亚洲国产日韩欧美一区二区三区,精品亚洲国产成人av在线,国产99视频精品免视看7,99国产精品久久久久久久成人热,欧美日韩亚洲国产综合乱

目錄 搜尋
Compose About versions and upgrading (Compose) ASP.NET Core + SQL Server on Linux (Compose) CLI environment variables (Compose) Command-line completion (Compose) Compose(組成) Compose command-line reference(組合命令行參考) Control startup order (Compose) Django and PostgreSQL (Compose) Docker stacks and distributed application bundles (Compose) docker-compose build(docker-compose構(gòu)建) docker-compose bundle docker-compose config docker-compose create docker-compose down docker-compose events docker-compose exec docker-compose help docker-compose images docker-compose kill docker-compose logs docker-compose pause docker-compose port docker-compose ps docker-compose pull docker-compose push docker-compose restart docker-compose rm docker-compose run docker-compose scale docker-compose start docker-compose stop docker-compose top docker-compose unpause docker-compose up Environment file (Compose) Environment variables in Compose Extend services in Compose Frequently asked questions (Compose) Getting started (Compose) Install Compose Link environment variables (deprecated) (Compose) Networking in Compose Overview of Docker Compose Overview of docker-compose CLI Quickstart: Compose and WordPress Rails and PostgreSQL (Compose) Sample apps with Compose Using Compose in production Using Compose with Swarm Engine .NET Core application (Engine) About images, containers, and storage drivers (Engine) Add nodes to the swarm (Engine) Apply custom metadata (Engine) Apply rolling updates (Engine) apt-cacher-ng Best practices for writing Dockerfiles (Engine) Binaries (Engine) Bind container ports to the host (Engine) Breaking changes (Engine) Build your own bridge (Engine) Configure container DNS (Engine) Configure container DNS in user-defined networks (Engine) CouchDB (Engine) Create a base image (Engine) Create a swarm (Engine) Customize the docker0 bridge (Engine) Debian (Engine) Default bridge network Delete the service (Engine) Deploy a service (Engine) Deploy services to a swarm (Engine) Deprecated Engine features Docker container networking (Engine) Docker overview (Engine) Docker run reference (Engine) Dockerfile reference (Engine) Dockerize an application Drain a node (Engine) Engine FAQ (Engine) Fedora (Engine) Get started (Engine) Get started with macvlan network driver (Engine) Get started with multi-host networking (Engine) How nodes work (Engine) How services work (Engine) Image management (Engine) Inspect the service (Engine) Install Docker (Engine) IPv6 with Docker (Engine) Join nodes to a swarm (Engine) Legacy container links (Engine) Lock your swarm (Engine) Manage nodes in a swarm (Engine) Manage sensitive data with Docker secrets (Engine) Manage swarm security with PKI (Engine) Manage swarm service networks (Engine) Migrate to Engine 1.10 Optional Linux post-installation steps (Engine) Overview (Engine) PostgreSQL (Engine) Raft consensus in swarm mode (Engine) Riak (Engine) Run Docker Engine in swarm mode Scale the service (Engine) SDKs (Engine) Select a storage driver (Engine) Set up for the tutorial (Engine) SSHd (Engine) Storage driver overview (Engine) Store service configuration data (Engine) Swarm administration guide (Engine) Swarm mode key concepts (Engine) Swarm mode overlay network security model (Engine) Swarm mode overview (Engine) Understand container communication (Engine) Use multi-stage builds (Engine) Use swarm mode routing mesh (Engine) Use the AUFS storage driver (Engine) Use the Btrfs storage driver (Engine) Use the Device mapper storage driver (Engine) Use the OverlayFS storage driver (Engine) Use the VFS storage driver (Engine) Use the ZFS storage driver (Engine) Engine: Admin Guide Amazon CloudWatch logs logging driver (Engine) Bind mounts (Engine) Collect Docker metrics with Prometheus (Engine) Configuring and running Docker (Engine) Configuring logging drivers (Engine) Control and configure Docker with systemd (Engine) ETW logging driver (Engine) Fluentd logging driver (Engine) Format command and log output (Engine) Google Cloud logging driver (Engine) Graylog Extended Format (GELF) logging driver (Engine) Journald logging driver (Engine) JSON File logging driver (Engine) Keep containers alive during daemon downtime (Engine) Limit a container's resources (Engine) Link via an ambassador container (Engine) Log tags for logging driver (Engine) Logentries logging driver (Engine) PowerShell DSC usage (Engine) Prune unused Docker objects (Engine) Run multiple services in a container (Engine) Runtime metrics (Engine) Splunk logging driver (Engine) Start containers automatically (Engine) Storage overview (Engine) Syslog logging driver (Engine) tmpfs mounts Troubleshoot volume problems (Engine) Use a logging driver plugin (Engine) Using Ansible (Engine) Using Chef (Engine) Using Puppet (Engine) View a container's logs (Engine) Volumes (Engine) Engine: CLI Daemon CLI reference (dockerd) (Engine) docker docker attach docker build docker checkpoint docker checkpoint create docker checkpoint ls docker checkpoint rm docker commit docker config docker config create docker