自建镜像仓库

Docker-registry-tls-auth

前期准备


# Install httpd-tools: it provides htpasswd, which generates the bcrypt
# password hashes consumed by the auth server configured further down.
yum -y install httpd-tools

# Root directory for everything this page creates (certs, registry data, configs).
registryHome="/data/docker-registry/0930-config-tls-auth"

自签证书


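# Directory for the CA and server key material. Create it idempotently and
# restrict it to the owner, since it will hold private keys. (The containers
# started below run as root by default; if you run them as a non-root user,
# loosen the mode accordingly.)
mkdir -p "$registryHome/ssl"
chmod 700 "$registryHome/ssl"
cd "$registryHome/ssl" || exit 1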




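# ---- CA ---------------------------------------------------------------------
# Create the CA private key and a CSR for it. The CA gets a CN that differs
# from the server name so that the issuer and subject of the server certificate
# are distinct DNs (identical names make the leaf look self-issued to some
# validators). Use plain ASCII quotes: curly quotes are passed to the shell as
# literal characters and end up in the file names.
openssl genrsa -out root-ca.key 2048
chmod 600 root-ca.key
openssl req -new -key root-ca.key -out root-ca.csr -sha256 \
  -subj '/C=CN/ST=beijing/L=beijing/O=margu/CN=margu Root CA'

# Extensions for the root certificate: a CA that may issue one level of
# sub-CAs and is used only for signing certificates and CRLs.
cat > root-ca.cnf <<'EOF'
[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
EOF

# Self-sign the root certificate (valid 10 years).
openssl x509 -req -days 3650 -sha256 -in root-ca.csr -signkey root-ca.key \
  -extfile root-ca.cnf -extensions root_ca -out root-ca.crt

# ---- Server certificate -------------------------------------------------------
# Private key and CSR for the registry host.
openssl genrsa -out core-cache.registry.com.key 2048
chmod 600 core-cache.registry.com.key
openssl req -new -key core-cache.registry.com.key -out site.csr -sha256 \
  -subj '/C=CN/ST=beijing/L=beijing/O=registry/CN=core-cache.registry.com'

# Extensions for the server certificate. subjectAltName is what Docker, Go and
# curl actually validate, so it must list every DNS name and IP that clients
# will use to reach the registry.
cat > site.cnf <<'EOF'
[server]
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:core-cache.registry.com, IP:10.20.3.103
subjectKeyIdentifier = hash
EOF

# Issue the server certificate from the CA (valid ~2 years).
openssl x509 -req -days 750 -sha256 -in site.csr -CA root-ca.crt -CAkey root-ca.key \
  -CAcreateserial -extfile site.cnf -extensions server -out core-cache.registry.com.crt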

docker使用自签证书


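# Make the Docker daemon trust the private CA for this registry. Docker loads
# every *.crt under /etc/docker/certs.d/<host[:port]>/ as a trust anchor; the
# directory has no ":port" suffix because the registry listens on 443.
# Installing the CA certificate (rather than the server's leaf certificate)
# means the server certificate can be re-issued later without redistributing
# anything to clients. Repeat this on every Docker host that uses the registry.
mkdir -p /etc/docker/certs.d/core-cache.registry.com
cp -a "$registryHome/ssl/root-ca.crt" /etc/docker/certs.d/core-cache.registry.com/ca.crt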

启动registry服务


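mkdir -p "$registryHome/registry/config"
mkdir -p "$registryHome/registry/data"

# Registry configuration: TLS + token authentication.
# The heredoc delimiter is deliberately unquoted so that $(...) below is
# expanded when the file is written.
cat > "$registryHome/registry/config/config.yml" <<EOF
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :443
  headers:
    X-Content-Type-Options: [nosniff]
  tls:
    certificate: /etc/docker/ssl/core-cache.registry.com.crt
    key: /etc/docker/ssl/core-cache.registry.com.key
  host: https://core-cache.registry.com
  # Per-deployment random secret; the registry uses it to sign upload state.
  # The well-known example value "asecretforlocaldevelopment" must not be used
  # in a real deployment. If several registries sit behind a load balancer,
  # they must all share the same value.
  secret: "$(openssl rand -hex 32)"

auth:
  token:
    # Clients are sent here to obtain a bearer token (the docker_auth container
    # started later). service and issuer must match the auth server's config.
    realm: https://core-cache.registry.com:5001/auth
    service: Docker-registry
    issuer: "Auth Service"
    # Certificate(s) used to verify token signatures. NOTE(review): this is the
    # auth server's TLS certificate, i.e. the setup assumes docker_auth signs
    # tokens with its server key; if a dedicated token key is configured on the
    # auth server, point this at that certificate instead.
    rootcertbundle: /etc/docker/ssl/core-cache.registry.com.crt

health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
EOF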




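# (Re)start the registry container. The data directory is the only mount
# that needs to be writable; TLS material and config are mounted read-only.
docker rm -f tls-auth-registry

# NOTE(review): the whole ssl/ directory, including root-ca.key, is mounted
# into the container although only the server cert/key are needed. Once the
# server certificate has been issued, keep the CA key somewhere that is not
# mounted into any container.
# --oom-kill-disable is intentionally not passed: without a --memory limit it
# allows the container to exhaust host memory (Docker itself warns about this).
docker run -d \
  --name tls-auth-registry \
  -p 443:443 \
  -v "$registryHome/registry/data:/var/lib/registry" \
  -v "$registryHome/ssl/:/etc/docker/ssl:ro" \
  -v "$registryHome/registry/config:/etc/docker/registry:ro" \
  --restart=always \
  hub.glodon.com/glodon-pub/registry:2.8.3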

启动oauth2服务


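mkdir -p "$registryHome/auth-server/config"
mkdir -p "$registryHome/auth-server/logs"

# Generate the bcrypt hash for the admin user. htpasswd prompts for the
# password interactively (this example uses 123456 — choose a real one) and
# prints "Securitit:$2y$05$...". Copy the part after the colon into the
# auth server config below. (A bare "> 123456" line, as sometimes seen in
# transcripts of this step, is a shell redirection that creates an empty file,
# not a way to supply the password.)
htpasswd -nB Securitit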







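# Auth server (docker_auth) configuration. The heredoc delimiter is quoted so
# the "$" characters in the bcrypt hash are written literally — no backslash
# escaping needed, and a pasted hash cannot be mangled by expansion.
cat > "$registryHome/auth-server/config/config.yml" <<'EOF'
server:
  addr: ":5001"
  certificate: "/ssl/core-cache.registry.com.crt"
  key: "/ssl/core-cache.registry.com.key"

token:
  issuer: "Auth Service"  # Must match auth.token.issuer in the registry config.
  expiration: 900         # Token lifetime in seconds.

users:
  # Password is specified as a BCrypt hash. Use `htpasswd -nB USERNAME` to generate.
  # Replace this example hash (it belongs to a trivial password) before use,
  # and do not record the plaintext next to it.
  "Securitit":
    password: "$2y$05$5bvbSafPYC0O0SH3tNF9Q.ittEKgL1Gjr2eTnZf/yCD.ggQdldmJS"

acl:
  # NOTE(review): requests that match no ACL entry are expected to be denied
  # (docker_auth's default) — confirm against the docker_auth version in use.
  - match: {account: "Securitit"}
    actions: ["*"]
    comment: "Admin has full access to everything."
EOF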




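docker rm -f tls-auth-server

# Start docker_auth. The container name is given exactly once (passing
# --name twice, as in the original, only keeps the last value and is
# confusing). Certificates and config are mounted read-only.
# NOTE(review): ssl/ also contains root-ca.key, which this service does not
# need; keep the CA key outside any directory mounted into containers.
# --oom-kill-disable is omitted: without a --memory limit it can let the
# container exhaust host memory.
# Supply-chain note: pin the image to a version or digest instead of :latest
# so that restarts do not silently pull a different build.
docker run -d \
  --name tls-auth-server \
  -p 5001:5001 \
  -v "$registryHome/ssl:/ssl/:ro" \
  -v "$registryHome/auth-server/config:/config:ro" \
  -v "$registryHome/auth-server/logs:/logs" \
  --restart=always \
  hub.glodon.com/glodon-pub/docker_auth:latest /config/config.yml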

绑定hosts


# /etc/hosts entry, needed on every Docker client (and on the registry host
# itself). The name must match the DNS entry in the server certificate's
# subjectAltName; the IP matches its IP entry.
10.20.3.103 core-cache.registry.com

docker认证


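# Log in to the registry. Let docker prompt for the password instead of
# passing it with -p, which leaves it in shell history and visible in `ps`.
# For non-interactive use, pipe it in: `... -u Securitit --password-stdin`.
docker login core-cache.registry.com -u Securitit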

带有认证的镜像仓库,通过curl的查看方式


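# Querying the authenticated registry with curl.
# TLS is verified against the private CA instead of being disabled with -k;
# -k would accept any certificate, including a man-in-the-middle's.
CA_CERT="$registryHome/ssl/root-ca.crt"
AUTH_URL="https://core-cache.registry.com:5001/auth"
REGISTRY_URL="https://core-cache.registry.com"

# Obtain a bearer token for one scope, e.g. "registry:catalog:*" or
# "repository:<name>:pull" (OAuth2 password grant against the auth server).
# The token is taken from the "token" field of the JSON response; the
# "[{,]" guard keeps the pattern from matching "access_token" instead.
# NOTE(review): assumes compact JSON (no space after the colon), which is what
# docker_auth emits; adjust if the response is pretty-printed.
# Prefer reading the password from a secret store rather than hard-coding it.
get_token() {
  local scope="$1"
  curl -sS --cacert "$CA_CERT" -X POST \
    "$AUTH_URL?service=Docker-registry&scope=$scope" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "grant_type=password&username=Securitit&password=123456" \
    | sed -n 's/.*[{,]"token":"\([^"]*\)".*/\1/p'
}

# List repositories (requires a catalog-scoped token).
TOKEN=$(get_token "registry:catalog:*")
curl -sS --cacert "$CA_CERT" -H "Authorization: Bearer $TOKEN" "$REGISTRY_URL/v2/_catalog"

# List the tags of one repository (pull scope on that repository).
imagesName="lqx-test/message-service"
TOKEN=$(get_token "repository:$imagesName:pull")
curl -sS --cacert "$CA_CERT" -H "Authorization: Bearer $TOKEN" \
  "$REGISTRY_URL/v2/$imagesName/tags/list"

# Fetch a manifest with the same pull token. Ask explicitly for the v2 / OCI
# manifest formats: without an Accept header the registry may fall back to
# the deprecated schema1 representation or refuse OCI images.
tag="5.0.0-ent-master-SNAPSHOT.20240713114406_58fba2a660b"
curl -sS --cacert "$CA_CERT" -H "Authorization: Bearer $TOKEN" \
  -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  -H "Accept: application/vnd.oci.image.manifest.v1+json" \
  "$REGISTRY_URL/v2/$imagesName/manifests/$tag"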

Docker-registry-tls

重复上面的“前期准备”“自签证书”“docker使用自签证书”和“绑定hosts”步骤,只有 registry 的配置文件不同,且不需要启动认证服务。

启动registry服务

配置文件不同


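# Registry configuration: TLS only, NO authentication.
# WARNING: with no auth section, every client that can reach port 443 can
# pull AND push images. Use this variant only on a trusted network, or put the
# registry behind a reverse proxy that enforces authentication.
# The heredoc delimiter is unquoted so $(...) is expanded when writing the file.
cat > "$registryHome/registry/config/config.yml" <<EOF
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :443
  headers:
    X-Content-Type-Options: [nosniff]
  tls:
    certificate: /etc/docker/ssl/core-cache.registry.com.crt
    key: /etc/docker/ssl/core-cache.registry.com.key
  host: https://core-cache.registry.com
  # Per-deployment random secret; never ship the documented example value
  # "asecretforlocaldevelopment". Load-balanced registries must share it.
  secret: "$(openssl rand -hex 32)"

health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
EOF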

启动oauth2服务

无需启动。注意:此时仓库没有任何认证,任何能访问 443 端口的客户端都可以拉取和推送镜像,仅适用于受信任的内网环境,或放在强制认证的反向代理之后。
