我使用以下指令将注册表作为组合容器启动:https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04
然而,我想区分访问权限,这样任何没有登录的人都可以从存储库中提取图像,但不能推送。
在第一种方法中,我试图通过在nginx中设置来实现这一点(因为我像教程中那样将其用于前端)limit_except
limit_except GET HEAD {
auth_basic "Docker Registry";
auth_basic_user_file /etc/nginx/conf.d/registry.password;
}
不幸的是,pull操作很顺利,但docker login命令不起作用。
$ docker login myhost.example.net
Username: myuser
Password:
Email:
Error response from daemon: no successful auth challenge for https://myhost.example.net/v2/ - errors: []
看起来,docker pull和docker login都发送相同的HTTP GET请求,很难区分它们。
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
现在让我们看看不同的请求并进行分析
Docker登录(在上打开http basic):
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:40:40 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Authorization: Basic eHh4Onh4eAo=
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:40:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
Docker登录(http基本功能关闭)
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 10:09:26 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
在接收到200 OK之后,该命令如上所述失败。
Dockerpull(http基本关闭):
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:53:54 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
{}GET /v2/my-ubuntu-image/manifests/latest HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:53:54 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 39196
Connection: keep-alive
Docker-Content-Digest: sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e"
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
{
... (truncated) ...
Dockerpull(在上打开http basic,在crendentials上打开):
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:52:00 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v2/my-ubuntu-image/manifests/latest HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Authorization: Basic cmZzY206d2llbGJyZnNjbXBvd3N6ZWN6YXN5
Accept-Encoding: gzip
HTTP/1.1 200 OK
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:52:00 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 39196
Connection: keep-alive
Docker-Content-Digest: sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:8b6bef1314e51d06ab2f89af1f1d2c486245d4c2b1b3c169812b479c12f5410e"
X-Content-Type-Options: nosniff
Docker-Distribution-Api-Version: registry/2.0
... (truncated) ...
Dockerpull
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v2/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Accept-Encoding: gzip
HTTP/1.1 401 Unauthorized
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="Docker Registry"
Docker-Distribution-Api-Version: registry/2.0
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
GET /v1/repositories/my-ubuntu-image/images HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
X-Docker-Token: true
Accept-Encoding: gzip
HTTP/1.1 404 Not Found
Server: nginx/1.9.9
Date: Tue, 05 Jan 2016 09:39:54 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.9.9</center>
</body>
</html>
通过查看最后一个例子,我们可以清楚地看到,当pull没有凭据时,它会尝试两次访问url/v2/,所以当客户端连续两次请求/v2/url时,我们也许可以以某种方式区分请求?
我还听说最新的注册表(我认为版本>=2.1)内置了对HTTP Basic Auth的支持,但我在文档中找不到。
我希望我把这个案子解释清楚了。
我自己回答,因为我在Docker的github上发现了问题线程。这个这个案子看起来很复杂。因为注册表规范是开放的,所以很难判断谁是罪魁祸首,是docker工具还是注册表。
请查看此处的问题和其他相关问题:https://github.com/docker/distribution/issues/1230
Portus似乎是一个有趣的选择。谢谢,@{乔纳森·莱因哈特}!我稍后再试试。
现在,我只将POST请求和PUT请求限制为来自本地地址或localhost的请求(您可以推送提交nginx)。
POST /v2/superpartia/blobs/uploads/ HTTP/1.1
Host: myhost.example.net
User-Agent: docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/4.2.0-19-generic os/linux arch/amd64
Content-Length: 0
Authorization: Basic eHh4Onh4eA==
Content-Type:
Accept-Encoding: gzip
ked from local address
所以我只限制除GET和HEAD之外的所有内容(HEAD是GET所暗示的,请参阅nginx手册)
location /v2/ {
...
limit_except GET {
allow 172.x.x.x;
deny all;
}
...
此方式推送被阻止:
Error parsing HTTP response: invalid character '<' looking for beginning of value: "<html>rn<head><title>403 Forbidden</title></head>rn<body bgcolor="white">rn<center><h1>403 Forbidden</h1></center>rn<hr><center>nginx/1.9.9</center>rn</body>rn</html>rn"