config inspect docker config ls docker config rm docker container docker container attach docker container commit docker container cp docker container create docker container diff docker container exec docker container export docker container inspect docker container kill docker container logs docker container ls docker container pause docker container port docker container prune docker container rename docker container restart docker container rm docker container run docker container start docker container stats docker container stop docker container top docker container unpause docker container update docker container wait docker cp docker create docker deploy docker diff docker events docker exec docker export docker history docker image docker image build docker image history docker image import docker image inspect docker image load docker image ls docker image prune docker image pull docker image push docker image rm docker image save docker image tag docker images docker import docker info docker inspect docker kill docker load docker login docker logout docker logs docker network docker network connect docker network create docker network disconnect docker network inspect docker network ls docker network prune docker network rm docker node docker node demote docker node inspect docker node ls docker node promote docker node ps docker node rm docker node update docker pause docker plugin docker plugin create docker plugin disable docker plugin enable docker plugin inspect docker plugin install docker plugin ls docker plugin push docker plugin rm docker plugin set docker plugin upgrade docker port docker ps docker pull docker push docker rename docker restart docker rm docker rmi docker run docker save docker search docker secret docker secret create docker secret inspect docker secret ls docker secret rm docker service docker service create docker service inspect docker service logs docker service ls docker service ps docker service rm docker service scale docker service update docker stack docker stack deploy docker stack ls docker stack ps docker stack rm docker stack services docker start docker stats docker stop docker swarm docker swarm ca docker swarm init docker swarm join docker swarm join-token docker swarm leave docker swarm unlock docker swarm unlock-key docker swarm update docker system docker system df docker system events docker system info docker system prune docker tag docker top docker unpause docker update docker version docker volume docker volume create docker volume inspect docker volume ls docker volume prune docker volume rm docker wait Use the Docker command line (Engine) Engine: Extend Access authorization plugin (Engine) Docker log driver plugins Docker network driver plugins (Engine) Extending Engine with plugins Managed plugin system (Engine) Plugin configuration (Engine) Plugins API (Engine) Volume plugins (Engine) Engine: Security AppArmor security profiles for Docker (Engine) Automation with content trust (Engine) Content trust in Docker (Engine) Delegations for content trust (Engine) Deploying Notary (Engine) Docker security (Engine) Docker security non-events (Engine) Isolate containers with a user namespace (Engine) Manage keys for content trust (Engine) Play in a content trust sandbox (Engine) Protect the Docker daemon socket (Engine) Seccomp security profiles for Docker (Engine) Secure Engine Use trusted images Using certificates for repository client verification (Engine) Engine: Tutorials Engine tutorials Network containers (Engine) Get Started Part 1: Orientation Part 2: Containers Part 3: Services Part 4: Swarms Part 5: Stacks Part 6: Deploy your app Machine Amazon Web Services (Machine) Digital Ocean (Machine) docker-machine active docker-machine config docker-machine create docker-machine env docker-machine help docker-machine inspect docker-machine ip docker-machine kill docker-machine ls docker-machine provision docker-machine regenerate-certs docker-machine restart docker-machine rm docker-machine scp docker-machine ssh docker-machine start docker-machine status docker-machine stop docker-machine upgrade docker-machine url Driver options and operating system defaults (Machine) Drivers overview (Machine) Exoscale (Machine) Generic (Machine) Get started with a local VM (Machine) Google Compute Engine (Machine) IBM Softlayer (Machine) Install Machine Machine Machine CLI overview Machine command-line completion Machine concepts and help Machine overview Microsoft Azure (Machine) Microsoft Hyper-V (Machine) Migrate from Boot2Docker to Machine OpenStack (Machine) Oracle VirtualBox (Machine) Provision AWS EC2 instances (Machine) Provision Digital Ocean Droplets (Machine) Provision hosts in the cloud (Machine) Rackspace (Machine) VMware Fusion (Machine) VMware vCloud Air (Machine) VMware vSphere (Machine) Notary Client configuration (Notary) Common Server and signer configurations (Notary) Getting started with Notary Notary changelog Notary configuration files Running a Notary service Server configuration (Notary) Signer configuration (Notary) Understand the service architecture (Notary) Use the Notary client
文字

