docker registry + basic auth
DESCRIPTION
Docker Registry + Basic Auth 10월 15일 Docker Korea Casual Talk #1 안수찬 님 발표자료TRANSCRIPT
Docker Registry + Basic Auth
@dobestan
빌드빌드
개꿀
미래창조과학부 대략 3000만원 지원금
개꿀
화려한시작
최소한 [Deis] 정도는 만들겠지...
[Mesosphere] 를 만들어볼까?
잘하면 [Kubernetes] 정도는 만들어야지...
현재
흐긓그느ㅡㅎ그흑느흐그흐느흐ㅡㄲ느흐느ㅡㅎㄱ
제발 빌드만이라도 가능하길 ...
제발 빌드만이라도 되길 ...
빌드빌드
Docker Registry + Basic Auth
@dobestan
Docker RegistryDocker Registry is
Private Docker Repository
로컬
Pulling repository registry e42d15ec8417: Download complete 3511136a3c5a: Download complete ...
docker pull registry
$ docker pull registry
Result
CMD
$ docker run \ -‐-‐name local-‐registry -‐d -‐p 5000:5000 registry
docker run registry
d530e2564a47a8d5d42a6e2aa65dc9ab6975e5ff48d5602bfb9f6c524 Result
CMD
$ docker ps
docker ps
IMAGE PORTS NAMES registry:0.8.1 0.0.0.0:5000-‐>5000/tcp local-‐registry
Result
CMD
curl localhost:5000
HTTP/1.1 200 OK Server: gunicorn/18.0 Content-‐Type: application/json X-‐Docker-‐Registry-‐Version: 0.8.1 X-‐Docker-‐Registry-‐Config: dev !"docker-‐registry server (dev) (v0.8.1)"
$ curl localhost:5000 -‐i
Result
CMD
FROM busybox MAINTAINER dobestan <[email protected]> CMD /bin/echo "hello world"
hello world
Dockerfile
Sending build context to Docker daemon 2.56 kB Sending build context to Docker daemon Step 0 : FROM busybox -‐-‐-‐> a9eb17255234 Step 1 : MAINTAINER dobestan <[email protected]> -‐-‐-‐> Running in 28d0d8946c86 -‐-‐-‐> 1ca10bda6835 Removing intermediate container 28d0d8946c86 Step 2 : CMD /bin/echo "hello world" -‐-‐-‐> Running in 1d1c96781eae -‐-‐-‐> 82bdf77324c2 Removing intermediate container 1d1c96781eae Successfully built 82bdf77324c2
docker build$ docker build -‐t dobestan/hello_world .
Result
CMD
docker run
$ docker run dobestan/hello_world
hello world Result
CMD
docker push
The push refers to a repository [localhost:5000/hello_world] Sending image list Pushing repository localhost:5000/hello_world (1 tags) 511136ea3c5a: Image successfully pushed 42eed7f1bf2a: Image successfully pushed 120e218dd395: Image successfully pushed a9eb17255234: Image successfully pushed 1ca10bda6835: Image successfully pushed 82bdf77324c2: Image successfully pushed Pushing tag for rev [82bdf77324c2] on {http://localhost:5000/v1/repositories/hello_world/tags/latest}
$ docker push localhost:5000/hello_world
Result
CMD
curl
$ curl http://localhost:5000/v1/repositories/hello_world/tags/
"82bdf77324c2f24758372d4bc36c72be41718d10503495139968" Result
CMD
docker run
Unable to find image 'localhost:5000/hello_world' locally Pulling repository localhost:5000/hello_world 82bdf77324c2: Download complete 511136ea3c5a: Download complete 42eed7f1bf2a: Download complete 120e218dd395: Download complete a9eb17255234: Download complete 1ca10bda6835: Download complete hello world
$ docker run localhost:5000/hello_world
Result
CMD
로컬끝
AWSEC2 + S3
로컬과 거의 동일함
거의 같으니 빠르게 ...
CloudInit* cloud-‐init is the Ubuntu package that
handles early initialization of a
cloud instance.
S3 Bucket
Pulling repository registry e42d15ec8417: Download complete 3511136a3c5a: Download complete ...
docker pull registry
$ docker pull registry
Result
CMD
$ docker run \ -‐-‐name local-‐registry -‐d -‐p 5000:5000 -‐e SETTINGS_FLAVOR=s3 \ -‐e AWS_BUCKET=dobestan-‐docker-‐registry \ -‐e STORAGE_PATH=/registry \ -‐e AWS_KEY=QWERASCBCRTUN46NHTA \ -‐e AWS_SECRET=GXzD8MWdh6KdYaB2wWkJJ9PcUENK3a \ registry
docker run registry
d530e2564a47a8d5d42a6e2aa65dc9ab6975e5ff48d5602bfb9f6c524 Result
CMD
Pulling repository registry 61e8f94e1d65: Download complete 511136ea3c5a: Download complete ...
