
Docker private registry: password authentication (+ certificate)

Set up a private registry with password authentication (if you intend to actually use it, add a certificate; otherwise it is not secure).

My environment is CentOS 7.4 with two servers: Server and Client (Docker version 1.13.1).

192.168.237.130 - server | 192.168.237.132 - server-2
↓ Steps
Server side: 1. Create a file containing the account and password. 2. Start the registry (specify the auth type and the password file). Client side: 1. Log in to the registry with docker login, after which it can be accessed.

↓ Original source

Detailed walkthrough of creating a multi-user Docker registry with secure authentication for a company: https://blog.csdn.net/dream_an/article/details/58005324

1. Create the password file and environment overview

↓ Create the password file (htpasswd -B produces a bcrypt hash, the only format the registry accepts).
[root@server ~]# mkdir /etc/docker/auth
[root@server ~]# docker run --entrypoint htpasswd docker.io/registry:latest -Bbn hyiqie 123456 >/etc/docker/auth/htpasswd
↓ Docker environment.
[root@server ~]# docker version
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64
 Go version:      go1.10.3
 Git commit:      b2f74b2/1.13.1
 Built:           Wed May  1 14:55:20 2019
 OS/Arch:         linux/amd64

Server:
 Version:         1.13.1
 API version:     1.26 (minimum version 1.12)
 Package version: docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64
 Go version:      go1.10.3
 Git commit:      b2f74b2/1.13.1
 Built:           Wed May  1 14:55:20 2019
 OS/Arch:         linux/amd64
 Experimental:    false
[root@server ~]# docker images
REPOSITORY                   TAG       IMAGE ID       CREATED        SIZE
192.168.237.130:5000/nginx   latest    53f3fd8007f7   5 days ago     109 MB
docker.io/nginx              latest    53f3fd8007f7   5 days ago     109 MB
docker.io/registry           latest    f32a97de94e1   2 months ago   25.8 MB

2. Start the private registry

↓ Start the private registry (REGISTRY_AUTH=htpasswd selects the auth backend; the realm and the mounted password file complete it).
[root@server ~]# docker run -d -p 5000:5000 --restart=always --name registry \
-v /data/registry/:/var/lib/registry/ \
-v /etc/docker/auth/:/auth/ \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
docker.io/registry:latest
c894b1c4c8a20973d6ebd528841e0d3f61642116e2a1b00dd5c7dc5399715d4a

3. Test

↓ Allow the insecure registry (no certificate is configured yet, so only HTTP works). Add the "insecure-registries" line; that is all that is needed to allow the insecure registry address. daemon.json must be valid JSON, so keep comments out of the file itself.
[root@server ~]# vim /etc/docker/daemon.json
{
"insecure-registries":["192.168.237.130:5000"],
"registry-mirrors": ["https://xxx.mirror.aliyuncs.com"]
}
↓ Restart Docker so the configuration takes effect.
[root@server ~]# systemctl restart docker
↓ Push fails (not logged in).
[root@server ~]# docker push 192.168.237.130:5000/nginx:latest
The push refers to a repository [192.168.237.130:5000/nginx]
332fa54c5886: Preparing
6ba094226eea: Preparing
6270adb5794c: Preparing
no basic auth credentials
↓ Log in to the private registry.
[root@server ~]# docker login 192.168.237.130:5000
Username: hyiqie
Password: 123456
Login Succeeded
↓ Push succeeds.
[root@server ~]# docker push 192.168.237.130:5000/nginx:latest
The push refers to a repository [192.168.237.130:5000/nginx]
332fa54c5886: Pushed
6ba094226eea: Pushed
6270adb5794c: Pushed
latest: digest: sha256:e770165fef9e36b990882a4083d8ccf5e29e469a8609bb6b2e3b47d9510e2c8d size: 948
↓ Query fails (no credentials supplied).
[root@server ~]# curl https://192.168.237.130:5000/v2/_catalog -k
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
↓ Query succeeds once the username and password are supplied.
[root@server ~]# curl https://192.168.237.130:5000/v2/_catalog -k -u hyiqie:123456
{"repositories":["nginx"]}
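As an added example that is not part of the original post, the script below checks what the push and curl tests above demonstrate, but on every v2 endpoint at once: an anonymous request must come back as 401 with a WWW-Authenticate: Basic challenge, and anything else is flagged. The registry address and the http scheme are assumptions taken from this section, and the two sample responses embedded in the script are constructed, not captured from the post's registry. Keep in mind that with insecure-registries the daemon talks plain HTTP, so the Basic credentials that docker login sends cross the network base64-encoded but unencrypted; that is the gap section 4 closes with the certificate.

```shell
#!/bin/sh
# Added example, not code from the original post: probe a registry and confirm
# that anonymous requests to the v2 API are refused with 401 plus a Basic
# challenge on every endpoint, not only the push path shown above.
# REGISTRY and SCHEME are assumptions taken from the post's setup.
REGISTRY="${REGISTRY:-192.168.237.130:5000}"
SCHEME="${SCHEME:-http}"   # section 3 runs the registry over plain HTTP

# Constructed sample responses (not captured from the post's registry), shaped
# like the 401 the post's curl received and like an unprotected 200.
SAMPLE_PROTECTED='HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Www-Authenticate: Basic realm="Registry Realm"
Content-Length: 145'
SAMPLE_OPEN='HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 26'

# check_challenge: read raw HTTP response headers from stdin; return 0 only
# when the status line says 401 and a WWW-Authenticate: Basic header exists.
check_challenge() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    [ "$status" = "401" ] || return 1
    printf '%s\n' "$hdrs" | grep -iq '^www-authenticate:[[:space:]]*basic' || return 1
}

# probe_endpoint PATH: fetch only the headers of /v2/PATH with no credentials.
probe_endpoint() {
    curl -sS -o /dev/null -D - "$SCHEME://$REGISTRY/v2/$1" | check_challenge
}

# selftest: run check_challenge over the constructed samples; 0 when it
# accepts the protected response and rejects the open one.
selftest() {
    printf '%s\n' "$SAMPLE_PROTECTED" | check_challenge || return 1
    if printf '%s\n' "$SAMPLE_OPEN" | check_challenge; then return 1; fi
    return 0
}

# main: probe the base endpoint, the catalog and a tag list; non-zero exit if
# any of them answers without demanding credentials.
main() {
    rc=0
    for ep in "" "_catalog" "nginx/tags/list"; do
        if probe_endpoint "$ep"; then
            echo "OK    /v2/$ep rejects anonymous access"
        else
            echo "ALERT /v2/$ep answered without a 401 Basic challenge"
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    --run) main ;;
    --selftest) selftest && echo "selftest passed" ;;
esac
```

Run it with --run from a host that can reach the registry; --selftest exercises the header parser offline. A registry that answers the catalog with 200 to an anonymous request, or that returns 401 without a challenge, is misconfigured relative to what this section expects.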

4. Combining certificate and password

↓↓ Notes ↓↓

Configure certificate authentication and password authentication together.

4.1 Server

[root@server ~]# mkdir /etc/docker/certs.d/192.168.237.130:5000
[root@server ~]# mkdir /etc/docker/auth
[root@server ~]# cp cacert.pem /etc/docker/certs.d/192.168.237.130\:5000/ca.crt
[root@server ~]# cp new* /etc/docker/certs.d/
[root@server ~]# docker run --entrypoint htpasswd docker.io/registry:latest -Bbn hyiqie 123456 >/etc/docker/auth/htpasswd
[root@server ~]# docker run -d -p 5000:5000 --restart=always --name registry \
-v /data/registry/:/var/lib/registry/ \
-v /etc/docker/certs.d/:/certs.d/ \
-v /etc/docker/auth/:/auth/ \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs.d/newcert.pem \
-e REGISTRY_HTTP_TLS_KEY=/certs.d/newreq.pem \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
docker.io/registry:latest
44db15e69d3fb81e202ec4672c1c7e44508af950aabc123c2f47fdedcb101819

4.2 Client

[root@server-2 ~]# scp -r 192.168.237.130:/etc/docker/certs.d/192.168.237.130:5000 /etc/docker/certs.d/
root@192.168.237.130's password:123456 
ca.crt                                                                    100% 4295   915.7KB/s   00:00
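The following script, an added example and not the post's own code, automates section 4.1 and checks the inputs before starting the registry: the certificate and key must belong together, the certificate's subjectAltName must cover the registry's IP (Docker daemons built with Go 1.15 or later reject certificates that rely on the Common Name alone), and every htpasswd line must be a bcrypt hash, the only format the registry's htpasswd backend accepts. The host, port, directory and user default to the values used in the post and are assumptions; REG_PASS must be supplied. The htpasswd fallback uses the httpd:2 image because newer registry images no longer ship the htpasswd binary (the post's registry:latest did at the time). The bcrypt line embedded for the self-check is a constructed placeholder, not a real hash.

```shell
#!/bin/sh
# Added example, not code from the original post: build the certificate and
# password material section 4 expects, verify it offline, then start the
# registry with TLS and htpasswd together. REG_HOST, REG_PORT, REG_DIR and
# REG_USER are assumptions taken from the post's setup (REG_PASS must be set).
REG_HOST="${REG_HOST:-192.168.237.130}"
REG_PORT="${REG_PORT:-5000}"
REG_DIR="${REG_DIR:-/etc/docker}"
REG_USER="${REG_USER:-hyiqie}"

# Constructed htpasswd line (placeholder hash, not the hash of any real
# password) in the bcrypt shape that `htpasswd -B` emits.
SAMPLE_BCRYPT_LINE='hyiqie:$2y$05$abcdefghijklmnopqrstuuAbCdEfGhIjKlMnOpQrStUvWxYz01234'

# gen_self_signed_cert DIR HOST: write DIR/key.pem and DIR/cert.pem with a
# subjectAltName of IP:HOST. Modern Docker validates the SAN, not the CN, so a
# CN-only certificate is refused when the registry is addressed by IP.
gen_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -addext "subjectAltName=IP:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# cert_matches_key CERT KEY: 0 when both carry the same public key, which is
# what REGISTRY_HTTP_TLS_CERTIFICATE / _KEY require of the pair.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1") || return 1
    k=$(openssl pkey -pubout -in "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_has_ip_san CERT HOST: 0 when the SAN lists "IP Address:HOST".
cert_has_ip_san() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -noout -text -in "$1" | grep -Eq "IP Address:$pat(,|\$)"
}

# htpasswd_is_bcrypt FILE: the registry's htpasswd backend accepts bcrypt
# hashes only ($2a$/$2b$/$2y$), which is why the post passes -B. Returns 1 if
# the file is empty or any non-blank line uses another hash format.
htpasswd_is_bcrypt() {
    [ -s "$1" ] || return 1
    ! grep -v '^[[:space:]]*$' "$1" | grep -vEq '^[^:]+:\$2[aby]\$'
}

# make_htpasswd FILE USER PASS: prefer a local htpasswd; otherwise use the
# one in the httpd:2 image (newer registry images no longer ship htpasswd).
make_htpasswd() {
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -Bbn "$2" "$3" > "$1"
    else
        docker run --rm --entrypoint htpasswd httpd:2 -Bbn "$2" "$3" > "$1"
    fi
}

# start_registry: the post's docker run, pointed at the generated files.
start_registry() {
    docker run -d -p "$REG_PORT:5000" --restart=always --name registry \
        -v /data/registry/:/var/lib/registry/ \
        -v "$REG_DIR/certs.d/:/certs.d/" \
        -v "$REG_DIR/auth/:/auth/" \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs.d/cert.pem \
        -e REGISTRY_HTTP_TLS_KEY=/certs.d/key.pem \
        -e REGISTRY_AUTH=htpasswd \
        -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        docker.io/registry:latest
}

# selfcheck: exercise the checks in a temp dir without docker or root.
selfcheck() {
    t=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_BCRYPT_LINE" > "$t/htpasswd"
    htpasswd_is_bcrypt "$t/htpasswd" || return 1
    gen_self_signed_cert "$t" "$REG_HOST" || return 1
    cert_matches_key "$t/cert.pem" "$t/key.pem" || return 1
    cert_has_ip_san "$t/cert.pem" "$REG_HOST" || return 1
    rm -rf "$t"
}

main() {
    certdir="$REG_DIR/certs.d"; authdir="$REG_DIR/auth"
    mkdir -p "$certdir/$REG_HOST:$REG_PORT" "$authdir"
    gen_self_signed_cert "$certdir" "$REG_HOST"
    cert_matches_key "$certdir/cert.pem" "$certdir/key.pem" || { echo "cert/key mismatch"; return 1; }
    cert_has_ip_san "$certdir/cert.pem" "$REG_HOST" || { echo "certificate lacks IP SAN"; return 1; }
    # A self-signed cert is its own CA: this is the post's "cp cacert.pem ... ca.crt".
    cp "$certdir/cert.pem" "$certdir/$REG_HOST:$REG_PORT/ca.crt"
    make_htpasswd "$authdir/htpasswd" "$REG_USER" "${REG_PASS:?set REG_PASS}"
    htpasswd_is_bcrypt "$authdir/htpasswd" || { echo "htpasswd is not bcrypt"; return 1; }
    start_registry
}

case "${1:-}" in
    --run) main ;;
    --selfcheck) selfcheck && echo "selfcheck passed" ;;
esac
```

Run it with --run on the server (as root, so it can write under /etc/docker) or with --selfcheck anywhere openssl is installed. The ca.crt it drops into /etc/docker/certs.d/<host:port>/ is the same file the client copies with scp in 4.2; once that file is in place on the client, the insecure-registries entry from section 3 is no longer needed and should be removed, otherwise the daemon may still fall back to plain HTTP.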