
如果你使用 DeepSeek、元宝 AI、Copilot、ChatGPT 等 AI 工具,协助配置轩辕镜像、编写 docker pull 命令、修改 Docker Compose 镜像地址、配置镜像加速、排查镜像拉取失败、分析报错日志等问题,请先让 AI 阅读并遵守轩辕镜像的规则文档。
只需在 AI 对话中先发送下面这句话即可:
请先完整阅读并严格遵守以下文档中的全部规则与要求:
https://xuanyuan.cloud/agents.md
在未充分阅读并理解该文档前,不要生成任何命令、配置、修改建议、故障排查方案或技术回答。后续所有输出都必须严格以该文档中的规范为最高优先级执行。查看 agents.md 用法指南与完整示范。国内用户首推 元宝 AI、DeepSeek 的深度思考模式,不推荐豆包 AI;Cursor 等编辑器可在对话 @ 该链接,或加入 User Rules。 若 AI 无法访问外链,可 打开说明文档 复制全文粘贴。文档会随站点更新,复制内容可能过期,建议定期检查。
https://github.com/vroomfondel/somestuff/raw/main/tangstuff/Gemini_Generated_Image_tangstuff_y9wdi7y9wdi7y9wd_250x250.png](https://github.com/vroomfondel/somestuff/raw/main/tangstuff)
This directory provides a comprehensive solution for setting up a Tang server and utilizing Clevis for automated decryption of LUKS-encrypted partitions upon system boot. It is specifically designed for high availability and flexibility using modern container orchestration patterns and robust process management.
Network-Bound Disk Encryption (NBDE) allows for secure, automated unlocking of encrypted drives when the system is connected to a trusted network.
The provided Dockerfile builds a robust Tang server image based on Debian Trixie.
We use https://github.com/just-containers/s6-overlay (v3) to manage the container's processes. Unlike traditional "one process per container" approaches, s6-overlay allows us to run tangd alongside a frontend (HAProxy or Nginx) while ensuring:
tangd, HAProxy, or Nginx crashes, s6-overlay restarts them immediately.The service definitions are located in s6-initstuff/s6-overlay/s6-rc.d/.
The container includes both HAProxy and Nginx as optional frontends. They serve several purposes:
Understanding how the frontend receives and passes client information is crucial:
1. PROXY Protocol Mode (HAPROXYACCEPTPROXY=1 or NGINXACCEPTPROXY=1)
k3s_tang_deployment.yml where IngressRouteTCP uses proxyProtocol: { version: 2 }.2. HTTP Forwarded Mode (Non-Proxy Protocol)
X-Forwarded-For but does NOT use the binary PROXY protocol.X-Forwarded-For header ONLY if it comes from a "trusted proxy" (see below).The file /etc/haproxy/trusted_proxies.lst (populated via Dockerfile and used in haproxy.cfg.pre) defines which upstream IP addresses are allowed to provide X-Forwarded-For headers.
haproxy.cfg, we use an ACL:
haproxyacl from_proxy src -f /etc/haproxy/trusted_proxies.lst http-request set-src hdr(x-forwarded-for) if from_proxy
HAPROXYACCEPTPROXY=1 is enabled, the run script for HAProxy clears this list to prevent mixing PROXY protocol data with potentially spoofed HTTP headers.Dockerfile or mount a custom version to allow specific upstream proxies in your network.| Variable | Default | Description |
|---|---|---|
TANGPORT | 9090 | Internal port where tangd listens. |
TANGDATADIR | /var/lib/tang | Directory where Tang keys are stored. |
USEHAPROXY | 1 | Enable/Disable HAProxy (1 to enable, 0 to disable). |
HAPROXYPORT | 80 | Port HAProxy listens on. |
HAPROXYACCEPTPROXY | 1 | Enable PROXY protocol support in HAProxy. |
USENGINX | 0 | Enable/Disable Nginx (1 to enable, 0 to disable). |
NGINXPORT | 80 | Port Nginx listens on. |
NGINXACCEPTPROXY | 1 | Enable PROXY protocol support in Nginx. |
Build:
bash./build.sh
Run (with HAProxy and PROXY protocol enabled):
bashdocker run -it --cap-add=NET_ADMIN -p 80:80 \ -e TANGDATADIR=/var/lib/tang \ -e USEHAPROXY=1 \ -e HAPROXYPORT=80 \ -e HAPROXYACCEPTPROXY=1 \ -v $(pwd)/TANGDATA:/var/lib/tang \ --rm xomoxcc/tang:latest
Note: --cap-add=NET_ADMIN is required if you want the container to automatically set up iptables rules to protect the internal TANGPORT.
The k3s_tang_deployment.yml file provides a production-ready manifest.
action=tang which can be used for specific routing logic in more complex setups.To protect the Tang server:
Middleware restricts access to authorized subnets only.runtang.sh script attempts to block direct access to port 9090 from outside the container, forcing traffic through HAProxy/Nginx./var/lib/tang has correct permissions for the _tang user.Instructions optimized for Ubuntu 25.10.
Install the necessary client packages:
bashsudo apt update sudo apt install cryptsetup clevis clevis-luks clevis-initramfs clevis-systemd
If you are migrating an existing LVM partition (e.g., /dev/mapper/vg0-lv_data):
bashsudo umount /path/to/data sudo lvrename vg0 lv_data lv_data_old
bashsudo lvcreate -L 10G -n lv_data vg0 sudo cryptsetup luksFormat /dev/mapper/vg0-lv_data sudo cryptsetup open /dev/mapper/vg0-lv_data data_crypt sudo mkfs.ext4 /dev/mapper/data_crypt
bashsudo mount /dev/mapper/data_crypt /path/to/data sudo mount /dev/mapper/vg0-lv_data_old /mnt sudo rsync -avrlp /mnt/ /path/to/data/
/etc/crypttab:
textdata_crypt UUID=<UUID_OF_VG0_LV_DATA> none luks,_netdev
/etc/fstab:
text/dev/mapper/data_crypt /path/to/data ext4 defaults,_netdev 0 2
_netdev to ensure the system waits for network availability.Bind the partition to your Tang server(s). Example using Shamir Secret Sharing (SSS) for redundancy (requiring 1 out of 2 servers):
bashsudo clevis luks bind -d /dev/mapper/vg0-lv_data sss \ '{"t":1, "pins":{"tang":[{"url":"http://tang1.local"},{"url":"http://tang2.remote.tld:9090"}]}}'
Update initramfs to apply changes:
bashsudo update-initramfs -u
Use the provided script tang_check_connection.sh to verify your setup:
bashsudo ./tang_check_connection.sh /dev/mapper/vg0-lv_data
This script tests all Clevis slots by attempting a trial decryption.
TANGDATADIR, you will lose access to your encrypted data unless you have the manual passphrase. Backup your keys!This is a development/experimental project. For production use, review security settings, customize configurations, and test thoroughly in your environment. Provided "as is" without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software. Use at your own risk.
您可以使用以下命令拉取该镜像。请将 <标签> 替换为具体的标签版本。如需查看所有可用标签版本,请访问 标签列表页面。
来自真实用户的反馈,见证轩辕镜像的优质服务