Discourse Docker 镜像未签名

支持 安装
1

你好,

我目前正尝试在一台新机器上设置 Discourse。我克隆了 discourse_docker 仓库并运行了 ./launcher rebuild app。(由于之前已有配置,我跳过了引导步骤)。

重建操作产生了以下输出:

WARNING: We are about to start downloading the Discourse base image
This process may take anywhere between a few minutes to an hour, depending on your network speed

Please be patient

ERRO[0001] Metadata for targets expired
ERRO[0002] Metadata for targets expired
/usr/bin/docker: Error: remote repository docker.io/discourse/base out-of-date: targets expired at Mon Nov 18 12:52:09 -0500 2019.
See '/usr/bin/docker run --help'.
Your Docker installation is not working correctly

See: https://meta.discourse.org/t/docker-error-on-bootstrap/13657/18?u=sam

为了查明问题的根源,我检查了实际执行的命令,并以调试模式运行它:

/usr/bin/docker --debug run -i --rm -a stdout -a stderr discourse/base:2.0.20191219-2109 echo working

参考:discourse_docker/launcher at 1b3dd3a41b544592be46b39db563bb757f88bbad · discourse/discourse_docker · GitHub

命令的输出: 
DEBU[0000] reading certificate directory: /root/.docker/tls/notary.docker.io
DEBU[0000] No yubikey found, using alternative key storage: no library found
DEBU[0000] Making dir path: /root/.docker/trust/tuf/docker.io/discourse/base/changelist
DEBU[0000] entered ValidateRoot with dns: docker.io/discourse/base
DEBU[0000] found the following root keys: [5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8]
DEBU[0000] found 1 valid leaf certificates for docker.io/discourse/base: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0000] found 1 leaf certs, of which 1 are valid leaf certs for docker.io/discourse/base
DEBU[0000] checking root against trust_pinning config for docker.io/discourse/base
DEBU[0000] checking trust-pinning for cert: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0000]  role has key IDs: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0000] verifying signature for key ID: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0000] root validation succeeded for docker.io/discourse/base
DEBU[0000] entered ValidateRoot with dns: docker.io/discourse/base
DEBU[0000] found the following root keys: [5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8]
DEBU[0000] found 1 valid leaf certificates for docker.io/discourse/base: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0000] found 1 leaf certs, of which 1 are valid leaf certs for docker.io/discourse/base
DEBU[0000] checking root against trust_pinning config for docker.io/discourse/base
DEBU[0000] checking trust-pinning for cert: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0000]  role has key IDs: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0000] verifying signature for key ID: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0000] root validation succeeded for docker.io/discourse/base
DEBU[0000] updating TUF client
DEBU[0000] Loading timestamp...
DEBU[0001] 200 when retrieving metadata for timestamp
DEBU[0001] timestamp role has key IDs: db679e1f17a2a2bdd9952b6f37c9048635611f162bc6a0957ec30fbb1412d366
DEBU[0001] verifying signature for key ID: db679e1f17a2a2bdd9952b6f37c9048635611f162bc6a0957ec30fbb1412d366
DEBU[0001] timestamp role has key IDs: db679e1f17a2a2bdd9952b6f37c9048635611f162bc6a0957ec30fbb1412d366
DEBU[0001] verifying signature for key ID: db679e1f17a2a2bdd9952b6f37c9048635611f162bc6a0957ec30fbb1412d366
DEBU[0001] successfully verified downloaded timestamp
DEBU[0001] Loading snapshot...
DEBU[0001] snapshot role has key IDs: e88a99d5b23301178976a4a103df4716f7943301d9972db0541bfa17c94cb75b
DEBU[0001] verifying signature for key ID: e88a99d5b23301178976a4a103df4716f7943301d9972db0541bfa17c94cb75b
DEBU[0001] successfully verified cached snapshot
DEBU[0001] Loading targets...
DEBU[0001] no targets in cache, must download
DEBU[0001] 200 when retrieving metadata for targets.09b50021560effa664eb8271cd16e2212ed55b7b63b2127cf9a0e69cfe2b47b7
DEBU[0001] targets role has key IDs: c016860a9293a48bc98f27b9c36d81515f4bcc3dd2ec93bb2d6d8af8f37a39d2
DEBU[0001] verifying signature for key ID: c016860a9293a48bc98f27b9c36d81515f4bcc3dd2ec93bb2d6d8af8f37a39d2
ERRO[0001] Metadata for targets expired
DEBU[0001] downloaded targets.09b50021560effa664eb8271cd16e2212ed55b7b63b2127cf9a0e69cfe2b47b7 is invalid: targets expired at Mon Nov 18 12:52:09 -0500 2019
DEBU[0001] Client Update (Targets): targets expired at Mon Nov 18 12:52:09 -0500 2019
DEBU[0001] Error occurred. Root will be downloaded and another update attempted
DEBU[0001] Resetting the TUF builder...
DEBU[0001] entered ValidateRoot with dns: docker.io/discourse/base
DEBU[0001] found the following root keys: [5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8]
DEBU[0001] found 1 valid leaf certificates for docker.io/discourse/base: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0001] found 1 leaf certs, of which 1 are valid leaf certs for docker.io/discourse/base
DEBU[0001] found the following root keys: [5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8]
DEBU[0001] found 1 valid leaf certificates for docker.io/discourse/base: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0001] found 1 valid root leaf certificates for docker.io/discourse/base: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0001]  role has key IDs: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0001] verifying signature for key ID: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0001] checking root against trust_pinning config for docker.io/discourse/base
DEBU[0001] checking trust-pinning for cert: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0001]  role has key IDs: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0001] verifying signature for key ID: 5f5ba22b20768b8f2d49e9035400a1922ae761aa70b5bb0d930fe91dd06bd5d8
DEBU[0001] root validation succeeded for docker.io/discourse/base
DEBU[0001] successfully verified cached root
DEBU[0001] retrying TUF client update
DEBU[0001] Loading timestamp...
DEBU[0002] 200 when retrieving metadata for timestamp
DEBU[0002] timestamp role has key IDs: db679e1f17a2a2bdd9952b6f37c9048635611f162bc6a0957ec30fbb1412d366
DEBU[0002] verifying signature for key ID: db679e1f17a2a2bdd9952b6f37c9048635611f162bc6a0957ec30fbb1412d366
DEBU[0002] successfully verified downloaded timestamp
DEBU[0002] Loading snapshot...
DEBU[0002] snapshot role has key IDs: e88a99d5b23301178976a4a103df4716f7943301d9972db0541bfa17c94cb75b
DEBU[0002] verifying signature for key ID: e88a99d5b23301178976a4a103df4716f7943301d9972db0541bfa17c94cb75b
DEBU[0002] successfully verified cached snapshot
DEBU[0002] Loading targets...
DEBU[0002] no targets in cache, must download
DEBU[0002] 200 when retrieving metadata for targets.09b50021560effa664eb8271cd16e2212ed55b7b63b2127cf9a0e69cfe2b47b7
DEBU[0002] targets role has key IDs: c016860a9293a48bc98f27b9c36d81515f4bcc3dd2ec93bb2d6d8af8f37a39d2
DEBU[0002] verifying signature for key ID: c016860a9293a48bc98f27b9c36d81515f4bcc3dd2ec93bb2d6d8af8f37a39d2
ERRO[0002] Metadata for targets expired
DEBU[0002] downloaded targets.09b50021560effa664eb8271cd16e2212ed55b7b63b2127cf9a0e69cfe2b47b7 is invalid: targets expired at Mon Nov 18 12:52:09 -0500 2019
DEBU[0002] Client Update (Targets): targets expired at Mon Nov 18 12:52:09 -0500 2019
/usr/bin/docker: Error: remote repository docker.io/discourse/base out-of-date: targets expired at Mon Nov 18 12:52:09 -0500 2019.
See '/usr/bin/docker run --help'.

