How to validate the authenticity of docker base images?


Problem description

How can we make sure that a Docker base image, for example ubuntu:latest, is not corrupted? That is, how can we check the authenticity of Docker base images?

Solution

Checksum verification

docker pull verifies the download of each layer using a checksum. It will detect a corrupted download.

$ docker pull ubuntu:latest 
latest: Pulling from library/ubuntu
1be7f2b886e8: Downloading [=====>                                             ]  4.865MB/42.86MB
6fbc4a21b806: Download complete 
c71a6f8e1378: Download complete 
4be3072e5a37: Verifying Checksum  <<-- It verifies Checksum 
06c6d2f59700: Download complete

So, you do not need to check whether your pulled image is corrupted or not.

Content trust in Docker

Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the integrity and publisher of specific image tags.

When you enable content trust, signing occurs on the client after push and verification happens on the client after pull.

$ export DOCKER_CONTENT_TRUST=1; docker pull ubuntu:latest

Pull (1 of 1): ubuntu:latest@sha256:e27e9d7f7f28d67aa9e2d7540bdc2b33254b452ee8e60f388875e5b7d9b2b696
sha256:e27e9d7f7f28d67aa9e2d7540bdc2b33254b452ee8e60f388875e5b7d9b2b696: Pulling from library/ubuntu
Digest: sha256:e27e9d7f7f28d67aa9e2d7540bdc2b33254b452ee8e60f388875e5b7d9b2b696
Status: Image is up to date for ubuntu@sha256:e27e9d7f7f28d67aa9e2d7540bdc2b33254b452ee8e60f388875e5b7d9b2b696
Tagging ubuntu@sha256:e27e9d7f7f28d67aa9e2d7540bdc2b33254b452ee8e60f388875e5b7d9b2b696 as ubuntu:latest

Read more about content_trust
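
As an added illustration (not part of the original answer and not Docker's own code), the sketch below shows the kind of digest checking the output above relies on: the manifest is compared against a pinned `sha256:` digest, then each layer blob against the size and digest the manifest lists. The manifest is a simplified, constructed one; `verify_image`, `demo` and the sample data are hypothetical names, and the signature over the tag-to-digest mapping that content trust adds is not modelled.

```python
import hashlib
import json

def digest(data: bytes) -> str:
    """Content address in the registry's form: 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def verify_image(manifest_bytes: bytes, pinned: str, blobs: dict) -> list:
    """Return a list of problems; an empty list means every check passed."""
    # 1. The manifest must hash to the digest we pinned.
    if digest(manifest_bytes) != pinned:
        # The layer list comes from an unverified manifest, so stop here.
        return ["manifest does not match pinned digest"]
    problems = []
    # 2. Each layer blob must match the size and digest the manifest lists.
    for layer in json.loads(manifest_bytes)["layers"]:
        blob = blobs.get(layer["digest"])
        if blob is None:
            problems.append("missing layer " + layer["digest"])
        elif len(blob) != layer["size"] or digest(blob) != layer["digest"]:
            problems.append("corrupted layer " + layer["digest"])
    return problems

# --- Constructed sample data (not a real image) ---
LAYERS = [b"constructed layer 0 bytes", b"constructed layer 1 bytes"]
MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "layers": [{"size": len(b), "digest": digest(b)} for b in LAYERS],
}, sort_keys=True).encode()
PINNED = digest(MANIFEST)            # what `image@sha256:...` would pin
BLOBS = {digest(b): b for b in LAYERS}

def demo() -> dict:
    """Run the checks on a clean pull, a damaged layer and a swapped manifest."""
    damaged = dict(BLOBS)
    damaged[digest(LAYERS[0])] = LAYERS[0][:-1] + b"X"  # same size, one byte changed
    swapped = json.dumps({"schemaVersion": 2, "layers": []}).encode()
    return {
        "clean": verify_image(MANIFEST, PINNED, BLOBS),
        "damaged": verify_image(MANIFEST, PINNED, damaged),
        "swapped": verify_image(swapped, PINNED, BLOBS),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "OK")
```

The layer check catches a damaged download, while only the pinned manifest digest ties the layer list to a specific image.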
