From 0c555f42636790e040d73bd4dc1fae25d241eef2 Mon Sep 17 00:00:00 2001
From: KennyLee
Date: Wed, 26 Jun 2019 15:54:46 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96registry=EF=BC=8C=E7=BC=96?=
 =?UTF-8?q?=E5=86=99=E6=94=AF=E6=8C=81ssl=E5=92=8CAuthentication=E7=9A=84?=
 =?UTF-8?q?=E4=B8=A4=E4=B8=AA=E8=BF=90=E8=A1=8C=E7=8E=AF=E5=A2=83?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 registry/.env | 2 +
 registry/README.md | 94 ++++++++++++++++++---
 registry/auth_server/config/auth_config.yml | 6 +-
 registry/auth_server/ssl/server.key | 28 ------
 registry/auth_server/ssl/server.pem | 21 -----
 registry/certs/.gitignore | 2 +
 registry/docker-compose-insecure.yml | 16 ++++
 registry/docker-compose-with-auth.yml | 33 ++++----
 registry/docker-compose.yml | 7 +-
 registry/gencert.sh | 51 +++++++++++
 registry/image-build/docker_auth/Dockerfile | 4 +
 11 files changed, 185 insertions(+), 79 deletions(-)
 create mode 100644 registry/.env
 delete mode 100755 registry/auth_server/ssl/server.key
 delete mode 100755 registry/auth_server/ssl/server.pem
 create mode 100644 registry/certs/.gitignore
 create mode 100644 registry/docker-compose-insecure.yml
 create mode 100755 registry/gencert.sh
 create mode 100755 registry/image-build/docker_auth/Dockerfile

diff --git a/registry/.env b/registry/.env
new file mode 100644
index 0000000..04ec26e
--- /dev/null
+++ b/registry/.env
@@ -0,0 +1,2 @@
+docker_auth_public_ip=192.168.1.124
+docker_auth_port=5001
diff --git a/registry/README.md b/registry/README.md
index ba9b614..f9a3602 100755
--- a/registry/README.md
+++ b/registry/README.md
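Review bot: `docker_auth_public_ip=192.168.1.124` is a machine-specific address committed as the compose interpolation file, so every clone's token realm points at the author's host until the value is edited, and that edit then shows up as a dirty working tree. Commit this as `.env.example` with a placeholder and add `.env` to the repository `.gitignore`, or at minimum comment the line: `# address clients use to reach docker_auth; must match the name in the TLS certificate`. Note the same host name or IP must also be what the generated certificate is valid for, which the README does not currently say.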
@@ -8,9 +8,40 @@ 默认docker镜像存储路径 `/var/lib/registry` -### 使用 +### 生成证书命令 -registry应用启动成功后,若非https模式的话,需要修改docker上的配置,添加registry的信息到 `--insecure-registry` 才能正常使用(建议用域名),例如: +首次运行,请执行生成ssl证书脚本,命令参考如下: + +``` +sh gencert.sh +``` + +## 使用 + +### https模式 + +请确保证书已经生成好,利用docker-compose启动应用: + +``` +docker-compose up -d +``` + +测试执行下面命令 + +``` +# 从公服下载镜像 +docker pull hello-world +# 重命名 +docker tag hello-world localhost/hello-world +# 提交到私服 +docker push localhost/hello-world +# 查看提交的镜像 +curl -k -X GET https://localhost/v2/_catalog +``` + +### 非https模式 + +非https模式的话,需要修改docker上的配置,添加registry的信息到 `--insecure-registry` 才能正常使用(建议用域名),例如: ``` { @@ -21,7 +52,13 @@ registry应用启动成功后,若非https模式的话,需要修改docker上 } ``` -#### 测试 +启动非https的registry容器 + +``` +docker-compose -f docker-compose-insecure.yml up -d +``` + +测试执行下面命令 ``` # 从公服下载镜像 
@@ -31,21 +68,58 @@ docker tag hello-world localhost:5000/hello-world # 提交到私服 docker push localhost:5000/hello-world # 查看提交的镜像 -curl -X GET http://localhost:5000/v2/_catalog +curl -k -X GET http://localhost:5000/v2/_catalog ``` -### 生成证书命令 +### Authentication身份认证 + +身份认证,即配置docker registry的下载和上传权限,可实现不允许匿名随便上传镜像的功能。 + +添加身份认证服务器依赖镜像 [cesanta/docker_auth](https://hub.docker.com/r/cesanta/docker_auth),本地配置文件在 `auth_server/config/auth_config.yml` ,可自行根据实际情况进行修改。 + +默认配置信息:admin可上传下载,账号密码 `admin/admin`,匿名用户可下载镜像 + +其他更多配置参考: https://github.com/cesanta/docker_auth/tree/master/examples/ + +#### 生成账号密码 ``` -openssl req -x509 \ --subj "/C=CN/ST=BeiJing/L=Dongcheng/CN=docker.kennylee.cn" \ --nodes -days 3650 -newkey rsa:2048 -keyout server.key -out server.pem +htpasswd -nbB <账号> <密码> +``` + +生成账号密码后可添加到 `auth_config.yml` + +#### 启动和使用 + +启动命令 + +``` +docker-compose -f docker-compose-with-auth.yml up -d ``` ``` -openssl x509 -outform der -in server.pem -out server.crt +# 从公服下载镜像 +docker pull hello-world +# 重命名 +docker tag hello-world localhost/hello-world +# 测试提交到私服是否上传失败 +docker push localhost/hello-world + +# 登录本地私服 +docker login --username admin --password admin https://localhost +# 再一次提交到私服 +docker push localhost/hello-world ``` -详细可参见https://the.binbashtheory.com/creating-private-docker-registry-2-0-with-token-authentication-service +#### docker登录命令 + +``` +# 登录 +docker login --username <账号> --password <密码> https://<私服地址> +# 登出 +docker logout https://<私服地址> +``` + +**注意域名解析** diff --git a/registry/auth_server/config/auth_config.yml b/registry/auth_server/config/auth_config.yml index 3b1b16d..521cd42 100755 --- a/registry/auth_server/config/auth_config.yml +++ b/registry/auth_server/config/auth_config.yml 
@@ -2,8 +2,8 @@ server: # Server settings.
   # Address to listen on.
   addr: ":5001"
   # TLS certificate and key.
-  certificate: "/ssl/server.pem"
-  key: "/ssl/server.key"
+  certificate: "/ssl/registry.crt"
+  key: "/ssl/registry.key"
 token: # Settings for the tokens.
   issuer: "Auth Service" # Must match issuer in the Registry config.
@@ -14,7 +14,7 @@ token: # Settings for the tokens.
 users: # Password is specified as a BCrypt hash. Use htpasswd -B to generate.
   "admin":
-    password: "$2y$05$QH.x7wSgRwX/T9LVKwr41e0djC2/2V5uNWPVaIbdssGInvzg.bd8S"
+    password: "$2y$05$vpPwtp7EQRZddhZwY4qtjObGdnsLipQOUcsdh2cq2DVWNjPJeun5u" # admin
   "": {} # Allow anonymous (no "docker login") access.
 acl:
diff --git a/registry/auth_server/ssl/server.key b/registry/auth_server/ssl/server.key
deleted file mode 100755
index 21d0c61..0000000
--- a/registry/auth_server/ssl/server.key
+++ /dev/null
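Review bot: The replaced hash is still the password `admin` (the trailing `# admin` comment says so and the README documents `admin/admin`), at bcrypt cost 05, so a registry brought up from these files ships with a publicly known account that the ACL presumably grants push rights; the default should be a placeholder that forces `htpasswd -nbB -C 10 admin <secret>` before first start, with a comment such as `# CHANGE ME: replace with your own htpasswd -B hash before deploying`. The `certificate`/`key` pair in the `server` section is, per the compose file, also what the registry trusts as the token root cert, so unless the hidden part of the `token` section sets its own `certificate`/`key`, the TLS key doubles as the token-signing key. The `server.key` deleted by this patch was committed in the clear and stays in git history; regenerating is right, but that key should be treated as compromised and never reused.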
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDpQZKkcD6nHJT9 -CFmGR/cnb3hiA9h1R1DwTJcH0E2wd7DAQNYYaBYk4bk9eVLl/m1Uf86tV6SieXDX -M9BUu22WtwP2VD1jlZWqQrM5ym+YSdMv/4T1nTfdJCkc01NzMLyGlln3NOMGqyuu -AWW+MhOySIlOtxbq7UIpQWvGxSxfFypzWz3wbI4tfHtBtH6AP4vVAf2RhMsGCkaN -uwnGBWocp1Xn+XZ6a6Q/8ssboQfPsa6Q4OPBMXR8yB7lV+8dE8l365djQWRgL3P8 -BYZWwKv1M0Tnu32KVTskT9H9LBt+0rViEX9/izSK4PCeSrBXyUgj4iuXKiLls/Ml -Jz+n5ZgbAgMBAAECggEBAJvSv2j0xxYSRQGog03uY5DHqc8orIDkbJCrSbXhlRTP -UJeOeLgDSM/Ir1v+4b9dsaHiY6pvQz97C0PojEMelr45cv8rFXuiYUJFnr97mgNN -RjTpaOQ/7CLiVki4cCYip77tUBqSDRvWW665pkNh5sCSLpAURc4ZQ7qVxq8Z52N5 -qqRmob4lUaL54cxrMzG2KIeEf8FwucgEjg+Su9RFRjC/2JjX9RmiLOOg7fMV38qs -S0NygmzZoV+u2cj3K8lOowmd8D4lLzcmDnYre33httzXmyE4eWGJYGq7pQGFKXaZ -Zl7SKFuWuYtfSFCcKpNRxnjGaVgfjJPdprTPMPWe8ekCgYEA/QsWuHfStB4tPjpj -RnwDQNNHIRkMP4FyeAANVttMx5xSEngcYct54iMRhckJrrKnKki6ww27Ghv789p+ -d99ak+VH/odYhfCANL/N06gopq4xmxBv1LhBmym3/oV8xzU9tTipcHh3xOvXW8at -kq6YD5Qf1H41ZyVnelnjIsPk8s0CgYEA6/tLyei164eex8Pu4yTKiFu+LM6KRE4r -m7Rmgv4Uu5AIZhn7NNKMADBRQS7Ck+qYlq3Mqj6fHPfU47lfqBYnBO8AvsQ4RF67 -T+8KIc66s83Lnf1UH3BGwPx1PylvfpmLYcxlfx2g4A7hJLcfl1KRi2QXoMan9Fa5 -gjkVo9XbxocCgYEAw+Y+y8cwH3OxURjA3MOLfTdUPOJ4Yf3kUdSwfwq+UVbLDzNf -vbJahODjYvC2B0KWOh0eQX2y2U7K6wm/mSwYoqEB8KJ1vRPpHW1UesUX25rGGqdJ -/KQ9XlOY93n+lPa59D+Opd0N1C1Fh+6zV/jFDmJ9lfOzgkwp5UYLm1GPQQ0CgYBJ -JiWRGgTCVNDgRZkYagAqEp45z3BGyiB0bJBWTKJqnbQsyiL3dciWCmQ1m2QPa+oO -0yMdJro1xZEFYiIHvY4s1lVZzQNQFjlkBsoSPr3bHJDgkXVxJWGZUuiZQqPgD4KI -N07C/5Etww8BTY6KXrrlBYrZeJr5f6STfFR767/rowKBgFn46Je41J7LJpgSvtTo -7E64PLohGmxnPIccbmvathRMvt1kB7SLNZEaZ6nGK7l7s14bG6eOiZCnwCnfQaA8 -SqZPzaJE+qtdMloOVy1uria6JfcWZLJM3ANA9z0mVB9B+xlbSXLHs82QUIvNp/dm -FEV080MmmQWyGNpx3/fIIAxH ------END PRIVATE KEY----- diff --git a/registry/auth_server/ssl/server.pem b/registry/auth_server/ssl/server.pem deleted file mode 100755 index 974965f..0000000 --- a/registry/auth_server/ssl/server.pem +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDazCCAlOgAwIBAgIJAJ3TzenOkZYDMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV -BAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxEjAQBgNVBAcMCUd1YW5nemhvdTEV -MBMGA1UEAwwMMTkyLjE2OC4xLjk2MB4XDTE1MTEyMzA3MTY1OFoXDTI1MTEyMDA3 -MTY1OFowTDELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5nRG9uZzESMBAGA1UE -BwwJR3Vhbmd6aG91MRUwEwYDVQQDDAwxOTIuMTY4LjEuOTYwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQDpQZKkcD6nHJT9CFmGR/cnb3hiA9h1R1DwTJcH -0E2wd7DAQNYYaBYk4bk9eVLl/m1Uf86tV6SieXDXM9BUu22WtwP2VD1jlZWqQrM5 -ym+YSdMv/4T1nTfdJCkc01NzMLyGlln3NOMGqyuuAWW+MhOySIlOtxbq7UIpQWvG -xSxfFypzWz3wbI4tfHtBtH6AP4vVAf2RhMsGCkaNuwnGBWocp1Xn+XZ6a6Q/8ssb -oQfPsa6Q4OPBMXR8yB7lV+8dE8l365djQWRgL3P8BYZWwKv1M0Tnu32KVTskT9H9 -LBt+0rViEX9/izSK4PCeSrBXyUgj4iuXKiLls/MlJz+n5ZgbAgMBAAGjUDBOMB0G -A1UdDgQWBBREtfXUd6l0q0yT8bQ0HnL5j6xIFDAfBgNVHSMEGDAWgBREtfXUd6l0 -q0yT8bQ0HnL5j6xIFDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAx -0ShP3mrN0ItR/scm0fUPq6rRA/1o3xdkBMCY9cTRGMBvKZ0tbHj1L6n24nKNmr4z -JSMAw8niLOMOY8nvbbMYeAvAmairdlEmRnN0jAHu3wfl8ZZdZjaKZHIxuwgAAb7S -hxp5wJzY5SfSUbs0+X1agNQtMMyG1yniPR//GAJ96Lr2UTj/tRw2BQX6woklj+th -tQTTRwLjnmoXCyn10cr0vdzg5iPeifZuYUA1rmOioIeqS0b/dQ6OrSIckBdQ694B -loEOvyNTbgrHWMktVUYSEsVDT8u/xtHDyLwpi2iTX5E0wHTOjt5PurEcpEarx4// -l2FEj/yjkxMVYeJQM/gg ------END CERTIFICATE----- diff --git a/registry/certs/.gitignore b/registry/certs/.gitignore new file mode 100644 index 0000000..d6b7ef3 --- /dev/null +++ b/registry/certs/.gitignore @@ -0,0 +1,2 @@ +* +!.gitignore diff --git a/registry/docker-compose-insecure.yml b/registry/docker-compose-insecure.yml new file mode 100644 index 0000000..6d8dbcb --- /dev/null +++ b/registry/docker-compose-insecure.yml @@ -0,0 +1,16 @@ +version: '2.4' +services: + registry: + image: registry.cn-hangzhou.aliyuncs.com/kennylee/registry:2 + container_name: 'docker-registry' + ports: + - 5000:5000 + volumes: + - ./data/registry:/var/lib/registry + restart: on-failure + logging: + driver: 'json-file' + options: + max-size: '12m' + max-file: '5' + 
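Review bot: The new `docker-compose-insecure.yml` publishes an unauthenticated plain-HTTP registry on `5000:5000`, i.e. on every interface, so anyone who can reach the host can push as well as pull, and the `--insecure-registry` daemon setting the README asks for also turns off certificate checking for that host. Bind it to loopback with `- "127.0.0.1:5000:5000"` unless the network is trusted, and add a header comment like `# Plain HTTP, no authentication: local testing only` so the file is not copied into a deployment by mistake.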
diff --git a/registry/docker-compose-with-auth.yml b/registry/docker-compose-with-auth.yml
index bb5a470..4ac2b4d 100644
--- a/registry/docker-compose-with-auth.yml
+++ b/registry/docker-compose-with-auth.yml
@@ -1,42 +1,43 @@
 version: '3'
 services:
   docker_auth:
-    image: cesanta/docker_auth
+    image: registry.cn-hangzhou.aliyuncs.com/kennylee/docker_auth
     container_name: 'docker_auth'
     ports:
-      - "5001:5001"
+      - "${docker_auth_port}:5001"
     volumes:
-      - ./data/docker_auth/auth_server/config:/config:ro
-      - ./data/log/docker_auth:/logs
-      - ./data/docker_auth/auth_server/ssl:/ssl
+      - ./auth_server/config:/config:ro
+      - ./data/docker_auth/logs:/logs
+      - ./certs:/ssl:ro
     command: /config/auth_config.yml
     restart: on-failure
     logging:
       driver: 'json-file'
       options:
-        max-size: '30m'
-        max-file: '1'
+        max-size: '12m'
+        max-file: '5'
   registry:
     image: registry.cn-hangzhou.aliyuncs.com/kennylee/registry:2
     container_name: 'docker_registry'
     ports:
-      - 5000:5000
+      - "443:443"
     volumes:
-      - ./data/docker_auth/auth_server/ssl:/ssl
-      - ./data/registry2:/var/lib/registry
+      - ./certs:/ssl:ro
+      - ./data/registry:/var/lib/registry
     restart: on-failure
     environment:
       - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry
       - REGISTRY_AUTH=token
-      - REGISTRY_AUTH_TOKEN_REALM=https://192.168.1.100:5001/auth
+      - REGISTRY_AUTH_TOKEN_REALM=https://${docker_auth_public_ip}:${docker_auth_port}/auth # 注意修改.env文件中docker_auth_public_ip为外部访问ip
       - REGISTRY_AUTH_TOKEN_SERVICE="Docker registry"
       - REGISTRY_AUTH_TOKEN_ISSUER="Auth Service"
-      - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/ssl/server.pem
-      - REGISTRY_HTTP_TLS_CERTIFICATE=/ssl/server.pem
-      - REGISTRY_HTTP_TLS_KEY=/ssl/server.key
+      - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/ssl/registry.crt
+      - REGISTRY_HTTP_ADDR=0.0.0.0:443
+      - REGISTRY_HTTP_TLS_CERTIFICATE=/ssl/registry.crt
+      - REGISTRY_HTTP_TLS_KEY=/ssl/registry.key
     logging:
       driver: 'json-file'
       options:
-        max-size: '30m'
-        max-file: '1'
+        max-size: '12m'
+        max-file: '5'
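Review bot: The realm `REGISTRY_AUTH_TOKEN_REALM=https://${docker_auth_public_ip}:${docker_auth_port}/auth` sends clients to an IP address, while docker_auth serves the same `registry.crt` from `./certs` that gencert.sh issues for a prompted domain name, so the client's TLS check of the token endpoint will fail with a hostname/IP-SAN mismatch unless that IP is in the certificate; putting the certificate's host name in the realm (and in `.env`) is the simpler fix. The same `registry.crt`/`registry.key` is now both the registry's TLS pair and, via `REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/ssl/registry.crt`, the cert the registry trusts for token signatures, so anything that can read the TLS key (a reverse proxy, a backup of `certs/`) can mint push tokens; a separate signing key pair configured in docker_auth's `token` section keeps those trust domains apart. Both ports are published on all interfaces; if this is a LAN-only registry, document binding to a specific address, e.g. `- "192.168.1.124:443:443"`, or the firewall rule that is expected.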
diff --git a/registry/docker-compose.yml b/registry/docker-compose.yml
index 6d8dbcb..209aeb0 100644
--- a/registry/docker-compose.yml
+++ b/registry/docker-compose.yml
@@ -4,10 +4,15 @@ services:
     image: registry.cn-hangzhou.aliyuncs.com/kennylee/registry:2
     container_name: 'docker-registry'
     ports:
-      - 5000:5000
+      - 443:443
     volumes:
       - ./data/registry:/var/lib/registry
+      - ./certs:/certs:ro
     restart: on-failure
+    environment:
+      - REGISTRY_HTTP_ADDR=0.0.0.0:443
+      - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt
+      - REGISTRY_HTTP_TLS_KEY=/certs/registry.key
     logging:
       driver: 'json-file'
       options:
diff --git a/registry/gencert.sh b/registry/gencert.sh
new file mode 100755
index 0000000..908c248
--- /dev/null
+++ b/registry/gencert.sh
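Review bot: This file now terminates TLS but sets no `REGISTRY_AUTH`, so publishing `443:443` on every interface still gives anyone who can reach the host anonymous push as well as pull; TLS only protects the transport, not who may write. If this is meant as the local "https mode" from the README, bind it to loopback (`- "127.0.0.1:443:443"`) and point anything network-facing at docker-compose-with-auth.yml, and say so in a comment above `ports:`. The port mapping should also be quoted (`- "443:443"`) to match the convention used in docker-compose-with-auth.yml.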
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# 最终证书存放的目录
+FOLDER_DIR=certs/
+# 证书文件名字,默认为空的话代表用输入domain作为证书文件名字
+CERT_NAME=registry
+
+# create self-signed server certificate:
+
+read -p "Enter your domain [www.example.com]: " DOMAIN
+
+echo "Create server key..."
+
+if [ -z "$CERT_NAME" ]; then
+  CERT_NAME=$DOMAIN
+fi
+
+openssl genrsa -des3 -out $CERT_NAME.key 1024
+
+echo "Create server certificate signing request..."
+
+SUBJECT="/C=CN/ST=BeiJing/L=Dongcheng/CN=$DOMAIN"
+
+openssl req -new -subj $SUBJECT -key $CERT_NAME.key -out $CERT_NAME.csr
+
+echo "Remove password..."
+
+mv $CERT_NAME.key $CERT_NAME.origin.key
+openssl rsa -in $CERT_NAME.origin.key -out $CERT_NAME.key
+
+echo "Sign SSL certificate..."
+
+openssl x509 -req -days 3650 -in $CERT_NAME.csr -signkey $CERT_NAME.key -out $CERT_NAME.crt
+
+echo "TODO:"
+echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
+echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
+echo "Add configuration in nginx:"
+echo "server {"
+echo " ..."
+echo " listen 443 ssl;"
+echo " ssl_certificate /etc/nginx/ssl/$DOMAIN.crt;"
+echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
+echo "}"
+
+if [ -n "$FOLDER_DIR" ]; then
+  mv $CERT_NAME.key $FOLDER_DIR
+  mv $CERT_NAME.crt $FOLDER_DIR
+  mv $CERT_NAME.csr $FOLDER_DIR
+  mv $CERT_NAME.origin.key $FOLDER_DIR
+fi
diff --git a/registry/image-build/docker_auth/Dockerfile b/registry/image-build/docker_auth/Dockerfile
new file mode 100755
index 0000000..0e957c9
--- /dev/null
+++ b/registry/image-build/docker_auth/Dockerfile
@@ -0,0 +1,4 @@
+FROM cesanta/docker_auth
+
+
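Review bot: `read -p` is a bash extension that errors out under `#!/bin/sh` on dash-based systems (Debian/Ubuntu), so the script stops before generating anything; since `read -p` is the only non-POSIX construct, change the shebang to `#!/bin/bash` or use `printf` followed by a plain `read DOMAIN`. `openssl genrsa -des3 ... 1024` produces a 1024-bit key that current OpenSSL security levels and many clients reject, and the `-des3` passphrase is decrypted away two commands later, so generate an unencrypted 2048-bit key directly and drop the `origin.key` round trip (including its final `mv`). The certificate is issued with only a CN and no subjectAltName, which newer Docker/Go TLS clients ignore for host matching, so pushes will likely fail with an x509 hostname error; add a SAN at signing time (use `IP:` instead of `DNS:` if an address is entered). The `echo "TODO:"` nginx block is copied from an unrelated recipe and should be removed or replaced with the `/etc/docker/certs.d/<host>/ca.crt` step clients actually need to trust this self-signed cert.

```shell
#!/bin/bash
# … unchanged: FOLDER_DIR / CERT_NAME, domain prompt, SUBJECT …
openssl genrsa -out "$CERT_NAME.key" 2048
openssl req -new -subj "$SUBJECT" -key "$CERT_NAME.key" -out "$CERT_NAME.csr"
openssl x509 -req -days 3650 -in "$CERT_NAME.csr" -signkey "$CERT_NAME.key" \
  -extfile <(printf 'subjectAltName=DNS:%s' "$DOMAIN") -out "$CERT_NAME.crt"
# … unchanged: move key/crt/csr into $FOLDER_DIR (no origin.key any more) …
```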