLI reference (dockerd) (Engine)dockerdocker attachdocker builddocker checkpointdocker checkpoint createdocker checkpoint lsdocker checkpoint rmdocker commitdocker configdocker config createdocker config inspectdocker config lsdocker config rmdocker containerdocker container attachdocker container commitdocker container cpdocker container createdocker container diffdocker container execdocker container exportdocker container inspectdocker container killdocker container logsdocker container lsdocker container pausedocker container portdocker container prunedocker container renamedocker container restartdocker container rmdocker container rundocker container startdocker container statsdocker container stopdocker container topdocker container unpausedocker container updatedocker container waitdocker cpdocker createdocker deploydocker diffdocker eventsdocker execdocker exportdocker historydocker imagedocker image builddocker image historydocker image importdocker image inspectdocker image loaddocker image lsdocker image prunedocker image pulldocker image pushdocker image rmdocker image savedocker image tagdocker imagesdocker importdocker infodocker inspectdocker killdocker loaddocker logindocker logoutdocker logsdocker networkdocker network connectdocker network createdocker network disconnectdocker network inspectdocker network lsdocker network prunedocker network rmdocker nodedocker node demotedocker node inspectdocker node lsdocker node promotedocker node psdocker node rmdocker node updatedocker pausedocker plugindocker plugin createdocker plugin disabledocker plugin enabledocker plugin inspectdocker plugin installdocker plugin lsdocker plugin pushdocker plugin rmdocker plugin setdocker plugin upgradedocker portdocker psdocker pulldocker pushdocker renamedocker restartdocker rmdocker rmidocker rundocker savedocker searchdocker secretdocker secret createdocker secret inspectdocker secret lsdocker secret rmdocker servicedocker service createdocker service inspectdocker service logsdocker service lsdocker service psdocker service rmdocker service scaledocker service updatedocker stackdocker stack deploydocker stack lsdocker stack psdocker stack rmdocker stack servicesdocker startdocker statsdocker stopdocker swarmdocker swarm cadocker swarm initdocker swarm joindocker swarm join-tokendocker swarm leavedocker swarm unlockdocker swarm unlock-keydocker swarm updatedocker systemdocker system dfdocker system eventsdocker system infodocker system prunedocker tagdocker topdocker unpausedocker updatedocker versiondocker volumedocker volume createdocker volume inspectdocker volume lsdocker volume prunedocker volume rmdocker waitUse the Docker command line (Engine)Engine: ExtendAccess authorization plugin (Engine)Docker log driver pluginsDocker network driver plugins (Engine)Extending Engine with pluginsManaged plugin system (Engine)Plugin configuration (Engine)Plugins API (Engine)Volume plugins (Engine)Engine: SecurityAppArmor security profiles for Docker (Engine)Automation with content trust (Engine)Content trust in Docker (Engine)Delegations for content trust (Engine)Deploying Notary (Engine)Docker security (Engine)Docker security non-events (Engine)Isolate containers with a user namespace (Engine)Manage keys for content trust (Engine)Play in a content trust sandbox (Engine)Protect the Docker daemon socket (Engine)Seccomp security profiles for Docker (Engine)Secure EngineUse trusted imagesUsing certificates for repository client verification (Engine)Engine: TutorialsEngine tutorialsNetwork containers (Engine)Get StartedPart 1: OrientationPart 2: ContainersPart 3: ServicesPart 4: SwarmsPart 5: StacksPart 6: Deploy your appMachineAmazon Web Services (Machine)Digital Ocean (Machine)docker-machine activedocker-machine configdocker-machine createdocker-machine envdocker-machine helpdocker-machine inspectdocker-machine ipdocker-machine killdocker-machine lsdocker-machine provisiondocker-machine regenerate-certsdocker-machine restartdocker-machine rmdocker-machine scpdocker-machine sshdocker-machine startdocker-machine statusdocker-machine stopdocker-machine upgradedocker-machine urlDriver options and operating system defaults (Machine)Drivers overview (Machine)Exoscale (Machine)Generic (Machine)Get started with a local VM (Machine)Google Compute Engine (Machine)IBM Softlayer (Machine)Install MachineMachineMachine CLI overviewMachine command-line completionMachine concepts and helpMachine overviewMicrosoft Azure (Machine)Microsoft Hyper-V (Machine)Migrate from Boot2Docker to MachineOpenStack (Machine)Oracle VirtualBox (Machine)Provision AWS EC2 instances (Machine)Provision Digital Ocean Droplets (Machine)Provision hosts in the cloud (Machine)Rackspace (Machine)VMware Fusion (Machine)VMware vCloud Air (Machine)VMware vSphere (Machine)NotaryClient configuration (Notary)Common Server and signer configurations (Notary)Getting started with NotaryNotary changelogNotary configuration filesRunning a Notary serviceServer configuration (Notary)Signer configuration (Notary)Understand the service architecture (Notary)Use the Notary client

©
本文档使用 php.cn手册 发布

文字

本文档介绍公证人 CLI 的基本用法,作为支持 Docker  Content Trust的工具。对于更高级的使用情况,您必须运行自己的公证服务,并且应该读取公证客户端用于高级用户文档的用法。

什么是公证

公证是用于发布和管理可信集合内容的工具。发布商可以对收藏进行数字签名,消费者可以验证内容的完整性和来源。此功能基于简单的密钥管理和签名界面来创建签名集合并配置可信发布者。

