Dockerhub的访问令牌 [英] Access Token for Dockerhub

问题描述

我在hub.docker.com上创建了一个存储库，现在想使用我的凭据将映像推送到Dockerhub.我想知道是否必须使用用户名和密码，或者是否可以创建某种访问令牌来推送Docker映像.

I created a repository on hub.docker.com and now want to push my image to the Dockerhub using my credentials. I am wondering whether I have to use my username and password or whether I can create some kind of access token to push the docker image.

我想要做的是使用Concourse中的docker-image资源将映像推送到Dockerhub.因此，我必须配置凭据，例如:

What I want to do is using the docker-image resource from Concourse to push an image to Dockerhub. Therefore I have to configure credentials like:

type: docker-image
source:
  email: {{docker-hub-email}}
  username: {{docker-hub-username}}
  password: {{docker-hub-password}}
  repository: {{docker-hub-image-dummy-resource}}

我不想为此使用Dockerhub密码.

and I don't want to use my Dockerhub password for that.

推荐答案

简而言之，你做不到.有一些解决方案可能会吸引您，但首先知道这一点有结构性原因可能会让您放心:

In short, you can't. There are some solutions that may appeal to you, but it may ease your mind first to know there's a structural reason for this:

资源是通过它们的source和params配置的，它们在管道级别(在yml文件中)定义.必须在此处定义任何身份验证信息，因为无法从构建的较早步骤获取信息到get步骤(没有输入).

Resources are configured via their source and params, which are defined at the pipeline level (in your yml file). Any authentication information has to be defined there, because there's no way to get information from an earlier step in your build into the get step (it has no inputs).

由于承载令牌通常会在不那么长"(即数小时或数天)之后超时，这对DockerHub令牌也是如此，因此，每次构建运行时，concourse实例都需要能够从身份验证服务中获取新令牌如有必要.无论如何，这都需要某种形式的持久性身份验证存储在中心服务器中，并且当前Dockerhub不支持CI访问令牌，例如

Since bearer tokens usually time out after "not that long" (i.e. hours or days) which is also true of DockerHub tokens, the concourse instance needs to be able to fetch a new token from the authentication service every time the build runs if necessary. This requires some form of persistent auth to be stored in the concourse server anyway, and currently Dockerhub does not support CI access tokens a la github.

这就是说，您将需要以一种或另一种方式向Concourse提供用户名和密码.

All that is to say, you will need to provide a username and password to Concourse one way or another.

如果您担心安全性，可以采取一些措施来降低风险:

If you're worried about security, there are some steps you can most likely take to reduce risk:

• 您可以使用 --load-vars-from 来保护您的凭据以免保存在管道中，将它们存储在其他位置(LastPass，本地文件等).
• 您可能能够在Dockerhub上创建一个用户，该用户仅有权访问要推送的特定存储库，如果可以的话，可以是"CI bot用户".

这篇关于Dockerhub的访问令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！