Mutual Authentication

Description

When this function is enabled, communication between isulad and the image registry uses HTTPS, and isulad and the image registry each verify the other's identity.

Usage

To use this function, the image registry must support it, and isulad must be configured accordingly:

  1. Edit the isulad configuration (default path /etc/isulad/daemon.json) and set the use-decrypted-key option to false.
  2. Place the certificates in the directory under /etc/isulad/certs.d named after the image registry. For how to generate the certificates, see Docker's official documentation:
  3. Run systemctl restart isulad to restart isulad.
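A pre-flight check for the three steps above, added here as an example and not part of isulad itself: it verifies that daemon.json sets use-decrypted-key to false, that the registry's directory under certs.d holds ca.crt, tls.cert and tls.key, and that the private key is not readable by other users. The demo builds a constructed layout in a temporary directory with placeholder files (not real PEM data); the treatment of insecure-registries is an assumption, not taken from this page.

```python
import json
import os
import tempfile

REQUIRED_FILES = ("ca.crt", "tls.cert", "tls.key")


def check_mtls_setup(daemon_json_path, certs_root, registry):
    """Return a list of problems; an empty list means the mutual-TLS setup looks right."""
    with open(daemon_json_path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    problems = []
    # Two-way authentication is only active when use-decrypted-key is exactly false.
    if cfg.get("use-decrypted-key") is not False:
        problems.append("use-decrypted-key is not false in daemon.json")
    # Assumption: a registry listed in insecure-registries bypasses certificate
    # verification, which would defeat mutual TLS for that registry.
    if registry in cfg.get("insecure-registries", []):
        problems.append(f"{registry} is also listed in insecure-registries")
    cert_dir = os.path.join(certs_root, registry)
    for name in REQUIRED_FILES:
        path = os.path.join(cert_dir, name)
        if not os.path.isfile(path) or os.path.getsize(path) == 0:
            problems.append(f"missing or empty {path}")
    key_path = os.path.join(cert_dir, "tls.key")
    # The client private key must not be readable or writable by group or others.
    if os.path.isfile(key_path) and os.stat(key_path).st_mode & 0o077:
        problems.append(f"{key_path} is group/world accessible")
    return problems


def demo(registry="my.csp-edge.com:5000"):
    # Constructed layout in a temp dir: first misconfigured, then corrected.
    root = tempfile.mkdtemp()
    daemon_json = os.path.join(root, "daemon.json")
    certs_root = os.path.join(root, "certs.d")
    cert_dir = os.path.join(certs_root, registry)
    os.makedirs(cert_dir)

    def write(path, text, mode=0o644):  # placeholder contents, not real PEM files
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)

    # Bad state: decrypted key still enabled, ca.crt missing, tls.key world-readable.
    write(daemon_json, json.dumps({"use-decrypted-key": True, "insecure-registries": []}))
    for name in ("tls.cert", "tls.key"):
        write(os.path.join(cert_dir, name), "constructed placeholder\n")
    before = check_mtls_setup(daemon_json, certs_root, registry)
    # Fixed state: use-decrypted-key false, all three files present, key mode 0600.
    write(daemon_json, json.dumps({"use-decrypted-key": False, "insecure-registries": []}))
    write(os.path.join(cert_dir, "ca.crt"), "constructed placeholder\n")
    os.chmod(os.path.join(cert_dir, "tls.key"), 0o600)
    return before, check_mtls_setup(daemon_json, certs_root, registry)
```

Running demo() returns three findings for the misconfigured layout and an empty list once it is corrected; point check_mtls_setup at /etc/isulad/daemon.json and /etc/isulad/certs.d to check a real host.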

Parameters

The parameter can be set in /etc/isulad/daemon.json or passed on the command line when starting isulad:

  isulad --use-decrypted-key=false

Example

Set the use-decrypted-key parameter to false

  $ cat /etc/isulad/daemon.json
  {
    "group": "isulad",
    "graph": "/var/lib/isulad",
    "state": "/var/run/isulad",
    "engine": "lcr",
    "log-level": "ERROR",
    "pidfile": "/var/run/isulad.pid",
    "log-opts": {
      "log-file-mode": "0600",
      "log-path": "/var/lib/isulad",
      "max-file": "1",
      "max-size": "30KB"
    },
    "log-driver": "stdout",
    "hook-spec": "/etc/default/isulad/hooks/default.json",
    "start-timeout": "2m",
    "storage-driver": "overlay2",
    "storage-opts": [
      "overlay2.override_kernel_check=true"
    ],
    "registry-mirrors": [
      "docker.io"
    ],
    "insecure-registries": [
      "rnd-dockerhub.huawei.com"
    ],
    "pod-sandbox-image": "",
    "image-opt-timeout": "5m",
    "native.umask": "secure",
    "network-plugin": "",
    "cni-bin-dir": "",
    "cni-conf-dir": "",
    "image-layer-check": false,
    "use-decrypted-key": false,
    "insecure-skip-verify-enforce": false
  }

Place the certificates in the directory named after the registry

  $ pwd
  /etc/isulad/certs.d/my.csp-edge.com:5000
  $ ls
  ca.crt tls.cert tls.key

Restart isulad

  $ systemctl restart isulad

Run the pull command to download an image from the registry

  $ isula pull my.csp-edge.com:5000/ubuntu
  Image "my.csp-edge.com:5000/ubuntu" pulling
  Image "my.csp-edge.com:5000/ubuntu@sha256:f1bdc62115dbfe8f54e52e19795ee34b4473babdeb9bc4f83045d85c7b2ad5c0" pulled