企业中使用镜像仓库,通常都需要开启认证,认证凭据可能是用户在企业中通用的账户。但docker login以后,会在 .docker/config.json 中保存base64以后的用户名、密码,这样,在一些多人使用的服务器上,就会出现账号泄露的问题。
有没有解决方法呢?
docker提供credentials store,也就是讲密码存储到外置的credentials store中。
目前支持如下几种:
- D-Bus Secret Service: https://github.com/docker/docker-credential-helpers/releases
- Apple macOS keychain: https://github.com/docker/docker-credential-helpers/releases
- Microsoft Windows Credential Manager: https://github.com/docker/docker-credential-helpers/releases
- pass: https://github.com/docker/docker-credential-helpers/releases
对于linux服务器来说,只能选择pass,因为D-Bus需要X11支持,而Apple和Microsoft看上去就不像是给Linux准备的。
以下是配置步骤。
sudo apt install gnupg2 pass
如下是0.6.3版本的下载地址,下载的是amd64的docker-credential-pass(不是上面的pass)。
wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.3/docker-credential-pass-v0.6.3-amd64.tar.gz
下载后,解压,并将docker-credential-pass文件拷贝到/usr/bin/
目录下,添加可执行权限。
$ docker logout
Removing login credentials for https://index.docker.io/v1/
"credsStore": "pass"
··· $ cat ~/.docker/config.json { “auths”: {}, “credsStore”: “pass”, “HttpHeaders”: { “User-Agent”: “Docker-Client/19.03.6 (linux)” } } ···
生成GPG keypaire。记住这里设置的密码,这个密码是用来保存docker密码的。
$ gpg2 --full-generate-key
gpg2 --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
...
生成后可以gpg2 -k
查看。
$ gpg2 -k
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/bottle/.gnupg/pubring.kbx
-------------------------------
pub rsa3072 2020-06-20 [SC]
4B65C16E5349EC64D77A9EB1C1E8818FCC8126B8
uid [ultimate] silenceshell
sub rsa3072 2020-06-20 [E]
$ pass init [email protected]
mkdir: created directory '/home/bottle/.password-store/'
Password store initialized for [email protected]
登录后,查看 .docker/config.json
,可以看到auths中没有保存用户名和密码信息。
$ cat ~/.docker/config.json
{
"auths": {
"https://index.docker.io/v1/": {}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.6 (linux)"
},
"credsStore": "pass"
}
之后,就可以使用该用户的身份,进行docker后续的操作了。
Ref: