
Linux: Adding User Authentication to Docker

TLS encryption for the private registry

The registry set up above runs in plaintext and has no authentication, which is a significant security risk. Below we cover TLS encryption and user authentication.

Adding certificate encryption to the Docker registry

A remote Docker host accessing a private registry must use TLS by default.

1. Generate the certificate

[root@toto6 ~]# mkdir -p certs
[root@toto6 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/toto.com.key -x509 -days 365 -out certs/toto.com.crt
Generating a 4096 bit RSA private key
writing new private key to 'certs/toto.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:docker
Common Name (eg, your name or your server's hostname) []:toto.com
Email Address []:[email protected]
[root@toto6 ~]# ls certs/
toto.com.crt toto.com.key # the certificate and key were generated successfully


2. Restart the registry container:

The container started earlier must be removed first:

[root@toto6 ~]# docker rm -f registry
registry

Start the container again with TLS enabled (the key file name must match the one generated above, toto.com.key):

[root@toto6 ~]# docker run -d \
  --restart=always --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/toto.com.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/toto.com.key \
  -p 443:443 \
  registry:2

Option notes:

-d: run the container in the background
-v: mount the certs directory into the container as a data volume
-e REGISTRY_HTTP_ADDR: set registry parameters; here the registry listens on port 443
-e REGISTRY_HTTP_TLS_CERTIFICATE: use the certificate generated above
-e REGISTRY_HTTP_TLS_KEY: the matching private key
-p 443:443: port mapping from the host to the container
registry:2: the image name

Check that the container is running and that the port is listening:

[root@toto6 ~]# docker ps

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

d3063593b314 registry:2 "/entrypoint.sh /etc…" 33 seconds ago Up 31 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry

[root@toto6 ~]# netstat -antlp

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 656/sshd

tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 778/master

tcp 0 0 172.25.13.160:22 172.25.13.250:59964 ESTABLISHED 20132/sshd: root@pt

tcp6 0 0 :::22 :: LISTEN 656/sshd

tcp6 0 0 ::1:25 :: LISTEN 778/master

tcp6 0 0 :::443 :: LISTEN 21555/docker-proxy

At this point TLS is configured on the registry server side, but a Docker client that wants to connect to this registry also needs the same certificate before it can access it.

Docker client configuration

Configure the certificate for the Docker client

[root@toto6 ~]# mkdir -p /etc/docker/certs.d/toto.com # create this directory; its name must match the certificate's domain name

[root@toto6 ~]# cd /etc/docker/certs.d/toto.com

[root@toto6 toto.com]# cp /root/certs/toto.com.crt ca.crt # copy the generated certificate into this directory as ca.crt

[root@toto6 toto.com]# ls

ca.crt

Add name resolution for the certificate's domain name

[root@toto6 toto.com]# vim /etc/hosts

172.25.13.160 toto6 toto.com


3. Verify that the deployment succeeded

Retag the local image in the required format: domain/image-name

[root@toto6 toto.com]# docker tag nginx:v4 toto.com/nginx

Push the image:

[root@toto6 toto.com]# docker push toto.com/nginx

The push refers to repository [toto.com/nginx]

49cb414524e0: Pushed

668afdbd4462: Pushed

latest: digest: sha256:a3e3cbec11f49a4fdebedf975fadbe6dc8cd9e26835fc3018353d7d7f3bdf93b size: 739
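The certificate generation, client CA installation and a verification check from the procedure above, as an added non-interactive script that is not part of the original post. It assumes OpenSSL 1.1.1 or newer (for -addext) and takes the output directory, registry host name and Docker config directory as parameters; it also adds a subjectAltName, because Docker clients built with recent Go versions reject certificates that only carry a Common Name.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL >= 1.1.1.

# Generate a self-signed certificate and key into $1 for registry host $2,
# with the same DN fields the post entered interactively plus a SAN entry.
make_registry_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    openssl req -newkey rsa:4096 -nodes -sha256 \
        -keyout "$dir/$host.key" -x509 -days 365 \
        -subj "/C=CN/ST=shaanxi/L=xi'an/O=westos/OU=docker/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -out "$dir/$host.crt" 2>/dev/null
}

# Install certificate $1 as the Docker client's CA for host $2 under
# $3/certs.d/<host>/ca.crt ($3 defaults to /etc/docker, as in the post).
install_client_ca() {
    crt="$1"; host="$2"; docker_dir="${3:-/etc/docker}"
    mkdir -p "$docker_dir/certs.d/$host"
    cp "$crt" "$docker_dir/certs.d/$host/ca.crt"
}

# Check that the client CA file $2 verifies server certificate $1 for
# host name $3, and that both files are the same certificate (fingerprint).
verify_registry_cert() {
    crt="$1"; ca="$2"; host="$3"
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null 2>&1 || return 1
    srv=$(openssl x509 -in "$crt" -noout -fingerprint -sha256)
    cli=$(openssl x509 -in "$ca" -noout -fingerprint -sha256)
    [ "$srv" = "$cli" ]
}
```

Run make_registry_cert certs toto.com, then install_client_ca certs/toto.com.crt toto.com, and verify_registry_cert returns non-zero if the CA copy was tampered with or the host name does not match the certificate.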

Author: 若無其事的蘋果

Source: CSDN

Original: https://blog.csdn.net/qq_36016375/article/details/96048239

Copyright notice: this article is the blogger's original work; please include a link to the post when reposting.