docker registry + basic auth
DESCRIPTION
Docker Registry + Basic Auth: presentation slides by 안수찬 from Docker Korea Casual Talk #1, October 15
TRANSCRIPT
![Page 1: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/1.jpg)
Docker Registry + Basic Auth
@dobestan
![Page 2: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/2.jpg)
BuildBuild (빌드빌드)
![Page 3: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/3.jpg)
Sweet!
![Page 4: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/4.jpg)
Ministry of Science, ICT and Future Planning: roughly 30 million won in grant funding
![Page 5: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/5.jpg)
Sweet!
![Page 6: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/6.jpg)
A glamorous start
![Page 7: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/7.jpg)
We'll at least build something like [Deis], surely...
![Page 8: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/8.jpg)
Shall we try building [Mesosphere]?
![Page 9: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/9.jpg)
With any luck, we should build something like [Kubernetes]...
![Page 10: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/10.jpg)
Now
![Page 11: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/11.jpg)
(sobbing)
![Page 12: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/12.jpg)
Please, let at least the build be possible ...
![Page 13: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/13.jpg)
Please, let at least the build work ...
BuildBuild (빌드빌드)
![Page 14: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/14.jpg)
Docker Registry + Basic Auth
@dobestan
![Page 15: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/15.jpg)
Docker Registry
Docker Registry is a private Docker repository
![Page 16: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/16.jpg)
Local
![Page 17: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/17.jpg)
docker pull registry

CMD
```
$ docker pull registry
```
Result
```
Pulling repository registry
e42d15ec8417: Download complete
3511136a3c5a: Download complete
...
```
![Page 18: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/18.jpg)
docker run registry

CMD
```
$ docker run \
    --name local-registry -d -p 5000:5000 registry
```
Result
```
d530e2564a47a8d5d42a6e2aa65dc9ab6975e5ff48d5602bfb9f6c524
```
![Page 19: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/19.jpg)
docker ps

CMD
```
$ docker ps
```
Result
```
IMAGE            PORTS                    NAMES
registry:0.8.1   0.0.0.0:5000->5000/tcp   local-registry
```
![Page 20: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/20.jpg)
curl localhost:5000

CMD
```
$ curl localhost:5000 -i
```
Result
```
HTTP/1.1 200 OK
Server: gunicorn/18.0
Content-Type: application/json
X-Docker-Registry-Version: 0.8.1
X-Docker-Registry-Config: dev

"docker-registry server (dev) (v0.8.1)"
```
![Page 21: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/21.jpg)
hello world

Dockerfile
```
FROM busybox
MAINTAINER dobestan <[email protected]>
CMD /bin/echo "hello world"
```
![Page 22: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/22.jpg)
docker build

CMD
```
$ docker build -t dobestan/hello_world .
```
Result
```
Sending build context to Docker daemon 2.56 kB
Sending build context to Docker daemon
Step 0 : FROM busybox
 ---> a9eb17255234
Step 1 : MAINTAINER dobestan <[email protected]>
 ---> Running in 28d0d8946c86
 ---> 1ca10bda6835
Removing intermediate container 28d0d8946c86
Step 2 : CMD /bin/echo "hello world"
 ---> Running in 1d1c96781eae
 ---> 82bdf77324c2
Removing intermediate container 1d1c96781eae
Successfully built 82bdf77324c2
```
![Page 23: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/23.jpg)
docker run

CMD
```
$ docker run dobestan/hello_world
```
Result
```
hello world
```
![Page 24: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/24.jpg)
docker push

CMD
```
$ docker push localhost:5000/hello_world
```
Result
```
The push refers to a repository [localhost:5000/hello_world]
Sending image list
Pushing repository localhost:5000/hello_world (1 tags)
511136ea3c5a: Image successfully pushed
42eed7f1bf2a: Image successfully pushed
120e218dd395: Image successfully pushed
a9eb17255234: Image successfully pushed
1ca10bda6835: Image successfully pushed
82bdf77324c2: Image successfully pushed
Pushing tag for rev [82bdf77324c2] on {http://localhost:5000/v1/repositories/hello_world/tags/latest}
```
![Page 25: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/25.jpg)
curl

CMD
```
$ curl http://localhost:5000/v1/repositories/hello_world/tags/
```
Result
```
"82bdf77324c2f24758372d4bc36c72be41718d10503495139968"
```
![Page 26: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/26.jpg)
docker run

CMD
```
$ docker run localhost:5000/hello_world
```
Result
```
Unable to find image 'localhost:5000/hello_world' locally
Pulling repository localhost:5000/hello_world
82bdf77324c2: Download complete
511136ea3c5a: Download complete
42eed7f1bf2a: Download complete
120e218dd395: Download complete
a9eb17255234: Download complete
1ca10bda6835: Download complete
hello world
```
![Page 27: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/27.jpg)
Local: done
![Page 28: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/28.jpg)
AWS
EC2 + S3
![Page 29: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/29.jpg)
Almost identical to the local setup
![Page 30: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/30.jpg)
Since it is nearly the same, quickly ...
![Page 31: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/31.jpg)
CloudInit
* cloud-init is the Ubuntu package that handles early initialization of a cloud instance.
![Page 32: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/32.jpg)
S3 Bucket
![Page 33: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/33.jpg)
docker pull registry

CMD
```
$ docker pull registry
```
Result
```
Pulling repository registry
e42d15ec8417: Download complete
3511136a3c5a: Download complete
...
```
![Page 34: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/34.jpg)
docker run registry

CMD
```
$ docker run \
    --name local-registry -d -p 5000:5000 \
    -e SETTINGS_FLAVOR=s3 \
    -e AWS_BUCKET=dobestan-docker-registry \
    -e STORAGE_PATH=/registry \
    -e AWS_KEY=QWERASCBCRTUN46NHTA \
    -e AWS_SECRET=GXzD8MWdh6KdYaB2wWkJJ9PcUENK3a \
    registry
```
Result
```
d530e2564a47a8d5d42a6e2aa65dc9ab6975e5ff48d5602bfb9f6c524
```
![Page 35: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/35.jpg)
docker pull nginx

CMD
```
$ docker pull nginx
```
Result
```
Pulling repository registry
61e8f94e1d65: Download complete
511136ea3c5a: Download complete
...
```
![Page 36: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/36.jpg)
nginx.conf

```
http {
    ...
    server {
        listen 80;
        server_name registry.dobestan.com;
        location / {
            proxy_pass http://docker-registry:5000;
        }
        ...
    }
    ...
}
```
https://gist.github.com/dobestan/953b146f324f1a1e46fa
![Page 37: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/37.jpg)
docker run nginx

CMD
```
# -v mounts the configuration file; --link links the registry container
$ docker run \
    --name nginx-registry -d \
    -v ~/nginx.conf:/etc/nginx.conf \
    --link docker-registry:docker-registry \
    -p 80:80 nginx
```
Result
```
1fa1eeaa48975680315d73b1499883bc416bdbba63adf4a94b913e377
```
![Page 38: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/38.jpg)
docker push

CMD
```
$ docker push registry.dobestan.com/hello_world
```
Result
```
The push refers to a repository [registry.dobestan.com:5000/hello_world]
Sending image list
Pushing repository registry.dobestan.com/hello_world (1 tags)
511136ea3c5a: Image successfully pushed
42eed7f1bf2a: Image successfully pushed
120e218dd395: Image successfully pushed
a9eb17255234: Image successfully pushed
1ca10bda6835: Image successfully pushed
82bdf77324c2: Image successfully pushed
Pushing tag for rev [82bdf77324c2] on {http://registry.dobestan.com/v1/repositories/hello_world/tags/latest}
```
![Page 39: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/39.jpg)
S3 Bucket
![Page 40: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/40.jpg)
AWS: done
EC2 + S3
![Page 41: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/41.jpg)
![Page 42: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/42.jpg)
AUTH
![Page 43: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/43.jpg)
HTTP + User Auth
![Page 44: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/44.jpg)
htpasswd
.htpasswd is a flat file used to store usernames and passwords for basic authentication on an Apache HTTP Server.

CMD
```
$ sudo apt-get -y install apache2-utils
```
![Page 45: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/45.jpg)
htpasswd

CMD
```
$ htpasswd -c .htpasswd dobestan
```
Result
```
New password:
Re-type new password:
Adding password for user dobestan
```
CMD
```
$ cat .htpasswd
```
Result
```
dobestan:$apr1$mtXLPDLn$YXdZDqy8Rrbtq39iieV2B0
```
![Page 46: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/46.jpg)
nginx.conf

```
...
location / {
    proxy_pass http://docker-registry:5000;
    proxy_set_header Host $host;
    proxy_read_timeout 900;

    auth_basic "Restricted";
    # nginx does not expand "~"; a relative path resolves against the nginx conf prefix
    auth_basic_user_file ~/.htpasswd;
}
...
```
https://gist.github.com/dobestan/953b146f324f1a1e46fa
![Page 47: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/47.jpg)
docker push

CMD
```
$ docker push 54.64.158.154/hello_world
```
Result
```
The push refers to a repository [54.64.158.154/hello_world]
Sending image list
Pushing repository 54.64.158.154/hello_world (1 tags)
511136ea3c5a: Pushing
2014/09/20 23:36:39 HTTP code 401, Docker will not send auth headers over HTTP.
```
![Page 48: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/48.jpg)
Docker will not send auth headers over HTTP.
![Page 49: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/49.jpg)
HTTP → HTTPS + User Auth
![Page 50: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/50.jpg)
Self-Signed Certificate
1. Generate a private key

CMD
```
$ openssl genrsa -out private_key.pem 2048
```
![Page 51: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/51.jpg)
Self-Signed Certificate
2. Generate a CSR

CMD
```
$ openssl req -new -key private_key.pem -out server.csr
```
Result
```
Country Name (2 letter code) [AU]:KO
State or Province Name (full name) [Some-State]:Seoul
Locality Name (eg, city) []:Seoul
Organization Name (eg, company):Dreampic
Organizational Unit Name (eg, section) []:Dev
Common Name (e.g. server FQDN or YOUR name) []:54.64.158.154
Email Address []:[email protected]
```
![Page 52: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/52.jpg)
Self-Signed Certificate
3. Issue the certificate

CMD
```
$ openssl x509 -req -days 365 -in server.csr \
    -signkey private_key.pem \
    -out server.crt
```
Result
```
Signature ok
subject=/C=KO/ST=Seoul/L=Seoul/O=Dreampic/OU=Dev/CN=54.64.158.154/[email protected]
Getting Private key
```
![Page 53: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/53.jpg)
Self-Signed Certificate
4. Install the certificate

CMD
```
$ sudo cp server.crt /usr/share/ca-certificates/
```
CMD
```
$ echo "server.crt" | sudo tee -a /etc/ca-certificates.conf
```
CMD
```
$ sudo update-ca-certificates
```
Result
```
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
```
![Page 54: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/54.jpg)
docker login

CMD
```
$ docker login 54.64.158.154
```
Result
```
Username: dobestan
Password:
Email: [email protected]
2014/09/25 14:16:25 Error response from daemon: Invalid Registry endpoint: Get https://54.64.158.154/v1/_ping: x509: cannot validate certificate for 54.64.158.154 because it doesn't contain any IP SANs
```
![Page 55: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/55.jpg)
Error response from daemon: Invalid Registry endpoint x509: cannot validate certificate for it doesn't contain any IP SANs
![Page 56: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/56.jpg)
HTTP → HTTPS + User Auth
+ Domain Name
![Page 57: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/57.jpg)
/etc/hosts

```
...
127.0.0.1 localhost
54.64.158.154 registry.dobestan.com
...
```
![Page 58: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/58.jpg)
Self-Signed Certificate
2. Generate a CSR: with the domain name

CMD
```
$ openssl req -new -key private_key.pem -out server.csr
```
Result
```
Country Name (2 letter code) [AU]:KO
State or Province Name (full name) [Some-State]:Seoul
Locality Name (eg, city) []:Seoul
Organization Name (eg, company):Dreampic
Organizational Unit Name (eg, section) []:Dev
Common Name : registry.dobestan.com
Email Address []:[email protected]
```
![Page 59: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/59.jpg)
docker login

CMD
```
$ docker login https://registry.ansuchan.com
```
Result
```
Username: dobestan
Password:
Email: [email protected]
Login Succeeded
```
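The `docker login` failure above ("doesn't contain any IP SANs") happens because the certificate names the server only in its Common Name, which is not consulted when the client connects by IP address. As an added example (not from the slides), this script builds a self-signed certificate with subjectAltName entries and checks which names it is valid for; `registry.example.test`, `192.0.2.10` and the function names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the slides. Names and addresses are placeholders.
set -eu

# make_cert DIR CN [SAN]
# Writes DIR/private_key.pem and DIR/server.crt (file names as on the slides).
# SAN is a subjectAltName value such as "DNS:host,IP:addr"; omit it to get a
# CN-only certificate like the one the slides first generated.
make_cert() {
  dir=$1 cn=$2 san=${3:-}
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    if [ -n "$san" ]; then printf 'x509_extensions = v3\n'; fi
    printf '[dn]\nCN = %s\n' "$cn"
    if [ -n "$san" ]; then printf '[v3]\nsubjectAltName = %s\n' "$san"; fi
  } > "$dir/openssl.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$dir/openssl.cnf" \
    -keyout "$dir/private_key.pem" -out "$dir/server.crt" 2>/dev/null
}

# cert_matches CERT host|ip VALUE
# Succeeds only if OpenSSL reports that CERT is valid for VALUE.
cert_matches() {
  case $2 in
    host) flag=-checkhost ;;
    ip)   flag=-checkip ;;
    *)    return 2 ;;
  esac
  openssl x509 -in "$1" -noout "$flag" "$3" | grep -q 'does match'
}

# Usage:
#   d=$(mktemp -d)
#   make_cert "$d" registry.example.test "DNS:registry.example.test,IP:192.0.2.10"
#   cert_matches "$d/server.crt" ip 192.0.2.10 && echo "valid for the IP"
```

Go 1.15 and later ignore the Common Name for host names as well, so the `DNS:` entry is what current Docker clients match against.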
![Page 60: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/60.jpg)
AUTH: done
Really done
![Page 61: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/61.jpg)
Conclusion
Work hard to create a private certificate, add a fake domain as well, and make sure authentication is always enforced.
![Page 62: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/62.jpg)
Conclusion
Work hard to create a private certificate, add a domain, and authenticate
Or buy a publicly trusted SSL certificate...
Or restrict access by IP ...
Let's find an easier way
![Page 63: Docker Registry + Basic Auth](https://reader034.vdocuments.mx/reader034/viewer/2022051411/547e86ac5806b5cc5e8b4684/html5/thumbnails/63.jpg)
Thank you