docker pull nginx
$ docker pull nginx
Result
CMD
http { ... server { listen 80; server_name registry.dobestan.com; location { proxy_pass http://docker-‐registry:5000; } ... } ... }
nginx.confnginx.conf
https://gist.github.com/dobestan/953b146f324f1a1e46fa
$ docker run \ -‐-‐name nginx-‐registry -‐d -‐v ~/nginx.conf:/etc/nginx.conf \ # 설정 파일 -‐-‐link docker-‐registry:docker-‐registry \ # 컨테이너 링킹 -‐p 80:80 nginx
docker run nginx
1fa1eeaa48975680315d73b1499883bc416bdbba63adf4a94b913e377 Result
CMD
docker push
The push refers to a repository [registry.dobestan.com:5000/hello_world] Sending image list Pushing repository registry.dobestan.com/hello_world (1 tags) 511136ea3c5a: Image successfully pushed 42eed7f1bf2a: Image successfully pushed 120e218dd395: Image successfully pushed a9eb17255234: Image successfully pushed 1ca10bda6835: Image successfully pushed 82bdf77324c2: Image successfully pushed Pushing tag for rev [82bdf77324c2] on {http://registry.dobestan.com/v1/repositories/hello_world/tags/latest}
$ docker push registry.dobestan.com/hello_world
Result
CMD
S3 Bucket
AWS끝EC2 + S3
AUTH
HTTP + User Auth
htpasswd.htpasswd is a flat-‐file used to store usernames and password for basic authentication on an Apache HTTP Server
$ sudo apt-‐get -‐y install apache2-‐utils CMD
htpasswd
New password: Re-‐type new password: Adding password for user dobestan
$ htpasswd -‐c .htpasswd dobestan
Result
CMD
dobestan:$apr1$mtXLPDLn$YXdZDqy8Rrbtq39iieV2B0
$ cat .htpasswd
Result
CMD
... location / { proxy_pass http://docker-‐registry:5000; proxy_set_header Host $host; proxy_read_timeout 900; ! auth_basic "Restricted"; auth_basic_user_file ~/.htpasswd; } ...
nginx.conf
nginx.conf
https://gist.github.com/dobestan/953b146f324f1a1e46fa
docker push
The push refers to a repository [54.64.158.154/hello_world] Sending image list Pushing repository 54.64.158.154/hello_world (1 tags) 511136ea3c5a: Pushing 2014/09/20 23:36:39 HTTP code 401, Docker will not send auth headers over HTTP.
$ docker push 54.64.158.154/hello_world
Result
CMD
Docker will not send auth headers over HTTP.
HTTP + User AuthHTTPS
Self Signed Certi
$ openssl genrsa -‐out private_key.pem 2048 CMD
1. 개인키 생성하기
Self Signed Certi
Country Name (2 letter code) [AU]:KO State or Province Name (full name) [Some-‐State]:Seoul Locality Name (eg, city) []:Seoul Organization Name (eg, company):Dreampic Organizational Unit Name (eg, section) []:Dev Common Name (e.g. server FQDN or YOUR name) []:54.64.158.154 Email Address []:[email protected]
$ openssl req -‐new -‐key private_key.pem -‐out server.csr
Result
CMD
2. CSR 생성하기
Self Signed Certi
Signature ok subject=/C=KO/ST=Seoul/L=Seoul/O=Dreampic/OU=Dev/CN=54.64.158.154/[email protected] Getting Private key
$ openssl x509 -‐req -‐days 365 -‐in server.csr \ -‐signkey private_key.pem \ -‐out server.crt
Result
CMD
3. 인증서 발급하기
Self Signed Certi
$ echo "server.crt" | sudo tee -‐a /etc/ca-‐certificates.conf
4. 인증서 설치하기
$ sudo cp server.crt /usr/share/ca-‐certificates/ CMD
!Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. Running hooks in /etc/ca-‐certificates/update.d....done.
CMD
$ sudo update-‐ca-‐certificates CMD
Result
docker login
Username: dobestan Password: Email: [email protected] 2014/09/25 14:16:25 Error response from daemon: Invalid Registry endpoint: Get https://54.64.158.154/v1/_ping: x509: cannot validate certificate for 54.64.158.154 because it doesn't contain any IP SANs
$ docker login 54.64.158.154
Result
CMD
Error response from daemon: Invalid Registry endpoint x509: cannot validate certificate for it doesn't contain any IP SANs
HTTP + User AuthHTTPS
+ Domain Name
/etc/hosts
... 127.0.0.1 localhost 54.64.158.154 registry.dobestan.com ...
/etc/hosts
Self Signed Certi
Country Name (2 letter code) [AU]:KO State or Province Name (full name) [Some-‐State]:Seoul Locality Name (eg, city) []:Seoul Organization Name (eg, company):Dreampic Organizational Unit Name (eg, section) []:Dev Common Name : registry.dobestan.com Email Address []:[email protected]
$ openssl req -‐new -‐key private_key.pem -‐out server.csr
Result
CMD
2. CSR 생성하기 : 도메인 이름으로
docker login
Username: dobestan Password: Email: [email protected] Login Succeeded
$ docker login https://registry.ansuchan.com
Result
CMD
AUTH끝진짜끝
결론열심히 사설 인증서 만들고 가짜 도메인도 추가하고 해서 무조건 인증을 받도록 하자.
결론열심히 사설 인증서 만들고 도메인도 추가하고 해서 인증하자
공인 SSL인증서를 구매하거나...
접속 IP 제한을 걸던가 ...
더 편한 방법을 찾자
감사합니다