logo标签列表

如何在Docker Registry v2中使拉取公开,推送需要登录?

nginxdockerprivilegesbasic-authenticationdocker-registry
3
我使用以下指令启动了注册表,作为组合容器: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04 然而,我希望能够区分访问权限,这样没有登录的用户可以访问仓库中的镜像,但无法进行推送。
在第一次尝试中,我尝试通过在nginx中设置limit_except来实现(因为我像教程中一样将其用于前端)。
limit_except GET HEAD {
    auth_basic "Docker Registry";
    auth_basic_user_file /etc/nginx/conf.d/registry.password;
}

很遗憾,虽然拉取过程顺利,但docker login命令无法正常工作。
$ docker login myhost.example.net
Username: myuser
Password: 
Email: 
Error response from daemon: no successful auth challenge for https://myhost.example.net/v2/ - errors: []

似乎,docker pulldocker login都发送相同的HTTP GET请求,很难区分它们。
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

现在让我们看一下不同的请求并进行分析。
Docker登录(启用HTTP基本身份验证):
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:40:40 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0

<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Authorization: Basic eHh4Onh4eAo=
Accept-Encoding: gzip

HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:40:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0

Docker 登录 (关闭http basic认证)

GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 10:09:26 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0

收到200 OK后,命令像上面提到的那样失败。
Docker拉取(关闭http基本身份验证):
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:53:54 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0

{}GET /v2/my-ubuntu-image/manifests/latest HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:53:54 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 39196
Connection: keep-alive
Docker-Content-Digest: sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e"
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0

{
 ... (truncated) ...

Docker pull(使用http基本身份验证,启用凭据):

GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:52:00 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0

<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v2/my-ubuntu-image/manifests/latest HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Authorization: Basic cmZzY206d2llbGJyZnNjbXBvd3N6ZWN6YXN5
Accept-Encoding: gzip

HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:52:00 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 39196
Connection: keep-alive
Docker-Content-Digest: sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e"
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
... (truncated) ...

使用http基本身份验证(有开启)(无凭据)拉取Docker镜像:

GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0

<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip

HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0

<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v1/repositories/my-ubuntu-image/images HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
X-Docker-Token: true
Accept-Encoding: gzip

HTTP/1.1 404 Not Found
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>

通过查看上面的示例,我们可以清楚地看到当pull没有凭据时,尝试两次访问url /v2/,因此也许我们可以在客户端连续两次请求/v2/ url时以某种方式区分请求?
我还听说最新的注册表(我认为版本>= 2.1)具有内置的HTTP Basic Auth支持,但我在文档中找不到相关内容。
希望我已经详细解释了这个问题。
1
我会看一下Portus - undefined
好的,我之前还没见过这个工具,看起来很有潜力,谢谢。 - undefined
是的。它还很年轻。但我和你一样,也在寻找一个好的身份验证和前端工具,而它正满足我的需求。 - undefined
1个回答
2
我发现了Docker的Github上的问题线程,因此我自己回答一下。这个案例似乎非常复杂。由于注册表规范是开放的,很难说是Docker工具还是注册表的责任。
请查看这里的问题和其他相关问题:https://github.com/docker/distribution/issues/1230 Portus似乎是一个有趣的替代选择。感谢@{Jonathon Reinhart}!我稍后会试试它。
目前,我只会将POST请求和PUT请求限制为来自本地地址或localhost(您可以忽略nginx进行推送)。
POST /v2/superpartia/blobs/uploads/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Content-Length: 0
Authorization: Basic eHh4Onh4eA==
Content-Type: 
Accept-Encoding: gzip
ked from local address

所以我仅限制除GET和HEAD之外的所有内容(HEAD由GET隐含,参见nginx手册)

location /v2/ {
...
    limit_except GET {
        allow 172.x.x.x;
        deny all;
    }
...

这种方式会被阻止推送:

Error parsing HTTP response: invalid character '<' looking for beginning of value: "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx/1.9.9</center>\r\n</body>\r\n</html>\r\n"
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接