[英]How to provide credentials for Docker commands without first using `docker login`?
I would like to know whether it's possible to provide credentials for the remote registry for Docker commands like docker pull... <image>
or docker run... <image>
without first using docker login
?我想知道是否可以为 Docker 命令(如
docker pull... <image>
或docker run... <image>
提供凭据,而无需先使用docker login
?
The reason is that I'd like to supply the credentials (inline) like in HTTP Basic Auth, so that I don't have to create ~/.docker/config.json
.原因是我想像 HTTP Basic Auth 那样提供凭据(内联),这样我就不必创建
~/.docker/config.json
。
Experimenting with <username>:<password>@<image>
doesn't seem to work, at least for me.尝试使用
<username>:<password>@<image>
似乎不起作用,至少对我而言。
This can be achived using the Docker HTTP API via curl
or equivalent.这可以使用 Docker HTTP API 通过
curl
或等价物来实现。
See the official documentation:https://docs.docker.com/engine/api/v1.39/#operation/ImageCreate参见官方文档:https://docs.docker.com/engine/api/v1.39/#operation/ImageCreate
The Engine API is an HTTP API served by Docker Engine.
引擎 API 是由 Docker 引擎服务的 HTTP API。 It is the API the Docker client uses to communicate with the Engine, so everything the Docker client can do can be done with the API.
API Docker 客户端用于与引擎通信,因此 Docker 客户端可以做的所有事情都可以通过 API 完成。
Most of the client's commands map directly to API endpoints (eg docker ps is GET /containers/json).
大多数客户端的命令 map 直接指向 API 端点(例如 docker ps 是 GET /containers/json)。 The notable exception is running containers, which consists of several API calls.
值得注意的例外是运行容器,它由几个 API 调用组成。
Reverse Engineering :逆向工程:
First create a Unix socket for inspecting docker
client requests:首先创建一个 Unix 套接字来检查
docker
客户端请求:
socat -v UNIX-LISTEN:/tmp/fake,fork UNIX-CONNECT:/var/run/docker.sock
Next, use the docker
client to run docker pull...
:接下来,使用
docker
客户端运行docker pull...
:
docker -H unix:///tmp/fake pull db-docker-xsrt-rt.artifactory.example.net/aquasec/kube-hunter
HTTP traffic sent between docker
client and dockerd
server: docker
客户端和dockerd
服务器之间发送的 HTTP 流量:
> 2021/04/13 12:42:21.445593 length=80 from=0 to=79
GET /_ping HTTP/1.1\r
Host: docker\r
User-Agent: Docker-Client/18.09.6 (linux)\r
\r
< 2021/04/13 12:42:21.446085 length=212 from=0 to=211
HTTP/1.1 200 OK\r
Api-Version: 1.39\r
Docker-Experimental: false\r
Ostype: linux\r
Server: Docker/18.09.6 (linux)\r
Date: Tue, 13 Apr 2021 10:42:21 GMT\r
Content-Length: 2\r
Content-Type: text/plain; charset=utf-8\r
\r
OK> 2021/04/13 12:42:21.447291 length=401 from=80 to=480
POST /v1.39/images/create?fromImage=db-docker-xsrt-rt.artifactory.example.net%2Faquasec%2Fkube-hunter&tag=latest HTTP/1.1\r
Host: docker\r
User-Agent: Docker-Client/18.09.6 (linux)\r
Content-Length: 0\r
Content-Type: text/plain\r
X-Registry-Auth: <redacted>\r
\r
< 2021/04/13 12:42:21.546168 length=352 from=212 to=563
HTTP/1.1 200 OK\r
Api-Version: 1.39\r
Content-Type: application/json\r
Docker-Experimental: false\r
Ostype: linux\r
Server: Docker/18.09.6 (linux)\r
Date: Tue, 13 Apr 2021 10:42:21 GMT\r
Transfer-Encoding: chunked\r
\r
3d\r
{"status":"Pulling from aquasec/kube-hunter","id":"latest"}\r
\r
45\r
{"status":"Already exists","progressDetail":{},"id":"801bfaa63ef2"}\r
\r
< 2021/04/13 12:42:21.552481 length=811 from=564 to=1374
...
The relevant part is the following, where credentials from ~/docker/config.json
are provided Base64 encoded via X-Registry-Auth
HTTP header:相关部分如下,其中提供了来自
~/docker/config.json
的凭据 Base64 通过X-Registry-Auth
编码 HTTP header:
POST /v1.39/images/create?fromImage=db-docker-xsrt-rt.artifactory.example.net%2Faquasec%2Fkube-hunter&tag=latest HTTP/1.1\r
Host: docker\r
User-Agent: Docker-Client/18.09.6 (linux)\r
Content-Length: 0\r
Content-Type: text/plain\r
X-Registry-Auth: <redacted>\r
\r
Decoding the X-Registry-Auth
value yields something like (redacted):解码
X-Registry-Auth
值会产生类似(已编辑)的内容:
echo <redacted> | base64 -d
{"username":"<redacted","password":"<redacted>","serveraddress":"db-docker-xsrt-rt.artifactory.example.net"}
I would like to know whether it's possible to provide credentials for the remote registry for Docker commands like docker pull... <image>
or docker run... <image>
without first using docker login
? I would like to know whether it's possible to provide credentials for the remote registry for Docker commands like
docker pull... <image>
or docker run... <image>
without first using docker login
?
The reason is that I'd like to supply the credentials (inline) like in HTTP Basic Auth, so that I don't have to create ~/.docker/config.json
.原因是我想像 HTTP Basic Auth 一样提供凭据(内联),这样我就不必创建
~/.docker/config.json
。
Experimenting with <username>:<password>@<image>
doesn't seem to work, at least for me.尝试使用
<username>:<password>@<image>
似乎不起作用,至少对我而言。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.