Private Registry 2020(1) No auth in registry, Nginx AUTH for UI
程序员文章站
2022-03-30 19:21:04
Deploy basic registry server
> docker run -d -p 5000:5000 --name registry registry:2
Have it running
> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5676dd2a19e0 registry:2 "/entrypoint.sh /etc…" 12 seconds ago Up 11 seconds 0.0.0.0:5000->5000/tcp registry
It is running with the basic config; verify that
> docker pull ubuntu:16.04
Tag the ubuntu image to point to our own registry
> docker tag ubuntu:16.04 localhost:5000/c-ubuntu
Push to localhost
> docker push localhost:5000/c-ubuntu
Remove local images
> docker image remove ubuntu:16.04
> docker rmi localhost:5000/c-ubuntu
Finally, we can pull from the remote
> docker pull localhost:5000/c-ubuntu
We can enable the UI https://github.com/Joxit/docker-registry-ui
Run the Docker UI
> docker run -d -p 80:80 -e URL=http://localhost:5000 -e DELETE_IMAGES=true joxit/docker-registry-ui
It will not work because I run 2 Docker containers and use localhost; they cannot find each other. Try it on my rancher-home VirtualBox machine.
> docker run -d -p 5000:5000 --name registry registry:2
> docker run -d -p 80:80 -e URL=http://rancher-home:5000 -e DELETE_IMAGES=true joxit/docker-registry-ui
It is not working because of CORS. Try adding settings for the registry
Prepare the Password configuration
> docker run --entrypoint htpasswd registry:2 -Bbn sillycat 'password' > conf/htpasswd
Try this
> docker run -d -p 80:80 -e REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin="*" -e URL=http://rancher-home:5000 -e DELETE_IMAGES=true joxit/docker-registry-ui
Visiting the page with a username and password works fine
http://admin:admin~!%40@rancher-home:5000/v2/_catalog?n=100000
Try this
> docker tag ubuntu:16.04 192.168.56.110:5000/a-ubuntu
> docker push 192.168.56.110:5000/a-ubuntu
The push refers to repository [192.168.56.110:5000/a-ubuntu]
Get https://192.168.56.110:5000/v2/: http: server gave HTTP response to HTTPS client
Solution:
https://github.com/docker/distribution/issues/1874
Check this file and add our registry address there
> cat /etc/docker/daemon.json
{
  "insecure-registries": [
    "192.168.56.110:8088",
    "192.168.56.111:8088",
    "192.168.56.112:8088",
    "rancher-worker1:8088",
    "rancher-worker2:8088",
    "rancher-home:8088",
    "159.89.253.84:80",
    "10.132.242.85:8088"
  ]
}
Restart the service
> sudo systemctl restart docker.service
It works pretty well now
> docker tag ubuntu:16.04 rancher-home:5000/b-ubuntu
> docker push rancher-home:5000/b-ubuntu
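Why the push to localhost:5000 went through while 192.168.56.110:5000 hit the HTTPS error, and what an insecure-registries entry has to look like, as an added example (not code from the original post). It is a simplified model of the daemon's rule: no DNS lookup is done (only `localhost` and IP literals count as loopback), only IPv4 and hostnames are handled, and the function names are this example's own.

```python
import ipaddress
import json

# Constructed sample: a subset of the daemon.json entries shown above.
DAEMON_JSON = """
{
  "insecure-registries": [
    "192.168.56.110:8088",
    "rancher-home:8088",
    "10.132.242.85:8088"
  ]
}
"""

def registry_host(image_ref):
    """Return the registry host[:port] of an image reference."""
    first = image_ref.split("/", 1)[0]
    # The first path component is a registry only if it looks like a host.
    if "/" in image_ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def plain_http_allowed(image_ref, daemon_json):
    """True if the daemon would accept plain HTTP for this reference."""
    host = registry_host(image_ref)
    name = host.rsplit(":", 1)[0] if ":" in host else host
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None  # a hostname, not an IP literal
    # Loopback registries are treated as insecure without any configuration.
    if name == "localhost" or (ip is not None and ip.is_loopback):
        return True
    for entry in json.loads(daemon_json).get("insecure-registries", []):
        if entry == host:  # plain entries must match host and port exactly
            return True
        if "/" in entry and ip is not None:  # CIDR entry such as 192.168.56.0/24
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
    return False
```

An entry for port 8088 does not cover the same host on port 5000, so the registry's own host:port has to be listed. Every endpoint on this list is spoken to without TLS, so Basic auth credentials and image layers cross the network in cleartext.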
Make it work with Nginx authentication
> docker run -d -p 5001:80 -e REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin="*" -e URL=http://rancher-home:5000 -e DELETE_IMAGES=true joxit/docker-registry-ui
> docker run -d -p 5001:80 -e REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin="*" -e URL=http://rancher-home:5000 -e REGISTRY_URL=http://rancher-home:5000 -e NGINX_PROXY_HEADER_X_Forwarded_For='$proxy_add_x_forwarded_for' -e DELETE_IMAGES=true joxit/docker-registry-ui
NGINX_PROXY_HEADER_Authorization=Basic cmVnaXN0cnk6dWk=
We can try this as well.
upstream registry {
    server localhost:5001;
}
location /registry/ {
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_pass http://registry/;
}
Working Makefile for registry
PORT=5000
IMAGE=registry
TAG=2
NAME=docker-registry-$(PORT)

# Optional htpasswd mount, disabled for the no-auth setup:
#   -v $(shell pwd)/conf/htpasswd:/etc/docker/registry/htpasswd

run:
	docker run \
		-d \
		-p $(PORT):5000 \
		-v $(shell pwd)/registry:/var/lib/registry \
		-v $(shell pwd)/conf/config.yml:/etc/docker/registry/config.yml \
		--name $(NAME) \
		$(IMAGE):$(TAG)

clean:
	docker stop ${NAME}
	docker rm ${NAME}
Configuration for no auth registry in conf/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
    Access-Control-Allow-Origin: ['*']
    Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
    Access-Control-Expose-Headers: ['Docker-Content-Digest']
    #Access-Control-Allow-Origin: ['http://rancher-home']
    #Access-Control-Allow-Headers: ['Authorization']
    #Access-Control-Max-Age: [1728000]
    #Access-Control-Allow-Credentials: [true]
#auth:
#  htpasswd:
#    realm: basic-realm
#    path: /etc/docker/registry/htpasswd
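What this no-auth configuration leaves open, as an added example (not part of the original post): a small audit that reads a registry config.yml and reports the combination of missing `auth`, enabled deletes and a wildcard CORS origin that allows DELETE. The finding names and the minimal YAML flattening are this example's own assumptions; it only handles the nested-mapping layout used above.

```python
import re

# Constructed sample: the no-auth conf/config.yml from this page, trimmed.
NO_AUTH = """\
storage:
  delete:
    enabled: true
http:
  addr: :5000
  headers:
    Access-Control-Allow-Origin: ['*']
    Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
#auth:
#  htpasswd:
#    realm: basic-realm
#    path: /etc/docker/registry/htpasswd
"""

def flatten(text):
    """Flatten the nested-mapping subset of YAML used above into dotted keys."""
    flat, stack = {}, []  # stack holds (indent, key) for each open mapping
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # commented-out settings are not in effect
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip()
    return flat

def audit(text):
    """Return finding names for a registry config (names are this example's own)."""
    cfg = flatten(text)
    def items(key):  # "['HEAD', 'GET']" -> ["HEAD", "GET"]
        return re.findall(r"[^\[\]',\s]+", cfg.get(key, ""))
    findings = []
    if not any(k.startswith("auth.") for k in cfg):
        findings.append("no-auth")  # anyone who reaches :5000 can pull and push
        if cfg.get("storage.delete.enabled") == "true":
            findings.append("unauthenticated-delete")
    if ("*" in items("http.headers.Access-Control-Allow-Origin")
            and "DELETE" in items("http.headers.Access-Control-Allow-Methods")):
        findings.append("wildcard-cors-delete")  # any web origin may send DELETE
    return findings
```

Uncommenting the `auth` block and switching to the commented-out `http://rancher-home` origin clears all three findings; browsers do not send credentials to a wildcard origin, which is why the commented variant names a single origin together with Access-Control-Allow-Credentials.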
References:
https://docs.docker.com/registry/deploying/
https://github.com/Quiq/docker-registry-ui
https://github.com/mkuchin/docker-registry-web
https://github.com/Joxit/docker-registry-ui
https://github.com/Joxit/docker-registry-ui/blob/master/examples/proxy-headers/docker-compose.yml