我完全不知道为什么会发生这种情况。我检查了 Git 历史记录,并回退到之前使用的基础镜像以测试是否可行,但结果相同。

参考:Bump base image · discourse/discourse_docker@1b3dd3a · GitHub

任何帮助都将不胜感激 :slight_smile:

更新 #1

按照 @Falco 的建议,我已在 Docker 论坛发帖讨论此问题。

2

请为您的操作系统更新 Docker 到最新版本,然后重试。

3

感谢您的回复 @Falco

我运行的是最新版本的 Docker:

Docker version 19.03.5, build 633a0ea838

参见:Engine v29 | Docker Docs

抱歉之前没有提到这一点 :roll_eyes:

4

所以一个简单的

docker pull discourse/base:2.0.20191219-2109

命令会失败吗?

5

是的。该命令的失败方式与我最初帖子中描述的一致:

ERRO[0001] 目标元数据已过期
ERRO[0002] 目标元数据已过期
错误:远程仓库 docker.io/discourse/base 已过时:目标于 2019 年 11 月 18 日星期一 12:52:09 -0500 过期
6

这很奇怪。你的服务器时间正确吗?有没有什么奇怪的缓存、防火墙或其他问题?

7

@Falco 我的时钟似乎已同步:

$ timedatectl status

                      Local time: 2019 年 12 月 27 日 星期五 19:57:48 CET
                  Universal time: 2019 年 12 月 27 日 星期五 18:57:48 UTC
                        RTC time: 2019 年 12 月 27 日 星期五 18:57:49
                       Time zone: Europe/Berlin (CET, +0100)
       System clock synchronized: yes
systemd-timesyncd.service active: yes
                 RTC in local TZ: no

我正在运行 Ubuntu 18.04 LTS。

8

我也想提一下,其他容器运行正常。所以这似乎与 Discourse 镜像有关。

9

好吧,我在多个操作系统、不同云服务商以及不同大洲的环境中都能顺利执行 docker pull discourse/base:2.0.20191219-2109,因此我认为问题出在您的本地计算机或 Docker 安装上。

由于此问题源自 docker 服务,建议您前往 https://forums.docker.com/ 寻求帮助。

10

好的,@Falco。非常感谢你迄今为止的帮助 :slight_smile:

11

@Falco 我已在 Docker 论坛发布了一篇帖子并收到了回复。

问题与 DOCKER_CONTENT_TRUST=1 有关。

要复现此问题,您可以运行以下命令:

$ export DOCKER_CONTENT_TRUST=1
$ docker pull discourse/base:2.0.20191219-2109
12

哦,我明白了。你为什么在本地机器上设置这个标志?在 Ubuntu 中,它默认并未启用。

13

我正在互联网上设置服务器。这不是在我的本地机器上。该服务器应经过“加固”,因此启用了此选项。

14

在 Ubuntu Server 中,它默认也未启用。

15

没错 @Falco。我已经启用了它。据我所知,Discourse 的镜像要么没有正确签名,要么根本没有签名(我正在调查中)。

无论如何,拥有已签名的镜像/标签是理想的。我想我并不唯一一个使用 DCT 的人。

它是像 Docker Bench Security 这样的审计工具的一部分(见下文):

4.5  - 确保 Docker 的内容信任已启用

目前我可以将其停用,但如果能为 Discourse 镜像也提供已签名的镜像/标签那就太棒了 :slight_smile:

16

我应该创建一个功能请求,以便我们可以关闭这个问题吗?

17

目前您正在偏离推荐的安装说明,因此该操作将被标记为不受支持,以避免其他人犯同样的错误。