Meaning:
Verify platform binaries
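1. Hashes
For details, see the Zhihu article https://zhuanlan.zhihu.com/p/37165658, which explains hash algorithms, MD5 and SHA very thoroughly, and the CSDN post https://blog.csdn.net/ljy1988123/article/details/51506578.
1.1 Theory and Hashes
A hash algorithm is judged on these criteria: it cannot be reversed to recover the input, its output is random (low collision probability), and it is fast to compute. Common hash algorithms: SHA, MD5.
1.2 Download and verify binaries
1.2.1 Confirm the version
1.2.2 Download the Kubernetes release from GitHub
1.2.3 Verify the downloaded files
sha512sum kubernetes-server-linux-amd64.tar.gz > compare
Compare the SHA-512 hash shown on the GitHub page with the one computed locally. OK, they match.
1.3 Verify binaries from a container
1.3.1 Extract the Kubernetes 1.9.3 archive downloaded from GitHub. Taking kube-apiserver as the example, compute the sha512sum of the kube-apiserver in the extracted folder and write it to the compare file.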
root@cks-master:~/hash# tar -zxf kubernetes-server-linux-amd64.tar.gz
root@cks-master:~/hash# ls kubernetes
addons kubernetes-src.tar.gz LICENSES server
root@cks-master:~/hash# ls kubernetes/server/bin/
apiextensions-apiserver kube-aggregator kube-apiserver.docker_tag kube-controller-manager kube-controller-manager.tar kubelet kube-proxy.docker_tag kube-scheduler kube-scheduler.tar
kubeadm kube-apiserver kube-apiserver.tar kube-controller-manager.docker_tag kubectl kube-proxy kube-proxy.tar kube-scheduler.docker_tag mounter
root@cks-master:~/hash# sha512sum kubernetes/server/bin/kube-apiserver
49b3a12ee597ea3bf9ece98accb62018ef758e4766ae44e24386838306cf69a2bc5dc7f8c0b728abecb972a4b651271f140bfdf0047e483c1556662cbd5b914a kubernetes/server/bin/kube-apiserver
root@cks-master:~/hash# sha256sum kubernetes/server/bin/kube-apiserver > compare
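1.3.2 Confirm once more that the kube-apiserver running in the Kubernetes cluster is the same version, 1.19.3. The container has no bash or sh, so use docker cp to copy its filesystem into the container-fs folder (kubectl cp could of course be used as well). Find the kube-apiserver file in that folder, run sha512sum on it, append the result to the compare file, and compare the hash values:
root@cks-master:~/hash# kubectl get pods -n kube-system|grep api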
kube-apiserver-cks-master 1/1 Running 0 42d
root@cks-master:~/hash# kubectl get pod kube-apiserver-cks-master -n kube-system -o yaml|grep image
f:image: {}
f:imagePullPolicy: {}
image: k8s.gcr.io/kube-apiserver:v1.19.3
imagePullPolicy: IfNotPresent
image: k8s.gcr.io/kube-apiserver:v1.19.3
imageID: docker://sha256:a301be0cd44bb11162da49b9c55fc5d137f493bdefcf80226378204be403fa41
root@cks-master:~/hash# kubectl exec -it kube-apiserver-cks-master bash -n kube-system
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
OCI runtime exec failed: exec failed: container_linux.go:349: starting container process caused "exec: "bash": executable file not found in $PATH": unknown
command terminated with exit code 126
root@cks-master:~/hash# docker ps |grep apiserver
72c54882e5c0 a301be0cd44b "kube-apiserver --ad…" 6 weeks ago Up 6 weeks k8s_kube-apiserver_kube-apiserver-cks-master_kube-system_a2aef6235c950d78a8c2a8f52536f35e_0
4045b57cf208 k8s.gcr.io/pause:3.2 "/pause" 6 weeks ago Up 6 weeks k8s_POD_kube-apiserver-cks-master_kube-system_a2aef6235c950d78a8c2a8f52536f35e_0
root@cks-master:~/hash# docker cp 72c54882e5c0:/ container-fs
root@cks-master:~/hash# find container-fs/ -name kube-apiserver
container-fs/usr/local/bin/kube-apiserver
root@cks-master:~/hash# sha512sum container-fs/usr/local/bin/kube-apiserver
49b3a12ee597ea3bf9ece98accb62018ef758e4766ae44e24386838306cf69a2bc5dc7f8c0b728abecb972a4b651271f140bfdf0047e483c1556662cbd5b914a container-fs/usr/local/bin/kube-apiserver
root@cks-master:~/hash# sha512sum container-fs/usr/local/bin/kube-apiserver >> co
compare container-fs/
root@cks-master:~/hash# sha512sum container-fs/usr/local/bin/kube-apiserver >> compare
root@cks-master:~/hash# cat compare
3bda7b83d70fc762759f88a93b760355a6c1023be959d613a3faf113b975200c kubernetes/server/bin/kube-apiserver
49b3a12ee597ea3bf9ece98accb62018ef758e4766ae44e24386838306cf69a2bc5dc7f8c0b728abecb972a4b651271f140bfdf0047e483c1556662cbd5b914a container-fs/usr/local/bin/kube-apiserver
root@cks-master:~/hash# rm -rf compare
root@cks-master:~/hash# sha512sum kubernetes/server/bin/kube-apiserver
49b3a12ee597ea3bf9ece98accb62018ef758e4766ae44e24386838306cf69a2bc5dc7f8c0b728abecb972a4b651271f140bfdf0047e483c1556662cbd5b914a kubernetes/server/bin/kube-apiserver
root@cks-master:~/hash# sha512sum kubernetes/server/bin/kube-apiserver > compare
root@cks-master:~/hash# cat compare
49b3a12ee597ea3bf9ece98accb62018ef758e4766ae44e24386838306cf69a2bc5dc7f8c0b728abecb972a4b651271f140bfdf0047e483c1556662cbd5b914a kubernetes/server/bin/kube-apiserver
root@cks-master:~/hash# sha512sum container-fs/usr/local/bin/kube-apiserver >> compare
root@cks-master:~/hash# cat compare
49b3a12ee597ea3bf9ece98accb62018ef758e4766ae44e24386838306cf69a2bc5dc7f8c0b728abecb972a4b651271f140bfdf0047e483c1556662cbd5b914a kubernetes/server/bin/kube-apiserver
49b3a12ee597ea3bf9ece98accb62018ef758e4766ae44e24386838306cf69a2bc5dc7f8c0b728abecb972a4b651271f140bfdf0047e483c1556662cbd5b914a container-fs/usr/local/bin/kube-apiserver
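The comparison in 1.2.3 and 1.3 can be scripted rather than checked by eye. The following is an added example, not part of the original post. The function names are hypothetical, and it assumes GNU coreutils sha512sum and awk are available. It also rejects a compare file that mixes digest lengths, which is what happens in the session above when sha256sum output is written next to sha512sum output.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the original post.

# Print only the SHA-512 hex digest of a file (no filename column).
digest_of() {
    sha512sum "$1" | awk '{print $1}'
}

# verify_published FILE EXPECTED_HEX
# 0 = file matches the published digest, 1 = mismatch,
# 2 = EXPECTED_HEX is not a 128-hex-character SHA-512 digest.
verify_published() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 2
    [ "$(digest_of "$1")" = "$expected" ]
}

# same_binary FILE_A FILE_B: 0 when both files have the same SHA-512 digest.
same_binary() {
    [ "$(digest_of "$1")" = "$(digest_of "$2")" ]
}

# check_compare_file FILE: FILE holds sha512sum-style lines ("digest  path").
# 0 = every line carries the same digest, 1 = digests differ or file is empty,
# 2 = some digest is not 128 hex chars long (another algorithm was mixed in).
check_compare_file() {
    awk '
        length($1) != 128 { bad = 1 }
        NR == 1           { first = $1 }
        $1 != first       { differ = 1 }
        END {
            if (bad) exit 2
            if (differ || NR == 0) exit 1
            exit 0
        }
    ' "$1"
}

# Usage with the paths from this page:
#   check_compare_file compare
#   same_binary kubernetes/server/bin/kube-apiserver \
#               container-fs/usr/local/bin/kube-apiserver
```

A non-zero exit status from any of these functions means the binaries should not be treated as verified.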