創(chuàng)建授權(quán)插件

本文檔描述了Docker Engine中通常提供的Docker Engine插件。要查看由Docker Engine管理的插件的信息,請(qǐng)參閱Docker Engine插件系統(tǒng)。

Docker的開箱即用授權(quán)模式是全部或沒有。任何有權(quán)訪問Docker守護(hù)程序的用戶都可以運(yùn)行任何Docker客戶端命令。對(duì)于使用Docker的Engine API來調(diào)用守護(hù)進(jìn)程的調(diào)用者也是如此。如果您需要更大的訪問控制權(quán),您可以創(chuàng)建授權(quán)插件并將其添加到Docker守護(hù)程序配置中。使用授權(quán)插件,Docker管理員可以配置粒度訪問策略來管理對(duì)Docker守護(hù)進(jìn)程的訪問。

任何具有相應(yīng)技能的人都可以開發(fā)授權(quán)插件。這些技能,最基本的是Docker的知識(shí),對(duì)REST的理解以及良好的編程知識(shí)。本文檔描述授權(quán)插件開發(fā)人員可用的體系結(jié)構(gòu),狀態(tài)和方法信息。

基本原則

Docker的插件基礎(chǔ)架構(gòu)可以通過使用通用API加載,刪除和與第三方組件進(jìn)行通信來擴(kuò)展Docker。訪問授權(quán)子系統(tǒng)是使用這種機(jī)制構(gòu)建的。

使用這個(gè)子系統(tǒng),您不需要重建Docker守護(hù)程序來添加授權(quán)插件。您可以將插件添加到已安裝的Docker守護(hù)程序。您確實(shí)需要重新啟動(dòng)Docker守護(hù)程序才能添加新的插件。

授權(quán)插件基于當(dāng)前認(rèn)證上下文和命令上下文來批準(zhǔn)或拒絕對(duì)Docker守護(hù)進(jìn)程的請(qǐng)求。認(rèn)證上下文包含所有用戶詳細(xì)信息和認(rèn)證方法。命令上下文包含所有相關(guān)的請(qǐng)求數(shù)據(jù)。

授權(quán)插件必須遵循Docker插件API每個(gè)插件必須駐留在插件發(fā)現(xiàn)部分。

注意:分別是縮寫AuthZAuthN平均授權(quán)和認(rèn)證。

默認(rèn)用戶授權(quán)機(jī)制

如果在Docker守護(hù)進(jìn)程中啟用了TLS,則默認(rèn)的用戶授權(quán)流程會(huì)從證書主體名稱中提取用戶詳細(xì)信息。即,User字段設(shè)置為客戶端證書主題公用名稱,并且該AuthenticationMethod字段設(shè)置為TLS

基本架構(gòu)

您有責(zé)任將您的插件注冊(cè)為Docker守護(hù)程序啟動(dòng)的一部分。您可以安裝多個(gè)插件并將它們鏈接在一起。這條鏈可以訂購。對(duì)守護(hù)進(jìn)程的每個(gè)請(qǐng)求都按順序通過鏈。只有當(dāng)所有插件授予對(duì)資源的訪問權(quán)時(shí),授予的訪問權(quán)才是。

