Docker - Setup a secure private
2021-01-09
红薯爱帅
1. Setup a private docker registry
1.1. Setup Server
- Init environment
    mkdir /u/devops/docker_repo
    cd /u/devops/docker_repo
    mkdir certs auth registry
- Generate a 2048-bit RSA private key and a self-signed certificate. When prompted for the Common Name, enter the registry's domain name, such as myrepo.com, because clients verify the certificate against the hostname they use to reach the registry:
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/myrepo.com.key -x509 -days 365 -out certs/myrepo.com.crt
- Create the htpasswd file (bcrypt-hashed, user test with password 123123)
    htpasswd -Bbn test 123123 > ./auth/htpasswd
- Create ./docker-compose.yml
    version: "2.3"
    services:
      my-repo:
        container_name: my-repo
        restart: always
        image: registry:2.7
        ports:
          - 5443:443
        environment:
          - REGISTRY_HTTP_ADDR=0.0.0.0:443
          - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myrepo.com.crt
          - REGISTRY_HTTP_TLS_KEY=/certs/myrepo.com.key
          - REGISTRY_AUTH=htpasswd
          - REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd
          - REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
        volumes:
          - ./registry:/var/lib/registry
          - ./certs:/certs
          - ./auth:/auth
- Start the service
    docker-compose up -d
1.2. Setup Node
1.2.1. Prepare the environment and log in to the registry
- Create the Docker TLS certificate directory for the registry
    cd /etc/docker && sudo mkdir -p certs.d/myrepo.com:5443
- Copy ./certs/myrepo.com.crt from the server to node:/etc/docker/certs.d/myrepo.com:5443/ca.crt
- Append a host record for the registry
    echo "10.10.72.189 myrepo.com" >> /etc/hosts
- Log in to the registry
    docker login myrepo.com:5443 -u test -p 123123
1.2.2. Pull images from the private registry
    docker pull myrepo.com:5443/project/mongo:4.2.0
    docker pull myrepo.com:5443/project/redis:5.0
1.2.3. Ansible playbook for #1.2.1 and #1.2.2
- Sets up the nodes in bulk and logs them all in to the registry
    ansible-playbook playbook-setup-node.yml -e "remotehost=wave1"
- playbook-setup-node.yml
    # ansible-playbook playbook-setup-node.yml -e "remotehost=wave1"
    - hosts: "{{ remotehost }}"
      gather_facts: False
      vars:
        repo_host: "myrepo.com:5443"
      tasks:
        - name: Add mappings to /etc/hosts
          blockinfile:
            path: /etc/hosts
            block: |
              {{ item.ip }} {{ item.name }}
            marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.name }}"
          loop:
            - { name: myrepo.com, ip: 10.10.72.189 }
          become: yes
        - name: Create docker certs folder
          file:
            path: "/etc/docker/certs.d/{{repo_host}}"
            state: directory
            mode: '0755'
          become: yes
        - name: Copy ca.crt to docker daemon config path
          copy:
            src: /u/devops/docker_repo/certs/myrepo.com.crt
            dest: "/etc/docker/certs.d/{{repo_host}}/ca.crt"
            mode: '0644'
          become: yes
        - name: Login docker registry and pull some images
          shell: |
            docker login {{repo_host}} -u test -p 123123
            docker pull {{repo_host}}/project/mongo:4.2.0
            docker pull {{repo_host}}/project/redis:5.0
2. Common operations and recommended conventions
2.1. List the images in the private registry and all their tags
    $ curl -u 'test:123123' localhost:5443/v2/_catalog
    {"repositories":["redis","ubuntu"]}
    $ curl -u 'test:123123' localhost:5443/v2/redis/tags/list
    {"name":"redis","tags":["5.0"]}
2.2. Image naming convention
- Recommended:
    <registry-host>/<project-name>/<image-name>:<image-tag>
- For example:
    myrepo.com:5443/project-a/service-xxx:0.12.0
    myrepo.com:5443/project-b/prom/prometheus:v2.23.0
    myrepo.com:5443/project-b/nginx:1.19.5
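As an added example (not code from the original post), the following Python helper ties sections 2.1 and 2.2 together: it queries the registry's v2 API over HTTPS, trusting only the self-signed CA from step 1.1 and sending basic auth the way the curl commands do, and then flags every repository whose name does not follow the recommended <registry-host>/<project-name>/<image-name>:<image-tag> layout. The registry address, the CA path and the REGISTRY_USER/REGISTRY_PASS environment variables are assumptions.

```python
import base64
import json
import os
import ssl
import urllib.request
from typing import NamedTuple, Optional

REGISTRY = "myrepo.com:5443"  # assumed host:port exposed by the compose file above
CA_PATH = "/etc/docker/certs.d/myrepo.com:5443/ca.crt"  # assumed: ca.crt copied in 1.2.1
ImageRef = NamedTuple("ImageRef",
                      [("registry", str), ("project", str), ("name", str), ("tag", str)])

def parse_ref(ref: str, registry: str = REGISTRY) -> Optional[ImageRef]:
    """Validate <registry-host>/<project-name>/<image-name>:<image-tag> (section 2.2).
    Returns None for a foreign registry, a missing project segment or a missing tag;
    the image name may itself contain '/', as in project-b/prom/prometheus."""
    if not ref.startswith(registry + "/"):
        return None
    path, sep, tag = ref[len(registry) + 1:].rpartition(":")
    if not sep or not tag:
        return None
    project, sep, name = path.partition("/")
    if not sep or not name:
        return None
    return ImageRef(registry, project, name, tag)

def audit_catalog(catalog: dict, tags_by_repo: dict, registry: str = REGISTRY) -> dict:
    """Join /v2/_catalog with /v2/<repo>/tags/list output (section 2.1) into full references."""
    out = {"ok": [], "nonconforming": []}
    for repo in catalog.get("repositories", []):
        for tag in tags_by_repo.get(repo, {}).get("tags") or []:
            ref = f"{registry}/{repo}:{tag}"
            out["ok" if parse_ref(ref, registry) else "nonconforming"].append(ref)
    return out

def registry_get(path: str, user: str, password: str, registry: str = REGISTRY,
                 ca_path: str = CA_PATH) -> dict:
    """GET a v2 API path over HTTPS with basic auth, like `curl -u user:pass`."""
    ctx = ssl.create_default_context(cafile=ca_path)  # any other issuer is rejected
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{registry}{path}",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":  # credentials come from the environment, not the command line
    user, pw = os.environ["REGISTRY_USER"], os.environ["REGISTRY_PASS"]
    cat = registry_get("/v2/_catalog", user, pw)
    tags = {r: registry_get(f"/v2/{r}/tags/list", user, pw) for r in cat["repositories"]}
    print(json.dumps(audit_catalog(cat, tags), indent=2))
```

Run against the catalog output shown in 2.1, the top-level `redis` repository is reported as nonconforming because it has no project segment.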
3. Summary
- Reaching the registry through a domain name makes the service less conspicuous and is the prerequisite for adding a TLS certificate
- With a TLS certificate, nodes can log in over HTTPS without configuring insecure-registries, which avoids restarting the Docker daemon on each node and reduces the impact on running services
- Adding basic auth further raises the security of the registry