NAME
podman-image-trust - Manage container registry image trust policy
SYNOPSIS
podman image trust set|show [options] registry[/repository]
DESCRIPTION
Manages which registries to trust as a source of container images, based on the image's location. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines.)
The location is determined by the transport and the registry host of the image. Using the container image docker://docker.io/library/busybox as an example, docker is the transport and docker.io is the registry host.
Trust is defined in /etc/containers/policy.json and is enforced when a user attempts to pull a remote image from a registry. The trust policy in policy.json describes a registry scope (registry and/or repository) for the trust. This trust can use public keys for signed images.
The scope of the trust is evaluated from most specific to the least specific. In other words, a policy may be:

Defined to an entire registry.
Defined to a particular repository in that registry.
Defined to a specific signed image inside of the registry.
The following list are examples of valid scope values used in policy.json, from most specific to the least specific:
docker.io/library/busybox:notlatest
docker.io/library/busybox
docker.io/library
docker.io
If no configuration is found for any of these scopes, the default value (specified by using “default” instead of REGISTRY[/REPOSITORY]) is used.
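The lookup order just described, as an added example that is not podman's or containers/image's own code: a small Python resolver takes a TRANSPORT:NAME reference, walks the candidate scopes from the full reference down to the registry host, then falls back to the transport-wide entry and finally to "default", and collapses the matched requirement list into accept, reject or signed. SAMPLE_POLICY is constructed for the example (the --raw output shown under EXAMPLES plus one tag-scoped entry whose key path /etc/pki/containers/busybox.gpg is made up); it models only the lookup order this page describes, not every matching form containers/image supports.

```python
"""Resolve which policy.json scope governs an image reference.

Added example, not podman's or containers/image's own code. SAMPLE_POLICY is
constructed for the example; the busybox.gpg key path is made up.
"""
import json
from typing import Dict, List, Tuple

SAMPLE_POLICY: Dict = json.loads("""
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "docker.io": [{"type": "reject"}],
      "docker.io/library": [{"type": "insecureAcceptAnything"}],
      "docker.io/library/busybox:notlatest": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/etc/pki/containers/busybox.gpg"}
      ],
      "registry.redhat.io": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}
      ]
    },
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}
""")


def split_reference(image: str) -> Tuple[str, str]:
    """Split a TRANSPORT:NAME reference; docker names start with '//'."""
    transport, sep, name = image.partition(":")
    if not sep or not transport:
        raise ValueError(f"expected TRANSPORT:NAME, got {image!r}")
    return transport, (name[2:] if name.startswith("//") else name)


def candidate_scopes(name: str) -> List[str]:
    """Scopes to try for NAME, most specific first.

    'docker.io/library/busybox:notlatest' yields the full reference, the
    repository, then each parent namespace up to the registry host. A
    trailing ':tag' is only stripped when it is a tag, not a host:port.
    """
    scopes = [name]
    base = name.split("@", 1)[0]            # drop a @sha256:... digest
    repo, colon, tag = base.rpartition(":")
    if colon and "/" not in tag:            # a real tag, not 'host:5000/x'
        base = repo
    if base != name:
        scopes.append(base)
    while "/" in base:
        base = base.rsplit("/", 1)[0]
        scopes.append(base)
    return scopes


def resolve(policy: Dict, image: str) -> Tuple[str, List[Dict]]:
    """Return (matching scope, requirement list) for an image reference."""
    transport, name = split_reference(image)
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(name):
        if scope in scopes:
            return scope, scopes[scope]
    if "" in scopes:                        # transport-wide entry (docker-daemon)
        return f"{transport} (transport default)", scopes[""]
    return "default", policy["default"]


def verdict(policy: Dict, image: str) -> Tuple[str, str]:
    """Collapse the requirement list to accept / reject / signed.

    containers/image ANDs the list, so one reject wins and a signature
    requirement is only satisfied by every listed key.
    """
    scope, reqs = resolve(policy, image)
    types = {r["type"] for r in reqs}
    if "reject" in types:
        return scope, "reject"
    if types <= {"insecureAcceptAnything"}:
        return scope, "accept"
    return scope, "signed"


if __name__ == "__main__":
    for ref in ("docker://docker.io/library/busybox:notlatest",
                "docker://docker.io/library/busybox",
                "docker://docker.io/someuser/app:1.0",
                "docker://quay.io/someorg/app",
                "docker-daemon:busybox:latest"):
        print(f"{ref:48} -> {verdict(SAMPLE_POLICY, ref)}")
```

The sample is deliberately layered: docker.io as a whole is rejected, docker.io/library is accepted unsigned, and one tag under it must be signed. Running it shows that the narrower entry always wins, so an allow on a sub-namespace silently overrides a registry-wide reject, which is worth checking for when reviewing a policy.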
Trust type provides a way to:
信任类型提供了一种方式:
Allowlist (“accept”) or
Denylist (“reject”) registries or
Require a simple signing signature (“signedBy”),
Require a sigstore signature (“sigstoreSigned”).
Trust may be updated using the command podman image trust set for an existing trust scope.
OPTIONS
--help, -h
Print usage statement.
set OPTIONS
--pubkeysfile, -f=KEY1
A path to an exported public key on the local system. Key paths are referenced in policy.json. Any path to a file may be used, but locating the file in /etc/pki/containers is recommended. The option may be used multiple times to require an image be signed by multiple keys. The --pubkeysfile option is required for the signedBy and sigstoreSigned types.
--type, -t=value
The trust type for this policy entry.
Accepted values:
signedBy (default): Require simple signing signatures with corresponding list of public keys
sigstoreSigned: Require sigstore signatures with corresponding list of public keys
accept: do not require any signatures for this registry scope
reject: do not accept images for this registry scope
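What podman image trust set writes for each --type, as an added example that is not podman's own code; it also covers the note above that running set again for an existing trust scope updates (replaces) that scope's entry. The requirement shapes follow containers-policy.json(5) and the --raw output on this page; registry.example.com, the key paths under /etc/pki/containers and BASE_POLICY are constructed for the example, and the edits are made to an in-memory dict, never to /etc/containers/policy.json.

```python
"""Emulate what `podman image trust set` writes into policy.json.

Added example, not podman's own code. Entry shapes follow
containers-policy.json(5); registry.example.com, the key paths and
BASE_POLICY are constructed for the example.
"""
import copy
from typing import Dict, List, Sequence, Tuple

# Constructed starting point: a permissive policy with no per-registry entries.
BASE_POLICY: Dict = {"default": [{"type": "insecureAcceptAnything"}],
                     "transports": {}}


def build_requirements(trust_type: str,
                       pubkeysfiles: Sequence[str] = ()) -> List[Dict]:
    """Return the requirement list for one --type / --pubkeysfile combination.

    Each --pubkeysfile becomes its own requirement; containers/image ANDs the
    list, so two keys mean the image must carry a valid signature from both.
    """
    if trust_type == "accept":
        return [{"type": "insecureAcceptAnything"}]
    if trust_type == "reject":
        return [{"type": "reject"}]
    if not pubkeysfiles:
        raise ValueError(f"--type {trust_type} requires at least one --pubkeysfile")
    if trust_type == "signedBy":
        return [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": p}
                for p in pubkeysfiles]
    if trust_type == "sigstoreSigned":
        return [{"type": "sigstoreSigned", "keyPath": p} for p in pubkeysfiles]
    raise ValueError(f"unknown --type {trust_type!r}")


def trust_set(policy: Dict, scope: str, trust_type: str = "signedBy",
              pubkeysfiles: Sequence[str] = (),
              transport: str = "docker") -> Dict:
    """Return a copy of POLICY with SCOPE's entry replaced, as `trust set` does.

    'default' edits the top-level default; any other scope lands under the
    docker transport. Re-running for an existing scope overwrites it.
    """
    updated = copy.deepcopy(policy)
    reqs = build_requirements(trust_type, pubkeysfiles)
    if scope == "default":
        updated["default"] = reqs
    else:
        updated.setdefault("transports", {}).setdefault(transport, {})[scope] = reqs
    return updated


def display_type(reqs: List[Dict]) -> str:
    """Map a requirement list to the TYPE column of `podman image trust show`."""
    types = {r["type"] for r in reqs}
    if "reject" in types:
        return "reject"
    if types <= {"insecureAcceptAnything"}:
        return "accept"
    return "signed"


def show_rows(policy: Dict) -> List[Tuple[str, str, str]]:
    """(TRANSPORT, NAME, TYPE) rows in the layout `trust show` prints.

    ID and STORE are not derived here: podman fills them from registries.d,
    not from policy.json.
    """
    rows = [("all", "* (default)", display_type(policy["default"]))]
    for transport, scopes in policy.get("transports", {}).items():
        for scope, reqs in scopes.items():
            label = "repository" if transport == "docker" and scope else transport
            rows.append((label, scope, display_type(reqs)))
    return rows


if __name__ == "__main__":
    p = trust_set(BASE_POLICY, "default", "reject")
    p = trust_set(p, "docker.io", "accept")
    p = trust_set(p, "registry.example.com", "signedBy",
                  ["/etc/pki/containers/release.gpg",
                   "/etc/pki/containers/qa.gpg"])
    # A second `set` on the same scope replaces the earlier entry.
    p = trust_set(p, "registry.example.com", "sigstoreSigned",
                  ["/etc/pki/containers/cosign.pub"])
    for row in show_rows(p):
        print("%-12s %-28s %s" % row)
```

Two practical checks follow from the shapes above: the key files named in keyPath must exist and be readable on the host at pull time, and a signedBy entry alone does not make a pull verifiable, because the location of the signature store comes from registries.d, which is also where the ID and STORE columns of trust show originate.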
show OPTIONS
--json, -j
Output trust as JSON for machine parsing.
--noheading, -n
Omit the table headings from the listing.
--raw
Output trust policy file as raw JSON.
EXAMPLES
Accept all unsigned images from a registry:
sudo podman image trust set --type accept docker.io
Modify default trust policy:
sudo podman image trust set -t reject default
Display system trust policy:
podman image trust show
TRANSPORT      NAME                         TYPE    ID                   STORE
all            default                      reject
repository     docker.io/library            accept
repository     registry.access.redhat.com   signed  security@redhat.com  https://access.redhat.com/webassets/docker/content/sigstore
repository     registry.redhat.io           signed  security@redhat.com  https://registry.redhat.io/containers/sigstore
repository     docker.io                    reject
docker-daemon                               accept
Display trust policy file:
podman image trust show --raw
{
"default": [
{
"type": "reject"
}
],
"transports": {
"docker": {
"docker.io": [
{
"type": "reject"
}
],
"docker.io/library": [
{
"type": "insecureAcceptAnything"
}
],
"registry.access.redhat.com": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
}
],
"registry.redhat.io": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
}
]
},
"docker-daemon": {
"": [
{
"type": "insecureAcceptAnything"
}
]
}
}
}
Display trust as JSON:
podman image trust show --json
[
{
"transport": "all",
"name": "* (default)",
"repo_name": "default",
"type": "reject"
},
{
"transport": "repository",
"name": "docker.io",
"repo_name": "docker.io",
"type": "reject"
},
{
"transport": "repository",
"name": "docker.io/library",
"repo_name": "docker.io/library",
"type": "accept"
},
{
"transport": "repository",
"name": "registry.access.redhat.com",
"repo_name": "registry.access.redhat.com",
"sigstore": "https://access.redhat.com/webassets/docker/content/sigstore",
"type": "signed",
"gpg_id": "security@redhat.com"
},
{
"transport": "repository",
"name": "registry.redhat.io",
"repo_name": "registry.redhat.io",
"sigstore": "https://registry.redhat.io/containers/sigstore",
"type": "signed",
"gpg_id": "security@redhat.com"
},
{
"transport": "docker-daemon",
"type": "accept"
}
]
SEE ALSO
HISTORY
January 2019, updated by Tom Sweeney (tsweeney at redhat dot com)
December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)