當(dāng)通過CLI或通過引擎API向Docker守護(hù)進(jìn)程發(fā)出HTTP請(qǐng)求時(shí),身份驗(yàn)證子系統(tǒng)會(huì)將請(qǐng)求傳遞給已安裝的身份驗(yàn)證插件。該請(qǐng)求包含用戶(調(diào)用者)和命令上下文。該插件負(fù)責(zé)決定是允許還是拒絕該請(qǐng)求。

下面的序列圖描述了一個(gè)允許和拒絕授權(quán)流:

發(fā)送給插件的每個(gè)請(qǐng)求都包括經(jīng)過身份驗(yàn)證的用戶,HTTP標(biāo)頭和請(qǐng)求/響應(yīng)主體。只有用戶名和使用的認(rèn)證方法被傳遞給插件。最重要的是,沒有用戶憑證或令牌傳遞。最后,并非所有的請(qǐng)求/響應(yīng)主體都被發(fā)送到授權(quán)插件。只有那些請(qǐng)求/響應(yīng)機(jī)構(gòu),其中Content-Type或者是text/*application/json被發(fā)送。

對(duì)于可能劫持HTTP連接(HTTP Upgrade)的命令,例如exec,授權(quán)插件僅針對(duì)初始HTTP請(qǐng)求進(jìn)行調(diào)用。一旦插件批準(zhǔn)了該命令,授權(quán)就不會(huì)應(yīng)用于其余的流程。具體來說,流式傳輸數(shù)據(jù)不會(huì)傳遞給授權(quán)插件。對(duì)于返回分塊HTTP響應(yīng)的命令,比如logsevents,只有HTTP請(qǐng)求被發(fā)送到授權(quán)插件。

在請(qǐng)求/響應(yīng)處理期間,一些授權(quán)流可能需要對(duì)Docker守護(hù)進(jìn)程執(zhí)行額外的查詢。為了完成這樣的流程,插件可以像守護(hù)用戶一樣調(diào)用守護(hù)進(jìn)程API。要啟用這些額外的查詢,插件必須為管理員提供配置正確的身份驗(yàn)證和安全策略的手段。

Docker客戶端流量

要啟用和配置授權(quán)插件,插件開發(fā)人員必須支持本節(jié)詳細(xì)介紹的Docker客戶端交互。

設(shè)置Docker守護(hù)進(jìn)程

使用--authorization-plugin=PLUGIN_ID格式中的專用命令行標(biāo)志啟用授權(quán)插件。該標(biāo)志提供一個(gè)PLUGIN_ID值。該值可以是插件的套接字或指定文件的路徑。授權(quán)插件可以在不重新啟動(dòng)守護(hù)進(jìn)程的情況下加載。請(qǐng)參閱dockerd文檔以獲取更多信息。

$ dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...

Docker的授權(quán)子系統(tǒng)支持多個(gè)--authorization-plugin參數(shù)。

調(diào)用授權(quán)命令(允許)

$ docker pull centos...f1b10cd84249: Pull complete...

調(diào)用未授權(quán)的命令(拒絕)

$ docker pull centos...docker: Error response from daemon: authorization denied by plugin PLUGIN_NAME: volumes are not allowed.

插件錯(cuò)誤

$ docker pull centos...docker: Error response from daemon: plugin PLUGIN_NAME failed with error: AuthZPlugin.AuthZReq: Cannot connect to the Docker daemon. Is the docker daemon running on this host?.

API模式及其實(shí)現(xiàn)

除了Docker的標(biāo)準(zhǔn)插件注冊(cè)方法外,每個(gè)插件還應(yīng)該實(shí)現(xiàn)以下兩種方法:

  • /AuthZPlugin.AuthZReq在Docker守護(hù)進(jìn)程處理客戶端請(qǐng)求之前調(diào)用此授權(quán)請(qǐng)求方法。

  • /AuthZPlugin.AuthZRes此授權(quán)響應(yīng)方法在響應(yīng)從Docker守護(hù)進(jìn)程返回到客戶端之前被調(diào)用。

/AuthZPlugin。AuthZReq

請(qǐng)求*

{    "User":              "The user identification",    "UserAuthNMethod":   "The authentication method used",    "RequestMethod":     "The HTTP method",    "RequestURI":        "The HTTP request URI",    "RequestBody":       "Byte array containing the raw HTTP request body",    "RequestHeader":     "Byte array containing the raw HTTP request header as a map[string][]string "}

