Our private Docker Registry only becomes genuinely secure and reliable once an authentication mechanism is added. Follow the steps below to add one.
mkdir -p /data/docker.registry
mkdir -p /data/docker.registry/etc/registry/auth
yum -y install httpd-tools
Create the admin user and store it in /data/docker.registry/etc/registry/auth/passwd; this passwd file holds the login name together with the bcrypt-hashed password (the -B flag below).
htpasswd -Bbn admin 123456 > /data/docker.registry/etc/registry/auth/passwd
cat /data/docker.registry/etc/registry/auth/passwd
admin:$2y$05$3R0Y9nlTM.DQEAgSrGCdp.zFMkeRr8ILeK6kW/o0kvlagZLlpUmDG
# vi /data/docker.registry/etc/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    # allow image deletion; a default Registry install does not support delete
    enabled: true
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
docker run -d -p 5000:5000 \
--restart=always \
--name registry_private \
-v /data/docker.registry/etc/registry/auth:/etc/registry/auth \
-v /data/docker.registry/etc/registry/config.yml:/etc/docker/registry/config.yml \
-v /data/docker.registry/var/lib/registry:/var/lib/registry \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e "REGISTRY_AUTH_HTPASSWD_PATH=/etc/registry/auth/passwd" \
registry:latest
Once login succeeds, the credentials for port 5000 are saved in /root/.docker/config.json; they are needed when starting registry-web, as shown in the figure below:
3. Testing
[root@test data]# docker tag registry:latest 127.0.0.1:5000/registry:latest
[root@test data]# docker push 127.0.0.1:5000/registry
The push refers to repository [127.0.0.1:5000/registry]
fb6b1a93008f: Preparing
6d2d8cb41f01: Preparing
4f5aa08c5eaa: Preparing
8ebb9d6ed165: Preparing
0fcbbeeeb0d7: Preparing
no basic auth credentials
[root@test data]# docker login 127.0.0.1:5000 # admin/123456
Username (): admin
Password:
Login Succeeded
[root@test data]# docker push 127.0.0.1:5000/registry
The push refers to repository [127.0.0.1:5000/registry]
fb6b1a93008f: Pushed
6d2d8cb41f01: Pushed
4f5aa08c5eaa: Pushed
8ebb9d6ed165: Pushed
0fcbbeeeb0d7: Pushed
latest: digest: sha256:a0dd61073ad21122e5f1517682800272ef29df52041aaea7ee29e92a5d22aa28 size: 1363
[root@test data]# cat ~/.docker/config.json
{
  "auths": {
    "127.0.0.1:5000": {
      "auth": "YWRtaW46ZkZHHGGluVDQ1SA=="
    }
  }
}
Note: HTTPS is recommended whenever credentials are in use; the Basic auth value is only base64-encoded, not encrypted.
Log in:
docker login 172.x.x.x:5000
Enter the username and password admin/123456.
Open in a browser: http://172.x.x.x:5000/v2/_catalog
Enter the username/password admin/123456.
curl -u admin:123456 'http://127.0.0.1:5000/v2/qingzhu-backend-gray/tags/list'
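The credential handling that the login, push and curl steps above rely on, shown as an added Go example (this is not code from the page, from the Docker CLI or from the registry): docker login writes base64("user:password") into the auth field of config.json, docker push and curl -u send it back as an Authorization: Basic header, and an htpasswd-protected registry answers a missing header with a 401 challenge for the realm set by REGISTRY_AUTH_HTPASSWD_REALM. The config.json content is constructed (it encodes the admin/123456 login from this page and is not the author's real file), and the 172.16.0.10 host used for the no-credentials case is made up.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// dockerConfig mirrors the part of ~/.docker/config.json that docker login writes.
type dockerConfig struct {
	Auths map[string]struct {
		Auth string `json:"auth"`
	} `json:"auths"`
}

// sampleConfigJSON is a constructed config.json for the page's admin/123456
// login against 127.0.0.1:5000; it is not the author's real file.
const sampleConfigJSON = `{
  "auths": {
    "127.0.0.1:5000": {
      "auth": "YWRtaW46MTIzNDU2"
    }
  }
}`

// EncodeBasicAuth builds the value docker stores in "auth" and that
// hyper/docker-registry-web takes in REGISTRY_BASIC_AUTH: base64("user:pass").
func EncodeBasicAuth(user, pass string) string {
	return base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
}

// DecodeBasicAuth reverses EncodeBasicAuth. This is all a registry has to do
// to read the password back, which is why the page insists on HTTPS: the
// value is encoded, not encrypted.
func DecodeBasicAuth(encoded string) (user, pass string, err error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", "", fmt.Errorf("basic auth value is not valid base64: %w", err)
	}
	user, pass, ok := strings.Cut(string(raw), ":")
	if !ok {
		return "", "", errors.New("basic auth value lacks the ':' separator")
	}
	return user, pass, nil
}

// AuthorizationHeader is the client side (docker push, curl -u): look up the
// stored credential for a registry host and build the header to send. A host
// without a stored credential is the page's "no basic auth credentials" case.
func AuthorizationHeader(configJSON, registryHost string) (string, error) {
	var cfg dockerConfig
	if err := json.Unmarshal([]byte(configJSON), &cfg); err != nil {
		return "", fmt.Errorf("parse config.json: %w", err)
	}
	entry, ok := cfg.Auths[registryHost]
	if !ok || entry.Auth == "" {
		return "", fmt.Errorf("no basic auth credentials for %s", registryHost)
	}
	return "Basic " + entry.Auth, nil
}

// ParseAuthorizationHeader is the registry side: accept only the Basic scheme
// and return the user name and password it carries.
func ParseAuthorizationHeader(header string) (user, pass string, err error) {
	scheme, value, ok := strings.Cut(header, " ")
	if !ok || !strings.EqualFold(scheme, "Basic") {
		return "", "", errors.New("Authorization header is missing or not Basic")
	}
	return DecodeBasicAuth(strings.TrimSpace(value))
}

// Challenge is the WWW-Authenticate header an htpasswd-protected registry sends
// with 401 when no credentials arrive; realm is REGISTRY_AUTH_HTPASSWD_REALM.
func Challenge(realm string) string {
	return fmt.Sprintf("Basic realm=%q", realm)
}

func main() {
	hdr, err := AuthorizationHeader(sampleConfigJSON, "127.0.0.1:5000")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	user, pass, _ := ParseAuthorizationHeader(hdr)
	fmt.Printf("%s decodes to user=%q pass=%q\n", hdr, user, pass)
	// 172.16.0.10 is a made-up host with no stored login.
	_, err = AuthorizationHeader(sampleConfigJSON, "172.16.0.10:5000")
	fmt.Println("unknown host:", err)
	fmt.Println("401 challenge:", Challenge("Registry Realm"))
}
```

The decode step is the whole reason for the HTTPS note: anyone who can read the header on the wire, or read config.json on disk, recovers the password directly, so both the transport and the file permissions need protecting.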
Day-to-day management of the images in the repository is rather cumbersome if it is done purely through API requests.
hyper/docker-registry-web is a lightweight management UI.
# pull the image
docker pull hyper/docker-registry-web
# start the container; --link registry_private points at the Registry I installed earlier
docker rm -f registry-web
docker run -d \
  -p 8000:8080 \
  --name registry-web \
  --restart=always \
  --link registry_private \
  -e registry_url=http://registry_private:5000/v2 \
  -e registry_name=registry_private \
  -e REGISTRY_TRUST_ANY_SSL=false \
  -e REGISTRY_BASIC_AUTH="YWRtaW46ZkZ0WWluVDQ1SA==" \
  -e registry_auth_enabled=false \
  -e registry_readonly=false \
  hyper/docker-registry-web:latest
docker logs -f registry-web
Open in a browser:
http://172.x.x.x:8000
Token authentication requires an RSA private key in PEM format together with a certificate that matches that key.
mkdir conf
openssl req -new -newkey rsa:4096 -days 365 -subj "/CN=localhost" \
-nodes -x509 -keyout conf/auth.key -out conf/auth.cert
# conf/registry-srv.yml
version: 0.1
storage:
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: 0.0.0.0:5000
auth:
  token:
    # external URL of the docker-registry-web authentication endpoint
    realm: http://localhost:8080/api/auth
    # must be the same as registry.name of registry-web
    service: localhost:5000
    # must be the same as registry.auth.issuer of registry-web
    issuer: 'my issuer'
    # path to the auth certificate
    rootcertbundle: /etc/docker/registry/auth.cert
docker run -v $(pwd)/conf/registry-srv.yml:/etc/docker/registry/config.yml:ro \
-v $(pwd)/conf/auth.cert:/etc/docker/registry/auth.cert:ro -p 5000:5000 --name registry-srv -d registry:2
# conf/registry-web.yml
registry:
  # Docker registry URL
  url: http://registry-srv:5000/v2
  # Docker registry FQDN
  name: localhost:5000
  # to allow image deletion, this must be false
  readonly: false
  auth:
    # enable authentication
    enabled: true
    # token issuer; must equal auth.token.issuer of the Docker registry
    issuer: 'my issuer'
    # private key for token signing; the certificate in auth.token.rootcertbundle must be signed by this key
    key: /conf/auth.key
docker run -v $(pwd)/conf/registry-web.yml:/conf/config.yml:ro \
-v $(pwd)/conf/auth.key:/conf/auth.key -v $(pwd)/db:/data \
-it -p 8080:8080 --link registry-srv --name registry-web hyper/docker-registry-web
Web UI will be available on http://localhost:8080 with default admin user/password admin/admin.
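How the token flow configured in the two files above fits together, as an added Go example; it is not code from hyper/docker-registry-web or from the registry, only a standard-library re-implementation of the JWT signing and verification they perform between them. The issuer 'my issuer' and service localhost:5000 are the values from the YAML above, the claim layout (iss, sub, aud, exp, access) follows the Docker registry token specification, the repository name qingzhu-backend-gray is reused from the curl example earlier, and the 2048-bit key and five-minute token lifetime are choices made here for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// tokenConfig: the values both YAML files above must agree on ('my issuer' and localhost:5000 assumed from them).
type tokenConfig struct {
	Issuer  string // auth.token.issuer must equal registry.auth.issuer
	Service string // auth.token.service must equal registry.name
}

type Access struct {
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	Actions []string `json:"actions"`
}

type Claims struct {
	Issuer    string   `json:"iss"`
	Subject   string   `json:"sub"`
	Audience  string   `json:"aud"`
	ExpiresAt int64    `json:"exp"`
	Access    []Access `json:"access"`
}

var b64 = base64.RawURLEncoding // JWT parts are unpadded base64url

// IssueToken models registry-web's /api/auth: sign an RS256 JWT with the private key mounted as /conf/auth.key.
func IssueToken(key *rsa.PrivateKey, cfg tokenConfig, user, repo string, actions []string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(Claims{
		Issuer: cfg.Issuer, Subject: user, Audience: cfg.Service,
		ExpiresAt: now.Add(5 * time.Minute).Unix(),
		Access:    []Access{{Type: "repository", Name: repo, Actions: actions}},
	})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken models the registry side with the public key from rootcertbundle (auth.cert): alg is pinned to
// RS256, the signature is checked before any claim is trusted, and issuer/audience must match this registry's
// config, so a mismatch between the two YAML files is rejected here instead of silently accepted.
func VerifyToken(pub *rsa.PublicKey, cfg tokenConfig, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three dot-separated parts")
	}
	hdrBytes, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("token parts are not valid base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header is malformed or alg is not RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature was not made by the key behind auth.cert")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("bad claims: %w", err)
	}
	switch {
	case c.Issuer != cfg.Issuer:
		return nil, fmt.Errorf("issuer %q != auth.token.issuer %q", c.Issuer, cfg.Issuer)
	case c.Audience != cfg.Service:
		return nil, fmt.Errorf("audience %q != auth.token.service %q", c.Audience, cfg.Service)
	case now.Unix() >= c.ExpiresAt:
		return nil, errors.New("token has expired")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // the page uses rsa:4096; 2048 here only for speed
	cfg := tokenConfig{Issuer: "my issuer", Service: "localhost:5000"}
	tok, _ := IssueToken(key, cfg, "admin", "qingzhu-backend-gray", []string{"pull", "push"}, time.Now())
	c, err := VerifyToken(&key.PublicKey, cfg, tok, time.Now())
	fmt.Println("matching config accepted:", c != nil, err)
	_, err = VerifyToken(&key.PublicKey, tokenConfig{Issuer: "other", Service: "localhost:5000"}, tok, time.Now())
	fmt.Println("issuer mismatch:", err)
}
```

The two failure modes worth keeping in mind when wiring this up are visible in VerifyToken: a token signed with a key other than the one behind auth.cert fails the signature check, and a token whose iss or aud does not match the registry's own auth.token settings is refused even though its signature is good, which is exactly what happens when the issuer or name values in the two YAML files drift apart.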