Image registries used inside a company usually require authentication, and the credentials are often the user's general-purpose corporate account. After `docker login`, however, the username and password are saved base64-encoded in .docker/config.json, so on servers shared by many people this leads to account leakage.

Is there a way around this?

Docker provides credential stores, meaning the password is kept in an external credential store instead of the config file.

The following stores are currently supported:

  • D-Bus Secret Service: https://github.com/docker/docker-credential-helpers/releases
  • Apple macOS keychain: https://github.com/docker/docker-credential-helpers/releases
  • Microsoft Windows Credential Manager: https://github.com/docker/docker-credential-helpers/releases
  • pass: https://github.com/docker/docker-credential-helpers/releases

For a Linux server, pass is the only practical choice: D-Bus Secret Service needs X11 support, and the Apple and Microsoft ones are obviously not meant for Linux.

The configuration steps follow.

1. Install gnupg2 and pass

sudo apt install gnupg2 pass

2. Install docker-credential-pass

Below is the download URL for version 0.6.3; it fetches the amd64 build of docker-credential-pass (not the pass package from the step above).

wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.3/docker-credential-pass-v0.6.3-amd64.tar.gz

After downloading, extract the archive, copy the docker-credential-pass file into /usr/bin/, and make it executable.

3. Log out of Docker Hub

$ docker logout
Removing login credentials for https://index.docker.io/v1/

4. Edit the Docker config and add "credsStore": "pass"

$ cat ~/.docker/config.json
{
	"auths": {},
	"credsStore": "pass",
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.6 (linux)"
	}
}

5. gpg2

Generate a GPG keypair. Remember the passphrase you set here; it is the passphrase that protects the stored Docker password.

$ gpg2 --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
...

Once generated, the key can be listed with gpg2 -k.

$ gpg2 -k
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/bottle/.gnupg/pubring.kbx
-------------------------------
pub   rsa3072 2020-06-20 [SC]
      4B65C16E5349EC64D77A9EB1C1E8818FCC8126B8
uid           [ultimate] silenceshell <me@ieevee.com>
sub   rsa3072 2020-06-20 [E]

6. Initialize pass

$ pass init me@ieevee.com
mkdir: created directory '/home/bottle/.password-store/'
Password store initialized for me@ieevee.com

7. docker login

After logging in, look at .docker/config.json again: the auths section no longer holds a username or password.

$ cat ~/.docker/config.json
{
	"auths": {
		"https://index.docker.io/v1/": {}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.6 (linux)"
	},
	"credsStore": "pass"
}

From then on, subsequent Docker operations run with that user's identity.
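To check whether a shared server still has the leakage problem described at the top of this post, the following audit script (added here as an example, not part of the original post) parses a config.json and reports, per registry, whether the credential is stored base64-encoded in the file or delegated to a credsStore/credHelpers helper. The two sample configs are constructed, and only the username is decoded from the auth field.

```python
import base64
import json
import os

# Constructed sample: config.json written by a plain `docker login` with no
# credential store. The "auth" value is base64("username:password").
SAMPLE_PLAINTEXT_CONFIG = json.dumps({
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"alice:example-password").decode()
        }
    },
    "HttpHeaders": {"User-Agent": "Docker-Client/19.03.6 (linux)"},
})

# Constructed sample: config.json after switching to "credsStore": "pass".
# The registry is still listed, but its entry is empty.
SAMPLE_STORE_CONFIG = json.dumps({
    "auths": {"https://index.docker.io/v1/": {}},
    "HttpHeaders": {"User-Agent": "Docker-Client/19.03.6 (linux)"},
    "credsStore": "pass",
})


def audit_docker_config(config_text):
    """Return [(registry, status, username)] for every registry in auths.

    status is "plaintext" when a base64 user:password sits in the file,
    "store" when a credsStore or per-registry credHelpers entry applies,
    and "none" when the entry is empty and no helper is configured.
    """
    cfg = json.loads(config_text)
    store = cfg.get("credsStore")
    helpers = cfg.get("credHelpers", {})
    report = []
    for registry, entry in cfg.get("auths", {}).items():
        auth = entry.get("auth")
        if auth:
            # Decode only far enough to identify whose account is exposed.
            decoded = base64.b64decode(auth).decode("utf-8", "replace")
            report.append((registry, "plaintext", decoded.split(":", 1)[0]))
        elif registry in helpers or store:
            report.append((registry, "store", None))
        else:
            report.append((registry, "none", None))
    return report


def audit_docker_config_file(path="~/.docker/config.json"):
    """Audit a real config file, e.g. for each home directory on a shared host."""
    with open(os.path.expanduser(path), encoding="utf-8") as fh:
        return audit_docker_config(fh.read())
```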