反應(yīng)*

{    "Allow": "Determined whether the user is allowed or not",    "Msg":   "The authorization message",    "Err":   "The error message if things go wrong"}

/AuthZPlugin。AuthZRes

請(qǐng)求*

{    "User":              "The user identification",    "UserAuthNMethod":   "The authentication method used",    "RequestMethod":     "The HTTP method",    "RequestURI":        "The HTTP request URI",    "RequestBody":       "Byte array containing the raw HTTP request body",    "RequestHeader":     "Byte array containing the raw HTTP request header as a map[string][]string",    "ResponseBody":      "Byte array containing the raw HTTP response body",    "ResponseHeader":    "Byte array containing the raw HTTP response header as a map[string][]string",    "ResponseStatusCode":"Response status code"}

反應(yīng)*

{   "Allow":              "Determined whether the user is allowed or not",   "Msg":                "The authorization message",   "Err":                "The error message if things go wrong"}

請(qǐng)求授權(quán)

每個(gè)插件必須支持兩種請(qǐng)求授權(quán)消息格式,一種是從守護(hù)進(jìn)程到插件,然后從插件到守護(hù)進(jìn)程。下面的表格詳細(xì)列出了每條消息所期望的內(nèi)容。

Daemon->插件

Name

類型

描述

用戶

用戶標(biāo)識(shí)

身份驗(yàn)證方法

使用的驗(yàn)證方法

請(qǐng)求方法

枚舉

HTTP方法(GET / DELETE / POST)

請(qǐng)求URI

包含API版本的HTTP請(qǐng)求URI(例如,v.1.17 / containers / json)

請(qǐng)求標(biāo)頭

mapstringstring

請(qǐng)求標(biāo)頭作為鍵值對(duì)(不含授權(quán)標(biāo)頭)

請(qǐng)求正文

[]byte

原始請(qǐng)求主體

Plugin -> Daemon

Name

類型

描述

Allow

布爾

指示請(qǐng)求是允許還是拒絕的布爾值

Msg

授權(quán)消息(如果訪問被拒絕,將返回給客戶端)

Err

錯(cuò)誤信息(如果插件遇到錯(cuò)誤,將返回給客戶端。提供的字符串值可能會(huì)出現(xiàn)在日志中,因此不應(yīng)包含機(jī)密信息)

響應(yīng)授權(quán)

插件必須支持兩種授權(quán)消息格式,一種是從守護(hù)進(jìn)程到插件,然后從插件到守護(hù)進(jìn)程。下面的表格詳細(xì)列出了每條消息所期望的內(nèi)容。

Daemon -> Plugin

Name

類型

描述

用戶

用戶標(biāo)識(shí)

身份驗(yàn)證方法

使用的驗(yàn)證方法

請(qǐng)求方法

HTTP方法(GET / DELETE / POST)

請(qǐng)求URI

包含API版本的HTTP請(qǐng)求URI(例如,v.1.17 / containers / json)

請(qǐng)求標(biāo)頭

mapstringstring

請(qǐng)求標(biāo)頭作為鍵值對(duì)(不含授權(quán)標(biāo)頭)

請(qǐng)求正文

[]字節(jié)

原始請(qǐng)求主體

響應(yīng)狀態(tài)碼

INT

來自docker守護(hù)程序的狀態(tài)碼

響應(yīng)標(biāo)題

mapstringstring

響應(yīng)標(biāo)題作為鍵值對(duì)

響應(yīng)機(jī)構(gòu)

[]字節(jié)

原始碼頭守護(hù)程序響應(yīng)正文

Plugin -> Daemon

Name

類型

描述

Allow

布爾

指示響應(yīng)是被允許還是被拒絕的布爾值

Msg

授權(quán)消息(如果訪問被拒絕,將返回給客戶端)

Err

錯(cuò)誤信息(如果插件遇到錯(cuò)誤,將返回給客戶端。提供的字符串值可能會(huì)出現(xiàn)在日志中,因此不應(yīng)包含機(jī)密信息)

上一篇: 下一篇: