I am implementing Notary in virtual machines. As a reference setup, I have a docker registry on host A and I want to deploy Notary Server, Signer and CLI on host B, so that images are pushed to the registry and signed from a different machine. However, when I try to sign an image on host B with the targets role, a problem occurs. The following error message appears:
[root@HostB ~]# docker push my.registry:443/galera-leader-proxy:v1.0.0
The push refers to a repository [my.registry:443/galera-leader-proxy]
5f70bf18a086: Layer already exists
1de59669c563: Layer already exists
17dd9fb03617: Layer already exists
26093688fdcb: Layer already exists
e08be57f5919: Layer already exists
v1.0.0: digest: sha256:6e48967416ea76ba2825511da7b05107a41f585629009d18ccbf30a1e1ce0e5a size: 2179
Signing and pushing trust metadata
ERRO[0000] couldn't add target to targets: could not find necessary signing keys, at least one of these keys must be available: b92334936cf0a0f0e3fb9dce459212537387847ee288ce27762fd54850f89e6f
Failed to sign "my.registry:443/galera-leader-proxy":v1.0.0 - could not find necessary signing keys, at least one of these keys must be available: b92334936cf0a0f0e3fb9dce459212537387847ee288ce27762fd54850f89e6f
Error: could not find signing keys for remote repository my.registry:443/galera-leader-proxy, or could not decrypt signing key: could not find necessary signing keys, at least one of these keys must be available: b92334936cf0a0f0e3fb9dce459212537387847ee288ce27762fd54850f89e6f
The Docker image is pushed to the registry, but when signing I get an error saying the signing "key" cannot be found. However, if I look at notary's keys, the key that supposedly cannot be found is available. So I don't know why this happens, or whether I have configured something badly:
[root@HostB ~]# dockernotary key list
ROLE GUN KEY ID LOCATION
---- --- ------ --------
root 7b8139837e3bf8b013f69bf0750d46ba0f70a6a6d9640eadcb592ae8a5ae2c0d /home/gmaurelia/.docker/trust/private
snapshot ...43/galera-leader-proxy 92cf3f72d573cab7b6045f72fe224a4ccf786e9ddd29c89b3a542b610061c763 /home/gmaurelia/.docker/trust/private
targets ...43/galera-leader-proxy b92334936cf0a0f0e3fb9dce459212537387847ee288ce27762fd54850f89e6f /home/gmaurelia/.docker/trust/private
PS: alias dockernotary="notary -c /home/gmaurelia/.docker/trust/config.json -d /home/gmaurelia/.docker/trust/ -s https://notary-server:4443"
I can't even sign with the roles targets or targets/releases.
Answer 0 (score: 0)
For notary on multiple hosts, you need to perform the delegation steps on the first host. This is a multi-step process documented by docker, involving the following:
Generate a TLS key pair on host B (the following includes a self-signing step; you could also have it signed by a trusted CA):
openssl genrsa -out delegation.key 2048
openssl req -new -sha256 -key delegation.key -out delegation.csr
openssl x509 -req -sha256 -days 365 -in delegation.csr -signkey delegation.key -out delegation.crt
Copy the crt file from host B to host A, and on host A add the new certificate as a delegation with the notary command. Then publish that change to the server (the following assumes docker.io is your server):
notary delegation add docker.io/<username>/<imagename> targets/releases delegation.crt --all-paths
notary publish docker.io/<username>/<imagename>
On host B, import the new TLS key for notary to use:
notary key import delegation.key --role user
Now you should be able to generate signatures on host B.
For notary, you should take care to protect and back up the root certificate generated on host A. This is often called the offline certificate. If you don't care about the security of the two hosts (you fully trust them), you can simply copy the $HOME/.docker/trust folder between the two.
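The key-pair step of the delegation setup above, as an added example that is not part of the original answer: a script that generates delegation.key / delegation.csr / delegation.crt non-interactively with openssl and then checks that the certificate really belongs to the private key before the .crt is copied to host A. This catches the case where host B later imports a key that does not correspond to the certificate that was published as the delegation. The output directory and the subject name are assumptions; the notary commands from the answer are only referenced in comments and are not run by the script.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Generates the delegation key pair from the answer and verifies that
# delegation.crt and delegation.key belong together.
set -eu

# Create delegation.key, delegation.csr and delegation.crt in directory $1.
# The subject name is an assumption; use whatever identifies host B for you.
make_delegation_pair() {
  dir="$1"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/delegation.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/delegation.key" \
      -subj "/CN=hostB-delegation" -out "$dir/delegation.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/delegation.csr" \
      -signkey "$dir/delegation.key" -out "$dir/delegation.crt" 2>/dev/null
}

# Print the SHA-256 fingerprint of the public key carried by certificate $1.
cert_pubkey_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Print the SHA-256 fingerprint of the public half of private key $1.
key_pubkey_fingerprint() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Echo "match" when certificate $1 was issued for private key $2,
# "mismatch" otherwise. Only a matching pair should be used for
#   notary delegation add <GUN> targets/releases delegation.crt --all-paths   (host A)
#   notary key import delegation.key --role user                              (host B)
cert_matches_key() {
  if [ "$(cert_pubkey_fingerprint "$1")" = "$(key_pubkey_fingerprint "$2")" ]; then
    echo match
  else
    echo mismatch
  fi
}

# Stand-alone run: generate a pair in a temporary directory and check it.
run_check() {
  workdir="$(mktemp -d)"
  make_delegation_pair "$workdir"
  echo "delegation.crt vs delegation.key: $(cert_matches_key "$workdir/delegation.crt" "$workdir/delegation.key")"
  echo "files written to $workdir"
}
```

Run it once before copying delegation.crt to host A; if it reports "mismatch", regenerate the pair rather than continuing with the delegation add, since the key notary imports on host B must be the one the published certificate describes.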
Answer 1 (score: 0)
The problem I had was that, before using docker, I had applied the command notary init my.registry:443/collection, so notary generated a collection with different keys, and that way I could not push any image with docker under any role, not even targets.
Once I did it the right way, I applied the steps you mentioned and the problem was solved. The notary configuration is as follows:
Command: tree $HOME/.docker/trust/
.docker/trust
├── certs
│   ├── delegation.crt
│   └── proof
│       ├── delegation.crt
│       ├── delegation.csr
│       └── delegation.key
├── config.json
├── private
│   ├── root_keys
│   │   └── 4e46a197de40621094f86e0cea4aa892d7c3cfb1b3400c64f6d7d82e4b97a470.key
│   └── tuf_keys
│       ├── 3269a0858ca91001c543435d0242e747bd08e68b52533f1b42028388ed02c7e6.key
│       └── my.registry:443
│           └── galera-leader-proxy
│               └── 873ba8267df2be149fba2230441961812159c35537b18c133247239f4bafa989.key
├── root-ca.crt
├── tls
│   └── my.registry:443
│       └── root-ca.crt
└── tuf
    └── my.registry:443
        └── galera-leader-proxy
            ├── changelist
            └── metadata
                ├── root.json
                ├── snapshot.json
                ├── targets
                │   ├── kube1.json
                │   └── releases.json
                ├── targets.json
                └── timestamp.json
On the other hand, to configure the client correctly, I defined the following alias:
alias dockernotary="notary -c $HOME/.docker/trust/config.json -d $HOME/.docker/trust/ -s https://notary-server:4443"
Regards.