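This article explains in detail how to set up a Docker Registry service that uses token authentication. It is shared here as a practical reference.
Setting up a Registry service with token authentication
1. Create the directories
mkdir -p /data/volumes/{auth_server/{config,ssl},docker_registry/data}
2. Copy the certificate files
If you already have certificate files, copy them into the ssl folder. The files are server.key and server.pem.
If you have no certificate files, generate temporary ones with the command below.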
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.pem
3. Write the configuration file for the auth service
Create the configuration file (auth_config.yml) in the directory /data/volumes/auth_server/config
server:  # Server settings.
  # Address to listen on.
  addr: ":5001"
  # TLS certificate and key.
  certificate: "/ssl/server.pem"
  key: "/ssl/server.key"
token:  # Settings for the tokens.
  issuer: "Auth Service"  # Must match issuer in the Registry config.
  expiration: 900
# Static user map.
users:
  # Password is specified as a BCrypt hash. Use htpasswd -B to generate.
  "admin":
    password: "$2y$05$B.x046DV3bvuwFgn0I42F.W/SbRU5fUoCbCGtjFl7S33aCUHNBxbq"
  "reader":
    password: "$2y$05$xN3hNmNlBIYpST7UzqwK/O5T1/JyXDGuJgKJzf4XuILmvX7L5ensa"
  "": {}  # Allow anonymous (no "docker login") access.
acl:
  # Admin has full access to everything.
  - match: {account: "admin"}
    actions: ["*"]
  - match: {account: "reader", name: "nginx"}
    actions: ["pull"]
4. Bring up the registry and auth services
The services are deployed with Compose. Create the compose file (registry-auth.yml)
dockerauth:
  image: cesanta/docker_auth:stable
  container_name: docker_auth
  ports:
    - "5001:5001"
  volumes:
    - /data/volumes/auth_server/config:/config:ro
    - /var/log/docker_auth:/logs
    - /data/volumes/auth_server/ssl:/ssl
  command: /config/auth_config.yml
  restart: always
registry:
  image: registry:2
  container_name: docker_registry
  ports:
    - "5000:5000"
  volumes:
    - /data/volumes/auth_server/ssl:/ssl
    - /data/volumes/docker_registry/data:/var/lib/registry
  restart: always
  environment:
    - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry
    - REGISTRY_AUTH=token
    - REGISTRY_AUTH_TOKEN_REALM=https://registry.sky.com:5001/auth
    # No quotes around the values: in list form they would become part of the
    # value, and the issuer would no longer match the one in auth_config.yml.
    - REGISTRY_AUTH_TOKEN_SERVICE=Docker registry
    - REGISTRY_AUTH_TOKEN_ISSUER=Auth Service
    - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/ssl/server.pem
    - REGISTRY_HTTP_TLS_CERTIFICATE=/ssl/server.pem
    - REGISTRY_HTTP_TLS_KEY=/ssl/server.key
Run the command
docker-compose -f registry-auth.yml up
5. Live test
Username (reader):
Password:
Login Succeeded
$ docker tag nginx registry.sky.com:5000/nginx
$ docker push registry.sky.com:5000/nginx
The push refers to a repository [registry.sky.com:5000/nginx]
5f70bf18a086: Preparing
bbf4634aee1a: Preparing
64d0c8aee4b0: Preparing
4dcab49015d4: Preparing
unauthorized: authentication required
Test passed: the reader account only has pull permission on nginx, so the push is rejected.
docker push registry.sky.com:5000/nginx
The push refers to a repository [registry.sky.com:5000/nginx]
5f70bf18a086: Pushed
bbf4634aee1a: Pushed
64d0c8aee4b0: Pushed
4dcab49015d4: Pushed
latest: digest: sha256:e2ba8f461c877d3bbe0294dcce6398b085a19117d73e0ae1d75f9b412cab8c2e size: 1978
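When a push or pull ends in "unauthorized: authentication required", decoding the token that the auth service issued shows whether the issuer, the service name, the expiry or the granted actions are the cause. The Python code below is an added example, not part of the original article or of docker_auth; the function names and the sample token are constructed for illustration, and the signature is deliberately not verified, so it is a diagnostic aid only.

```python
import base64
import json
import time

# Values the registry is configured with on this page (registry-auth.yml).
ISSUER = "Auth Service"        # REGISTRY_AUTH_TOKEN_ISSUER
SERVICE = "Docker registry"    # REGISTRY_AUTH_TOKEN_SERVICE


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode the JWT payload. The signature is NOT verified: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def refusal_reasons(token, repo, action, issuer=ISSUER, service=SERVICE, now=None):
    """Return the reasons a registry with this config would refuse the request."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    reasons = []
    if claims.get("iss") != issuer:
        reasons.append(f"issuer mismatch: {claims.get('iss')!r} != {issuer!r}")
    if claims.get("aud") != service:
        reasons.append(f"service mismatch: {claims.get('aud')!r} != {service!r}")
    if now >= claims.get("exp", 0):
        reasons.append("token expired")
    granted = {a for e in claims.get("access", [])
               if e.get("type") == "repository" and e.get("name") == repo
               for a in e.get("actions", [])}
    if action not in granted:
        reasons.append(f"{action!r} not granted on {repo!r}: {sorted(granted)}")
    return reasons


def sample_reader_token(iat=1_700_000_000):
    """Constructed token shaped like one issued to 'reader' for nginx (fake signature)."""
    claims = {"iss": ISSUER, "sub": "reader", "aud": SERVICE, "iat": iat,
              "exp": iat + 900,  # expiration: 900 from auth_config.yml
              "access": [{"type": "repository", "name": "nginx", "actions": ["pull"]}]}
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims)) + "." + _b64url(b"constructed")
```

Calling `refusal_reasons(sample_reader_token(), "nginx", "push", now=1_700_000_010)` reports that push was not granted, which is the case the reader test above hits. Passing `issuer='"Auth Service"'` models a registry whose environment value contains literal quote characters and reports an issuer mismatch.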