How to use GnuPG inside Docker containers, as it is missing entropy?


Problem description

I need to dockerize an apt repository. The packages in it need to be signed, which is currently done by aptly publish snapshot -distribution="stable" -gpg-key="<key id>" my-snapshot

Before that a key needs to be created using gpg --gen-key.

But this way the private key will be created inside the docker image, which doesn't seem to be a good practice. Besides, it doesn't even work; running gpg --gen-key --batch <gpg.in gets stuck:

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 284 more bytes)

I don't know if it's even possible to generate a gpg key inside a docker container, and even if it is, it may not be a good idea.

Is there a way to sign the contents of the repo by an external key?

Recommended answer

Missing Entropy

Docker does not provide a virtual /dev/[u]random device. If you haven't got enough entropy in the container, you haven't got enough entropy on the host.

Check the contents of /proc/sys/kernel/random/entropy_avail, they should be pretty much the same on both the Docker host and container (if the number is slightly different, it just changes very frequently, otherwise recheck a few times).

Possible reasons:

  • Running the docker host in a virtual machine, for example because of boot2docker or a self-constructed virtual machine. Just make sure to get more entropy inside your virtual machine, haveged is a very easy solution for a developer machine, but might not be appropriate for production.
  • Another container/application is using up all entropy. Realize which one and interrupt/terminate it, or generate more entropy.
  • You're generally not having enough entropy. Do some work (mouse/keyboard movements, (hard) disk I/O).

Anyway, it might be more reasonable to generate a key on a real machine, and only move a (private) subkey to the server. This way, you can exchange the subkey every now and then (and in case it was compromised). Read What is a good general purpose GnuPG key setup? for an introduction to different things to consider while setting up OpenPGP keys.

While building the Docker image, use COPY to get the file into the machine, and then gpg --import it in the Dockerfile. Afterwards, it is available exactly the same way it would've been if you generated it inside the container using gpg --gen-key.
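The entropy check and the import step from the answer above, as an added shell example that is not part of the original question or answer. It assumes the Linux procfs path named in the answer, treats the 256-bit threshold as illustrative, and the `signing-subkey.gpg` file name and `docker run --rm alpine` probe are my own choices.

```shell
#!/bin/sh
# Added example (not from the original Q&A). Reads the kernel entropy counter the
# answer refers to, reports whether GnuPG key generation is likely to block, and
# prints the Dockerfile lines for importing a pre-generated signing subkey.
# Assumptions: Linux procfs layout; the 256-bit threshold is illustrative.
set -u

ENTROPY_FILE="/proc/sys/kernel/random/entropy_avail"

# read_entropy FILE: print the integer stored in FILE, or -1 if unreadable/empty.
read_entropy() {
    if [ -r "$1" ]; then v=$(tr -dc '0-9' < "$1"); echo "${v:--1}"; else echo -1; fi
}

# entropy_state HOST CONTAINER [MIN]: "low" if either reading is below MIN,
# "ok" otherwise. Host and container share the kernel pool, so the two values
# should be close; a small difference is just the pool fluctuating.
entropy_state() {
    host=$1; container=$2; min=${3:-256}
    if [ "$host" -lt "$min" ] || [ "$container" -lt "$min" ]; then
        echo low
    else
        echo ok
    fi
}

# dockerfile_import KEYFILE: Dockerfile fragment following the answer's advice:
# COPY the subkey exported on a real machine, then gpg --import it at build time.
dockerfile_import() {
    printf 'COPY %s /tmp/signing-subkey.gpg\n' "$1"
    printf 'RUN gpg --batch --import /tmp/signing-subkey.gpg && rm /tmp/signing-subkey.gpg\n'
    # Caveat: the COPY layer still holds the key file even after rm; with
    # BuildKit, RUN --mount=type=secret keeps the key out of image layers.
}

# Example invocation: compare the host reading with one taken inside a
# throwaway container (requires docker; any small image with /proc works).
main() {
    host=$(read_entropy "$ENTROPY_FILE")
    container=$(docker run --rm alpine cat "$ENTROPY_FILE" 2>/dev/null || echo -1)
    echo "host=$host container=$container state=$(entropy_state "$host" "$container")"
    dockerfile_import signing-subkey.gpg
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run` on the Docker host; a `low` state on the host confirms the answer's point that the container cannot have more entropy than the kernel it shares.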

