我们的Docker私有仓库Registry服务只有加了认证机制之后我们的Registry服务才会更加的安全可靠。赶快跟随以下步骤来增加认证机制吧。
创建密码
- 创建docker registry工作目录
mkdir -p /data/docker.registry
- 创建将保存凭据的文件夹
mkdir -p /data/docker.registry/etc/registry/auth
- 安装htpasswd工具。
yum -y install httpd-tools
创建管理员admin,存入/data/docker.registry/etc/registry/auth/passwd里面,此passwd文件将包含登录凭据和加密的passwd
htpasswd -Bbn admin 123456 > /data/docker.registry/etc/registry/auth/passwd
- 验证密码
cat /data/docker.registry/etc/registry/auth/passwd
admin:$2y$05$3R0Y9nlTM.DQEAgSrGCdp.zFMkeRr8ILeK6kW/o0kvlagZLlpUmDG
启动Registry
- 配置Registry删除权限
默认安装的Registry不支持删除
# vi /data/docker.registry/etc/registry/config.yml version: 0.1log:fields:service: registrystorage:cache:blobdescriptor: inmemoryfilesystem:rootdirectory: /var/lib/registrydelete: #配置删除权限,默认安装的Registry不支持删除enabled: truehttp:addr: :5000headers:X-Content-Type-Options: [nosniff]health:storagedriver:enabled: trueinterval: 10sthreshold: 3
- 密码创建完成,将凭据添加到注册表中。在这里,将auth目录和config.xml配置文件挂载到容器中:
docker run -d -p 5000:5000 \--restart=always \--name registry_private \-v /data/docker.registry/etc/registry/auth:/etc/registry/auth \-v /data/docker.registry/etc/registry/config.yml:/etc/docker/registry/config.yml \-v /data/docker.registry/var/lib/registry:/var/lib/registry \-e "REGISTRY_AUTH=htpasswd" \-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \-e "REGISTRY_AUTH_HTPASSWD_PATH=/etc/registry/auth/passwd" \registry:latest
成功后会在/root/.docker/config.json 保存5000端口的密码,启动registry-web会用到,如下图:
3. 测试
[root@test data]# docker tag registry:latest 127.0.0.1:5000/registry:latest
[root@test data]# docker push 127.0.0.1:5000/registry
The push refers to repository [127.0.0.1:5000/registry]
fb6b1a93008f: Preparing
6d2d8cb41f01: Preparing
4f5aa08c5eaa: Preparing
8ebb9d6ed165: Preparing
0fcbbeeeb0d7: Preparing
no basic auth credentials
- 认证
[root@test data]# docker login 127.0.0.1:5000 # admin/123456
Username (): admin
Password:
Login Succeeded
- 重试推送
[root@test data]# docker push 127.0.0.1:5000/registry
The push refers to repository [127.0.0.1:5000/registry]
fb6b1a93008f: Pushed
6d2d8cb41f01: Pushed
4f5aa08c5eaa: Pushed
8ebb9d6ed165: Pushed
0fcbbeeeb0d7: Pushed
latest: digest: sha256:a0dd61073ad21122e5f1517682800272ef29df52041aaea7ee29e92a5d22aa28 size: 1363
- 凭据保存在 .docker/config.json中:
[root@test data]# cat ~/.docker/config.json
{
“auths”: {
“127.0.0.1:5000”: {
“auth”: “YWRtaW46ZkZHHGGluVDQ1SA==”
}
}
}
注意: 在使用凭据时建议使用https.
- 使用
登录
docker login 172.x.x.x:5000
输入用户名密码 admin/123456
- 查看镜像
浏览器访问:http:// 172.x.x.x:5000/v2/_catalog
输入用户名/密码admin/123456
- 查询镜像标签列表
curl -u admin:123456 ‘http:// 127.0.0.1:5000/v2/qingzhu-backend-gray/tags/list’
安装 registry-web
平时对仓库镜像的管理,如果仅通过接口请求来操作仓库镜像,还是挺麻烦的。
hyper/docker-registry-webUI是一款轻量级的管理界面
# 拉取镜像docker pull hyper/docker-registry-web# 启动容器 --link registry_private 是我以前安装的 Registry docker rm -f registry-webdocker run -d \-p 8000:8080 \--name registry-web\--restart=always \--link registry_private \-e registry_url=http://registry_private:5000/v2 \-e registry_name=registry_private \-e REGISTRY_TRUST_ANY_SSL=false \-e REGISTRY_BASIC_AUTH="YWRtaW46ZkZ0WWluVDQ1SA==" \-e registry_auth_enabled=false \-e registry_readonly=false \hyper/docker-registry-web:latestdocker logs -f registry-web
浏览器访问:
http://172.x.x.x:8000
启用registry-web登录认证
令牌身份验证需要PEM格式的RSA私钥以及与该密钥匹配的证书
- 生成私钥和证书
mkdir confopenssl req -new -newkey rsa:4096 -days 365 -subj "/CN=localhost" \-nodes -x509 -keyout conf/auth.key -out conf/auth.cert
- 创建registry配置 conf/registry-srv.yml
version: 0.1storage:filesystem:rootdirectory: /var/lib/registryhttp:addr: 0.0.0.0:5000 auth:token:# external url to docker-web authentication endpointrealm: http://localhost:8080/api/auth# should be same as registry.name of registry-webservice: localhost:5000# should be same as registry.auth.issuer of registry-webissuer: 'my issuer'# path to auth certificaterootcertbundle: /etc/docker/registry/auth.cert
- Start docker registry
docker run -v $(pwd)/conf/registry-srv.yml:/etc/docker/registry/config.yml:ro \-v $(pwd)/conf/auth.cert:/etc/docker/registry/auth.cert:ro -p 5000:5000--name registry-srv -d registry:2
- Create configuration file conf/registry-web.yml
registry:# Docker registry urlurl: http://registry-srv:5000/v2# Docker registry fqdnname: localhost:5000# To allow image delete, should be falsereadonly: falseauth:# Enable authenticationenabled: true# Token issuer# should equals to auth.token.issuer of docker registryissuer: 'my issuer'# Private key for token signing# certificate used on auth.token.rootcertbundle should signed by this keykey: /conf/auth.key
- Start registry-web
docker run -v $(pwd)/conf/registry-web.yml:/conf/config.yml:ro \ -v $(pwd)/conf/auth.key:/conf/auth.key -v $(pwd)/db:/data \ -it -p 8080:8080 --link registry-srv --name registry-web hyper/docker-registry-web
Web UI will be available on http://localhost:8080 with default admin user/password admin/admin.
参考:docker-registry-web