Docker如何搭建基于Token认证的的Registry服务

这篇文章将为大家详细讲解有关Docker如何搭建基于Token认证的的Registry服务，小编觉得挺实用的，因此分享给大家做个参考，希望大家阅读完这篇文章后可以有所收获。

搭建Token认证的Registry服务

1. 创建目录

mkdir -p {/data/volume/{auth_server/{config,ssl},docker_registry/data}}

2. 拷贝认证文件

如果有现成的认证文件，将文件拷贝至ssl文件夹下，文件包括( server.key, server.pem )

如果没有认证文件，使用下面的指令生成临时文件

 openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.pem

3. 配置认证服务的配置文件

在目录（/data/volumes/auth_server/config）下创建配置文件（auth_config.yml）

server:  # Server settings.  # Address to listen on.  addr: ":5001"  # TLS certificate and key.  certificate: "/ssl/server.pem"  key: "/ssl/server.key"token:  # Settings for the tokens.  issuer: "Auth Service"  # Must match issuer in the Registry config.  expiration: 900# Static user map. users:  # Password is specified as a BCrypt hash. Use htpasswd -B to generate.  "admin":    password: "$2y$05$B.x046DV3bvuwFgn0I42F.W/SbRU5fUoCbCGtjFl7S33aCUHNBxbq"  "reader":    password: "$2y$05$xN3hNmNlBIYpST7UzqwK/O5T1/JyXDGuJgKJzf4XuILmvX7L5ensa"  "": {}  # Allow anonymous (no "docker login") access.acl:  # Admin has full access to everything.  - match: {account: "admin"}    actions: ["*"]  - match: {account: "reader", name: "nginx"}    actions: ["pull"]

4. 搭建registry和auth服务

采用compose模式搭建，创建compose文件（registry-auth.yml）

dockerauth:  image: cesanta/docker_auth:stable  container_name: docker_auth  ports:    - "5001:5001"  volumes:    - /data/volumes/auth_server/config:/config:ro    - /var/log/docker_auth:/logs    - /data/volumes/auth_server/ssl:/ssl  command: /config/auth_config.yml  restart: alwaysregistry:  image: registry:2  container_name: docker_registry  ports:    - "5000:5000"  volumes:    - /data/volumes/auth_server/ssl:/ssl    - /data/volumes/docker_registry/data:/var/lib/registry  restart: always  environment:    - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry    - REGISTRY_AUTH=token    - REGISTRY_AUTH_TOKEN_REALM=https://registry.sky.com:5001/auth    - REGISTRY_AUTH_TOKEN_SERVICE="Docker registry"    - REGISTRY_AUTH_TOKEN_ISSUER="Auth Service"    - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/ssl/server.pem    - REGISTRY_HTTP_TLS_CERTIFICATE=/ssl/server.pem    - REGISTRY_HTTP_TLS_KEY=/ssl/server.key

执行指令

docker-compose -f registry-auth.yml up

5. 在线测试

• 找一个安装了docker的服务器

• 执行登录指令docker login registry.sky.com:5000

• 输入用户名和密码

Username (reader): Password: Login Succeeded

• 根据前面的权限配置，reader用户只有pull权限，无法push操作

$ docker tag nginx registry.sky.com:5000/nginx$ docker push registry.sky.com:5000/nginxThe push refers to a repository [registry.sky.com:5000/nginx]5f70bf18a086: Preparing bbf4634aee1a: Preparing 64d0c8aee4b0: Preparing 4dcab49015d4: Preparing unauthorized: authentication required

测试成功，无法提交

• 重新采用admin用户登录

docker push registry.sky.com:5000/nginx     The push refers to a repository [registry.sky.com:5000/nginx]5f70bf18a086: Pushed bbf4634aee1a: Pushed 64d0c8aee4b0: Pushed 4dcab49015d4: Pushed latest: digest: sha256:e2ba8f461c877d3bbe0294dcce6398b085a19117d73e0ae1d75f9b412cab8c2e size: 1978

关于"Docker如何搭建基于Token认证的的Registry服务"这篇文章就分享到这里了，希望以上内容可以对大家有一定的帮助，使各位可以学到更多知识，如果觉得文章不错，请把它分享出去让更多的人看到。