Build a docker registry for custom authorization

Posted by OpSiS on Sat, 05 Mar 2022 02:58:36 +0100

1. Introduction to authentication

Building your own docker registry is straightforward; the elegant part is how the registry's authentication can be tied into an existing system. We can define rules that allow or deny pull and push for particular accounts, or allow one but not the other. The basic idea:

  • Customize a docker registry image. Starting from the official image, the image definition specifies the address of the authentication service
  • Customize an authentication image that contains the custom authentication logic and the repository ACL
  • Deploy the two services

2. Customize docker registry

# The registry binary is taken from the official image; the centos base does not ship one
FROM registry:2 AS registry

FROM centos:7.6.1810

COPY --from=registry /bin/registry /bin/registry
RUN mkdir -p /var/lib/registry

EXPOSE 5000

# DOMAIN must be supplied with --build-arg, otherwise ${DOMAIN} expands to nothing
ARG DOMAIN

ENV REGISTRY_AUTH="token"
# The realm is the URL the docker client fetches tokens from; it must be reachable
# from the client, and as deployed in section 4 the auth service listens on 5001
ENV REGISTRY_AUTH_TOKEN_REALM="https://${DOMAIN}:5001/auth"
# Service and issuer must match, character for character, the service name and
# token.issuer the auth server puts into its tokens (KEY=value form, so the
# quoted values are unambiguous)
ENV REGISTRY_AUTH_TOKEN_SERVICE="Docker registry"
ENV REGISTRY_AUTH_TOKEN_ISSUER="Auth Service"
# Certificate used to verify token signatures; here the auth server's own TLS cert
ENV REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE="/ssl/domain.crt"
ENV REGISTRY_HTTP_TLS_CERTIFICATE="/ssl/domain.crt"
ENV REGISTRY_HTTP_TLS_KEY="/ssl/domain.key"
# Baking the HTTP secret into the image exposes it through docker history;
# passing it with -e at run time is safer
ENV REGISTRY_HTTP_SECRET="w87reoqweifgqoe"

COPY config/config.yml /etc/docker/registry/config.yml
COPY ssl/ /ssl/
# Private CA added to the system trust store
COPY ./cert/digicert-ng.pem.trust /etc/pki/ca-trust/source/anchors/digicert-ng.pem
RUN update-ca-trust extract

CMD ["/bin/registry", "serve", "/etc/docker/registry/config.yml"]

3. Customize the authorization image (the key part)

3.1 Image

A fully featured open source base image is used here: cesanta/docker_auth. To follow the image configuration below you need to know the basics of that image.

# Take the auth_server binary from the official image and run it on a base that
# also has Python for boxlogin.py (note that python 2.7 is end of life)
FROM cesanta/docker_auth AS cesanta
FROM python:2.7.18-alpine
COPY --from=cesanta /docker_auth/ /docker_auth/

# A build arg ends up in the image layers, where docker history can read it;
# passing CICD_SECRET with -e at run time is safer
ARG CICD_SECRET
ENV CICD_SECRET=${CICD_SECRET}

COPY config/ /config/
COPY ssl/ /ssl/
COPY extensions/ /extensions/
# glog writes to -log_dir, which must exist; the ext_auth command must be executable
RUN mkdir -p /logs && chmod +x /extensions/ext_auth.sh

EXPOSE 5001
ENTRYPOINT ["/docker_auth/auth_server"]
CMD ["-alsologtostderr=true", "-log_dir=/logs", "/config/extAuth.yml"]

3.2 Image configuration

The image above carries two sets of configuration: config and extensions.

  • config holds the configuration parameters. The auth server and the registry talk over HTTPS using the certificate; the token issuer, the external authentication method ext_auth and the acl are the key settings:
server: # Server settings.
  addr: ":5001"

  certificate: "/ssl/domain.crt"
  key: "/ssl/domain.key"

token: # Settings for the tokens.
  issuer: "Auth Service" # Must match issuer in the Registry config.
  expiration: 900
ext_auth:
  command: "/extensions/ext_auth.sh" # Can be a relative path too; $PATH works.
  args: [""]
acl: # Evaluated top to bottom; the first matching entry decides
  - match: { ip: "127.0.0.0/8" }
    actions: ["*"]
    comment: "Allow everything from localhost (IPv4)"
  - match: { account: "/.+/", type: "registry", name: "catalog" }
    actions: ["*"]
    comment: "Logged in users can query the catalog."
  - match: { labels: { "group": "CICD" } }
    actions: ["*"]
    comment: "User assigned to group 'CICD' is able to push"
  - match: { account: "/.+/" }
    actions: ["pull"]
    comment: "Logged in users can pull all images."
  • extensions holds the commands referenced by ext_auth above. ext_auth.sh, for example, is a script:
#!/bin/sh
# docker_auth writes "user password" to stdin; -r keeps backslashes literal,
# but a password containing whitespace would still be split here
read -r u p

if [ "$u" = "cicd" ]; then
  if [ "$p" = "$CICD_SECRET" ]; then
    # Anything written to stdout is parsed as JSON; the labels feed the ACL
    echo '{"labels": {"group": ["CICD"]}}'
    exit 0
  fi
  exit 1
fi

# Everyone else is checked by the Python script. Passing the password as an
# argument exposes it to ps inside the container while the script runs
python /extensions/boxlogin.py "$u" "$p"

exit $?
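To see how the config and extensions pieces work together, here is an added example (not from the original post, and not docker_auth's own code) that mimics in Python 3 what the auth server does for a single /auth request: it runs an ext_auth command with "user password" on stdin, takes exit 0 as success and any stdout as JSON labels, then walks the ACL above top to bottom and returns the requested actions the first matching entry allows. The embedded script is a constructed stand-in for ext_auth.sh: the cicd branch is the page's, and a made-up "alice"/"alice-pw" user replaces the boxlogin.py call so the example runs offline. The secret, IP addresses and scopes are also made up.

```python
import fnmatch
import ipaddress
import json
import os
import re
import subprocess
import tempfile

# Constructed stand-in for /extensions/ext_auth.sh. The "cicd" branch is the
# one from the page; the "alice" branch replaces the boxlogin.py call so the
# example runs offline. docker_auth's ext_auth backend writes "user password"
# to the command's stdin, treats exit 0 as success and exit 1 as a failed
# login, and parses anything on stdout as JSON of the form {"labels": {...}}.
EXT_AUTH_SCRIPT = """#!/bin/sh
read -r u p
if [ "$u" = "cicd" ]; then
  if [ "$p" = "$CICD_SECRET" ]; then
    echo '{"labels": {"group": ["CICD"]}}'
    exit 0
  fi
  exit 1
fi
# stand-in for: python /extensions/boxlogin.py "$u" "$p"
if [ "$u" = "alice" ] && [ "$p" = "alice-pw" ]; then
  exit 0
fi
exit 1
"""

# The acl section of extAuth.yml as Python literals. Order matters: the first
# entry whose match succeeds decides and later entries are not consulted.
ACL = [
    {"match": {"ip": "127.0.0.0/8"}, "actions": ["*"]},
    {"match": {"account": "/.+/", "type": "registry", "name": "catalog"}, "actions": ["*"]},
    {"match": {"labels": {"group": "CICD"}}, "actions": ["*"]},
    {"match": {"account": "/.+/"}, "actions": ["pull"]},
]


def ext_auth(user, password, secret):
    """Run the external command the way docker_auth does; returns (ok, labels)."""
    with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as f:
        f.write(EXT_AUTH_SCRIPT)
        path = f.name
    try:
        proc = subprocess.run(
            ["sh", path],
            input="%s %s\n" % (user, password),
            capture_output=True, text=True,
            env=dict(os.environ, CICD_SECRET=secret),
        )
    finally:
        os.unlink(path)
    if proc.returncode != 0:
        return False, {}
    labels = json.loads(proc.stdout).get("labels", {}) if proc.stdout.strip() else {}
    return True, labels


def _match_str(pattern, value):
    """docker_auth string matching: "/re/" is an unanchored regex, anything else a glob."""
    if len(pattern) > 2 and pattern[0] == "/" and pattern[-1] == "/":
        return re.search(pattern[1:-1], value) is not None
    return fnmatch.fnmatchcase(value, pattern)


def _entry_matches(match, account, ip, labels, scope_type, scope_name):
    """True when every field present in the entry's match block is satisfied."""
    if "ip" in match and ipaddress.ip_address(ip) not in ipaddress.ip_network(match["ip"]):
        return False
    for key, field in (("account", account), ("type", scope_type), ("name", scope_name)):
        if key in match and not _match_str(match[key], field):
            return False
    for key, want in match.get("labels", {}).items():
        if not any(_match_str(want, have) for have in labels.get(key, [])):
            return False
    return True


def authorize(user, password, ip, scope, secret="s3cret"):
    """One /auth decision: authenticate, then filter the requested actions
    through the first matching ACL entry. scope is "type:name:act1,act2" as
    the docker client sends it. Returns None when authentication fails,
    otherwise the list of granted actions (possibly empty)."""
    labels = {}
    if user:  # an empty account is an anonymous request and skips authentication
        ok, labels = ext_auth(user, password, secret)
        if not ok:
            return None
    scope_type, scope_name, actions = scope.split(":", 2)
    requested = actions.split(",")
    for entry in ACL:
        if _entry_matches(entry["match"], user, ip, labels, scope_type, scope_name):
            allowed = entry["actions"]
            return requested if "*" in allowed else [a for a in requested if a in allowed]
    return []


if __name__ == "__main__":
    print(authorize("cicd", "s3cret", "10.0.0.5", "repository:app/web:pull,push"))   # ['pull', 'push']
    print(authorize("alice", "alice-pw", "10.0.0.5", "repository:app/web:pull,push"))  # ['pull']
    print(authorize("", "", "10.0.0.5", "repository:app/web:pull"))                  # []
```

Two things the run makes visible: a wrong password for cicd fails authentication outright (None), while a valid user without the CICD label is authenticated but only granted pull, and the anonymous request from 10.0.0.5 matches no entry and gets nothing. Move the catalog entry below the pull-only entry and a logged-in user asking for registry:catalog:* is granted nothing, which is why the ACL order on the page is the way it is.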

3.3 authentication image project directory

.
├── Dockerfile
├── build.sh
├── config
│   └── extAuth.yml
├── extensions
│   ├── boxlogin.py
│   └── ext_auth.sh
└── ssl
    ├── domain.crt
    ├── domain.csr
    └── domain.key

ext_auth.sh is the shell script the configuration points at. It does not have to write anything to standard output; what counts is the exit code, 0 for success and 1 for failure (if it does write to stdout, as the cicd branch does, the output is parsed as JSON labels). boxlogin.py can implement more flexible logic, such as sending a REST request to an existing service to decide whether the login succeeds: exit(0) on success, exit(1) otherwise.

4. Deployment

Once the images are built, deployment is simple:

  • Deploy registry and expose an access address
  • Deploy auth and expose an access address
  • Both are reachable at the same IP or domain name, but the auth service is on port 5001. After deployment, make sure each service answers on its own. The registry should answer /v2/ with HTTP 401 and a Www-Authenticate header naming the realm and service from section 2, and the auth service should answer at /auth. You can check both with:
curl -i https://my.registory.cn/v2/
curl -i https://my.registory.cn:5001/auth
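The two endpoints also have to agree with each other, and the usual failure is that the issuer or service string in the registry does not match what the auth server puts into its tokens. The following added example (not from the original post; Python 3, standard library only) does the client's side of the flow offline: it parses the Www-Authenticate challenge the registry returns for /v2/, builds the token URL a docker client would request from the realm, and inspects the iss, aud and exp claims of a token against the REGISTRY_AUTH_TOKEN_* values from section 2. The challenge header and the tokens are constructed for the demonstration; the tokens carry no signature because the point is the claim comparison, not signature verification.

```python
import base64
import json
import re
import time
from urllib.parse import urlencode

# Constructed header, shaped like the registry's answer to GET /v2/ once
# REGISTRY_AUTH is "token"; realm and service are the values from section 2.
CHALLENGE = 'Bearer realm="https://my.registory.cn:5001/auth",service="Docker registry"'

# What the registry was configured with (REGISTRY_AUTH_TOKEN_ISSUER / _SERVICE).
REGISTRY_ISSUER = "Auth Service"
REGISTRY_SERVICE = "Docker registry"


def parse_challenge(header):
    """Split a 'Bearer key="value",key2="value2"' Www-Authenticate value into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % header)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def token_url(challenge, scope, account=None):
    """URL a docker client GETs (with Basic auth) to obtain a token for scope."""
    params = {"service": challenge["service"], "scope": scope}
    if account:
        params["account"] = account
    return challenge["realm"] + "?" + urlencode(params)


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Constructed JWT with an empty signature, only so there is something to
    inspect offline. A real docker_auth token is signed with the key behind
    the certificate the registry lists in REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + "."


def check_token_claims(token, issuer, service, now=None):
    """Return the claim mismatches that make the registry reject a token before
    its signature is even considered. An empty list means the claims line up."""
    now = time.time() if now is None else now
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss %r != REGISTRY_AUTH_TOKEN_ISSUER %r" % (claims.get("iss"), issuer))
    if claims.get("aud") != service:
        problems.append("aud %r != REGISTRY_AUTH_TOKEN_SERVICE %r" % (claims.get("aud"), service))
    if claims.get("exp", 0) <= now:
        problems.append("token expired (exp=%s, now=%d)" % (claims.get("exp"), now))
    return problems


if __name__ == "__main__":
    ch = parse_challenge(CHALLENGE)
    print(token_url(ch, "repository:app/web:pull,push", account="alice"))
    good = make_unsigned_token({"iss": "Auth Service", "aud": "Docker registry", "exp": 4102444800})
    bad = make_unsigned_token({"iss": "Auth Service ", "aud": "Docker registry", "exp": 4102444800})
    print(check_token_claims(good, REGISTRY_ISSUER, REGISTRY_SERVICE))  # []
    print(check_token_claims(bad, REGISTRY_ISSUER, REGISTRY_SERVICE))   # one iss mismatch
```

When a push or pull fails with "unauthorized" after both curl checks pass, paste the real token from a docker_auth response (with the registry's configured issuer and service) into check_token_claims: a trailing space, a stray quote or a mismatched service string shows up immediately, and an expired token points at the 900 second expiration in extAuth.yml together with clock skew between the two hosts.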

5. Troubleshooting