
docker login password error _ Docker Login: secure storage of login credentials

Docker uses the docker login command to validate a user's credentials against an image registry. This is not a real login in the web sense (Web Login); it is only a trial check of the credentials. If the username and password are correct, Docker stores the username and password, base64-encoded as username:password, under the registry's domain in its configuration file, which on Linux is $HOME/.docker/config.json.

Logging in to the official Docker registry

[[email protected] ~]# docker login -u lovemm -p mylovemm520
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
           

Logging in to another registry by specifying its domain

[[email protected] ~]# docker login hub.test.company.com
Username: lovemm
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
           

Inspect the /root/.docker/config.json file (the values shown are not real data)

[[email protected] ~]# cat .docker/config.json
{
  "auths": {
    "https://index.docker.io/v1/": {
      "auth": "zZW46a2luluZ2ZzZW4xMDI2Z2Za2"
    },
    "hub.test.company.com": {
      "auth": "0xVWYWRtaW46zzOKhkaOeVpaGJ3bz0YUmhjbmt0VFds="
    }
  },
  "HttpHeaders": {
    "User-Agent": "Docker-Client/18.09.2 (linux)"
  }
}
           

The username and password can be decoded back to plaintext directly with the following command (the auth value is simply base64 of username:password):

echo 'zZW46a2luluZ2ZzZW4xMDI2Z2Za2' | base64 --decode
           

The structure of config.json shows that, for each registry, Docker keeps only the most recent valid username and password; a later docker login $domain uses the credentials stored for that domain in config.json directly. When you are finished, run docker logout hub.test.company.com to remove the login credentials for that registry from config.json.

[[email protected] ~]# docker logout
Removing login credentials for https://index.docker.io/v1/
           

Keeping the registry username and password in plaintext (only base64-encoded) in the configuration file is very insecure: unless the user manually runs docker logout after every interaction with the registry, the plaintext password can easily be stolen by others. Docker has taken this into account and, for each platform, provides helper tools that move registry login credentials into a more secure store:

  • D-Bus Secret Service
  • Apple macOS keychain
  • Microsoft Windows Credential Manager
  • pass

All of these helpers can be downloaded from Docker's GitHub releases page: https://github.com/docker/docker-credential-helpers/releases


On Linux, Docker supports pass and Secret Service; pass in turn depends on gpg. Below, using CentOS as the example, we switch Docker's credential store to pass so that credentials are no longer written to config.json.

  • Check gpg
[[email protected] ~]# gpg --version
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ?, ?, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
           
  • Install pass
yum install -y pass
           

After installation, verify it with the following command

[[email protected] ~]# pass version
============================================
=  pass: the standard unix password manager  =
=                                            =
=                   v1.7.3                   =
=                                            =
=              Jason A. Donenfeld            =
=              [email protected]              =
=                                            =
=        http://www.passwordstore.org/       =
============================================
           

Run the basic pass commands

[[email protected] ~]# pass
Error: password store is empty. Try "pass init".
[[email protected] ~]# pass init
Usage: pass init [--path=subfolder,-p subfolder] gpg-id...
           

The output above shows that pass init needs a gpg-id, so we generate a key with gpg.

  • Generate a gpg key

First check whether a gpg key already exists

[[email protected] ~]# gpg --list-keys
           

No key exists yet, so generate one with the command below. Key generation is interactive: it asks for the key type, length, expiry and related details. Remember the passphrase you set; it works much like the password on a Java keystore.

[[email protected] ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: kingfsen
Email address: [email protected]
Comment:
You selected this USER-ID:
    "kingfsen "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
┌─────────────────────────────────────────────────────┐
│ Enter passphrase                                    │
│                                                     │
│ Passphrase **************__________________________ │
│                                                     │
└─────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────┐
│ Please re-enter this passphrase                     │
│                                                     │
│ Passphrase **************__________________________ │
│                                                     │
└─────────────────────────────────────────────────────┘
           

Once the passphrase has been entered, the key is generated shortly afterwards.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 5BAC1C87 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   4096R/5BAC1C87 2019-05-11
      Key fingerprint = E3E2 B354 73DD D511 3059 E213 1A08 85F9 5BAC 1C87
uid                  kingfsen 
sub   4096R/69AA61E2 2019-05-11
           

Note: if rng-tools is not installed on the system, gpg will hang at this final step of key generation and cannot proceed.

Install the rng-tools package

Ubuntu

# apt-get install rng-tools
# rngd -r /dev/urandom
           

CentOS

# yum install -y rng-tools
# rngd -r /dev/urandom
           
  • Initialize pass

List the gpg keys that have been generated

[[email protected] ~]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   4096R/5BAC1C87 2019-05-11
uid                  kingfsen 
sub   4096R/69AA61E2 2019-05-11
           

Run the command to initialize pass

[[email protected] ~]# pass init "5BAC1C87"
Password store initialized for 5BAC1C87
           

Run pass insert to verify that the store works

[[email protected] ~]# pass init 5BAC1C87
Password store initialized for 5BAC1C87
You have new mail in /var/spool/mail/root
[[email protected] ~]# pass insert Gmail/[email protected]
Enter password for Gmail/[email protected]:
Retype password for Gmail/[email protected]:
[[email protected] ~]# pass show Gmail/[email protected]
┌────────────────────────────────────────────────────────────────────────────────────┐
│ Please enter the passphrase to unlock the secret key for the OpenPGP certificate:  │
│ "kingfsen "                                                                        │
│ 4096-bit RSA key, ID 69AA61E2,                                                     │
│ created 2019-05-11 (main key ID 5BAC1C87).                                         │
│                                                                                    │
│ Passphrase **************_________________________________________________________ │
│                                                                                    │
└────────────────────────────────────────────────────────────────────────────────────┘
sun1026
           

pass can now be used to manage sensitive information.

  • Install the Docker credential helper
[[email protected] ~]# wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.0/docker-credential-pass-v0.6.0-amd64.tar.gz
[[email protected] ~]# tar -xf docker-credential-pass-v0.6.0-amd64.tar.gz
[[email protected] ~]# chmod +x docker-credential-pass
[[email protected] ~]# mv docker-credential-pass /usr/local/bin/
[[email protected] ~]# docker-credential-pass
Usage: docker-credential-pass <store|get|erase|list|version>
[[email protected] ~]# docker-credential-pass version
0.6.0
           
  • Modify the Docker configuration

Clear the contents of .docker/config.json, then write the configuration below into it. Note that the credsStore value is the suffix of the helper binary's name (docker-credential-pass gives "pass").

{
  "credsStore": "pass"
}
           

After saving config.json, try a docker login.

[[email protected] ~]# docker login hub.test.company.com -u 2000014559
Password:
Error saving credentials: error storing credentials - err: exit status 1, out: `pass store is uninitialized`
           

This fails because the docker password store has not been initialized yet. The helper does not initialize it automatically, so it has to be done manually.

  • Initialize the docker password store

Run pass insert to create the docker password store entry; the password to enter is: pass is initialized

[[email protected] ~]# pass insert docker-credential-helpers/docker-pass-initialized-check
An entry already exists for docker-credential-helpers/docker-pass-initialized-check. Overwrite it? [y/N] y
Enter password for docker-credential-helpers/docker-pass-initialized-check:
Retype password for docker-credential-helpers/docker-pass-initialized-check:
           

Verify the initialization with the commands below. Note the output, and that pass show should not prompt for a passphrase while it runs.

[[email protected] ~]# pass show docker-credential-helpers/docker-pass-initialized-check
pass is initialized
[[email protected] ~]# docker-credential-pass list
{}
           

Run docker login against the registry again, and inspect the contents of $HOME/.docker/config.json at the same time.

[[email protected] ~]# docker login hub.test.company.com -u 2000014559
Password:
Login Succeeded
You have new mail in /var/spool/mail/root
[[email protected] ~]# cat .docker/config.json
{
  "auths": {
    "hub.test.company.com": {}
  },
  "HttpHeaders": {
    "User-Agent": "Docker-Client/18.09.2 (linux)"
  },
  "credsStore": "pass"
}
           

The username and password are no longer kept in config.json; they are now stored in a gpg-encrypted file.

[[email protected] ~]# docker-credential-pass list
{"hub.test.company.com":"2000014559"}
[[email protected] ~]# pass
Password Store
├── docker-credential-helpers
│   └── aHViLmtjrzXSe3l1bi5jb20=
│       └── 2000014559
└── Gmail
    └── [email protected]
           

aHViLmtjrzXSe3l1bi5jb20= is the base64 encoding of the registry domain. View the original password with:

[[email protected] ~]# pass show docker-credential-helpers/aHViLmtjrzXSe3l1bi5jb20=/2000014559
           

Path of the stored password file

[[email protected] aHViLmtjrzXSe3l1bi5jb20=]# pwd
/root/.password-store/docker-credential-helpers/aHViLmtjrzXSe3l1bi5jb20=
[[email protected] aHViLmtjrzXSe3l1bi5jb20=]# ls
2000014559.gpg
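To tie together the two halves of this post (the base64 auth values in config.json at the top, and the pass store layout just shown), here is an added audit helper; it is example code written for this edit, not part of the original post or of Docker's tools. It decodes each config.json auth entry the way base64 --decode does, reports which registries still keep credentials in config.json, and computes the entry path docker-credential-pass uses inside the store; the sample config and credentials are constructed.

```python
import base64
import json

# Constructed sample config.json in the shape this post shows: one registry
# still carrying a base64 "auth" value, one already handed to the pass helper.
SAMPLE_AUTH = base64.b64encode(b"lovemm:mylovemm520").decode()  # constructed
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "https://index.docker.io/v1/": {"auth": SAMPLE_AUTH},
        "hub.test.company.com": {},
    },
    "HttpHeaders": {"User-Agent": "Docker-Client/18.09.2 (linux)"},
    "credsStore": "pass",
})


def decode_auth(auth_b64):
    """Reverse what docker login wrote: base64 of 'username:password'."""
    raw = base64.b64decode(auth_b64).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


def pass_entry_path(registry, username):
    """Entry path docker-credential-pass uses inside the pass store, as the
    pass tree in the post shows: docker-credential-helpers/<b64 domain>/<user>.
    Assumes a bare domain (its standard base64 has no '/' or '+')."""
    b64 = base64.b64encode(registry.encode("utf-8")).decode()
    return "docker-credential-helpers/%s/%s" % (b64, username)


def audit_config(config_text):
    """One finding per registry: which user is logged in and where the secret
    lives. The decoded password itself is never placed in a finding."""
    cfg = json.loads(config_text)
    helper = cfg.get("credsStore")
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        if "auth" in entry:
            user, password = decode_auth(entry["auth"])
            storage = "config.json (base64 only, trivially decodable)"
        else:
            user, password = None, ""
            storage = "credsStore=%s" % helper if helper else "none"
        findings.append({"registry": registry, "username": user,
                         "storage": storage,
                         "password_in_config": bool(password)})
    return findings
```

Run audit_config on the text of $HOME/.docker/config.json to list every registry whose credentials are still recoverable from the file after the switch to pass.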