前言:
docker的本地仓库其实要说随便一用,也确实简单,两三条命令就搞定了。但,如果想有一定的安全性,那么,还是比较复杂的一个事情。比如,用户权限,鉴权和web可视化管理界面的开启。
上一个博文大略的讲了一下如何搭建一个简单的本地私人docker仓库,并有两种方式,一个是最为简单的无任何安全性的本地仓库,人人都可随意上传下载的,一个是有证书的,使用https验证的本地私人docker仓库。博文地址是:猿创征文|docker本地仓库的搭建(简易可快速使用的本地仓库)_zsk_john的博客-CSDN博客
现在就接着上面的博文,继续优化这个本地docker仓库。
一,
前情回顾+安全验证配置
HTTP类型的本地仓库,容器启动命令:
docker run -d -p 5000:5000 -v /opt/data/registry:/var/lib/registry -v /opt/data/config.yml:/etc/docker/registry/config.yml --name registry registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1
此时的开启web界面的容器启动命令:
docker run -it -d --name registry-web -e REGISTRY_URL=http://192.168.217.17:5000/v2 -e REGISTRY_NAME=192.168.217.17 -p 9055:8080 registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web
登录地址
这个时候启动的本地仓库是可以随意的push的,只要知道本地仓库的地址,这是很危险的,如果是有别有用心的人,那么,指不定push上传到服务器里什么文件呢,对吧,非常危险。那么,设置一个密码,在push操作之前我们对push的人做一个密码验证就可以大大提高本地仓库的安全性了。
(1)建立目录存放密码文件
先建立一个目录,mkdir /opt/auth/
(2)生成密码 文件,下面这个命令是生成的用户名是linkcm,密码是123456
docker run --entrypoint htpasswd \ registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1 \ -Bbn linkcm 123456 \ >>/opt/auth/htpasswd
添加第二个用户,用户名是zsk,密码是qwerasdf:
docker run --entrypoint htpasswd \ registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1 \ -Bbn zsk qwerasdf \ >>/opt/auth/htpasswd
(3)查看文件内容,确定是加密的
[root@slave1 ~]# cat /opt/auth/htpasswd linkcm:$2y$05$ImH24JuZ0NnsOHnwjUF9oeDO/F.t6JF3FHEYKaoomDa5327v/7YSC
(4) 启动本地开启了5000端口的http仓库,此时的私有仓库不管是推送还是拉取动作都需要登录才可以进行
docker run -d -p 5000:5000 \ -v /opt/registry/data:/var/lib/registry \ -v /opt/registry/conf/config.yml:/etc/docker/registry/config.yml \ -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ -e REGISTRY_AUTH_HTPASSWD_REALM=Registry_Realm \ -v /opt/auth:/auth \ --name localregistry registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1
主要是启动镜像命令增加了以下这些内容:
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_AUTH_HTPASSWD_REALM=Registry_Realm -v /opt/auth:/auth
(5)验证:
第一次没有登录的push,结果失败:
[root@slave1 auth]# docker push 192.168.217.17:5000/pause The push refers to repository [192.168.217.17:5000/pause] ba0dae6243cc: Preparing unauthorized: authentication required
登录后的push,结果成功(账号是linkcm,密码是123456):
[root@slave1 auth]# docker login 192.168.217.17:5000 Authenticating with existing credentials... Login did not succeed, error: Error response from daemon: login attempt to http://192.168.217.17:5000/v2/ failed with status: 401 Unauthorized Username (test): linkcm Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded [root@slave1 auth]# docker push 192.168.217.17:5000/pause The push refers to repository [192.168.217.17:5000/pause] ba0dae6243cc: Layer already exists 3.2: digest: sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108 size: 526
https容器启动(在16服务器上启动,这个端口是443的):
docker run -d --restart=always --name registry \ -v /opt/ssl:/certs \ -v /opt/registry/data:/var/lib/registry \ -v /opt/registry/conf/config.yml:/etc/docker/registry/config.yml \ -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myssl.pem \ -e REGISTRY_HTTP_TLS_KEY=/certs/myssl.key \ -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ -e REGISTRY_AUTH_HTPASSWD_REALM=Registry_Realm \ -v /opt/auth:/auth \ -p 443:443 \ registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1
在18服务器上登录私服:
[root@k8s-node1 ~]# docker login master.com.cn Username: linkcm Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded
退出私服登录:
[root@k8s-node2 ~]# docker logout master.com.cn Removing login credentials for master.com.cn
此时的docker私服不管是上传还是下载都需要先登录才可以下一步了。
以上仅仅是本地仓库的用户安全加固,也就是必须登录私有仓库后才可以进行推拉操作,还没有开启web界面。
配合web端的全面安全加固,web端和命令行都有登录验证,上传,下载都有密码登录验证。
本地仓库的容器启动(这个本地仓库是没有密码验证的):
docker run -d -p 5000:5000 -v /opt/data/registry:/var/lib/registry -v /opt/data/config.yml:/etc/docker/registry/config.yml --name registry registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1
此时的web界面开启(web端也是没有密码验证的,两个容器是一对的哦):
docker run -it -d --name registry-web -e REGISTRY_URL=http://192.168.217.17:5000/v2 -e REGISTRY_NAME=192.168.217.17:5000 -p 9055:8080 registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web
登录地址是:http://192.168.217.17:9055/
