容器 on lidongqi https://lidongqi.github.io/tags/%E5%AE%B9%E5%99%A8/ Recent content in 容器 on lidongqi Hugo -- 0.137.0 zh Wed, 06 Nov 2024 15:11:16 +0800 容器加密 https://lidongqi.github.io/posts/%E5%AE%B9%E5%99%A8%E5%8A%A0%E5%AF%86/ Wed, 06 Nov 2024 15:11:16 +0800 https://lidongqi.github.io/posts/%E5%AE%B9%E5%99%A8%E5%8A%A0%E5%AF%86/ <h2 id="oci">OCI</h2> <p>容器运行时标准,<a href="https://github.com/opencontainers">Open Container Initiative</a> containerd,cri-o,docker,rkt都是OCI的实现。 所以对镜像加密实际上是需要对OCI镜像进行处理。 # containerd containerd 支持对image的加解密具体说明参考<a href="https://github.com/containerd/containerd/blob/main/docs/cri/decryption.md">containerd文档</a>。 加密的镜像是包含加密blob(二进制对象)的OCI格式的镜像。 # 加密 ## imgcrypt ### install 需要提前准备好golang环境</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git clone https://github.com/containerd/imgcrypt.git </span></span><span class="line"><span class="cl"><span class="nb">cd</span> imgcrypt </span></span><span class="line"><span class="cl">make </span></span><span class="line"><span class="cl">sudo make install </span></span></code></pre></div><h3 id="encrypt">encrypt</h3> <p>创建RSA key</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">openssl genrsa -out mykey.pem </span></span><span class="line"><span class="cl">openssl rsa -in mykey.pem -pubout -out mypubkey.pem </span></span></code></pre></div><p>创建加密镜像</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 这里使用已经安装好的containerd服务</span> </span></span><span class="line"><span class="cl">sudo chmod <span class="m">0666</span> /run/containerd/containerd.sock </span></span><span class="line"><span class="cl"><span class="nv">CTR</span><span class="o">=</span><span class="s2">&#34;/usr/local/bin/ctr-enc&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$CTR</span> images pull --all-platforms docker.io/library/bash:latest </span></span></code></pre></div><p>查看镜像层数</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">$CTR</span> images layerinfo --platform linux/amd64 docker.io/library/bash:latest </span></span></code></pre></div><figure> <img src="../%E5%AE%B9%E5%99%A8%E5%8A%A0%E5%AF%86/dc6ba61292a2cf9ce405af7c985d08d628db30e4.png" title="wikilink" alt="Pastedimage20241106181333.png" /> <figcaption aria-hidden="true">Pastedimage20241106181333.png</figcaption> </figure> <p>加密</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">$CTR</span> images encrypt --recipient jwe:mypubkey.pem --platform linux/amd64 docker.io/library/bash:latest bash.enc:latest </span></span></code></pre></div><p>查看镜像层数</p>