
docker - Get the manifest of a public Docker image hosted on Docker Hub using the Docker Registry API

Reposted. Author: 行者123. Updated: 2023-12-02 17:59:10

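I'm trying to figure out the correct URL to use for this. For example, let's say I want to get the manifest for the alpine:3.9 tag. I tried https://hub.docker.com/v2/repositories/library/alpine/manifests/3.9 but this produces a 404 error.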

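I've found that Docker Hub's registry implementation doesn't match their documentation. For example, https://docs.docker.com/registry/spec/api/#tags says that the URL for getting the list of tags is v2/<name>/tags/list, but when querying Docker Hub you actually need to drop the "list" part of the URL: https://hub.docker.com/v2/repositories/library/alpine/tags/ . So this makes me question their documentation when it comes to querying the Docker Hub registry.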

Best answer

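Below are some cURL commands that use the V2 endpoints. I'm very confused about what the hub.docker.com endpoints are for ( https://hub.docker.com/v2/users/login , https://hub.docker.com/v2/repositories/library/ , etc.), but I think the /v2/ in them is a total red herring that has nothing to do with the registry V2 API. This article uses hub.docker.com and can get tags, but not manifests.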

DOCKERHUB_USERNAME=$(jq -r '.username' < ~/.secrets/docker.json)
DOCKERHUB_PASSWORD=$(jq -r '.password' < ~/.secrets/docker.json)

TARGET_NS_REPO=library/debian

# yes, you need a new token for each repository, maybe you can have multiple scopes though?
PARAMS="service=registry.docker.io&scope=repository:$TARGET_NS_REPO:pull"
TOKEN=$(curl --user "$DOCKERHUB_USERNAME:$DOCKERHUB_PASSWORD" \
"https://auth.docker.io/token?$PARAMS" \
| jq -r '.token'
)

curl "https://registry-1.docker.io/v2/$TARGET_NS_REPO/tags/list" \
-H "Authorization:Bearer $TOKEN" \
| jq '.tags[:10]'

TAG="10-slim"
curl "https://registry-1.docker.io/v2/$TARGET_NS_REPO/manifests/$TAG" \
-H "Authorization:Bearer $TOKEN" \
| jq '.fsLayers'

Output:
[
"10-slim",
"10.0-slim",
"10.0",
"10",
"6.0.10",
"6.0.8",
"6.0.9",
"6.0",
"6",
"7-slim"
]
[
{
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
},
{
"blobSum": "sha256:1ab2bdfe97783562315f98f94c0769b1897a05f7b0395ca1520ebee08666703b"
}
]

Reverse engineering it

I basically had to reverse engineer this with mitmproxy. If you want to know how the other methods work:
  • Install/run mitmproxy. Check that it works:
    curl -x localhost:8080 http://mitm.it/cert/pem  # should print out a cert
  • Get/install its cert (to MITM yourself):
    # Ubuntu 18.04, other distros may vary
    MITM_CERT_PATH=/usr/local/share/ca-certificates/mitmproxy.crt
    sudo cp ~/.mitmproxy/mitmproxy-ca-cert.cer "$MITM_CERT_PATH"
    sudo chown root:root "$MITM_CERT_PATH"
    sudo chmod 644 "$MITM_CERT_PATH"
    sudo update-ca-certificates

    # Verify MITM root cert accepted
    curl -x localhost:8080 https://sha256.badssl.com/

    # Troubleshooting
    # - see if installed (https://unix.stackexchange.com/a/97252/42385)
    awk -v cmd='openssl x509 -noout -subject' \
    '/BEGIN/{close(cmd)};{print | cmd}' \
    < /etc/ssl/certs/ca-certificates.crt \
    | grep -i mitmproxy

    # - print the cert used (OpenSSL 1.1.0+)
    openssl s_client -proxy localhost:8080 -showcerts -connect sha256.badssl.com:443 </dev/null

    # Uninstall the cert later if desired

    sudo rm /usr/local/share/ca-certificates/mitmproxy.crt
    sudo update-ca-certificates

    # Check not in the list
    awk -v cmd='openssl x509 -noout -subject' \
    '/BEGIN/{close(cmd)};{print | cmd}' \
    < /etc/ssl/certs/ca-certificates.crt \
    | grep -i mitmproxy

    # Double-check MITM root cert rejected
    curl -x localhost:8080 https://sha256.badssl.com/

  • Run dockerd (stop the service first if it is already running) with HTTPS_PROXY set:
    sudo HTTPS_PROXY=http://localhost:8080/ dockerd  # bash
    # sudo env HTTPS_PROXY=http://localhost:8080/ dockerd # fish
  • Tell the Docker daemon to do something, e.g. docker pull alpine. In mitmproxy you will see something like:
    Flows
    GET https://registry-1.docker.io/v2/
    ← 401 application/json 87b 213ms
    GET https://auth.docker.io/token?account=youraccount&scope=repository%3Alibrary%2Fal
    pine%3Apull&service=registry.docker.io
    ← 200 application/json 4.18k 245ms
    >> GET https://registry-1.docker.io/v2/library/alpine/manifests/latest
    ← 200 application/vnd.docker.distribution.manifest.list.v2+json 1.6k 294ms
    GET https://registry-1.docker.io/v2/library/alpine/manifests/sha256:57334c50959f26ce
    1ee025d08f136c2292c128f84e7b229d1b0da5dac89e9866
    ← 200 application/vnd.docker.distribution.manifest.v2+json 528b 326ms
    GET https://registry-1.docker.io/v2/library/alpine/blobs/sha256:b7b28af77ffec6054d13
    378df4fdf02725830086c7444d9c278af25312aa39b9
    ← 307 text/html 242b 288ms
    GET https://registry-1.docker.io/v2/library/alpine/blobs/sha256:0503825856099e6adb39
    c8297af09547f69684b7016b7f3680ed801aa310baaa
    ← 307 text/html 242b 322ms
    GET https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sh
    a256/b7/b7b28af77ffec6054d13378df4fdf02725830086c7444d9c278af25312aa39b9/data?…
    ← 200 application/octet-stream 1.48k 191ms
    GET https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sh
    a256/05/0503825856099e6adb39c8297af09547f69684b7016b7f3680ed801aa310baaa/data?…
    ← 200 application/octet-stream 2.66m 207ms
    ⇩ [27/32] [*:8080]
  • Inspect the requests. Pick the ...manifests/latest request to view:

    Flow Details
    2019-08-20 13:43:44 GET https://registry-1.docker.io/v2/library/alpine/manifests/latest
    ← 200 OK application/vnd.docker.distribution.manifest.list.v2+json 1.6k 294ms
    [[ Request ]] Response Detail
    Host: registry-1.docker.io
    User-Agent: docker/19.03.1 go/go1.12.5 git-commit/74b1e89 kernel/4.15.0-55-generic
    os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.1\\(linux\\))
    Accept: application/vnd.docker.distribution.manifest.v2+json
    Accept: application/vnd.docker.distribution.manifest.list.v2+json
    Accept: application/vnd.oci.image.index.v1+json
    Accept: application/vnd.docker.distribution.manifest.v1+prettyjws
    Accept: application/json
    Accept: application/vnd.oci.image.manifest.v1+json
    Authorization: Bearer eyJhbGci...(a big JWT returned by the auth.docker.io req.)
    Accept-Encoding: gzip
    Connection: close
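
The captured flow above (token request, manifest list, then a manifest fetched by its sha256 digest) as an added Python example that is not part of the original answer. It runs offline on constructed sample data; the function names are hypothetical, and the digest check assumes the digest is the SHA-256 of the raw manifest bytes.

```python
import hashlib
import json
from urllib.parse import urlencode

REGISTRY = "https://registry-1.docker.io"

def token_url(repo, account=None):
    """auth.docker.io URL for a pull-scoped token on one repository."""
    params = {"service": "registry.docker.io", "scope": f"repository:{repo}:pull"}
    if account:  # optional parameter, as seen in the captured token request
        params["account"] = account
    return "https://auth.docker.io/token?" + urlencode(params)

def manifest_url(repo, reference):
    """reference is a tag (latest) or a digest (sha256:...)."""
    return f"{REGISTRY}/v2/{repo}/manifests/{reference}"

def pick_platform(manifest_list: bytes, os_name="linux", arch="amd64"):
    """Return the digest of the per-platform manifest named in a manifest list."""
    for entry in json.loads(manifest_list).get("manifests", []):
        platform = entry.get("platform", {})
        if (platform.get("os"), platform.get("architecture")) == (os_name, arch):
            return entry["digest"]
    raise LookupError(f"no manifest for {os_name}/{arch}")

def verify_digest(body: bytes, expected: str) -> bytes:
    """Reject a body whose SHA-256 differs from the digest it was requested by."""
    algo, _, want = expected.partition(":")
    if algo != "sha256":
        raise ValueError(f"unsupported digest algorithm: {algo}")
    got = hashlib.sha256(body).hexdigest()
    if got != want:
        raise ValueError(f"digest mismatch: got sha256:{got}")
    return body

# Constructed sample data (not real registry content).
SAMPLE_MANIFEST = json.dumps({"schemaVersion": 2, "layers": []}).encode()
SAMPLE_DIGEST = "sha256:" + hashlib.sha256(SAMPLE_MANIFEST).hexdigest()
SAMPLE_LIST = json.dumps({"schemaVersion": 2, "manifests": [
    {"digest": "sha256:" + "0" * 64, "platform": {"os": "linux", "architecture": "arm64"}},
    {"digest": SAMPLE_DIGEST, "platform": {"os": "linux", "architecture": "amd64"}},
]}).encode()

if __name__ == "__main__":
    digest = pick_platform(SAMPLE_LIST)
    print(token_url("library/alpine"))
    print(manifest_url("library/alpine", digest))
    print(len(verify_digest(SAMPLE_MANIFEST, digest)), "bytes verified")
```

Against the real registry, the bodies passed to pick_platform and verify_digest would be the raw response bytes of the two manifest requests, sent with the Accept and Authorization headers shown in the flow details.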

Regarding docker - Get the manifest of a public Docker image hosted on Docker Hub using the Docker Registry API, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/57316115/
