Signing and distributing container images with Podman

The motivation for signing container images is to trust only designated image providers, which mitigates man-in-the-middle (MITM) attacks and attacks on the container registry itself. One way to sign images is with a GNU Privacy Guard (GPG) key. This technique is generally compatible with any OCI-compliant container registry, for example Quay.io. It is worth mentioning that the OpenShift integrated container registry supports this signing mechanism out of the box, which makes a separate signature store unnecessary.

From a technical point of view, we can use Podman to sign an image before pushing it to a remote registry. Afterwards, every system running Podman must be configured to retrieve the signatures from a remote server, which can be any simple web server. This means that during an image pull, every unsigned image will be rejected.

When signing container images with Podman and GPG, there are generally four main things to consider:

  1. We need a valid GPG private key on the signing machine and the corresponding public key on every system that will pull the images
  2. A web server must be running somewhere the signature store can be reached
  3. The web server must be configured in an /etc/containers/registries.d/*.yaml file
  4. Every image-pulling system must be configured with the enforcing policy configuration policy.conf
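The two client-side files from items 3 and 4, written out as an added example (not from the original post). It assumes a hypothetical registry host registry.example.com, a hypothetical signature store URL http://sigstore.example.com/sigs, and an exported public key at a path the caller supplies; the stock "insecureAcceptAnything" default is shown in the comments beside the strict policy.

```shell
#!/bin/sh
# Added example: generate the registries.d entry and the signature policy that
# make Podman require a GPG signature for images from one registry.
# Hypothetical values: registry.example.com, http://sigstore.example.com/sigs.

write_signing_config() {
    dir="$1"; registry="$2"; sigstore="$3"; pubkey="$4"
    mkdir -p "$dir/registries.d"

    # Item 3: where the detached signatures for this registry live.
    # 'sigstore' is consulted when verifying pulls; 'sigstore-staging' is
    # where 'podman push --sign-by <key-id>' writes them on the signing host.
    cat > "$dir/registries.d/$registry.yaml" <<EOF
docker:
  $registry:
    sigstore: $sigstore
    sigstore-staging: file:///var/lib/containers/sigstore
EOF

    # Item 4: the signature policy. The distribution default is
    #   {"default": [{"type": "insecureAcceptAnything"}]}
    # which accepts unsigned images from anywhere. Here the default is
    # "reject" and only images from $registry with a valid signature from the
    # key in $pubkey are accepted, so every unsigned image is rejected.
    cat > "$dir/policy.json" <<EOF
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "$registry": [
        {"type": "signedBy", "keyType": "GPGKeys", "keyPath": "$pubkey"}
      ]
    }
  }
}
EOF
}

# Returns 0 when the policy rejects by default and never accepts unsigned images.
policy_is_strict() {
    grep -qF '"default": [{"type": "reject"}]' "$1" \
        && ! grep -q insecureAcceptAnything "$1"
}

# Usage on a real host (paths assumed, not run here):
#   write_signing_config /etc/containers registry.example.com \
#       http://sigstore.example.com/sigs /etc/pki/containers/pubkey.gpg
#   policy_is_strict /etc/containers/policy.json && echo "unsigned pulls rejected"
```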

Generating a GPG key

// Generate a GPG key
[root@localhost ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection?                         # press Enter for the default
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)        # press Enter for the default
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)                   # press Enter for the default
Key does not expire at all
Is this correct? (y/N) y                # press y; the key will not expire

GnuPG needs to construct a user ID to identify your key.

Real name: guguniao                     # user ID
Email address: yf1121@163.com           # email address
Comment: xxxx                           # description
You selected this USER-ID:
    "guguniao (xxxx) <yf1121@163.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o        # press O to submit
// The first box sets the passphrase that protects the key; the second confirms it.
                                 ┌──────────────────────────────────────────────────────┐
                                 │ Please enter the passphrase to                       │
                                 │ protect your new key                                 │
                                 │                                                      │
                                 │ Passphrase: ********________________________________ │
                                 │                                                      │
                                 │       <OK>                              <Cancel>     │
                                 └──────────────────────────────────────────────────────┘

                                 ┌──────────────────────────────────────────────────────┐
                                 │ Please re-enter this passphrase                      │
                                 │                                                      │
                                 │ Passphrase: ********________________________________ │
                                 │                                                      │
                                 │       <OK>                              <Cancel>     │
                                 └──────────────────────────────────────────────────────┘
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 75A8BC88C9C0AC53 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/6308282BF98C9D14D7F9F85875A8BC88C9C0AC53.rev'
public and secret key created and signed.

pub   rsa2048 2022-08-15 [SC]
      6308282BF98C9D14D7F9F85875A8BC88C9C0AC53
uid                      guguniao (xxxx) <yf1121@163.com>
sub   rsa2048 2022-08-15 [E]

// List the key that was just created
[root@localhost ~]# gpg --list-keys yf1121@163.com
pub   rsa2048 2022-08-15 [SC]
      6308282BF98C9D14D7F9F85875A8BC88C9C0AC53
uid           [ultimate] guguniao (xxxx) <yf1121@163.com>
sub   rsa2048 2022-08-15 [E]

Deploying a private registry

There are two options:

  • Deploy a Harbor private registry on another host
