

Step by step: configuring a login name/password for a Docker registry, and setting up registry-web

A private Docker Registry is only reasonably safe once it requires authentication; without it, anyone who can reach port 5000 can pull and push images, and delete them if deletion is enabled. Follow the steps below to add authentication.

Create the credentials file

  1. Create the docker registry working directory

mkdir -p /data/docker.registry

  2. Create the folder that will hold the credentials

mkdir -p /data/docker.registry/etc/registry/auth

  3. Install the htpasswd tool

yum -y install httpd-tools

  4. Create the administrator account admin and write it to /data/docker.registry/etc/registry/auth/passwd. The file holds one user:hash line per account. The -B option selects bcrypt, which is the only password hash the registry's htpasswd authenticator accepts, so do not fall back to htpasswd's default MD5 (apr1) format.

htpasswd -Bbn admin 123456 > /data/docker.registry/etc/registry/auth/passwd

Note that -b puts the password on the command line, where it lands in the shell history and is visible in the process list while htpasswd runs. For anything beyond a local test, drop -b and let htpasswd prompt for the password, and pick something stronger than 123456.

  5. Verify the password file

cat /data/docker.registry/etc/registry/auth/passwd
admin:$2y$05$3R0Y9nlTM.DQEAgSrGCdp.zFMkeRr8ILeK6kW/o0kvlagZLlpUmDG

Start the Registry

  1. Write the Registry configuration and enable deletion (a default Registry install does not allow deleting images)
# vi /data/docker.registry/etc/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
  delete: # enable deletion; a default Registry install does not allow it
    enabled: true
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
  2. With the password file in place, hand the credentials to the registry. Mount the auth directory and config.yml into the container and select the htpasswd authenticator through environment variables:
docker run -d -p 5000:5000 \
  --restart=always \
  --name registry_private \
  -v /data/docker.registry/etc/registry/auth:/etc/registry/auth \
  -v /data/docker.registry/etc/registry/config.yml:/etc/docker/registry/config.yml \
  -v /data/docker.registry/var/lib/registry:/var/lib/registry \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/etc/registry/auth/passwd" \
  registry:latest

The REGISTRY_AUTH_* variables override the auth section of config.yml, so the same three settings could instead be written into the file under auth: htpasswd:. Pinning the image tag (registry:2, as the token section below does) rather than latest makes a registry upgrade an explicit decision instead of a side effect of the next docker pull.

After a successful docker login (the authentication step below), the credential for port 5000 is saved in /root/.docker/config.json; it is needed again when starting registry-web.
  3. Test (push without logging in first)

[root@test data]# docker tag registry:latest 127.0.0.1:5000/registry:latest
[root@test data]# docker push 127.0.0.1:5000/registry
The push refers to repository [127.0.0.1:5000/registry]
fb6b1a93008f: Preparing
6d2d8cb41f01: Preparing
4f5aa08c5eaa: Preparing
8ebb9d6ed165: Preparing
0fcbbeeeb0d7: Preparing
no basic auth credentials

  4. Authenticate

[root@test data]# docker login 127.0.0.1:5000 # admin/123456
Username (): admin
Password:
Login Succeeded

  5. Retry the push

[root@test data]# docker push 127.0.0.1:5000/registry
The push refers to repository [127.0.0.1:5000/registry]
fb6b1a93008f: Pushed
6d2d8cb41f01: Pushed
4f5aa08c5eaa: Pushed
8ebb9d6ed165: Pushed
0fcbbeeeb0d7: Pushed
latest: digest: sha256:a0dd61073ad21122e5f1517682800272ef29df52041aaea7ee29e92a5d22aa28 size: 1363

  6. The credentials are saved in .docker/config.json:

[root@test data]# cat ~/.docker/config.json
{
	"auths": {
		"127.0.0.1:5000": {
			"auth": "YWRtaW46ZkZHHGGluVDQ1SA=="
		}
	}
}

Note: the auth value is nothing more than base64 of username:password, not a hash (for admin:123456 it is YWRtaW46MTIzNDU2; the value shown above does not correspond to that pair). config.json is therefore a plaintext credential store and must be protected like one, and the same value is sent with every request to the registry, so use HTTPS whenever these credentials cross a network.

  7. Using the registry from another host

Log in:
docker login 172.x.x.x:5000
Enter the username/password admin/123456

The registry is served over plain HTTP, so a Docker daemon on any other host will refuse 172.x.x.x:5000 until that address is listed under "insecure-registries" in its /etc/docker/daemon.json (127.0.0.0/8 is exempt from this check, which is why the local test above worked). Treat that setting as a stopgap: with it, the Basic credentials cross the network base64-encoded and readable to anyone on the path; a TLS certificate on the registry is the real fix.

  8. List the repositories

Open http://172.x.x.x:5000/v2/_catalog in a browser
Enter the username/password admin/123456 when prompted

  9. List a repository's tags

curl -u admin:123456 'http://127.0.0.1:5000/v2/qingzhu-backend-gray/tags/list'

Install registry-web

Managing the images in the repository purely through API calls is tedious.
hyper/docker-registry-web is a lightweight management UI.

# pull the image
docker pull hyper/docker-registry-web
# start the container; --link registry_private points at the Registry started earlier
docker rm -f registry-web
docker run -d -p 8000:8080 \
  --name registry-web \
  --restart=always \
  --link registry_private \
  -e REGISTRY_URL=http://registry_private:5000/v2 \
  -e REGISTRY_NAME=registry_private \
  -e REGISTRY_TRUST_ANY_SSL=false \
  -e REGISTRY_BASIC_AUTH="YWRtaW46ZkZ0WWluVDQ1SA==" \
  -e REGISTRY_AUTH_ENABLED=false \
  -e REGISTRY_READONLY=false \
  hyper/docker-registry-web:latest

REGISTRY_BASIC_AUTH is the auth value copied from ~/.docker/config.json, i.e. base64 of username:password, which registry-web presents to the registry on every request. REGISTRY_AUTH_ENABLED=false means the UI itself has no login: anyone who can reach port 8000 can browse the registry, and with REGISTRY_READONLY=false also delete images, using the admin credential baked into the container. Either restrict who can reach port 8000 or enable the UI's own authentication as described in the next section.

docker logs -f registry-web

Open in a browser:

http://172.x.x.x:8000

Enable registry-web login authentication

Token authentication needs an RSA private key in PEM format and a certificate that matches that key: registry-web signs each token with the key, and the registry checks the signature against the certificate.

  1. Generate the private key and certificate
mkdir conf
openssl req -new -newkey rsa:4096 -days 365 -subj "/CN=localhost" \
  -nodes -x509 -keyout conf/auth.key -out conf/auth.cert
  2. Create the registry configuration conf/registry-srv.yml
version: 0.1

storage:
  filesystem:
    rootdirectory: /var/lib/registry

http:
  addr: 0.0.0.0:5000

auth:
  token:
    # external url to docker-web authentication endpoint
    realm: http://localhost:8080/api/auth
    # should be same as registry.name of registry-web
    service: localhost:5000
    # should be same as registry.auth.issuer of registry-web
    issuer: 'my issuer'
    # path to auth certificate
    rootcertbundle: /etc/docker/registry/auth.cert
  3. Start the docker registry
docker run -v $(pwd)/conf/registry-srv.yml:/etc/docker/registry/config.yml:ro \
  -v $(pwd)/conf/auth.cert:/etc/docker/registry/auth.cert:ro \
  -p 5000:5000 --name registry-srv -d registry:2
  4. Create the configuration file conf/registry-web.yml
registry:
  # Docker registry url
  url: http://registry-srv:5000/v2
  # Docker registry fqdn
  name: localhost:5000
  # To allow image delete, should be false
  readonly: false
  auth:
    # Enable authentication
    enabled: true
    # Token issuer; must equal auth.token.issuer of the docker registry
    issuer: 'my issuer'
    # Private key for token signing; the certificate used as auth.token.rootcertbundle must be the one generated for this key
    key: /conf/auth.key
  5. Start registry-web
docker run -v $(pwd)/conf/registry-web.yml:/conf/config.yml:ro \
  -v $(pwd)/conf/auth.key:/conf/auth.key \
  -v $(pwd)/db:/data \
  -it -p 8080:8080 --link registry-srv --name registry-web hyper/docker-registry-web

The container name registry-web and host port 5000 are already taken by the containers from the earlier sections, so stop those first (docker rm -f registry_private registry-web) or choose other names and ports. Also note that registry-srv is started without a volume for /var/lib/registry, so its images live only inside the container.

The web UI is then available at http://localhost:8080 with the default admin user/password admin/admin. Change that password before anyone else can reach port 8080: this account issues the tokens the registry trusts. The same goes for conf/auth.key, since whoever holds it can forge a token for any repository; only registry-web needs the key, the registry needs nothing but auth.cert.
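Both authentication modes on this page share one client-side pattern: the registry answers an anonymous request with 401 and a WWW-Authenticate challenge, and the client answers that challenge, with Basic credentials for the htpasswd setup in the first part and with a Bearer token fetched from the realm for the token setup just described. The Python script below is an added example, not code from this post or from docker-registry-web. It runs an in-process mock registry in either mode so the exchange can be exercised offline; the user/password pair and catalog contents are constructed, the mock's token endpoint reuses the htpasswd pair and emits unsigned tokens (the real registry-web signs them RS256 with conf/auth.key and the registry verifies them against rootcertbundle, which the standard library cannot reproduce), and names such as MockRegistry, docker_style_get and start_server are this example's own.

```python
import base64, json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

USER, PASSWORD = "admin", "123456"  # constructed, as in the walkthrough
CATALOG = {"registry": ["latest"], "qingzhu-backend-gray": ["v1", "v2"]}  # constructed
ISSUER, SERVICE, REALM_PATH = "my issuer", "localhost:5000", "/api/auth"

def basic_auth_header(user, password):
    """Header value; the part after "Basic " is what docker login stores as "auth" in config.json."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_challenge(header):  # 'Bearer realm="...",service="...",scope="..."' -> (scheme, params)
    scheme, _, rest = header.partition(" ")
    pairs = (item.strip().partition("=") for item in rest.split(","))
    return scheme, {k: v.strip('"') for k, _, v in pairs}

def issue_token(service, scope):
    """Stand-in for registry-web's /api/auth: same claims, but unsigned (stdlib has no RSA)."""
    b64url = lambda d: base64.urlsafe_b64encode(d).rstrip(b"=").decode()
    typ, name, action = scope.split(":", 2)
    claims = {"iss": ISSUER, "aud": service, "access": [{"type": typ, "name": name, "actions": [action]}]}
    return b64url(b'{"typ":"JWT","alg":"none"}') + "." + b64url(json.dumps(claims).encode()) + "."

class MockRegistry(BaseHTTPRequestHandler):
    mode = "htpasswd"  # set per server by start_server()

    def _send(self, status, body=None, challenge=None):
        data = json.dumps(body).encode() if body is not None else b""
        self.send_response(status)
        if challenge:
            self.send_header("WWW-Authenticate", challenge)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _allowed(self, typ, name, action):
        auth = self.headers.get("Authorization", "")
        if self.mode == "htpasswd":  # the real registry compares against the bcrypt hash in passwd
            return auth == basic_auth_header(USER, PASSWORD)
        try:  # the real registry first verifies the RS256 signature against rootcertbundle
            payload = auth.split(".")[1]
            claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
            return claims["iss"] == ISSUER and claims["aud"] == SERVICE and any(
                a["type"] == typ and a["name"] == name and action in a["actions"]
                for a in claims["access"])
        except (IndexError, ValueError, KeyError, TypeError):
            return False

    def do_GET(self):
        url = urlparse(self.path)
        if url.path == REALM_PATH:  # token endpoint; this mock reuses the htpasswd pair (assumption)
            if self.headers.get("Authorization") != basic_auth_header(USER, PASSWORD):
                return self._send(401)
            q = parse_qs(url.query)
            return self._send(200, {"token": issue_token(q["service"][0], q["scope"][0])})
        if url.path == "/v2/_catalog":
            typ, name, action = "registry", "catalog", "*"
        else:  # /v2/<name>/tags/list, the only other route this mock serves
            typ, name, action = "repository", "/".join(url.path.strip("/").split("/")[1:-2]), "pull"
        if not self._allowed(typ, name, action):
            challenge = 'Basic realm="Registry Realm"' if self.mode == "htpasswd" else (
                f'Bearer realm="http://{self.headers["Host"]}{REALM_PATH}",'
                f'service="{SERVICE}",scope="{typ}:{name}:{action}"')
            return self._send(401, {"errors": [{"code": "UNAUTHORIZED"}]}, challenge)
        if typ == "registry":
            return self._send(200, {"repositories": sorted(CATALOG)})
        return self._send(200, {"name": name, "tags": CATALOG.get(name, [])})

def get_json(url, auth=None):  # one request -> (status, headers, body); 4xx returned, not raised
    req = Request(url, headers={"Authorization": auth} if auth else {})
    try:
        with urlopen(req) as resp:
            return resp.status, resp.headers, json.loads(resp.read() or b"{}")
    except HTTPError as err:
        return err.code, err.headers, json.loads(err.read() or b"{}")

def docker_style_get(url, user, password):
    """What the docker client does: try anonymously, read the challenge, answer it, retry."""
    status, headers, body = get_json(url)
    if status != 401:
        return status, body
    scheme, params = parse_challenge(headers.get("WWW-Authenticate", ""))
    auth = basic_auth_header(user, password)
    if scheme == "Bearer":  # trade the credentials for a token scoped to this service and resource
        token_url = params["realm"] + "?" + urlencode({k: params[k] for k in ("service", "scope")})
        status, _, body = get_json(token_url, auth)
        if status != 200:
            return status, body
        auth = "Bearer " + body["token"]
    status, _, body = get_json(url, auth)
    return status, body

def start_server(mode):  # mock registry in "htpasswd" or "token" mode -> (server, base_url)
    srv = HTTPServer(("127.0.0.1", 0), type(f"Registry_{mode}", (MockRegistry,), {"mode": mode}))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"
```

Call start_server("htpasswd") or start_server("token"), then docker_style_get(base + "/v2/_catalog", "admin", "123456"). A plain get_json on the same URL shows the challenge that docker login answers (the "no basic auth credentials" error earlier on the page is the docker client reporting that it had nothing to answer a Basic challenge with), and basic_auth_header("admin", "123456") reproduces the value stored in ~/.docker/config.json and passed as REGISTRY_BASIC_AUTH, which is why both must be treated as plaintext credentials. In token mode the scope in the challenge (registry:catalog:* or repository:NAME:pull) is what limits a stolen token to one resource, unlike the Basic credential, which is good for everything.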

Reference: docker-registry-web

Tags: docker, operations

This article is reposted from: https://blog.csdn.net/weixin_38251332/article/details/129261314
Copyright belongs to the original author, PONY LEE. If this infringes your rights, contact us and it will be removed.
