How to use GnuPG inside Docker containers, as it is missing entropy?
Problem description
I need to dockerize an apt repository. The packages in it need to be signed, which is currently done by
aptly publish snapshot -distribution="stable" -gpg-key="<key id>" my-snapshot
Before that a key needs to be created using gpg --gen-key.
But this way the private key will be created inside the Docker image, which doesn't seem to be a good practice. Besides, it doesn't even work; running gpg --gen-key --batch <gpg.in gets stuck:
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 284 more bytes)
I don't know if it's even possible to generate a gpg key inside a Docker container, and even if it is, it may not be a good idea.
Is there a way to sign the contents of the repo with an external key?
Recommended answer
Missing entropy
Docker does not provide virtual /dev/[u]random devices. If you haven't got enough entropy in the container, you haven't got enough entropy on the host.
Check the contents of /proc/sys/kernel/random/entropy_avail; they should be pretty much the same on both the Docker host and the container (if the number is slightly different, it just changes very frequently; otherwise recheck a few times).
Possible reasons:
- Running the Docker host in a virtual machine, for example because of boot2docker or a self-constructed virtual machine. Just make sure to get more entropy inside your virtual machine; haveged is a very easy solution for a developer machine, but might not be appropriate for production.
- Another container/application is using up all the entropy. Realize which one and interrupt/terminate it, or generate more entropy.
- You generally don't have enough entropy. Do some work (mouse/keyboard movements, (hard) disk I/O).
Anyway, it might be more reasonable to generate a key on a real machine, and only move a (private) subkey to the server. This way, you can exchange the subkey every now and then (and in case it was compromised). Read What is a good general purpose GnuPG key setup? for an introduction to the different things to consider while setting up OpenPGP keys.
While building the Docker image, use COPY to get the file into the machine, and then gpg --import it in the Dockerfile. Afterwards, it is available exactly the same way it would have been if you had generated it inside the container using gpg --gen-key.
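The workflow the answer recommends (generate the key on a real machine, move only the signing subkey, COPY and gpg --import it in the Dockerfile, then sign with aptly) written out as a POSIX shell script. This is an added example, not code from the original answer or from the aptly or GnuPG projects; the batch parameters, the keys/ directory, the repo-signing@example.org address, the debian:bookworm-slim base image and the snapshot name my-snapshot are assumptions, and selecting the subkey with a trailing "!" relies on GnuPG's exact-key selection syntax.

```shell
#!/bin/sh
# Added example (not from the original answer): create an OpenPGP key with a
# separate signing subkey on a trusted workstation, export ONLY that secret
# subkey, and produce the Dockerfile and aptly invocation that use it.
# Assumed names: keys/ directory, repo-signing@example.org, debian:bookworm-slim,
# snapshot my-snapshot.
set -eu

# GnuPG unattended key-generation parameters: a certify-only primary key plus a
# signing-only subkey, so the primary key never has to leave the workstation.
# "Key-Usage: cert" needs GnuPG 2.1 or later. %no-protection is used only so the
# example runs unattended; protect a real key with a passphrase.
write_batch_params() {
    cat <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: sign
Name-Real: Example Repository Signing Key
Name-Email: repo-signing@example.org
Expire-Date: 2y
%commit
EOF
}

# Generate the key pair into a private GNUPGHOME on the workstation (where
# entropy is not a problem) and print the fingerprint of the signing subkey.
generate_signing_key() {
    home=$1
    mkdir -p "$home" && chmod 700 "$home"
    write_batch_params > "$home/params"
    GNUPGHOME="$home" gpg --batch --gen-key "$home/params"
    # In --with-colons output the "fpr" record following "ssb" is the subkey
    # fingerprint (field 10).
    GNUPGHOME="$home" gpg --with-colons --list-secret-keys \
        | awk -F: '$1=="ssb"{s=1} s && $1=="fpr"{print $10; exit}'
}

# Export only the secret signing subkey (the primary secret key is left out and
# is imported as a stub) plus the public key that apt clients need.
export_subkey() {
    home=$1; fpr=$2; outdir=$3
    mkdir -p "$outdir"
    GNUPGHOME="$home" gpg --batch --armor --export-secret-subkeys "$fpr" \
        > "$outdir/signing-subkey.asc"
    chmod 600 "$outdir/signing-subkey.asc"
    GNUPGHOME="$home" gpg --batch --armor --export "$fpr" > "$outdir/repo-pubkey.asc"
}

# Dockerfile following the answer: COPY the exported subkey in and import it.
# Caveat: the COPY layer still holds the file after the rm, so anyone who can
# pull the image can read the subkey. Keep such images in a private registry
# and rotate the subkey if the image ever leaks.
write_dockerfile() {
    fpr=$1
    cat <<EOF
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends gnupg aptly && rm -rf /var/lib/apt/lists/*
COPY keys/signing-subkey.asc /tmp/signing-subkey.asc
RUN gpg --batch --import /tmp/signing-subkey.asc && rm /tmp/signing-subkey.asc
ENV SIGNING_KEY=${fpr}!
EOF
}

# The aptly command from the question with the subkey selected explicitly; the
# trailing "!" makes GnuPG use exactly that subkey rather than choosing one.
publish_command() {
    fpr=$1
    printf 'aptly publish snapshot -distribution="stable" -gpg-key="%s!" my-snapshot\n' "$fpr"
}

# Workstation workflow (needs gpg and docker; run by hand):
#   FPR=$(generate_signing_key "$HOME/repo-key")
#   export_subkey "$HOME/repo-key" "$FPR" keys
#   write_dockerfile "$FPR" > Dockerfile
#   docker build -t aptly-signer .
#   then inside the container run: $(publish_command "$FPR")
```

The primary key stays in $HOME/repo-key on the workstation; only keys/signing-subkey.asc goes into the build context, so revoking and re-issuing the subkey does not require redistributing a new public key to apt clients (they keep trusting the certifying primary key). Since the image still contains the secret subkey after import, treat the image itself as secret material.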