容器镜像仓库harbor+cosign的安装使用

admin 2022年5月4日20:29:30安全闲碎评论8 views2410字阅读8分2秒阅读模式

harbor2.5版本开始支持cosign做镜像签名,本周实践了一下,

ubuntu20.04.4,安装docker,sudo apt install docker.io,

sudo systemctl enable docker,

sudo gpasswd -a ubuntu docker,

newgrp docker,

安装docker-compose,sudo apt install docker-compose,

给harbor起个本地域名,sudo vim /etc/hosts,
10.90.11.120 harbortrivy.com

给harbor创建私钥和证书,

openssl genrsa -out ca.key 4096,

openssl req -x509 -new -nodes -sha512 -days 3650
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbortrivy.com"
 -key ca.key
 -out ca.crt,

openssl genrsa -out harbortrivy.com.key 4096,

openssl req -sha512 -new
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbortrivy.com"
    -key harbortrivy.com.key
    -out harbortrivy.com.csr,

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbortrivy.com
DNS.2=harbortrivy
DNS.3=ubuntu
EOF

openssl x509 -req -sha512 -days 3650
    -extfile v3.ext
    -CA ca.crt -CAkey ca.key -CAcreateserial
    -in harbortrivy.com.csr
    -out harbortrivy.com.crt,

下载harbor在线安装版本,

wget https://github.com/goharbor/harbor/releases/download/v2.5.0/harbor-online-installer-v2.5.0.tgz,

tar -zxvf harbor-online-installer-v2.5.0.tgz,cd harbor,

修改配置,vim harbor.yml,
hostname: harbortrivy.com
certificate: /home/ubuntu/harbortrivy.com.crt
private_key: /home/ubuntu/harbortrivy.com.key
harbor_admin_password: harbortrivy

安装,指定trivy,notary等参数,

sudo ./install.sh --with-notary --with-trivy --with-chartmuseum,

安装成功后,https登录,admin/harbortrivy,

在docker客户端,需要把harbor的证书弄过来放到docker的目录下,

sudo mkdir -p /etc/docker/certs.d/harbortrivy.com,
sudo cp ca.crt /etc/docker/certs.d/harbortrivy.com,

还需要更新系统的ca证书,

sudo cp ca.crt /usr/local/share/ca-certificates/,
sudo update-ca-certificate,

登录一下,docker login --username=admin harbortrivy.com,

下载cosign程序,

sudo wget https://github.com/sigstore/cosign/releases/download/v1.7.2/cosign-linux-amd64 -O /usr/local/bin/cosign,

sudo chmod +x /usr/local/bin/cosign,

创建签名的公私钥,cosign generate-key-pair,

下载log4j的镜像做实验,

docker pull ghcr.io/christophetd/log4shell-vulnerable-app,

docker tag 248241e9f7fa harbortrivy.com/library/log4shell-vulnerable-app:latest,

docker push harbortrivy.com/library/log4shell-vulnerable-app:latest,

用cosign对log4j镜像做签名,

cosign sign --key cosign.key harbortrivy.com/library/log4shell-vulnerable-app:latest,

容器镜像仓库harbor+cosign的安装使用

用cosign对log4j镜像的签名做验证,

cosign verify --key cosign.pub harbortrivy.com/library/log4shell-vulnerable-app:latest,

同样支持对未签名的镜像限制下载,

容器镜像仓库harbor+cosign的安装使用


原文始发于微信公众号(云计算和网络安全技术实践):容器镜像仓库harbor+cosign的安装使用

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年5月4日20:29:30
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  容器镜像仓库harbor+cosign的安装使用 http://cn-sec.com/archives/973210.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: