优化registry，编写支持ssl和Authentication的两个运行环境

2024-11-29 18:38:34 +08:00 · 2019-06-26 15:54:46 +08:00 · 2019-06-26 15:54:46 +08:00 · 0c555f4263
commit 0c555f4263
parent fe979afd0f
11 changed files with 185 additions and 79 deletions
--- a/registry/.env
+++ b/registry/.env
@ -0,0 +1,2 @@
+docker_auth_public_ip=192.168.1.124
+docker_auth_port=5001
--- a/registry/README.md
+++ b/registry/README.md
@ -8,9 +8,40 @@

 默认docker镜像存储路径 `/var/lib/registry`

-### 使用
+### 生成证书命令

-registry应用启动成功后，若非https模式的话，需要修改docker上的配置，添加registry的信息到 `--insecure-registry` 才能正常使用(建议用域名)，例如:
+首次运行，请执行生成ssl证书脚本，命令参考如下:
+
+```
+sh gencert.sh
+```
+
+## 使用
+
+### https模式
+
+请确保证书已经生成好，利用docker-compose启动应用：
+
+```
+docker-compose up -d
+```
+
+测试执行下面命令
+
+```
+# 从公服下载镜像
+docker pull hello-world
+# 重命名
+docker tag hello-world localhost/hello-world
+# 提交到私服
+docker push localhost/hello-world
+# 查看提交的镜像
+curl -k -X GET https://localhost/v2/_catalog
+```
+
+### 非https模式
+
+非https模式的话，需要修改docker上的配置，添加registry的信息到 `--insecure-registry` 才能正常使用(建议用域名)，例如:

 ```
 {
@ -21,7 +52,13 @@ registry应用启动成功后，若非https模式的话，需要修改docker上
 }
 ```

-#### 测试
+启动非https的registry容器
+
+```
+docker-compose -f docker-compose-insecure.yml up -d
+```
+
+测试执行下面命令

 ```
 # 从公服下载镜像
@ -31,21 +68,58 @@ docker tag hello-world localhost:5000/hello-world
 # 提交到私服
 docker push localhost:5000/hello-world
 # 查看提交的镜像
-curl -X GET http://localhost:5000/v2/_catalog
+curl -k -X GET http://localhost:5000/v2/_catalog
 ```

-### 生成证书命令
+### Authentication身份认证
+
+身份认证，即配置docker registry的下载和上传权限，可实现不允许匿名随便上传镜像的功能。
+
+添加身份认证服务器依赖镜像 [cesanta/docker_auth](https://hub.docker.com/r/cesanta/docker_auth)，本地配置文件在 `auth_server/config/auth_config.yml` ，可自行根据实际情况进行修改。
+
+默认配置信息：admin可上传下载，账号密码 `admin/admin`，匿名用户可下载镜像
+
+其他更多配置参考: https://github.com/cesanta/docker_auth/tree/master/examples/
+
+#### 生成账号密码

 ```
-openssl req -x509 \
-subj "/C=CN/ST=BeiJing/L=Dongcheng/CN=docker.kennylee.cn" \
-nodes -days 3650 -newkey rsa:2048 -keyout server.key -out server.pem
+htpasswd -nbB <账号> <密码>
+```
+
+生成账号密码后可添加到 `auth_config.yml`
+
+#### 启动和使用
+
+启动命令
+
+```
+docker-compose -f docker-compose-with-auth.yml up -d
 ```

 ```
-openssl x509 -outform der -in server.pem -out server.crt
+# 从公服下载镜像
+docker pull hello-world
+# 重命名
+docker tag hello-world localhost/hello-world
+# 测试提交到私服是否上传失败
+docker push localhost/hello-world
+
+# 登录本地私服
+docker login --username admin --password admin  https://localhost
+# 再一次提交到私服
+docker push localhost/hello-world
 ```

-详细可参见https://the.binbashtheory.com/creating-private-docker-registry-2-0-with-token-authentication-service
+#### docker登录命令
+
+```
+# 登录
+docker login --username <账号> --password <密码> https://<私服地址>
+# 登出
+docker logout https://<私服地址>
+```
+
+**注意域名解析**


--- a/registry/auth_server/config/auth_config.yml
+++ b/registry/auth_server/config/auth_config.yml
@ -2,8 +2,8 @@ server:  # Server settings.
  # Address to listen on.
  addr: ":5001"
  # TLS certificate and key.
-  certificate: "/ssl/server.pem"
-  key: "/ssl/server.key"
+  certificate: "/ssl/registry.crt"
+  key: "/ssl/registry.key"

 token:  # Settings for the tokens.
  issuer: "Auth Service"  # Must match issuer in the Registry config.
@ -14,7 +14,7 @@ token:  # Settings for the tokens.
 users:
  # Password is specified as a BCrypt hash. Use htpasswd -B to generate.
  "admin":
-    password: "$2y$05$QH.x7wSgRwX/T9LVKwr41e0djC2/2V5uNWPVaIbdssGInvzg.bd8S"
+    password: "$2y$05$vpPwtp7EQRZddhZwY4qtjObGdnsLipQOUcsdh2cq2DVWNjPJeun5u" # admin
  "": {}  # Allow anonymous (no "docker login") access.

 acl:
--- a/registry/auth_server/ssl/server.key
+++ b/registry/auth_server/ssl/server.key
@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDpQZKkcD6nHJT9
-CFmGR/cnb3hiA9h1R1DwTJcH0E2wd7DAQNYYaBYk4bk9eVLl/m1Uf86tV6SieXDX
-M9BUu22WtwP2VD1jlZWqQrM5ym+YSdMv/4T1nTfdJCkc01NzMLyGlln3NOMGqyuu
-AWW+MhOySIlOtxbq7UIpQWvGxSxfFypzWz3wbI4tfHtBtH6AP4vVAf2RhMsGCkaN
-uwnGBWocp1Xn+XZ6a6Q/8ssboQfPsa6Q4OPBMXR8yB7lV+8dE8l365djQWRgL3P8
-BYZWwKv1M0Tnu32KVTskT9H9LBt+0rViEX9/izSK4PCeSrBXyUgj4iuXKiLls/Ml
-Jz+n5ZgbAgMBAAECggEBAJvSv2j0xxYSRQGog03uY5DHqc8orIDkbJCrSbXhlRTP
-UJeOeLgDSM/Ir1v+4b9dsaHiY6pvQz97C0PojEMelr45cv8rFXuiYUJFnr97mgNN
-RjTpaOQ/7CLiVki4cCYip77tUBqSDRvWW665pkNh5sCSLpAURc4ZQ7qVxq8Z52N5
-qqRmob4lUaL54cxrMzG2KIeEf8FwucgEjg+Su9RFRjC/2JjX9RmiLOOg7fMV38qs
-S0NygmzZoV+u2cj3K8lOowmd8D4lLzcmDnYre33httzXmyE4eWGJYGq7pQGFKXaZ
-Zl7SKFuWuYtfSFCcKpNRxnjGaVgfjJPdprTPMPWe8ekCgYEA/QsWuHfStB4tPjpj
-RnwDQNNHIRkMP4FyeAANVttMx5xSEngcYct54iMRhckJrrKnKki6ww27Ghv789p+
-d99ak+VH/odYhfCANL/N06gopq4xmxBv1LhBmym3/oV8xzU9tTipcHh3xOvXW8at
-kq6YD5Qf1H41ZyVnelnjIsPk8s0CgYEA6/tLyei164eex8Pu4yTKiFu+LM6KRE4r
-m7Rmgv4Uu5AIZhn7NNKMADBRQS7Ck+qYlq3Mqj6fHPfU47lfqBYnBO8AvsQ4RF67
-T+8KIc66s83Lnf1UH3BGwPx1PylvfpmLYcxlfx2g4A7hJLcfl1KRi2QXoMan9Fa5
-gjkVo9XbxocCgYEAw+Y+y8cwH3OxURjA3MOLfTdUPOJ4Yf3kUdSwfwq+UVbLDzNf
-vbJahODjYvC2B0KWOh0eQX2y2U7K6wm/mSwYoqEB8KJ1vRPpHW1UesUX25rGGqdJ
-/KQ9XlOY93n+lPa59D+Opd0N1C1Fh+6zV/jFDmJ9lfOzgkwp5UYLm1GPQQ0CgYBJ
-JiWRGgTCVNDgRZkYagAqEp45z3BGyiB0bJBWTKJqnbQsyiL3dciWCmQ1m2QPa+oO
-0yMdJro1xZEFYiIHvY4s1lVZzQNQFjlkBsoSPr3bHJDgkXVxJWGZUuiZQqPgD4KI
-N07C/5Etww8BTY6KXrrlBYrZeJr5f6STfFR767/rowKBgFn46Je41J7LJpgSvtTo
-7E64PLohGmxnPIccbmvathRMvt1kB7SLNZEaZ6nGK7l7s14bG6eOiZCnwCnfQaA8
-SqZPzaJE+qtdMloOVy1uria6JfcWZLJM3ANA9z0mVB9B+xlbSXLHs82QUIvNp/dm
-FEV080MmmQWyGNpx3/fIIAxH
-----END PRIVATE KEY-----
--- a/registry/auth_server/ssl/server.pem
+++ b/registry/auth_server/ssl/server.pem
@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIDazCCAlOgAwIBAgIJAJ3TzenOkZYDMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
-BAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxEjAQBgNVBAcMCUd1YW5nemhvdTEV
-MBMGA1UEAwwMMTkyLjE2OC4xLjk2MB4XDTE1MTEyMzA3MTY1OFoXDTI1MTEyMDA3
-MTY1OFowTDELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5nRG9uZzESMBAGA1UE
-BwwJR3Vhbmd6aG91MRUwEwYDVQQDDAwxOTIuMTY4LjEuOTYwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQDpQZKkcD6nHJT9CFmGR/cnb3hiA9h1R1DwTJcH
-0E2wd7DAQNYYaBYk4bk9eVLl/m1Uf86tV6SieXDXM9BUu22WtwP2VD1jlZWqQrM5
-ym+YSdMv/4T1nTfdJCkc01NzMLyGlln3NOMGqyuuAWW+MhOySIlOtxbq7UIpQWvG
-xSxfFypzWz3wbI4tfHtBtH6AP4vVAf2RhMsGCkaNuwnGBWocp1Xn+XZ6a6Q/8ssb
-oQfPsa6Q4OPBMXR8yB7lV+8dE8l365djQWRgL3P8BYZWwKv1M0Tnu32KVTskT9H9
-LBt+0rViEX9/izSK4PCeSrBXyUgj4iuXKiLls/MlJz+n5ZgbAgMBAAGjUDBOMB0G
-A1UdDgQWBBREtfXUd6l0q0yT8bQ0HnL5j6xIFDAfBgNVHSMEGDAWgBREtfXUd6l0
