猿创征文 | Security hardening after quickly building a local private Docker registry (user authentication and enabling a simple web UI)

Preface

Using a local Docker registry casually is indeed simple: two or three commands and it is done. But if you want it to have some degree of security, it becomes a fairly involved matter, for example user permissions, authentication, and enabling a web-based management UI.

The previous post outlined how to build a simple local private Docker registry in two ways: the simplest, a local registry with no security at all, where anyone can push and pull at will; and one with a certificate, a local private registry that uses HTTPS. That post is: 猿创征文|docker本地仓库的搭建(简易可快速使用的本地仓库)_zsk_john的博客-CSDN博客

Now, continuing from that post, let's keep hardening this local Docker registry.

1. Recap and authentication configuration

Container start command for the HTTP-only local registry:

    docker run -d -p 5000:5000 -v /opt/data/registry:/var/lib/registry -v /opt/data/config.yml:/etc/docker/registry/config.yml --name registry registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1

The matching container start command for the web UI at this stage:

    docker run -it -d --name registry-web -e REGISTRY_URL=http://192.168.217.17:5000/v2 -e REGISTRY_NAME=192.168.217.17 -p 9055:8080 registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web

Login address:

A registry started this way accepts pushes from anyone who knows its address, which is dangerous: someone with bad intentions could push who knows what into the server. So if we set a password and require anyone pushing to authenticate first, the registry's security improves considerably.

(1) Create a directory for the password file

First create the directory: mkdir /opt/auth/

(2) Generate the password file. The command below creates the user linkcm with the password 123456:

    docker run --entrypoint htpasswd \
        registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1 \
        -Bbn linkcm 123456 \
        >>/opt/auth/htpasswd

Add a second user, zsk, with the password qwerasdf:

    docker run --entrypoint htpasswd \
        registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1 \
        -Bbn zsk qwerasdf \
        >>/opt/auth/htpasswd

(3) Check the file contents and confirm that the password is stored as a bcrypt hash rather than in plain text:

    [root@slave1 ~]# cat /opt/auth/htpasswd
    linkcm:$2y$05$ImH24JuZ0NnsOHnwjUF9oeDO/F.t6JF3FHEYKaoomDa5327v/7YSC
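
A quick way to audit the file produced in this step, as an added example that is not from the original post: the registry's htpasswd backend accepts only bcrypt entries (which is why the commands above pass `-B`), and `htpasswd -B` defaults to cost 5, as the `$2y$05$` prefix above shows. The script below, written for this edit, parses the file, rejects non-bcrypt lines, flags duplicate users and reports entries whose bcrypt cost is below a threshold (cost 10 is this script's own choice; `htpasswd -C <cost>` selects the cost when generating). `SAMPLE_HTPASSWD` is a constructed input: the linkcm line from the post plus two deliberately bad entries.

```python
import re

# Shape of a bcrypt entry as `htpasswd -B` writes it:
# $2y$<2-digit cost>$<22-char salt><31-char digest>  (60 characters in total)
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed sample: the linkcm line from the post, an MD5 (`$apr1$`) entry the
# registry would reject, and a duplicate user with an adequate cost.
SAMPLE_HTPASSWD = """\
linkcm:$2y$05$ImH24JuZ0NnsOHnwjUF9oeDO/F.t6JF3FHEYKaoomDa5327v/7YSC
legacy:$apr1$zYx9Qw1a$3pD0sMn4W0y9Xg6mLkJ2n/
linkcm:$2y$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
"""


def parse_htpasswd(text):
    """Split an htpasswd file into (line_no, user, hash) triples, skipping blanks and comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {line_no}: no ':' between user and hash")
        user, _, hashed = line.partition(":")
        entries.append((line_no, user, hashed))
    return entries


def audit_htpasswd(text, min_cost=10):
    """Return a list of findings; an empty list means every entry is bcrypt,
    every user is unique, and every hash uses at least `min_cost` rounds."""
    findings = []
    seen = set()
    for line_no, user, hashed in parse_htpasswd(text):
        if user in seen:
            findings.append(f"line {line_no}: duplicate user '{user}'")
        seen.add(user)
        match = BCRYPT_RE.match(hashed)
        if not match:
            findings.append(
                f"line {line_no}: '{user}' is not a bcrypt hash (the registry accepts only bcrypt)"
            )
            continue
        cost = int(match.group(1))
        if cost < min_cost:
            findings.append(f"line {line_no}: '{user}' uses bcrypt cost {cost} (< {min_cost})")
    return findings


if __name__ == "__main__":
    # Run against a real file with: audit_htpasswd(open("/opt/auth/htpasswd").read())
    for finding in audit_htpasswd(SAMPLE_HTPASSWD):
        print(finding)
```

Run against `/opt/auth/htpasswd` after each `htpasswd` invocation; a duplicate user line is worth catching early because appending with `>>` silently adds a second entry instead of replacing the first.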

(4) Start the HTTP registry on port 5000. From now on, both pushing to and pulling from the private registry require logging in first:

    docker run -d -p 5000:5000 \
        -v /opt/registry/data:/var/lib/registry \
        -v /opt/registry/conf/config.yml:/etc/docker/registry/config.yml \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        -e REGISTRY_AUTH_HTPASSWD_REALM=Registry_Realm \
        -v /opt/auth:/auth \
        --name localregistry registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1

Compared with the earlier start command, the main additions are:

    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd
    -e REGISTRY_AUTH_HTPASSWD_REALM=Registry_Realm
    -v /opt/auth:/auth

(5) Verification:

The first push, without logging in, fails:

    [root@slave1 auth]# docker push 192.168.217.17:5000/pause
    The push refers to repository [192.168.217.17:5000/pause]
    ba0dae6243cc: Preparing
    unauthorized: authentication required

After logging in (account linkcm, password 123456), the push succeeds:

    [root@slave1 auth]# docker login 192.168.217.17:5000
    Authenticating with existing credentials...
    Login did not succeed, error: Error response from daemon: login attempt to http://192.168.217.17:5000/v2/ failed with status: 401 Unauthorized
    Username (test): linkcm
    Password:
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    Login Succeeded
    [root@slave1 auth]# docker push 192.168.217.17:5000/pause
    The push refers to repository [192.168.217.17:5000/pause]
    ba0dae6243cc: Layer already exists
    3.2: digest: sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108 size: 526

Starting the HTTPS container (on server .16; this one listens on port 443):

    docker run -d --restart=always --name registry \
        -v /opt/ssl:/certs \
        -v /opt/registry/data:/var/lib/registry \
        -v /opt/registry/conf/config.yml:/etc/docker/registry/config.yml \
        -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myssl.pem \
        -e REGISTRY_HTTP_TLS_KEY=/certs/myssl.key \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        -e REGISTRY_AUTH_HTPASSWD_REALM=Registry_Realm \
        -v /opt/auth:/auth \
        -p 443:443 \
        registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1

Log in to the private registry from server .18:

    [root@k8s-node1 ~]# docker login master.com.cn
    Username: linkcm
    Password:
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    Login Succeeded

Log out of the private registry:

    [root@k8s-node2 ~]# docker logout master.com.cn
    Removing login credentials for master.com.cn

At this point the private registry requires a login before either an upload or a download can proceed.

What we have so far is only user-level hardening of the local registry: you must log in before push and pull operations are allowed. The web UI has not been enabled yet.

2. Comprehensive hardening together with the web UI: both the web UI and the command line require login, and uploads and downloads are protected by password authentication.

Starting the local registry container (this registry has no password authentication):

    docker run -d -p 5000:5000 -v /opt/data/registry:/var/lib/registry -v /opt/data/config.yml:/etc/docker/registry/config.yml --name registry registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1

Enabling the web UI at this stage (the web UI has no password authentication either; these two containers go together as a pair):

    docker run -it -d --name registry-web -e REGISTRY_URL=http://192.168.217.17:5000/v2 -e REGISTRY_NAME=192.168.217.17:5000 -p 9055:8080 registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web

The login address is http://192.168.217.17:9055/

The setup above has no user authentication. Next we enable mandatory authentication, meaning that on the web side a password must be entered before images can be uploaded.




Certificate generation command:

    openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/ssl/myssl.key -x509 -days 365 -out /opt/ssl/myssl.pem

Where the certificate files are stored:

    [root@master conf]# ll /opt/ssl/
    total 8
    -rw------- 1 root root 3272 Sep 2 20:59 myssl.key
    -rw-r--r-- 1 root root 2009 Sep 2 21:00 myssl.pem

Create a second location for the certificate and copy it there:

    mkdir -p /etc/docker/registry
    cp /opt/ssl/myssl.pem /etc/docker/registry

     

Configuration file of the private registry (YAML is indentation-sensitive; the nesting shown here is the one the registry expects):

    [root@master conf]# cat /opt/registry/conf/config.yml
    version: 0.1
    log:
      fields:
        service: registry
    storage:
      cache:
        blobdescriptor: inmemory
      filesystem:
        rootdirectory: /var/lib/registry
    http:
      addr: 0.0.0.0:5000
      headers:
        X-Content-Type-Options: [nosniff]
    health:
      storagedriver:
        enabled: true
        interval: 10s
        threshold: 4
    auth:
      token:
        realm: http://192.168.217.16:9055/api/auth
        service: 192.168.217.16:5000
        issuer: 'my issuer'
        rootcertbundle: /etc/docker/registry/myssl.pem

The auth.token section is what ties the two containers together: the registry sends unauthenticated clients to realm (the web UI's /api/auth endpoint) and accepts only tokens whose issuer matches and whose signature verifies against the certificate in rootcertbundle.

Command to start the local registry container:

    docker run -v /opt/registry/conf/config.yml:/etc/docker/registry/config.yml:ro \
        -v /opt/registry/data:/var/lib/registry \
        -v /opt/ssl/myssl.pem:/etc/docker/registry/myssl.pem:ro \
        -p 5000:5000 \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        -e REGISTRY_AUTH_HTPASSWD_REALM=Registry_Realm \
        -v /opt/auth:/auth \
        --name registry-srv \
        -d registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1

Create the directory for the web UI's configuration file and write the file:

    mkdir -p /opt/registry-web/conf/

Contents of the registry-web configuration file (the issuer must match the registry's config.yml, and key is the private key belonging to the certificate given there as rootcertbundle):

    [root@master conf]# cat /opt/registry-web/conf/config.yml
    registry:
      url: http://192.168.217.16:5000/v2
      name: 192.168.217.16:5000
      readonly: false
      auth:
        enabled: true
        issuer: 'my issuer'
        key: /conf/myssl.key

Command to start the web UI container:

    docker run -it -d -v /opt/registry-web/conf/config.yml:/conf/config.yml:ro \
        -v /opt/ssl/myssl.key:/conf/myssl.key \
        -p 9055:8080 \
        --name registry-web \
        registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web
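
What actually happens between the Docker client, the registry and the web UI once auth.token is configured, as an added example that is not from the original post or from either project: on an unauthenticated request the registry answers 401 with a WWW-Authenticate: Bearer header carrying realm, service and scope; the client fetches a JWT from realm (the web UI's /api/auth, presenting its Basic credentials); the registry then verifies the token's signature against rootcertbundle and checks its issuer, audience, validity window and access grants before serving the request. The Python below, written for this edit, parses such a challenge, builds the token request URL exactly as a client would, and applies the claim checks to a constructed token. SAMPLE_CHALLENGE, SAMPLE_CLAIMS, NOW and the placeholder signature are constructed for the example; no signature is verified here, since that step needs the key pair from the post.

```python
import base64
import json
import re
from urllib.parse import urlencode

# Constructed 401 challenge, shaped after the post's config.yml (realm/service).
SAMPLE_CHALLENGE = (
    'Bearer realm="http://192.168.217.16:9055/api/auth",'
    'service="192.168.217.16:5000",scope="repository:nginx:pull"'
)
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Split a `WWW-Authenticate: Bearer ...` value into its realm/service/scope parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"not a Bearer challenge: {scheme!r}")
    parsed = dict(PARAM_RE.findall(params))
    if "realm" not in parsed or "service" not in parsed:
        raise ValueError("Bearer challenge is missing realm or service")
    return parsed


def token_request_url(challenge):
    """URL the client requests (with Basic credentials) to obtain a token for the challenged scope."""
    query = {"service": challenge["service"]}
    if "scope" in challenge:
        query["scope"] = challenge["scope"]
    return challenge["realm"] + "?" + urlencode(query)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims):
    """Assemble a JWT with a placeholder signature (constructed for illustration;
    the real token is signed with myssl.key and checked against rootcertbundle)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url(b"placeholder-signature"),
    ])


def decode_claims(token):
    """Return the JWT payload. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, issuer, service, repo, action, now):
    """The checks the registry applies after the signature: issuer, audience
    (service), validity window, and an access grant for `action` on `repo`."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"issuer {claims.get('iss')!r} != configured {issuer!r}")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if service not in aud:
        problems.append(f"audience {aud} does not include service {service!r}")
    if now >= claims.get("exp", 0):
        problems.append("token expired")
    if now < claims.get("nbf", 0):
        problems.append("token not yet valid")
    granted = any(
        a.get("type") == "repository" and a.get("name") == repo and action in a.get("actions", [])
        for a in claims.get("access", [])
    )
    if not granted:
        problems.append(f"no access grant for {action} on repository {repo!r}")
    return problems


NOW = 1_700_000_000  # fixed clock so the example is deterministic
SAMPLE_CLAIMS = {  # constructed: what the web UI would mint for user zsk pulling nginx
    "iss": "my issuer",
    "sub": "zsk",
    "aud": "192.168.217.16:5000",
    "nbf": NOW - 10,
    "exp": NOW + 300,
    "access": [{"type": "repository", "name": "nginx", "actions": ["pull"]}],
}

if __name__ == "__main__":
    challenge = parse_bearer_challenge(SAMPLE_CHALLENGE)
    print(token_request_url(challenge))
    claims = decode_claims(make_sample_token(SAMPLE_CLAIMS))
    print(check_claims(claims, "my issuer", "192.168.217.16:5000", "nginx", "pull", NOW))
    print(check_claims(claims, "my issuer", "192.168.217.16:5000", "nginx", "push", NOW))
```

The second print shows why a pull-only token cannot be reused for a push: the access claim is scoped per repository and per action, so the registry rejects the request and the client has to fetch a new token for the push scope.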

Web UI login address and interface (192.168.217.16:9055):

User authentication is now managed in the web UI; the initial login account and password are admin/admin.

Test pulling an image. As you can see, without logging in it errors out:

    [root@slave2 ~]# docker pull 192.168.217.16:5000/nginx:1.8
    Error response from daemon: Head http://192.168.217.16:5000/v2/nginx/manifests/1.8: unauthorized: authentication required

Pushing without logging in errors out as well, of course; that is not shown here. Logging in looks like this:

    [root@slave2 ~]# docker login 192.168.217.16:5000
    Username: zsk
    Password:
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    Login Succeeded

After entering the correct password, user zsk is logged in and both uploading and downloading images work again. For example, an upload:

    [root@slave2 ~]# docker push 192.168.217.16:5000/registry-web
    Using default tag: latest
    The push refers to repository [192.168.217.16:5000/registry-web]
    8779b4998d0c: Layer already exists
    9eb22ef427e2: Layer already exists
    64d1c65ea33e: Layer already exists
    d6c3b0e63834: Layer already exists
    1315f14832fa: Layer already exists
    d16096ccf0bb: Layer already exists
    463a4bd8f8c1: Layer already exists
    be44224e76b9: Layer already exists
    d96a8038b794: Layer already exists
    f469fc28e82e: Layer already exists
    8418a42306ef: Layer already exists
    03457c5158e2: Layer already exists
    7ef05f1204ee: Layer already exists
    f7049feabf0b: Layer already exists
    5ee52271b8b7: Layer already exists
    8b1153b14d3a: Layer already exists
    367b9c52c931: Layer already exists
    3567b2f05514: Layer already exists
    292a66992f77: Layer already exists
    641fcd2417bc: Layer already exists
    78ff13900d61: Layer already exists
    latest: digest: sha256:2c4f88572e1626792d3ceba6a5ee3ea99f1c3baee2a0e8aad56f0e7c3a6bf481 size: 4695

Logging out on the command line:

    [root@slave2 ~]# docker logout 192.168.217.16:5000
    Removing login credentials for 192.168.217.16:5000

This meets expectations perfectly: user authentication works well. Without logging in, a push looks like this (pull behaves the same):

    [root@master conf]# docker push 192.168.217.16:5000/registry-web
    The push refers to repository [192.168.217.16:5000/registry-web]
    8779b4998d0c: Preparing
    9eb22ef427e2: Preparing
    64d1c65ea33e: Preparing
    d6c3b0e63834: Preparing
    1315f14832fa: Preparing
    d16096ccf0bb: Waiting
    463a4bd8f8c1: Waiting
    be44224e76b9: Waiting
    d96a8038b794: Waiting
    f469fc28e82e: Waiting
    8418a42306ef: Waiting
    03457c5158e2: Waiting
    7ef05f1204ee: Waiting
    f7049feabf0b: Waiting
    5ee52271b8b7: Waiting
    8b1153b14d3a: Waiting
    367b9c52c931: Waiting
    3567b2f05514: Waiting
    292a66992f77: Waiting
    641fcd2417bc: Waiting
    78ff13900d61: Waiting
    unauthorized: authentication required

Original post: https://blog.csdn.net/alwaysbefine/article/details/126659267