我正在虚拟机中实现Notary。要有参考,我在主机A上有一个docker注册表,我想在主机B上部署Notary Server,Signer和CLI,以便将推送映像送到注册表并从不同的机器上签名。但是,当我尝试使用角色目标在公证人B的主机B上签名图像时,会出现问题。出现以下错误消息:
[root@HostB ~]# docker push my.registry:443/galera-leader-proxy:v1.0.0
The push refers to a repository [my.registry:443/galera-leader-proxy]
5f70bf18a086: Layer already exists
1de59669c563: Layer already exists
17dd9fb03617: Layer already exists
26093688fdcb: Layer already exists
e08be57f5919: Layer already exists
v1.0.0: digest: sha256:6e48967416ea76ba2825511da7b05107a41f585629009d18ccbf30a1e1ce0e5a size: 2179
Signing and pushing trust metadata
ERRO[0000] couldn't add target to targets: could not find necessary signing keys, at least one of these keys must be available: b92334936cf0a0f0e3fb9dce459212537387847ee288ce27762fd54850f89e6f
Failed to sign "my.registry:443/galera-leader-proxy":v1.0.0 - could not find necessary signing keys, at least one of these keys must be available: b92334936cf0a0f0e3fb9dce459212537387847ee288ce27762fd54850f89e6f
Error: could not find signing keys for remote repository my.registry:443/galera-leader-proxy, or could not decrypt signing key: could not find necessary signing keys, at least one of these keys must be available: b92334936cf0a0f0e3fb9dce459212537387847ee288ce27762fd54850f89e6f
Docker镜像被推送到注册表,但在签名时我得到的错误消息没有找到要签名的“键”。但是,如果我看到公证人的钥匙,那么无法找到的钥匙是否可用。然后我不知道为什么会发生这种情况或者我配置得很糟糕:
[root@HostB ~]# dockernotary key list
ROLE GUN KEY ID LOCATION
---- --- ------ --------
root 7b8139837e3bf8b013f69bf0750d46ba0f70a6a6d9640eadcb592ae8a5ae2c0d /home/gmaurelia/.docker/trust/private
snapshot ...43/galera-leader-proxy 92cf3f72d573cab7b6045f72fe224a4ccf786e9ddd29c89b3a542b610061c763 /home/gmaurelia/.docker/trust/private
targets ...43/galera-leader-proxy b92334936cf0a0f0e3fb9dce459212537387847ee288ce27762fd54850f89e6f /home/gmaurelia/.docker/trust/private
PD: alias dockernotary="notary -c
/home/gmaurelia/.docker/trust/config.json -d
/home/gmaurelia/.docker/trust/ -s https://notary-server:4443"
我甚至不能在角色下签名:目标或目标/发布
对于多个主机上的公证人,您需要在第一台主机上执行委派步骤。这是一个涉及以下内容的multi-step process documented by docker:
openssl genrsa -out delegation.key 2048
openssl req -new -sha256 -key delegation.key -out delegation.csr
openssl x509 -req -sha256 -days 365 -in delegation.csr -signkey delegation.key -out delegation.crtnotary delegation add docker.io/<username>/<imagename> targets/releases delegation.crt --all-paths
notary publish docker.io/<username>/<imagename>notary key import delegation.key --role user现在,您应该能够在主机B上生成签名。
使用公证时,您应该注意保护和备份在主机A上生成的根证书。这通常称为脱机证书。如果你的两个主机的安全性不是一个问题(你完全信任它们),你可以简单地复制两者之间的$HOME/.docker/trust文件夹。
我遇到的问题是在我使用docker之前,我应用了命令:notary init my.registry:443 / collection所以公证人生成了一个带有不同键的集合,这样我就无法在任何角色下执行任何图像的推送泊坞甚至是目标。
一旦我以正确的方式做到了,我就将你提到的步骤应用到我身上,问题就解决了。公证配置如下:
命令:tree $ HOME / .docker / trust /
.docker/trust
├── certs
│ ├── delegation.crt
│ └── proof
│ ├── delegation.crt
│ ├── delegation.csr
│ └── delegation.key
├── config.json
├── private
│ ├── root_keys
│ │ └── 4e46a197de40621094f86e0cea4aa892d7c3cfb1b3400c64f6d7d82e4b97a470.key
│ └── tuf_keys
│ ├── 3269a0858ca91001c543435d0242e747bd08e68b52533f1b42028388ed02c7e6.key
│ └── my.registry:443
│ └── galera-leader-proxy
│ └──
| 873ba8267df2be149fba2230441961812159c35537b18c133247239f4bafa989.key
├── root-ca.crt
├── tls
│ └── my.registry:443
│ └── root-ca.crt
└── tuf
└── my.registry:443
└── galera-leader-proxy
├── changelist
└── metadata
├── root.json
├── snapshot.json
├── targets
│ ├── kube1.json
│ └── releases.json
├── targets.json
└── timestamp.json
另一方面,要正确配置客户端,我定义了以下别名:
alias dockernotary="notary -c $HOME/.docker/trust/config.json -d $HOME/.docker/trust/ -s https://notary-server:4443"
问候。