-q0yT8bQ0HnL5j6xIFDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAx
-0ShP3mrN0ItR/scm0fUPq6rRA/1o3xdkBMCY9cTRGMBvKZ0tbHj1L6n24nKNmr4z
-JSMAw8niLOMOY8nvbbMYeAvAmairdlEmRnN0jAHu3wfl8ZZdZjaKZHIxuwgAAb7S
-hxp5wJzY5SfSUbs0+X1agNQtMMyG1yniPR//GAJ96Lr2UTj/tRw2BQX6woklj+th
-tQTTRwLjnmoXCyn10cr0vdzg5iPeifZuYUA1rmOioIeqS0b/dQ6OrSIckBdQ694B
-loEOvyNTbgrHWMktVUYSEsVDT8u/xtHDyLwpi2iTX5E0wHTOjt5PurEcpEarx4//
-l2FEj/yjkxMVYeJQM/gg
-----END CERTIFICATE-----
--- a/registry/certs/.gitignore
+++ b/registry/certs/.gitignore
@ -0,0 +1,2 @@
+*
+!.gitignore
--- a/registry/docker-compose-insecure.yml
+++ b/registry/docker-compose-insecure.yml
@ -0,0 +1,16 @@
+version: '2.4'
+services:
+    registry:
+        image: registry.cn-hangzhou.aliyuncs.com/kennylee/registry:2
+        container_name: 'docker-registry'
+        ports:
+            - 5000:5000
+        volumes:
+            - ./data/registry:/var/lib/registry
+        restart: on-failure
+        logging:
+            driver: 'json-file'
+            options:
+                max-size: '12m'
+                max-file: '5'
+
--- a/registry/docker-compose-with-auth.yml
+++ b/registry/docker-compose-with-auth.yml
@ -1,42 +1,43 @@
 version: '3'
 services:
    docker_auth:
-        image: cesanta/docker_auth
+        image: registry.cn-hangzhou.aliyuncs.com/kennylee/docker_auth
        container_name: 'docker_auth'
        ports:
-            - "5001:5001"
+            - "${docker_auth_port}:5001"
        volumes:
-            - ./data/docker_auth/auth_server/config:/config:ro
-            - ./data/log/docker_auth:/logs
-            - ./data/docker_auth/auth_server/ssl:/ssl
+            - ./auth_server/config:/config:ro
+            - ./data/docker_auth/logs:/logs
+            - ./certs:/ssl:ro
        command: /config/auth_config.yml
        restart: on-failure
        logging:
            driver: 'json-file'
            options:
-                max-size: '30m'
-                max-file: '1'
+                max-size: '12m'
+                max-file: '5'
    registry:
        image: registry.cn-hangzhou.aliyuncs.com/kennylee/registry:2
        container_name: 'docker_registry'
        ports:
-            - 5000:5000
+            - "443:443"
        volumes:
-            - ./data/docker_auth/auth_server/ssl:/ssl
-            - ./data/registry2:/var/lib/registry
+            - ./certs:/ssl:ro
+            - ./data/registry:/var/lib/registry
        restart: on-failure
        environment:
            - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry
            - REGISTRY_AUTH=token
-            - REGISTRY_AUTH_TOKEN_REALM=https://192.168.1.100:5001/auth
+            - REGISTRY_AUTH_TOKEN_REALM=https://${docker_auth_public_ip}:${docker_auth_port}/auth # 注意修改.env文件中docker_auth_public_ip为外部访问ip
            - REGISTRY_AUTH_TOKEN_SERVICE="Docker registry"
            - REGISTRY_AUTH_TOKEN_ISSUER="Auth Service"
-            - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/ssl/server.pem
-            - REGISTRY_HTTP_TLS_CERTIFICATE=/ssl/server.pem
-            - REGISTRY_HTTP_TLS_KEY=/ssl/server.key
+            - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/ssl/registry.crt
+            - REGISTRY_HTTP_ADDR=0.0.0.0:443
+            - REGISTRY_HTTP_TLS_CERTIFICATE=/ssl/registry.crt
+            - REGISTRY_HTTP_TLS_KEY=/ssl/registry.key
        logging:
            driver: 'json-file'
            options:
-                max-size: '30m'
-                max-file: '1'
+                max-size: '12m'
+                max-file: '5'

