如何在 docker registry v2 中拉取 public 和推送要求登录?
How to make pull public and push requiring login in docker registry v2?
我使用以下指令将注册表作为组合容器启动:
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04
但是我想区分访问权限,这样任何没有登录的人都可以从存储库中拉取图像,但不能推送。
在第一种方法中,我尝试通过在 nginx 中进行设置来实现这一点(因为我在教程中将其用于前端)limit_except
limit_except GET HEAD {
auth_basic "Docker Registry";
auth_basic_user_file /etc/nginx/conf.d/registry.password;
}
不幸的是,拉动工作顺利,但 docker login 命令不起作用。
$ docker login myhost.example.net
Username: myuser
Password:
Email:
Error response from daemon: no successful auth challenge for https://myhost.example.net/v2/ - errors: []
看起来,docker pull 和 docker login 都发送相同的 HTTP GET 请求,并且很难区分它们。
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
现在让我们看看不同的请求并进行分析。
Docker 登录(http basic 开启):
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:40:40 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Authorization: Basic eHh4Onh4eAo=
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:40:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
Docker 登录(http basic 已关闭)
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 10:09:26 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
收到 200 OK 后,命令如上文所述失败。
Docker pull(http basic 已关闭):
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:53:54 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
{}GET /v2/my-ubuntu-image/manifests/latest HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:53:54 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 39196
Connection: keep-alive
Docker-Content-Digest: sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e"
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
{
... (truncated) ...
Docker pull(http 基本打开 on,with 凭证):
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:52:00 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v2/my-ubuntu-image/manifests/latest HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Authorization: Basic cmZzY206d2llbGJyZnNjbXBvd3N6ZWN6YXN5
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:52:00 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 39196
Connection: keep-alive
Docker-Content-Digest: sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e"
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
... (truncated) ...
Docker pull(http basic 开启 on,without 凭证):
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v1/repositories/my-ubuntu-image/images HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
X-Docker-Token: true
Accept-Encoding: gzip
HTTP/1.1 404 Not Found
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
通过查看最后一个示例,我们可以清楚地看到何时 pull 没有凭据会尝试两次访问 url /v2/,因此也许我们可以区分以某种方式请求,当客户端连续两次请求 /v2/ url ?
我还听说最新的注册表(我认为版本 >= 2.1)内置了对 HTTP Basic Auth 的支持,但我在文档中找不到。
希望我把案子解释清楚了。
我正在回答自己,因为我在 Docker 的 github 上找到了问题线程。这
案件似乎很复杂。因为注册表规范是开放的,所以很难说谁是罪魁祸首,是 docker 工具还是注册表。
问题请看这里及其他相关:
https://github.com/docker/distribution/issues/1230
Portus 似乎是一个有趣的选择。谢谢,@{Jonathon Reinhart}!稍后我会试一试。
现在我只将 POST 请求和 PUT 请求限制为来自本地地址或本地主机的请求(您可以推送省略 nginx)。
POST /v2/superpartia/blobs/uploads/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Content-Length: 0
Authorization: Basic eHh4Onh4eA==
Content-Type:
Accept-Encoding: gzip
ked from local address
所以我只限制除了GET和HEAD之外的所有内容(HEAD是GET隐含的,看nginx手册)
location /v2/ {
...
limit_except GET {
allow 172.x.x.x;
deny all;
}
...
这种方式推送被阻塞:
Error parsing HTTP response: invalid character '<' looking for beginning of value: "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx/1.9.9</center>\r\n</body>\r\n</html>\r\n"
我使用以下指令将注册表作为组合容器启动: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04
但是我想区分访问权限,这样任何没有登录的人都可以从存储库中拉取图像,但不能推送。
在第一种方法中,我尝试通过在 nginx 中进行设置来实现这一点(因为我在教程中将其用于前端)limit_except
limit_except GET HEAD {
auth_basic "Docker Registry";
auth_basic_user_file /etc/nginx/conf.d/registry.password;
}
不幸的是,拉动工作顺利,但 docker login 命令不起作用。
$ docker login myhost.example.net
Username: myuser
Password:
Email:
Error response from daemon: no successful auth challenge for https://myhost.example.net/v2/ - errors: []
看起来,docker pull 和 docker login 都发送相同的 HTTP GET 请求,并且很难区分它们。
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
现在让我们看看不同的请求并进行分析。
Docker 登录(http basic 开启):
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:40:40 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Authorization: Basic eHh4Onh4eAo=
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:40:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
Docker 登录(http basic 已关闭)
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 10:09:26 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
收到 200 OK 后,命令如上文所述失败。
Docker pull(http basic 已关闭):
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:53:54 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
{}GET /v2/my-ubuntu-image/manifests/latest HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:53:54 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 39196
Connection: keep-alive
Docker-Content-Digest: sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e"
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
{
... (truncated) ...
Docker pull(http 基本打开 on,with 凭证):
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:52:00 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v2/my-ubuntu-image/manifests/latest HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Authorization: Basic cmZzY206d2llbGJyZnNjbXBvd3N6ZWN6YXN5
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:52:00 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 39196
Connection: keep-alive
Docker-Content-Digest: sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e"
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
... (truncated) ...
Docker pull(http basic 开启 on,without 凭证):
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v1/repositories/my-ubuntu-image/images HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
X-Docker-Token: true
Accept-Encoding: gzip
HTTP/1.1 404 Not Found
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
通过查看最后一个示例,我们可以清楚地看到何时 pull 没有凭据会尝试两次访问 url /v2/,因此也许我们可以区分以某种方式请求,当客户端连续两次请求 /v2/ url ?
我还听说最新的注册表(我认为版本 >= 2.1)内置了对 HTTP Basic Auth 的支持,但我在文档中找不到。
希望我把案子解释清楚了。
我正在回答自己,因为我在 Docker 的 github 上找到了问题线程。这 案件似乎很复杂。因为注册表规范是开放的,所以很难说谁是罪魁祸首,是 docker 工具还是注册表。
问题请看这里及其他相关: https://github.com/docker/distribution/issues/1230
Portus 似乎是一个有趣的选择。谢谢,@{Jonathon Reinhart}!稍后我会试一试。
现在我只将 POST 请求和 PUT 请求限制为来自本地地址或本地主机的请求(您可以推送省略 nginx)。
POST /v2/superpartia/blobs/uploads/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Content-Length: 0
Authorization: Basic eHh4Onh4eA==
Content-Type:
Accept-Encoding: gzip
ked from local address
所以我只限制除了GET和HEAD之外的所有内容(HEAD是GET隐含的,看nginx手册)
location /v2/ {
...
limit_except GET {
allow 172.x.x.x;
deny all;
}
...
这种方式推送被阻塞:
Error parsing HTTP response: invalid character '<' looking for beginning of value: "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx/1.9.9</center>\r\n</body>\r\n</html>\r\n"