Menu

目录

双向认证

描述

开启该功能后isulad和镜像仓库之间的通信采用https通信,isulad和镜像仓库都会验证对方的合法性。

用法

要支持该功能,需要镜像仓库支持该功能,同时isulad也需要做相应的配置:

1、修改isulad的配置(默认路径/etc/isulad/daemon.json),将配置里的use-decrypted-key项配置为false。

2、需要将相关的证书放置到/etc/isulad/certs.d目录下对应的镜像仓库命名的文件夹下,证书具体的生成方法见docker的官方链接:

https://docs.docker.com/engine/security/certificates/

https://docs.docker.com/engine/security/https/

3、执行systemctl restart lcrd重启isulad

参数

可以在/etc/isulad/daemon.json中配置参数,也可以在启动isulad时携带参数:

lcrd --use-decrypted-key=false

示例

配置use-decrypted-key参数为false

$ cat /etc/isulad/daemon.json
{
    "group": "lcrd",
    "graph": "/var/lib/lcrd",
    "state": "/var/run/lcrd",
    "engine": "lcr",
    "log-level": "ERROR",
    "pidfile": "/var/run/lcrd.pid",
    "log-opts": {
        "log-file-mode": "0600",
        "log-path": "/var/lib/lcrd",
        "max-file": "1",
        "max-size": "30KB"
    },
    "log-driver": "stdout",
    "hook-spec": "/etc/default/lcrd/hooks/default.json",
    "start-timeout": "2m",
    "storage-driver": "overlay2",
    "storage-opts": [
        "overlay2.override_kernel_check=true"
    ],
    "registry-mirrors": [
        "docker.io"
    ],
    "insecure-registries": [
        "rnd-dockerhub.huawei.com"
    ],
    "pod-sandbox-image": "",
    "image-opt-timeout": "5m",
    "native.umask": "secure",
    "network-plugin": "",
    "cni-bin-dir": "",
    "cni-conf-dir": "",
    "image-layer-check": false,
    "use-decrypted-key": false,
    "insecure-skip-verify-enforce": false
}

将证书放到对应的目录下

$ pwd
/etc/isulad/certs.d/my.csp-edge.com:5000
$ ls
ca.crt  tls.cert  tls.key

重启isulad

$ systemctl restart lcrd

执行pull命令从仓库下载镜像

$ lcrc pull my.csp-edge.com:5000/ubuntu
Image "my.csp-edge.com:5000/ubuntu" pulling
Image "my.csp-edge.com:5000/ubuntu@sha256:f1bdc62115dbfe8f54e52e19795ee34b4473babdeb9bc4f83045d85c7b2ad5c0" pulled