--- a/registry/docker-compose.yml
+++ b/registry/docker-compose.yml
@ -4,10 +4,15 @@ services:
        image: registry.cn-hangzhou.aliyuncs.com/kennylee/registry:2
        container_name: 'docker-registry'
        ports:
-            - 5000:5000
+            - 443:443
        volumes:
            - ./data/registry:/var/lib/registry
+            - ./certs:/certs:ro
        restart: on-failure
+        environment:
+            - REGISTRY_HTTP_ADDR=0.0.0.0:443
+            - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt
+            - REGISTRY_HTTP_TLS_KEY=/certs/registry.key
        logging:
            driver: 'json-file'
            options:
--- a/registry/gencert.sh
+++ b/registry/gencert.sh
@ -0,0 +1,51 @@
+#!/bin/sh
+
+# 最终证书存放的目录
+FOLDER_DIR=certs/
+# 证书文件名字，默认为空的话代表用输入domain作为证书文件名字
+CERT_NAME=registry
+
+# create self-signed server certificate:
+
+read -p "Enter your domain [www.example.com]: " DOMAIN
+
+echo "Create server key..."
+
+if [ -z "$CERT_NAME" ]; then
+    CERT_NAME=$DOMAIN
+fi
+
+openssl genrsa -des3 -out $CERT_NAME.key 1024
+
+echo "Create server certificate signing request..."
+
+SUBJECT="/C=CN/ST=BeiJing/L=Dongcheng/CN=$DOMAIN"
+
+openssl req -new -subj $SUBJECT -key $CERT_NAME.key -out $CERT_NAME.csr
+
+echo "Remove password..."
+
+mv $CERT_NAME.key $CERT_NAME.origin.key
+openssl rsa -in $CERT_NAME.origin.key -out $CERT_NAME.key
+
+echo "Sign SSL certificate..."
+
+openssl x509 -req -days 3650 -in $CERT_NAME.csr -signkey $CERT_NAME.key -out $CERT_NAME.crt
+
+echo "TODO:"
+echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
+echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
+echo "Add configuration in nginx:"
+echo "server {"
+echo "    ..."
+echo "    listen 443 ssl;"
+echo "    ssl_certificate     /etc/nginx/ssl/$DOMAIN.crt;"
+echo "    ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
+echo "}"
+
+if [ -n "$FOLDER_DIR" ]; then
+    mv $CERT_NAME.key $FOLDER_DIR
+    mv $CERT_NAME.crt $FOLDER_DIR
+    mv $CERT_NAME.csr $FOLDER_DIR
+    mv $CERT_NAME.origin.key $FOLDER_DIR    
+fi
--- a/registry/image-build/docker_auth/Dockerfile
+++ b/registry/image-build/docker_auth/Dockerfile
@ -0,0 +1,4 @@
+FROM cesanta/docker_auth
+
+
+