以上是没有用户认证的,那么,下面开启强制用户认证,也就是说web端,必须要输入密码验证后才可以上传镜像。
证书生成的命令:
openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/ssl/myssl.key -x509 -days 365 -out /opt/ssl/myssl.pem
相关证书的存放路径:
[root@master conf]# ll /opt/ssl/ total 8 -rw------- 1 root root 3272 Sep 2 20:59 myssl.key -rw-r--r-- 1 root root 2009 Sep 2 21:00 myssl.pem
建立证书另一个存放路径并拷贝证书到相应路径:
mkdir -p /etc/docker/registry cp /opt/ssl/myssl.pem /etc/docker/registry
私有仓库的配置文件:
[root@master conf]# cat /opt/registry/conf/config.yml version: 0.1 log: fields: service: registry storage: cache: blobdescriptor: inmemory filesystem: rootdirectory: /var/lib/registry http: addr: 0.0.0.0:5000 headers: X-Content-Type-Options: [nosniff] health: storagedriver: enabled: true interval: 10s threshold: 4 auth: token: realm: http://192.168.217.16:9055/api/auth service: 192.168.217.16:5000 issuer: 'my issuer' rootcertbundle: /etc/docker/registry/myssl.pem
启动本地仓库容器的命令:
docker run -v /opt/registry/conf/config.yml:/etc/docker/registry/config.yml:ro \ -v /opt/registry/data:/var/lib/registry \ -v /opt/ssl/myssl.pem:/etc/docker/registry/myssl.pem:ro \ -p 5000:5000 \ -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ -e REGISTRY_AUTH_HTPASSWD_REALM=Registry_Realm \ -v /opt/auth:/auth \ --name registry-srv \ -d registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1
建立私有仓库web界面的配置文件存放路径,并编写配置文件:
mkdir -p /opt/registry-web/conf/
registry-web的配置文件内容:
[root@master conf]# cat /opt/registry-web/conf/config.yml registry: url: http://192.168.217.16:5000/v2 name: 192.168.217.16:5000 readonly: false auth: enabled: true issuer: 'my issuer' key: /conf/myssl.key
启动web界面容器的命令:
docker run -it -d -v /opt/registry-web/conf/config.yml:/conf/config.yml:ro \ -v /opt/ssl/myssl.key:/conf/myssl.key \ -p 9055:8080 \ --name registry-web \ registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web
web端登录地址和界面(192.168.217.16:9055):
用户鉴权这些都在web端操作了,初始登录账户和密码是admin/admin
测试拉取镜像,可以看到,如果没有登录,将会报错:
[root@slave2 ~]# docker pull 192.168.217.16:5000/nginx:1.8 Error response from daemon: Head http://192.168.217.16:5000/v2/nginx/manifests/1.8: unauthorized: authentication required
当然,上传文件如果不登录也是会报错的,就不演示了。用户登录是这样的:
[root@slave2 ~]# docker login 192.168.217.16:5000 Username: zsk Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded
输入正确的密码后,zsk用户登录成功,并且上传和下载镜像都正常了,例如上传:
[root@slave2 ~]# docker push 192.168.217.16:5000/registry-web Using default tag: latest The push refers to repository [192.168.217.16:5000/registry-web] 8779b4998d0c: Layer already exists 9eb22ef427e2: Layer already exists 64d1c65ea33e: Layer already exists d6c3b0e63834: Layer already exists 1315f14832fa: Layer already exists d16096ccf0bb: Layer already exists 463a4bd8f8c1: Layer already exists be44224e76b9: Layer already exists d96a8038b794: Layer already exists f469fc28e82e: Layer already exists 8418a42306ef: Layer already exists 03457c5158e2: Layer already exists 7ef05f1204ee: Layer already exists f7049feabf0b: Layer already exists 5ee52271b8b7: Layer already exists 8b1153b14d3a: Layer already exists 367b9c52c931: Layer already exists 3567b2f05514: Layer already exists 292a66992f77: Layer already exists 641fcd2417bc: Layer already exists 78ff13900d61: Layer already exists latest: digest: sha256:2c4f88572e1626792d3ceba6a5ee3ea99f1c3baee2a0e8aad56f0e7c3a6bf481 size: 4695
命令行退出登录;
[root@slave2 ~]# docker logout 192.168.217.16:5000 Removing login credentials for 192.168.217.16:5000
完美达到预期,用户鉴权功能非常好,如果没有登录,push镜像会是这样的,(pull也是一样的):
[root@master conf]# docker push 192.168.217.16:5000/registry-web The push refers to repository [192.168.217.16:5000/registry-web] 8779b4998d0c: Preparing 9eb22ef427e2: Preparing 64d1c65ea33e: Preparing d6c3b0e63834: Preparing 1315f14832fa: Preparing d16096ccf0bb: Waiting 463a4bd8f8c1: Waiting be44224e76b9: Waiting d96a8038b794: Waiting f469fc28e82e: Waiting 8418a42306ef: Waiting 03457c5158e2: Waiting 7ef05f1204ee: Waiting f7049feabf0b: Waiting 5ee52271b8b7: Waiting 8b1153b14d3a: Waiting 367b9c52c931: Waiting 3567b2f05514: Waiting 292a66992f77: Waiting 641fcd2417bc: Waiting 78ff13900d61: Waiting unauthorized: authentication required