

Play in a content trust sandbox

This page explains how to set up and use a sandbox for experimenting with trust. The sandbox lets you configure and try trust operations locally without affecting your production images.

Before working through this sandbox, you should have read the trust overview carefully.

Prerequisites

These instructions assume you are running on Linux or macOS. You can run this sandbox on a local machine or on a virtual machine. You need the privileges to run docker commands on your local machine or in the VM.

This sandbox requires you to install two Docker tools: Docker Engine >= 1.10.0 and Docker Compose >= 1.6.0. To install Docker Engine, choose from the list of supported platforms. To install Docker Compose, see the detailed installation instructions.

Finally, you need a text editor installed on your local system or VM.

What is in the sandbox?

If you are just using trust out of the box, you only need your Docker Engine client and access to Docker Hub. The sandbox mimics a production trust environment and sets up these additional components.

    Container         Description
    trustsandbox      A container with the latest version of Docker Engine and some preconfigured certificates. This is your sandbox, where you use the docker client to test trust operations.
    sandboxregistry   A local registry service.
    notaryserver      The service that does all the heavy lifting of managing trust.

This means you run your own content trust (Notary) server and registry. If you work exclusively with Docker Hub, you do not need these components; they are built into Docker Hub for you. For the sandbox, however, you build your own complete mock production environment.

Within the trustsandbox container, you interact with your local registry rather than Docker Hub. This means your everyday image repositories are not used; they are protected while you play.

When you play in the sandbox, you also create root and repository keys. The sandbox is configured to store all the keys and files inside the trustsandbox container. Since the keys you create in the sandbox are for play only, destroying the container destroys them as well.

By using a docker-in-docker image for the trustsandbox container, you also do not pollute your real Docker daemon's cache with any images you push and pull. Those images are stored in an anonymous volume attached to this container and can be destroyed after you destroy the container.

Build the sandbox

In this section, you use Docker Compose to specify how to set up and link together the trustsandbox container, the Notary server, and the registry server.

1. Create a new trustsandbox directory and change into it.

    $ mkdir trustsandbox
    $ cd trustsandbox

2. Create a file called docker-compose.yml with your favorite editor. For example, using vim:

    $ touch docker-compose.yml
    $ vim docker-compose.yml

3. Add the following to the new file.

    version: "2"
    services:
      notaryserver:
        image: dockersecurity/notary_autobuilds:server-v0.4.2
        volumes:
          - notarycerts:/go/src/github.com/docker/notary/fixtures
        networks:
          - sandbox
        environment:
          - NOTARY_SERVER_STORAGE_TYPE=memory
          - NOTARY_SERVER_TRUST_SERVICE_TYPE=local
      sandboxregistry:
        image: registry:2.4.1
        networks:
          - sandbox
        container_name: sandboxregistry
      trustsandbox:
        image: docker:dind
        networks:
          - sandbox
        volumes:
          - notarycerts:/notarycerts
        privileged: true
        container_name: trustsandbox
        entrypoint: ""
        command: |-
            sh -c '
                cp /notarycerts/root-ca.crt /usr/local/share/ca-certificates/root-ca.crt &&
                update-ca-certificates &&
                dockerd-entrypoint.sh --insecure-registry sandboxregistry:5000'
    volumes:
      notarycerts:
        external: false
    networks:
      sandbox:
        external: false

4. Save and close the file.

5. Run the containers on your local system.

    $ docker-compose up -d

The first time you run this, the docker-in-docker, Notary server, and registry images are downloaded from Docker Hub.

Play in the sandbox

Now that everything is set up, you can go into your trustsandbox container and start testing Docker content trust. From your host machine, obtain a shell in the trustsandbox container.

    $ docker exec -it trustsandbox sh
    / #

Test some trust operations

Now, pull some images from within the trustsandbox container.

6. Download a docker image to test with.

    / # docker pull docker/trusttest
    docker pull docker/trusttest
    Using default tag: latest
    latest: Pulling from docker/trusttest
    b3dbab3810fc: Pull complete
    a9539b34a6ab: Pull complete
    Digest: sha256:d149ab53f8718e987c3a3024bb8aa0e2caadf6c0328f1d9d850b2a2a67f2819a
    Status: Downloaded newer image for docker/trusttest:latest

7. Tag it to be pushed into our sandbox registry:

    / # docker tag docker/trusttest sandboxregistry:5000/test/trusttest:latest

8. Enable content trust.

    / # export DOCKER_CONTENT_TRUST=1

9. Identify the trust server.

    / # export DOCKER_CONTENT_TRUST_SERVER=https://notaryserver:4443

This step is only necessary because the sandbox is using its own server. Normally, if you are using the Docker public Hub, this step is not necessary.

10. Pull the test image.

    / # docker pull sandboxregistry:5000/test/trusttest
    Using default tag: latest
    Error: remote trust data does not exist for sandboxregistry:5000/test/trusttest: notaryserver:4443 does not have trust data for sandboxregistry:5000/test/trusttest

You see an error, because this content does not exist on the notaryserver yet.

11. Push and sign the trusted image.

    / # docker push sandboxregistry:5000/test/trusttest:latest
    The push refers to a repository sandboxregistry:5000/test/trusttest
    5f70bf18a086: Pushed
    c22f7bc058a9: Pushed
    latest: digest: sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926 size: 734
    Signing and pushing trust metadata
    You are about to create a new root signing key passphrase. This passphrase
    will be used to protect the most sensitive key in your signing system. Please
    choose a long, complex passphrase and be careful to keep the password and the
    key file itself secure and backed up. It is highly recommended that you use a
    password manager to generate the passphrase and keep it safe. There will be no
    way to recover this key. You can find the key in your config directory.
    Enter passphrase for new root key with ID 27ec255:
    Repeat passphrase for new root key with ID 27ec255:
    Enter passphrase for new repository key with ID 58233f9 (sandboxregistry:5000/test/trusttest):
    Repeat passphrase for new repository key with ID 58233f9 (sandboxregistry:5000/test/trusttest):
    Finished initializing "sandboxregistry:5000/test/trusttest"
    Successfully signed "sandboxregistry:5000/test/trusttest":latest

Because you are pushing this repository for the first time, docker creates new root and repository keys and asks you for a passphrase with which to encrypt them. If you push again after this, it only asks you for the repository passphrase, so that it can decrypt the repository key and sign again.

12. Try pulling the image you just pushed:

    / # docker pull sandboxregistry:5000/test/trusttest
    Using default tag: latest
    Pull (1 of 1): sandboxregistry:5000/test/trusttest:latest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
    sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926: Pulling from test/trusttest
    Digest: sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
    Status: Downloaded newer image for sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
    Tagging sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926 as sandboxregistry:5000/test/trusttest:latest
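With content trust enabled, the pull above does not fetch "latest" by name: the client first resolves the tag to the digest recorded in the signed trust metadata and then pulls by that digest, which is why the output shows the `@sha256:...` form and only tags the result afterwards. The following shell functions, an added example rather than code from the Docker documentation, split such a reference into registry, repository, tag and digest and report whether it is pinned to a full SHA-256 digest. The registry-detection rule (first path component containing a `.` or `:`, or equal to `localhost`) is the one the docker client uses; the sample references below are constructed from the walkthrough output.

```shell
#!/bin/sh
# Added example: parse [registry/]repo[:tag][@sha256:digest] references and
# check whether they are digest-pinned. Not part of the Docker docs page.

# parse_ref <reference>: prints "registry|repository|tag|digest" on one line.
parse_ref() {
    ref=$1
    registry=""; tag=""; digest=""
    # A digest, if present, follows the last '@'.
    case $ref in *@*) digest=${ref#*@}; ref=${ref%%@*} ;; esac
    # The first path component is a registry host when it contains '.' or ':'
    # or is "localhost"; otherwise it is part of the repository name.
    first=${ref%%/*}
    if [ "$first" != "$ref" ]; then
        case $first in *.*|*:*|localhost) registry=$first; ref=${ref#*/} ;; esac
    fi
    # A tag is whatever follows the last ':' as long as no '/' comes after it
    # (so a registry port such as ":5000" is never mistaken for a tag).
    last=${ref##*:}
    if [ "$last" != "$ref" ] && [ "${last#*/}" = "$last" ]; then
        tag=$last; ref=${ref%:*}
    fi
    printf '%s|%s|%s|%s\n' "$registry" "$ref" "$tag" "$digest"
}

# is_pinned <reference>: succeeds only when the reference carries a complete
# sha256 digest (64 lowercase hex characters), i.e. content-addressed.
is_pinned() {
    case $1 in *@sha256:*) ;; *) return 1 ;; esac
    hex=${1#*@sha256:}
    [ ${#hex} -eq 64 ] || return 1
    case $hex in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# unpinned_refs <ref>...: prints every reference that is not digest-pinned.
unpinned_refs() {
    for r in "$@"; do is_pinned "$r" || echo "$r"; done
}

# Constructed sample references (digest taken from the trusted pull above).
parse_ref "sandboxregistry:5000/test/trusttest:latest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926"
parse_ref "docker/trusttest"
unpinned_refs "sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926" \
              "sandboxregistry:5000/test/trusttest:latest"
```

Running the block prints the parsed fields of the two sample references and then lists `sandboxregistry:5000/test/trusttest:latest` as the one reference that is not digest-pinned. The same `unpinned_refs` check can be run over the image references in a deployment file to find the ones that would be resolved by tag rather than by content.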

Test with malicious images

What happens when data is corrupted and you try to pull it with trust enabled? In this section, you go into the sandboxregistry and tamper with some data. Then, you try to pull it.

  • Leave the trustsandbox shell and container running.

  • Open a new interactive terminal from your host, and obtain a shell in the sandboxregistry container.

    $ docker exec -it sandboxregistry bash
    root@65084fc6f047:/#

  • List the layers for the test/trusttest image you pushed:

    root@65084fc6f047:/# ls -l /var/lib/registry/docker/registry/v2/repositories/test/trusttest/_layers/sha256
    total 12
    drwxr-xr-x 2 root root 4096 Jun 10 17:26 a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
    drwxr-xr-x 2 root root 4096 Jun 10 17:26 aac0c133338db2b18ff054943cee3267fe50c75cdee969aed88b1992539ed042
    drwxr-xr-x 2 root root 4096 Jun 10 17:26 cc7629d1331a7362b5e5126beb5bf15ca0bf67eb41eab994c719a45de53255cd

  • Change into the registry storage for one of those layers (note that this is in a different directory):

    root@65084fc6f047:/# cd /var/lib/registry/docker/registry/v2/blobs/sha256/aa/aac0c133338db2b18ff054943cee3267fe50c75cdee969aed88b1992539ed042

  • Add malicious data into one of the trusttest layers:

    root@65084fc6f047:/# echo "Malicious data" > data

  • Go back to your trustsandbox terminal.

  • List the trusttest image.

    / # docker images | grep trusttest
    REPOSITORY                            TAG                 IMAGE ID            CREATED             SIZE
    docker/trusttest                      latest              cc7629d1331a        11 months ago       5.025 MB
    sandboxregistry:5000/test/trusttest   latest              cc7629d1331a        11 months ago       5.025 MB
    sandboxregistry:5000/test/trusttest   <none>              cc7629d1331a        11 months ago       5.025 MB

  • Remove the trusttest:latest image from our local cache.

    / # docker rmi -f cc7629d1331a
    Untagged: docker/trusttest:latest
    Untagged: sandboxregistry:5000/test/trusttest:latest
    Untagged: sandboxregistry:5000/test/trusttest@sha256:ebf59c538accdf160ef435f1a19938ab8c0d6bd96aef8d4ddd1b379edf15a926
    Deleted: sha256:cc7629d1331a7362b5e5126beb5bf15ca0bf67eb41eab994c719a45de53255cd
    Deleted: sha256:2a1f6535dc6816ffadcdbe20590045e6cbf048d63fd4cc753a684c9bc01abeea
    Deleted: sha256:c22f7bc058a9a8ffeb32989b5d3338787e73855bf224af7aa162823da015d44c

Docker does not re-download images that it already has cached, but we want Docker to attempt to download the tampered image from the registry and reject it because it is invalid.

  • Pull the image again. This downloads the image from the registry, because we no longer have it cached.

    / # docker pull sandboxregistry:5000/test/trusttest
    Using default tag: latest
    Pull (1 of 1): sandboxregistry:5000/test/trusttest:latest@sha256:35d5bc26fd358da8320c137784fe590d8fcf9417263ef261653e8e1c7f15672e
    sha256:35d5bc26fd358da8320c137784fe590d8fcf9417263ef261653e8e1c7f15672e: Pulling from test/trusttest
    aac0c133338d: Retrying in 5 seconds
    a3ed95caeb02: Download complete
    error pulling image configuration: unexpected EOF

You see that the pull did not complete, because the trust system was unable to verify the image.
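The reason the tampered layer is rejected is that registry storage is content-addressed: a blob is filed under `blobs/sha256/<first two hex digits>/<digest>/data`, and the only valid content for that path is data whose SHA-256 equals the directory name. Overwriting `data` with "Malicious data" leaves the path (and the digest recorded in the signed trust metadata) unchanged, so the bytes no longer match and the client refuses them. The shell functions below, an added example and not code from the Docker documentation, reproduce that check offline against a constructed mock blob store laid out like the registry path shown above. They assume `sha256sum` (coreutils) or, failing that, `shasum -a 256` is available; the layer content is constructed, not a real image.

```shell
#!/bin/sh
# Added example: verify a registry-style content-addressed blob store and
# detect the tamper performed in the sandbox walkthrough. Not from the Docker
# docs page; assumes sha256sum (Linux) or shasum (macOS) is installed.

# Print the hex SHA-256 of a file, whichever tool is available.
sha256_of_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Path of a blob's data file inside the store, mirroring the registry layout
# blobs/sha256/<first two hex digits>/<digest>/data.
blob_path() {
    printf '%s/blobs/sha256/%s/%s/data' "$1" "$(printf '%s' "$2" | cut -c1-2)" "$2"
}

# store_blob <store root> <file>: file the content under its own digest and
# print that digest, as a registry does on upload.
store_blob() {
    digest=$(sha256_of_file "$2")
    mkdir -p "$(dirname "$(blob_path "$1" "$digest")")"
    cp "$2" "$(blob_path "$1" "$digest")"
    echo "$digest"
}

# verify_blob <store root> <digest>: succeeds only if the stored bytes still
# hash to the digest they are filed under; a missing blob also fails.
verify_blob() {
    file=$(blob_path "$1" "$2")
    [ -f "$file" ] || return 1
    [ "$(sha256_of_file "$file")" = "$2" ]
}

# audit_store <store root>: print the digest of every blob that fails
# verification; exit status 0 only when the whole store is intact.
audit_store() {
    bad=0
    for f in "$1"/blobs/sha256/*/*/data; do
        [ -f "$f" ] || continue
        d=$(basename "$(dirname "$f")")
        if ! verify_blob "$1" "$d"; then echo "$d"; bad=1; fi
    done
    return $bad
}

# Demonstration on a constructed layer in a temporary store.
demo() {
    store=$(mktemp -d)
    printf 'layer bytes of a constructed test image\n' > "$store/layer.tar"
    d=$(store_blob "$store" "$store/layer.tar")
    verify_blob "$store" "$d" && echo "intact:   $d"
    # Same edit as the walkthrough: overwrite the blob's data file in place.
    echo "Malicious data" > "$(blob_path "$store" "$d")"
    verify_blob "$store" "$d" || echo "tampered: $d"
    if audit_store "$store"; then echo "audit: all blobs verify"; else echo "audit: tampered blobs listed above"; fi
    rm -rf "$store"
}

demo
```

The walkthrough's `docker pull` does the equivalent of `verify_blob` while streaming each layer, which is why the tampered layer shows `Retrying in 5 seconds` and the pull ends in an error instead of silently accepting different bytes under a known digest. `audit_store` is the offline form of the same check, useful for spotting on-disk corruption of a registry's blob store before any client pulls from it.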

More play in the sandbox

Now you have a full Docker content trust sandbox on your local system; feel free to play with it and see how it behaves. If you find any security issues with Docker, feel free to send an email to security@docker.com.

Cleaning up your sandbox

When you are done and want to clean up all the services you have started and any anonymous volumes that have been created, run the following command in the directory where you created your Docker Compose file:

    $ docker-compose down -v