docker-registry login authentication

| server (Ubuntu 20.04) | client (CentOS 7.7) |
|---|---|
| 10.0.0.55 | 10.0.0.45 |
| myrepo.com | |

| Docker version (server) | image version (server) |
|---|---|
| 19.03.13 | registry:2.6.2 |
1. Environment setup
# Create the directories
root@ylm-ubuntu:~# mkdir -p /opt/docker/certs
root@ylm-ubuntu:~# cd /opt/docker/
root@ylm-ubuntu:/opt/docker# ls
certs
# Add a hosts entry for the registry domain
root@ylm-ubuntu:/opt/docker# cat /etc/hosts
10.0.0.55 myrepo.com
root@ylm-ubuntu:/opt/docker# ping -w1 -c1 myrepo.com
PING myrepo.com (10.0.0.55) 56(84) bytes of data.
64 bytes from myrepo.com (10.0.0.55): icmp_seq=1 ttl=64 time=0.017 ms
--- myrepo.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.017/0.017/0.017/0.000 ms
2. Generate a self-signed certificate
root@ylm-ubuntu:/opt/docker# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/myrepo.key -x509 -days 365 -out certs/myrepo.crt
Generating a RSA private key
....................................++++
..............................................................................................................++++
writing new private key to 'certs/myrepo.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:myrepo.com   # must match the registry domain name
Email Address []:
3. Generate the authentication password file
root@ylm-ubuntu:/opt/docker# mkdir auth
root@ylm-ubuntu:/opt/docker# ls
auth certs
# One thing to note: use the 2.6.2 image, otherwise the command fails
root@ylm-ubuntu:/opt/docker# docker run --entrypoint htpasswd registry:2.6.2 -Bbn admin password > auth/htpasswd
# Personally I do not know how this is meant to be used; in any case, with the hashed value below I could not log in
root@ylm-ubuntu:/opt/docker# cat auth/htpasswd
admin:$2y$05$bOES6kCFIOpNbbQw9wb9o.uTB3qR01yJhr6gqnY72ycengYTKzpu.
# PS: with the :2 or latest image you get the following error
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: \"htpasswd\": executable file not found in $PATH": unknown.
4. Start the registry
$ docker run -d \
> --restart=always \
> --name registry \
> -v /opt/docker/certs:/certs \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myrepo.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/myrepo.key \
> -v /opt/data/registry:/var/lib/registry \
> -v /opt/docker/auth:/auth -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> -p 5000:5000 \
> registry:2.6.2
# View the container
$ docker ps
CONTAINER ID   IMAGE            COMMAND                  CREATED         STATUS         PORTS                    NAMES
67285dfdc56c   registry:2.6.2   "/entrypoint.sh /etc…"   3 seconds ago   Up 2 seconds   0.0.0.0:5000->5000/tcp   registry
# View the listening port
root@ylm-ubuntu:/opt/docker# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::5000                 :::*                    LISTEN
5. Test pushing an image
$ docker pull busybox
$ docker tag busybox:latest myrepo.com:5000/busybox
# The push fails because the local host does not trust the CA certificate
$ docker push myrepo.com:5000/busybox
The push refers to repository [myrepo.com:5000/busybox]
Get https://myrepo.com:5000/v2/: x509: certificate signed by unknown authority
# Fix: copy the CA certificate into /etc/docker/certs.d/myrepo.com:5000 (create the directory if needed) and rename it to ca.crt
root@ylm-ubuntu:/opt/docker/auth# mkdir -p /etc/docker/certs.d/myrepo.com:5000
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# cp /opt/docker/certs/myrepo.crt ./
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# ls
myrepo.crt
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# mv myrepo.crt ca.crt
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# service docker restart
# Pushing again still fails, now with "no basic auth credentials": login authentication is configured, so we have to log in first
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# docker push myrepo.com:5000/busybox
The push refers to repository [myrepo.com:5000/busybox]
be8b8b42328a: Preparing
no basic auth credentials
# Login error, because right now I am using the hashed password from /opt/docker/auth/htpasswd
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# docker login myrepo.com:5000
Username: admin
Password:
Error response from daemon: login attempt to https://myrepo.com:5000/v2/ failed with status: 401 Unauthorized
# Log in with the plaintext password instead
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# docker login myrepo.com:5000
Username: admin
Password: password   # the one created in step 3
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
# Login succeeded
Login Succeeded
PS: this is the part that has always puzzled me; if any expert understands it, please leave a comment, thanks
# Push again, this time successfully
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# docker push myrepo.com:5000/busybox
The push refers to repository [myrepo.com:5000/busybox]
be8b8b42328a: Pushed
latest: digest: sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002 size: 527
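Added example, not from the original post: a bash helper that folds the three pitfalls hit above into checked steps, a self-signed certificate that carries the registry hostname in both CN and SAN (Docker compares the name it dials against the certificate, and Go-based clients built with Go 1.15 or later no longer fall back to a CN-only certificate), installing it as /etc/docker/certs.d/<host>:<port>/ca.crt with a hostname-aware openssl verify, and a check that every htpasswd entry is bcrypt, the only hash the registry's htpasswd backend accepts. It assumes openssl 1.1.1 or newer for -addext; the function names and the optional config-root argument are mine.

```shell
#!/usr/bin/env bash
# Helper functions for a TLS + htpasswd protected docker-registry (added example,
# not part of the original post). Needs openssl 1.1.1+ for "req -addext".

make_registry_cert() {
  # $1 = registry hostname, $2 = output directory.
  # CN and SAN both carry the hostname: Docker checks the name it dials
  # (myrepo.com) against the certificate, and clients built with Go 1.15+
  # no longer fall back to the CN, so a CN-only certificate is rejected.
  local host=$1 dir=$2
  mkdir -p "$dir" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null || return 1
  chmod 600 "$dir/$host.key"   # the private key is for the registry only
}

install_registry_ca() {
  # $1 = host, $2 = port, $3 = server certificate, $4 = docker config root
  # (defaults to /etc/docker; the test points it at a temp dir).
  # The directory must be named exactly host:port and the file exactly ca.crt,
  # otherwise docker push fails with "certificate signed by unknown authority".
  local host=$1 port=$2 crt=$3 root=${4:-/etc/docker}
  local dir="$root/certs.d/$host:$port"
  mkdir -p "$dir" && cp "$crt" "$dir/ca.crt" || return 1
  # Prove the installed CA validates the server certificate for this hostname.
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$crt" >/dev/null 2>&1
}

check_htpasswd() {
  # $1 = htpasswd file. The registry's htpasswd backend only accepts bcrypt
  # ($2a$/$2b$/$2y$, two-digit cost, 53-character salt+hash); an MD5 ($apr1$),
  # SHA ({SHA}) or crypt entry can never log in, so those lines fail here.
  local entries
  entries=$(grep -vE '^[[:space:]]*(#|$)' "$1" 2>/dev/null) || return 1
  ! printf '%s\n' "$entries" |
    grep -vqE '^[^:]+:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}
```

docker login still takes the plaintext password (here `password`), never the hash stored in the file; the hash is only the verifier the registry compares the typed password against.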
6. Pull the image from the remote node
# Set up the hosts entry
[root@c7-45 myrepo.com:5000]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.55 myrepo.com
# Create the same directory on the remote node
[root@c7-45 myrepo.com:5000]# pwd
/etc/docker/certs.d/myrepo.com:5000
[root@c7-45 myrepo.com:5000]# ls
ca.crt
# Copy the certificate over with scp
# PS: run scp on the server host (the server is Ubuntu 20.04, where root cannot log in directly, so copying this way and entering the CentOS password is more convenient)
scp /etc/docker/certs.d/myrepo.com:5000/ca.crt root@10.0.0.45:/etc/docker/certs.d/myrepo.com:5000
# Log in to the image server
[root@c7-45 myrepo.com:5000]# docker login myrepo.com:5000
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# Pull the image
[root@c7-45 myrepo.com:5000]# docker pull myrepo.com:5000/busybox
Using default tag: latest
latest: Pulling from busybox
Digest: sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002
Status: Downloaded newer image for myrepo.com:5000/busybox:latest
myrepo.com:5000/busybox:latest
# List images
[root@c7-45 myrepo.com:5000]# docker images
REPOSITORY                TAG      IMAGE ID       CREATED       SIZE
myrepo.com:5000/busybox   latest   6858809bf669   2 weeks ago   1.23MB