使用Podman 签名和分发容器镜像并推送到harbor仓库中
文章目录
一. 配置一台harbor的服务机
二 、准备另一台客服机
1. 创建一个GPG密钥对或选择一个本地可用的密钥对,要生成新的GPG密钥
[root@master ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N)
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: sgrunert@suse.com
Email address: sgrunert@suse.com
Comment: asdasd
You selected this USER-ID:
"sgrunert@suse.com (asdasd) <sgrunert@suse.com>"
//弹出一个页面输入想要的密码和确认密码
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key CAE7B174B357C910 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/FD0E6509DDED9EF83F3FFA62CAE7B174B357C910.rev'
public and secret key created and signed.
pub rsa2048 2022-08-15 [SC]
FD0E6509DDED9EF83F3FFA62CAE7B174B357C910
uid sgrunert@suse.com (asdasd) <sgrunert@suse.com>
sub rsa2048 2022-08-15 [E]
2.在本地机器上启动一个容器
[root@master ~]# podman run -d -p 5000:5000 docker.io/registry
3.为签名实验选择一个标准镜像:alpine
[root@master ~]# podman pull docker://docker.io/alpine:latest
root@master ~]# podman images alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
4.重新标记镜像以将其指向harbor仓库
[root@master ~]# podman tag docker.io/library/alpine master.example.com/library/alpine
[root@master ~]# podman images alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
master.example.com/library/alpine latest c059bfaa849c 8 months ago 5.87 MB
5.修改系统范围的镜像配置
[root@master ~]# vim /etc/containers/registries.d/default.yaml
default-docker:
# sigstore: file:///var/lib/containers/sigstore
sigstore: http://192.168,160.132:80
sigstore-staging: file:///var/lib/containers/sigstore
//sigstore:引用 Web 服务器进行签名读取
//sigstore-staging:引用文件路径以进行签名写入
6.推送并签署镜像
1.添加不安全的注册表
//注释docker的加速器配置,只保留以下内容
[root@master ~]# vim /etc/containers/registries.conf
[registries.insecure]
registries = ['master.example.com','192.168.160.132:80']
2.登入到harbor仓库进行上传
[root@master containers]# podman login -u admin -p Harbor12345 master.example.com
Login Succeeded!
[root@master ~]# podman push --tls-verify=false --sign-by sgrunert@suse.com master.example.com/library/alpine
//需要刚刚创建的密钥