通过公证,任何人都可以提供对任意数据集合的信任。使用更新框架(TUF)作为基础安全框架,公证负责创建,管理和分发必要的操作,以确保内容的完整性和新鲜度。

安装公证

您可以从 GitHub 的 Notary 存储库版本页面下载针对64位 Linux 或 macOS 的预编译公证库二进制文件。Windows 并未得到正式支持,但如果您是开发人员和 Windows 用户,我们将非常感谢您就问题提供的任何见解。

了解公证名称

公证处使用全球唯一名称(GUN)来识别信托收藏。要使公证以多租户方式运行,您必须在通过公证客户端与 Docker Hub 交互时使用此格式。为公证客户端指定 Docker 镜像名称时,GUN 格式为:

  • 对于官方图像(可通过“官方存储库”名称识别),Docker Hub 上显示的图像名称,前缀为docker.io/library/。例如,如果你通常输入docker pull ubuntu你必须输入notary {cmd} docker.io/library/ubuntu

  • 对于所有其他图像,Docker Hub 上显示的图像名称前缀为docker.io

Docker Engine 客户端为您处理这些名称扩展,因此不要更改您在 Engine 客户端或 API 中使用的名称。只有通过公证客户端与相同的 Docker Hub 存储库进行交互时,才需要这样做。

检查 Docker Hub 存储库

最基本的操作是将可用的签名标签列入存储库。隔离使用的公证客户端不知道信任存储库的位置。因此,您必须提供-s(或长格式--server)标志来告诉客户端应该与哪个存储库服务器进行通信。

官方的Docker Hub公证服务器位于https://notary.docker.io。如果您想使用您自己的公证服务器,则必须使用与客户端相同或更新的公证版本来实现功能兼容性(例如:客户端版本0.2,服务器/签署者版本> = 0.2)。此外,公证处还会将您自己的签名密钥和先前下载的信任元数据的缓存存储在随-d标志一起提供的目录中。与Docker Hub存储库进行交互时,您必须指示客户端使用关联的信任目录,默认情况下,该目录.docker/trust位于调用用户的主目录内(未能使用此目录可能会在向您的信任数据发布更新时导致错误):

$ notary -s https://notary.docker.io -d ~/.docker/trust list docker.io/library/alpine
   NAME                                 DIGEST                                SIZE (BYTES)    ROLE------------------------------------------------------------------------------------------------------  2.6      e9cec9aec697d8b9d450edd32860ecd363f2f3174c8338beb5f809422d182c63   1374           targets  2.7      9f08005dff552038f0ad2f46b8e65ff3d25641747d3912e3ea8da6785046561a   1374           targets  3.1      e876b57b2444813cd474523b9c74aacacc238230b288a22bccece9caf2862197   1374           targets  3.2      4a8c62881c6237b4c1434125661cddf09434d37c6ef26bf26bfaef0b8c5e2f05   1374           targets  3.3      2d4f890b7eddb390285e3afea9be98a078c2acd2fb311da8c9048e3d1e4864d3   1374           targets
  edge     878c1b1d668830f01c2b1622ebf1656e32ce830850775d26a387b2f11f541239   1374           targets
  latest   24a36bbc059b1345b7e8be0df20f1b23caa3602e85d42fff7ecd9d0bd255de56   1377           targets

输出显示了可用标记的名称,与该标记关联的图像清单的十六进制编码的 sha256 摘要,清单的大小以及将此标记签署到存储库中的公证角色。“目标”角色是简单存储库中最常见的角色。当存储库拥有(或期望)拥有协作者时,您可以根据管理员选择如何组织他们的协作者的方式,将其他“委派”角色列为签名者。

当你运行一个docker pull命令时,Docker 引擎使用一个集成的公证库(与公证人 CLI 相同)来请求将标签映射到你感兴趣的一个标签的 sha256 摘要中(或者如果你通过--all标志,客户端会使用列表操作高效地检索所有映射)。验证了信任数据上的签名后,客户端将指示引擎执行“按摘要拉取”。在此拉动过程中,引擎使用 sha256 校验和作为内容地址来请求并验证 Docker 注册表中的图像清单。

删除标签

公证人在其运行的主机上生成并存储签名密钥。这意味着 Docker Hub 不能从信任数据中删除标签,必须使用公证客户端删除它们。你可以用notary remove命令来做到这一点。同样,您必须指示它与正确的公证服务器通话(注意,既不是您,也不是作者有权从官方的高山资料库删除标签,下面的输出仅用于演示):

$ notary -s https://notary.docker.io -d ~/.docker/trust remove docker.io/library/alpine 2.6Removal of 2.6 from docker.io/library/alpine staged for next publish.

在前面的示例中,输出消息指示仅删除已分阶段。执行任何写入操作时,它们被分段到一个更改列表中。该列表在下一次notary publish为该存储库运行时应用于最新版本的信任存储库。

您可以通过运行notary status修改后的存储库来查看未完成的更改。该status子命令是脱机操作,因此,不需要-s标志,但它将忽略的标志,如果提供的。未能为-d标志提供正确的值可能会显示错误的(可能是空的)更改列表:

$ notary -d ~/.docker/trust status docker.io/library/alpine
Unpublished changes for docker.io/library/alpine:action    scope     type        path----------------------------------------------------delete    targets   target      2.6$ notary -s https://notary.docker.io publish docker.io/library/alpine

配置客户端

冗长而繁琐的是,总是必须手动为大多数命令提供-s-d标志。创建预配置的 Notary 命令版本的简单方法是通过别名。将以下内容添加到您的.bashrc或同等设备:

alias dockernotary="notary -s https://notary.docker.io -d ~/.docker/trust"

更高级的配置方法和附加选项可以在配置文档中找到并运行notary --help

上一篇:下一篇: