Docker如何搭建基于Token认证的的Registry服务
这篇文章将为大家详细讲解有关Docker如何搭建基于Token认证的的Registry服务,小编觉得挺实用的,因此分享给大家做个参考,希望大家阅读完这篇文章后可以有所收获。
创新互联建站坚持“要么做到,要么别承诺”的工作理念,服务领域包括:成都做网站、成都网站建设、企业官网、英文网站、手机端网站、网站推广等服务,满足客户于互联网时代的瑶海网站设计、移动媒体设计的需求,帮助企业找到有效的互联网解决方案。努力成为您成熟可靠的网络建设合作伙伴!
搭建Token认证的Registry服务
1. 创建目录
mkdir -p {/data/volume/{auth_server/{config,ssl},docker_registry/data}}
2. 拷贝认证文件
如果有现成的认证文件,将文件拷贝至ssl文件夹下,文件包括( server.key, server.pem )
如果没有认证文件,使用下面的指令生成临时文件
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.pem
3. 配置认证服务的配置文件
在目录(/data/volumes/auth_server/config)下创建配置文件(auth_config.yml)
server: # Server settings. # Address to listen on. addr: ":5001" # TLS certificate and key. certificate: "/ssl/server.pem" key: "/ssl/server.key" token: # Settings for the tokens. issuer: "Auth Service" # Must match issuer in the Registry config. expiration: 900 # Static user map. users: # Password is specified as a BCrypt hash. Use htpasswd -B to generate. "admin": password: "$2y$05$B.x046DV3bvuwFgn0I42F.W/SbRU5fUoCbCGtjFl7S33aCUHNBxbq" "reader": password: "$2y$05$xN3hNmNlBIYpST7UzqwK/O5T1/JyXDGuJgKJzf4XuILmvX7L5ensa" "": {} # Allow anonymous (no "docker login") access. acl: # Admin has full access to everything. - match: {account: "admin"} actions: ["*"] - match: {account: "reader", name: "nginx"} actions: ["pull"]
4. 搭建registry和auth服务
采用compose模式搭建,创建compose文件(registry-auth.yml)
dockerauth: image: cesanta/docker_auth:stable container_name: docker_auth ports: - "5001:5001" volumes: - /data/volumes/auth_server/config:/config:ro - /var/log/docker_auth:/logs - /data/volumes/auth_server/ssl:/ssl command: /config/auth_config.yml restart: always registry: image: registry:2 container_name: docker_registry ports: - "5000:5000" volumes: - /data/volumes/auth_server/ssl:/ssl - /data/volumes/docker_registry/data:/var/lib/registry restart: always environment: - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry - REGISTRY_AUTH=token - REGISTRY_AUTH_TOKEN_REALM=https://registry.sky.com:5001/auth - REGISTRY_AUTH_TOKEN_SERVICE="Docker registry" - REGISTRY_AUTH_TOKEN_ISSUER="Auth Service" - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/ssl/server.pem - REGISTRY_HTTP_TLS_CERTIFICATE=/ssl/server.pem - REGISTRY_HTTP_TLS_KEY=/ssl/server.key
执行指令
docker-compose -f registry-auth.yml up
5. 在线测试
找一个安装了docker的服务器
执行登录指令
docker login registry.sky.com:5000
输入用户名和密码
Username (reader): Password: Login Succeeded
根据前面的权限配置,reader用户只有pull权限,无法push操作
$ docker tag nginx registry.sky.com:5000/nginx $ docker push registry.sky.com:5000/nginx The push refers to a repository [registry.sky.com:5000/nginx] 5f70bf18a086: Preparing bbf4634aee1a: Preparing 64d0c8aee4b0: Preparing 4dcab49015d4: Preparing unauthorized: authentication required
测试成功,无法提交
重新采用admin用户登录
docker push registry.sky.com:5000/nginx The push refers to a repository [registry.sky.com:5000/nginx] 5f70bf18a086: Pushed bbf4634aee1a: Pushed 64d0c8aee4b0: Pushed 4dcab49015d4: Pushed latest: digest: sha256:e2ba8f461c877d3bbe0294dcce6398b085a19117d73e0ae1d75f9b412cab8c2e size: 1978
关于“Docker如何搭建基于Token认证的的Registry服务”这篇文章就分享到这里了,希望以上内容可以对大家有一定的帮助,使各位可以学到更多知识,如果觉得文章不错,请把它分享出去让更多的人看到。
分享标题:Docker如何搭建基于Token认证的的Registry服务
网页路径:http://ybzwz.com/article/jspsje.html