堆栈内存溢出
  简体   繁体   English

如何在不首先使用 `docker login` 的情况下为 Docker 命令提供凭据?

[英]How to provide credentials for Docker commands without first using `docker login`?

 原文  2021-04-13 10:26:55       linux/ docker/ containers/ cloud

问题描述

I would like to know whether it's possible to provide credentials for the remote registry for Docker commands like docker pull... <image> or docker run... <image> without first using docker login ?我想知道是否可以为 Docker 命令(如docker pull... <image>docker run... <image>提供凭据,而无需先使用docker login

The reason is that I'd like to supply the credentials (inline) like in HTTP Basic Auth, so that I don't have to create ~/.docker/config.json .原因是我想像 HTTP Basic Auth 那样提供凭据(内联),这样我就不必创建~/.docker/config.json

Experimenting with <username>:<password>@<image> doesn't seem to work, at least for me.尝试使用<username>:<password>@<image>似乎不起作用,至少对我而言。

1 个解决方案

解决方案1
 2 已采纳  2021-04-13 11:01:21

This can be achived using the Docker HTTP API via curl or equivalent.这可以使用 Docker HTTP API 通过curl或等价物来实现。

See the official documentation:https://docs.docker.com/engine/api/v1.39/#operation/ImageCreate参见官方文档:https://docs.docker.com/engine/api/v1.39/#operation/ImageCreate

The Engine API is an HTTP API served by Docker Engine.引擎 API 是由 Docker 引擎服务的 HTTP API。 It is the API the Docker client uses to communicate with the Engine, so everything the Docker client can do can be done with the API. API Docker 客户端用于与引擎通信,因此 Docker 客户端可以做的所有事情都可以通过 API 完成。

Most of the client's commands map directly to API endpoints (eg docker ps is GET /containers/json).大多数客户端的命令 map 直接指向 API 端点(例如 docker ps 是 GET /containers/json)。 The notable exception is running containers, which consists of several API calls.值得注意的例外是运行容器,它由几个 API 调用组成。

Reverse Engineering :逆向工程

First create a Unix socket for inspecting docker client requests:首先创建一个 Unix 套接字来检查docker客户端请求:

socat -v UNIX-LISTEN:/tmp/fake,fork UNIX-CONNECT:/var/run/docker.sock

Next, use the docker client to run docker pull... :接下来,使用docker客户端运行docker pull...

docker -H unix:///tmp/fake pull db-docker-xsrt-rt.artifactory.example.net/aquasec/kube-hunter

HTTP traffic sent between docker client and dockerd server: docker客户端和dockerd服务器之间发送的 HTTP 流量:

> 2021/04/13 12:42:21.445593  length=80 from=0 to=79
GET /_ping HTTP/1.1\r
Host: docker\r
User-Agent: Docker-Client/18.09.6 (linux)\r
\r
< 2021/04/13 12:42:21.446085  length=212 from=0 to=211
HTTP/1.1 200 OK\r
Api-Version: 1.39\r
Docker-Experimental: false\r
Ostype: linux\r
Server: Docker/18.09.6 (linux)\r
Date: Tue, 13 Apr 2021 10:42:21 GMT\r
Content-Length: 2\r
Content-Type: text/plain; charset=utf-8\r
\r
OK> 2021/04/13 12:42:21.447291  length=401 from=80 to=480
POST /v1.39/images/create?fromImage=db-docker-xsrt-rt.artifactory.example.net%2Faquasec%2Fkube-hunter&tag=latest HTTP/1.1\r
Host: docker\r
User-Agent: Docker-Client/18.09.6 (linux)\r
Content-Length: 0\r
Content-Type: text/plain\r
X-Registry-Auth: <redacted>\r
\r
< 2021/04/13 12:42:21.546168  length=352 from=212 to=563
HTTP/1.1 200 OK\r
Api-Version: 1.39\r
Content-Type: application/json\r
Docker-Experimental: false\r
Ostype: linux\r
Server: Docker/18.09.6 (linux)\r
Date: Tue, 13 Apr 2021 10:42:21 GMT\r
Transfer-Encoding: chunked\r
\r
3d\r
{"status":"Pulling from aquasec/kube-hunter","id":"latest"}\r
\r
45\r
{"status":"Already exists","progressDetail":{},"id":"801bfaa63ef2"}\r
\r
< 2021/04/13 12:42:21.552481  length=811 from=564 to=1374
...

The relevant part is the following, where credentials from ~/docker/config.json are provided Base64 encoded via X-Registry-Auth HTTP header:相关部分如下,其中提供了来自~/docker/config.json的凭据 Base64 通过X-Registry-Auth编码 HTTP header:

POST /v1.39/images/create?fromImage=db-docker-xsrt-rt.artifactory.example.net%2Faquasec%2Fkube-hunter&tag=latest HTTP/1.1\r
Host: docker\r
User-Agent: Docker-Client/18.09.6 (linux)\r
Content-Length: 0\r
Content-Type: text/plain\r
X-Registry-Auth: <redacted>\r
\r

Decoding the X-Registry-Auth value yields something like (redacted):解码X-Registry-Auth值会产生类似(已编辑)的内容:

echo <redacted> | base64 -d
{"username":"<redacted","password":"<redacted>","serveraddress":"db-docker-xsrt-rt.artifactory.example.net"}

解决方案2
 0  2021-04-13 10:30:12

I would like to know whether it's possible to provide credentials for the remote registry for Docker commands like docker pull... <image> or docker run... <image> without first using docker login ? I would like to know whether it's possible to provide credentials for the remote registry for Docker commands like docker pull... <image> or docker run... <image> without first using docker login ?

The reason is that I'd like to supply the credentials (inline) like in HTTP Basic Auth, so that I don't have to create ~/.docker/config.json .原因是我想像 HTTP Basic Auth 一样提供凭据(内联),这样我就不必创建~/.docker/config.json

Experimenting with <username>:<password>@<image> doesn't seem to work, at least for me.尝试使用<username>:<password>@<image>似乎不起作用,至少对我而言。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在docker命令中使用$()似乎不起作用 - Using $() in docker commands doesn't seem to work 在boot2docker中使用shell命令 - Using shell commands with boot2docker 如何在使用 systemd 退出 docker-machine 之前运行 docker 命令? - How to run the docker commands before exiting docker-machine with systemd? 如何使用 nohup 让 docker 命令在后台运行 - How to get docker commands to run in the background with nohup 如何在 docker 中的一行中运行 3 个命令 - How to run 3 commands in one line in a docker Docker 命令挂起,无响应 - Docker commands hanging with no response 在 Ubuntu 16.04 中没有 sudo 用户无法运行 Docker 命令 - Unable to run Docker commands without sudo user in Ubuntu 16.04 如何以其他用户身份运行docker login命令? - How to run a docker login command as a different user? Docker - 使用 RUN 的 Dockerfile 中的 MySQL 命令(错误 2002) - Docker - MySQL commands within Dockerfile using RUN (ERROR 2002) 用 docker exec 执行两条命令 - Execute two commands with docker exec
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM