When initializing a DTR repository, is there a way to bypass the interactive notary prompt for the DTR username and password?

Time: 2019-04-10 02:20:19

Tags: image docker automation signing notary

I'm trying to get image signing working non-interactively through a Jenkins pipeline. Versions:

Docker client: 17.06.2-ce
Docker engine: docker-ee-17.06.2.ee.19-3.el7.x86_64.rpm
Notary client: 0.4.3
Steps I followed (on the Jenkins slave):

  • Create new directories:
    ~/image_signing
    ~/.notary
    ~/.docker/trust/private/root_keys
  • Copy the DTR CA certificate to ~/image_signing/dtr_ca.pem
  • Create ~/.notary/config.json with the DTR URL:
    {
        "trust_dir" : "~/.docker/trust",
        "remote_server": {
            "url": "https://dtr.server.org.com"
        }
    }

  • Download the pre-created root key to ~/.docker/trust/private/root_keys/
  • Download the Docker and notary client binaries under ~/image_signing/

  • Set up the environment:

export DOCKER_CONTENT_TRUST=1
export UCP_USER="myucpuser"
export UCP_PASSWORD="myucppassword"
export NOTARY_AUTH=`echo "${UCP_USER}:${UCP_PASSWORD}" | base64 -w 0`
export UCP_FQDN=ucp.server.org.com
export root_key=mypresetrootkey.key
export NOTARY_ROOT_PASSPHRASE="mysecretpassphrase"
export NOTARY_TARGETS_PASSPHRASE="mysecretpassphrase"
export NOTARY_SNAPSHOT_PASSPHRASE="mysecretpassphrase"
export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="mysecretpassphrase"
export DTR_FQDN=dtr.server.org.com
  • Get a UCP auth token and download the UCP client bundle
  • Unzip the bundle
  • Set up the environment by sourcing env.sh
  • docker login --username "$UCP_USER" --password "$UCP_PASSWORD"

  • Create a new repository on DTR with an API call to https://$DTR_FQDN/api/v0/repositories/myorg

  • Initialize the repository with my custom root key:

notary --server https://dtr.server.org.com --trustDir ~/.docker/trust --tlscacert ~/image_signing/dtr_ca.pem \
                                 init --publish --rootkey ~/.docker/trust/private/root_keys/$root_key \
                                 dtr.server.org.com/myorg/$repo_name

At this stage of initializing the repository, the notary binary prompts me twice for the DTR user and password.

DEBU[0000] Using the following trust directory: /home/xxxxx/.docker/trust
DEBU[0000] Trusting 2 certs
DEBU[0000] No yubikey found, using alternative key storage: no library found
DEBU[0000] key with same ID f52c64d6e3ce8c4bb66928e30138c08e44e1f8828e35465e993d2f8dfdde6221 and role root already exists
Root key found, using: f52c64d6e3ce8c4bb66928e30138c08e44e1f8828e35465e993d2f8dfdde6221
DEBU[0000] No yubikey found, using alternative key storage: no library found
DEBU[0000] generated ECDSA key with keyID: 44dee6cbd1af4b63a214dba4debb7ea039a27c812c4bf6fd764dc434b387af2f
DEBU[0000] generated new ecdsa key for role: targets and keyID: 44dee6cbd1af4b63a214dba4debb7ea039a27c812c4bf6fd764dc434b387af2f
DEBU[0000] generated ECDSA key with keyID: 672e5dc464708619c611c1477483712cdced88d84cce858b0ca4b61f33a4d69d
DEBU[0000] generated new ecdsa key for role: snapshot and keyID: 672e5dc464708619c611c1477483712cdced88d84cce858b0ca4b61f33a4d69d
Enter username:

By setting the environment I can bypass the PASSPHRASE prompts, but I can't seem to bypass the publish prompts for the DTR user and password, which are required to publish the changes to DTR. How can I pass or preset these parameters so that the process is fully automated?

Env:

export DOCKER_CONTENT_TRUST=1
export UCP_USER="myucpuser"
export UCP_PASSWORD="myucppassword"
export NOTARY_AUTH=`echo "${UCP_USER}:${UCP_PASSWORD}" | base64 -w 0`
export UCP_FQDN=ucp.server.org.com
export root_key=mypresetrootkey.key
export NOTARY_ROOT_PASSPHRASE="mysecretpassphrase"
export NOTARY_TARGETS_PASSPHRASE="mysecretpassphrase"
export NOTARY_SNAPSHOT_PASSPHRASE="mysecretpassphrase"
export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="mysecretpassphrase"
export DTR_FQDN=dtr.server.org.com

notary --server https://dtr.server.org.com --trustDir ~/.docker/trust --tlscacert ~/image_signing/dtr_ca.pem \
                                 init --publish --rootkey ~/.docker/trust/private/root_keys/$root_key \
                                 dtr.server.org.com/myorg/$repo_name

I tried running it via a text file (full_notary_cmd

DEBU[0000] Using the following trust directory: /home/l117689/.docker/trust
DEBU[0000] Trusting 2 certs
DEBU[0000] No yubikey found, using alternative key storage: no library found
DEBU[0000] key with same ID f52c64d6e3ce8c4bb66928e30138c08e44e1f8828e35465e993d2f8dfdde6221 and role root already exists
Root key found, using: f52c64d6e3ce8c4bb66928e30138c08e44e1f8828e35465e993d2f8dfdde6221
DEBU[0000] No yubikey found, using alternative key storage: no library found
DEBU[0000] generated ECDSA key with keyID: 160875f5628f3880b51d763ed5d1d729855e49cbbaeef5f6b50c31d4b565d0a6
DEBU[0000] generated new ecdsa key for role: targets and keyID: 160875f5628f3880b51d763ed5d1d729855e49cbbaeef5f6b50c31d4b565d0a6
DEBU[0000] generated ECDSA key with keyID: 02c28ad8a7d22206c97a14d327ca19853201fc6a10530463b5f66f66a5b5ea91
DEBU[0000] generated new ecdsa key for role: snapshot and keyID: 02c28ad8a7d22206c97a14d327ca19853201fc6a10530463b5f66f66a5b5ea91

* fatal: you are not authorized to perform this operation: server returned 401.
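The question's environment block builds NOTARY_AUTH by hand and exports every passphrase into the job environment. The script below is an added example (not code from the question or from the notary project) of the same non-interactive `notary init --publish` step written as small checkable functions: it encodes the basic-auth value without a trailing newline, verifies the value decodes back to the expected user without echoing the password, refuses to start if any passphrase variable is missing, and keeps credentials off the command line and out of a `set -x` console log. It assumes a notary client release that honours NOTARY_AUTH (as far as I know the 0.4.3 client in the question predates that variable), and the server, org and repo names are placeholders.

```shell
#!/bin/sh
# Added example: non-interactive notary init helper for a CI job.
# Assumptions: notary honours NOTARY_AUTH; passphrases arrive through the
# NOTARY_*_PASSPHRASE variables the question already uses; all hostnames,
# paths and names are placeholders.

# Encode "user:password" for NOTARY_AUTH. `base64 -w 0` is GNU-only, so the
# newline is stripped with tr instead; a stray "\n" in the value corrupts the
# Authorization header and the server answers 401.
notary_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a NOTARY_AUTH value and return only the user part, so a pipeline can
# confirm which account it is about to use without printing the password.
notary_auth_user() {
    printf '%s' "$1" | base64 -d 2>/dev/null | cut -d: -f1
}

# Fail early if any named variable is unset or empty. Names are reported,
# values never are, so the job log does not leak a passphrase.
require_env() {
    missing=""
    for v in "$@"; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    if [ -n "$missing" ]; then
        echo "missing required variables:$missing" >&2
        return 1
    fi
    return 0
}

# Run the init/publish step. Arguments: server URL, trust dir, CA file,
# root key file, GUN (e.g. dtr.server.org.com/myorg/myrepo).
# Credentials travel only through the environment, never as arguments, so
# they do not show up in `ps` output or in the console's command echo.
run_notary_init() {
    require_env UCP_USER UCP_PASSWORD NOTARY_ROOT_PASSPHRASE \
        NOTARY_TARGETS_PASSPHRASE NOTARY_SNAPSHOT_PASSPHRASE || return 1
    NOTARY_AUTH="$(notary_auth_value "$UCP_USER" "$UCP_PASSWORD")"
    export NOTARY_AUTH
    echo "publishing as $(notary_auth_user "$NOTARY_AUTH") to $1" >&2
    set +x   # stop a Jenkins `set -x` shell from echoing the environment
    notary --server "$1" --trustDir "$2" --tlscacert "$3" \
        init --publish --rootkey "$4" "$5"
}

# Usage from a pipeline step (placeholder paths, same shape as the question):
#   sh notary_init.sh https://dtr.server.org.com ~/.docker/trust \
#       ~/image_signing/dtr_ca.pem ~/.docker/trust/private/root_keys/$root_key \
#       dtr.server.org.com/myorg/$repo_name
if [ "$#" -eq 5 ]; then
    run_notary_init "$@"
fi
```

Because the passphrases live in the environment, any process in the same job (and anyone who can read /proc/<pid>/environ on the agent) can recover them, so inject them through the CI system's credential binding, which also masks them in console output, rather than hard-coding them in the pipeline script as the question's env block does.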

0 answers:

No answers