
Docker Registry + Basic Auth

Slides presented by 안수찬 at Docker Korea Casual Talk #1, October 15

Published in: Technology
  • They added -insecure-registry to the docker daemon so theoretically you could now use http + auth, however I still can't make it work (login works, but when I try to push the image to the repo it fails)
  • very nice, it will be excellent if you can write in blog/slides in English

Docker Registry + Basic Auth

  1. Docker Registry + Basic Auth @dobestan
  2. BuildBuild (빌드빌드)
  3. Sweet!
  4. Ministry of Science, ICT and Future Planning: roughly 30 million KRW in grant funding
  5. Sweet!
  6. A glamorous start
  7. Surely we'll build at least something like [Deis]...
  8. Shall we try building [Mesosphere]?
  9. With luck, we ought to build something like [Kubernetes]...
  10. Now
  11. (sobbing)
  12. Please, let at least a build be possible ...
  13. BuildBuild: please, let at least the build work ...
  14. Docker Registry + Basic Auth @dobestan
  15. Docker Registry: Docker Registry is a private Docker repository
  16. Local
  17. docker pull registry
          $ docker pull registry
          Pulling repository registry
          e42d15ec8417: Download complete
          3511136a3c5a: Download complete
          ...
  18. docker run registry
          $ docker run --name local-registry -d -p 5000:5000 registry
          d530e2564a47a8d5d42a6e2aa65dc9ab6975e5ff48d5602bfb9f6c524
  19. docker ps
          $ docker ps
          IMAGE            PORTS                    NAMES
          registry:0.8.1   0.0.0.0:5000->5000/tcp   local-registry
  20. curl localhost:5000
          $ curl localhost:5000 -i
          HTTP/1.1 200 OK
          Server: gunicorn/18.0
          Content-Type: application/json
          X-Docker-Registry-Version: 0.8.1
          X-Docker-Registry-Config: dev

          "docker-registry server (dev) (v0.8.1)"
  21. hello world (Dockerfile)
          FROM busybox
          MAINTAINER dobestan <dobestan@gmail.com>
          CMD /bin/echo "hello world"
  22. docker build
          $ docker build -t dobestan/hello_world .
          Sending build context to Docker daemon 2.56 kB
          Sending build context to Docker daemon
          Step 0 : FROM busybox
           ---> a9eb17255234
          Step 1 : MAINTAINER dobestan <dobestan@gmail.com>
           ---> Running in 28d0d8946c86
           ---> 1ca10bda6835
          Removing intermediate container 28d0d8946c86
          Step 2 : CMD /bin/echo "hello world"
           ---> Running in 1d1c96781eae
           ---> 82bdf77324c2
          Removing intermediate container 1d1c96781eae
          Successfully built 82bdf77324c2
  23. docker run
          $ docker run dobestan/hello_world
          hello world
  24. docker push
          $ docker push localhost:5000/hello_world
          The push refers to a repository [localhost:5000/hello_world]
          Sending image list
          Pushing repository localhost:5000/hello_world (1 tags)
          511136ea3c5a: Image successfully pushed
          42eed7f1bf2a: Image successfully pushed
          120e218dd395: Image successfully pushed
          a9eb17255234: Image successfully pushed
          1ca10bda6835: Image successfully pushed
          82bdf77324c2: Image successfully pushed
          Pushing tag for rev [82bdf77324c2] on {http://localhost:5000/v1/repositories/hello_world/tags/latest}
  25. curl
          $ curl http://localhost:5000/v1/repositories/hello_world/tags/
          "82bdf77324c2f24758372d4bc36c72be41718d10503495139968"
  26. docker run
          $ docker run localhost:5000/hello_world
          Unable to find image 'localhost:5000/hello_world' locally
          Pulling repository localhost:5000/hello_world
          82bdf77324c2: Download complete
          511136ea3c5a: Download complete
          42eed7f1bf2a: Download complete
          120e218dd395: Download complete
          a9eb17255234: Download complete
          1ca10bda6835: Download complete
          hello world
  27. End of local
  28. AWS: EC2 + S3
  29. Almost identical to local
  30. Nearly the same, so quickly ...
  31. CloudInit: cloud-init is the Ubuntu package that handles early initialization of a cloud instance.
  32. S3 Bucket
  33. docker pull registry
          $ docker pull registry
          Pulling repository registry
          e42d15ec8417: Download complete
          3511136a3c5a: Download complete
          ...
  34. docker run registry
          $ docker run --name local-registry -d -p 5000:5000 \
              -e SETTINGS_FLAVOR=s3 \
              -e AWS_BUCKET=dobestan-docker-registry \
              -e STORAGE_PATH=/registry \
              -e AWS_KEY=QWERASCBCRTUN46NHTA \
              -e AWS_SECRET=GXzD8MWdh6KdYaB2wWkJJ9PcUENK3a \
              registry
          d530e2564a47a8d5d42a6e2aa65dc9ab6975e5ff48d5602bfb9f6c524
  35. docker pull nginx
          $ docker pull nginx
          Pulling repository registry
          61e8f94e1d65: Download complete
          511136ea3c5a: Download complete
          ...
  36. nginx.conf (https://gist.github.com/dobestan/953b146f324f1a1e46fa)
          http {
              ...
              server {
                  listen 80;
                  server_name registry.dobestan.com;
                  location / {
                      proxy_pass http://docker-registry:5000;
                  }
                  ...
              }
              ...
          }
  37. docker run nginx
          # -v mounts the configuration file; --link links the registry container
          $ docker run --name nginx-registry -d \
              -v ~/nginx.conf:/etc/nginx.conf \
              --link docker-registry:docker-registry \
              -p 80:80 nginx
          1fa1eeaa48975680315d73b1499883bc416bdbba63adf4a94b913e377
  38. docker push
          $ docker push registry.dobestan.com/hello_world
          The push refers to a repository [registry.dobestan.com:5000/hello_world]
          Sending image list
          Pushing repository registry.dobestan.com/hello_world (1 tags)
          511136ea3c5a: Image successfully pushed
          42eed7f1bf2a: Image successfully pushed
          120e218dd395: Image successfully pushed
          a9eb17255234: Image successfully pushed
          1ca10bda6835: Image successfully pushed
          82bdf77324c2: Image successfully pushed
          Pushing tag for rev [82bdf77324c2] on {http://registry.dobestan.com/v1/repositories/hello_world/tags/latest}
  39. S3 Bucket
  40. End of AWS: EC2 + S3
  41. AUTH
  42. HTTP + User Auth
  43. htpasswd: .htpasswd is a flat file used to store usernames and passwords for basic authentication on an Apache HTTP Server
          $ sudo apt-get -y install apache2-utils
  44. htpasswd
          $ htpasswd -c .htpasswd dobestan
          New password:
          Re-type new password:
          Adding password for user dobestan
          $ cat .htpasswd
          dobestan:$apr1$mtXLPDLn$YXdZDqy8Rrbtq39iieV2B0
  45. nginx.conf (https://gist.github.com/dobestan/953b146f324f1a1e46fa)
          ...
          location / {
              proxy_pass http://docker-registry:5000;
              proxy_set_header Host $host;
              proxy_read_timeout 900;

              auth_basic "Restricted";
              # nginx does not expand "~"; point this at the file's absolute path
              auth_basic_user_file ~/.htpasswd;
          }
          ...
  46. docker push
          $ docker push 54.64.158.154/hello_world
          The push refers to a repository [54.64.158.154/hello_world]
          Sending image list
          Pushing repository 54.64.158.154/hello_world (1 tags)
          511136ea3c5a: Pushing
          2014/09/20 23:36:39 HTTP code 401, Docker will not send auth headers over HTTP.
  47. Docker will not send auth headers over HTTP.
  48. HTTPS HTTP + User Auth
  49. Self Signed Certi: 1. Generate the private key
          $ openssl genrsa -out private_key.pem 2048
  50. Self Signed Certi: 2. Generate the CSR
          $ openssl req -new -key private_key.pem -out server.csr
          Country Name (2 letter code) [AU]:KO
          State or Province Name (full name) [Some-State]:Seoul
          Locality Name (eg, city) []:Seoul
          Organization Name (eg, company):Dreampic
          Organizational Unit Name (eg, section) []:Dev
          Common Name (e.g. server FQDN or YOUR name) []:54.64.158.154
          Email Address []:dobestan@gmail.com
  51. Self Signed Certi: 3. Issue the certificate
          $ openssl x509 -req -days 365 -in server.csr -signkey private_key.pem -out server.crt
          Signature ok
          subject=/C=KO/ST=Seoul/L=Seoul/O=Dreampic/OU=Dev/CN=54.64.158.154/emailAddress=dobestan@gmail.com
          Getting Private key
  52. Self Signed Certi: 4. Install the certificate
          $ sudo cp server.crt /usr/share/ca-certificates/
          $ echo "server.crt" | sudo tee -a /etc/ca-certificates.conf
          $ sudo update-ca-certificates
          Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
          Running hooks in /etc/ca-certificates/update.d....done.
  53. docker login
          $ docker login 54.64.158.154
          Username: dobestan
          Password:
          Email: dobestan@gmail.com
          2014/09/25 14:16:25 Error response from daemon: Invalid Registry endpoint: Get https://54.64.158.154/v1/_ping: x509: cannot validate certificate for 54.64.158.154 because it doesn't contain any IP SANs
  54. Error response from daemon: Invalid Registry endpoint x509: cannot validate certificate for it doesn't contain any IP SANs
  55. HTTPS HTTP + User Auth + Domain Name
  56. /etc/hosts
          ...
          127.0.0.1 localhost
          54.64.158.154 registry.dobestan.com
          ...
  57. Self Signed Certi: 2. Generate the CSR, this time with the domain name
          $ openssl req -new -key private_key.pem -out server.csr
          Country Name (2 letter code) [AU]:KO
          State or Province Name (full name) [Some-State]:Seoul
          Locality Name (eg, city) []:Seoul
          Organization Name (eg, company):Dreampic
          Organizational Unit Name (eg, section) []:Dev
          Common Name : registry.dobestan.com
          Email Address []:dobestan@gmail.com
  58. docker login
          $ docker login https://registry.ansuchan.com
          Username: dobestan
          Password:
          Email: dobestan@gmail.com
          Login Succeeded
  59. End of AUTH. Really the end.
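  60. Conclusion: work hard at making a self-signed certificate, add a fake domain as well, and make sure authentication is always enforced.
  61. Conclusion: work hard at making a self-signed certificate, add a domain, and authenticate that way. Or buy a publicly trusted SSL certificate ... or restrict access by IP ... Let's find an easier way.
  62. Thank you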
