An Enthusiastic Programmer

Add User and Password Authentication


After the previous two articles, you have a public registry secured with SSL against network sniffing attacks. However, this is not enough for a private registry. Any private registry should have some kind of authentication and access restriction, so that only authorized users can access it. Authentication and restricted access mitigate the risk of abuse.

This article shows you how to set up basic authentication in the simplest way, through htpasswd. You can distribute users and their passwords, and users must authenticate before doing any registry operation.

Prerequisites

  1. An open, SSL-protected registry is up and running. If you don’t know how to set one up, please review the previous two articles.

Let’s start

It’s easy to set up user and password authentication with htpasswd, which is part of Apache. There are two steps: first generate your password file, then apply that password file to your registry container.

  1. Generate a password file
    $ mkdir auth
    $ docker run \
      --entrypoint htpasswd \
      registry:2.7.0 -Bbn youruser yourpassword > auth/htpasswd
    

    The above snippet creates the user youruser with the password yourpassword in the file auth/htpasswd, using the htpasswd binary from the registry:2.7.0 image.

NOTE:

All docker arguments come before the docker image name. The arguments after the image name, here -Bbn, are passed to htpasswd.

-Bbn tells htpasswd to use bcrypt, run in batch mode (the password is taken from the command line), and print the result to standard output. See htpasswd - Manage user files for basic authentication for more information.

Don't use registry:2.7 to generate the password file, because htpasswd doesn't exist in the registry:2.7 image. You should use registry:2.0, registry:2.7.0, or others instead.

Once the command finishes, it will have created an htpasswd file on your local machine. View here to explore more details about how the above snippet works.

    $ ls auth
    htpasswd
    $ cat auth/htpasswd
    youruser:$2y$05$EmtDysYM8i42jUWp6qXg1.nSENd/b.A2ytile0TVETWzTfP4N/mp6

  2. Apply your password file to the registry container

    You can use the following snippet to apply your password file to your registry:2.7.0 container.

    $ docker run -d \
      --restart=always \
      --name registry \
      -v "$(pwd)"/auth:/auth \
      -e "REGISTRY_AUTH=htpasswd" \
      -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
      -v /etc/letsencrypt:/certs \
      -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/live/registry.vigourwu.xyz/fullchain.pem \
      -e REGISTRY_HTTP_TLS_KEY=/certs/live/registry.vigourwu.xyz/privkey.pem \
      -p 5050:5000 \
      registry:2.7.0
    

    Now, finally, a password-secured registry is up and running.

    $ docker login registry.vigourwu.xyz:5050
    $ docker tag ubuntu registry.vigourwu.xyz:5050/ubuntu
    $ docker push registry.vigourwu.xyz:5050/ubuntu
    $ docker pull registry.vigourwu.xyz:5050/ubuntu
    $ docker logout registry.vigourwu.xyz:5050
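
Before mounting auth/htpasswd into the container, it is worth auditing the file generated in step 1: the registry's htpasswd backend only accepts bcrypt entries and ignores any other hash type, and the sample output above shows htpasswd's default bcrypt cost of 05. The following check is an added example, not part of the original article or of the registry project; the function names `audit_htpasswd` and `sample_htpasswd` and the `MIN_COST=10` policy are assumptions of this example.

```shell
#!/bin/sh
MIN_COST=10   # assumed local policy; htpasswd -B defaults to cost 5

# Reads htpasswd lines on stdin, prints one finding per problem entry,
# and returns 1 if anything was found, 0 if every entry is acceptable.
audit_htpasswd() {
  rc=0; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in
      '' | '#'*) continue ;;                       # skip blank and comment lines
      *:*) user=${line%%:*}; hash=${line#*:} ;;
      *) echo "line $n: malformed, expected user:hash"; rc=1; continue ;;
    esac
    case $hash in
      '$2'[aby]'$'[0-9][0-9]'$'*)                   # bcrypt: $2y$<cost>$<53 chars>
        cost=${hash#???\$}; cost=${cost%%\$*}; cost=${cost#0}
        if [ "${#hash}" -ne 60 ]; then
          echo "line $n: $user: bcrypt hash is ${#hash} chars, expected 60"; rc=1
        elif [ "$cost" -lt "$MIN_COST" ]; then
          echo "line $n: $user: bcrypt cost $cost is below $MIN_COST"; rc=1
        fi ;;
      *) echo "line $n: $user: not bcrypt, the registry ignores this entry"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample input, except "youruser", which is the line shown above.
sample_htpasswd() {
  printf '%s\n' \
    'youruser:$2y$05$EmtDysYM8i42jUWp6qXg1.nSENd/b.A2ytile0TVETWzTfP4N/mp6' \
    'bob:$apr1$constructed$notARealHashValue00000' \
    'dave:$2y$12$truncated' \
    'broken line without separator'
  printf 'carol:%s%053d\n' '$2y$12$' 0             # well-formed shape, cost 12
}

sample_htpasswd | audit_htpasswd || true           # demo run on the sample
```

Run it against the real file with `audit_htpasswd < auth/htpasswd`. A higher bcrypt cost can be requested when generating the file by adding htpasswd's `-C` option alongside `-B`.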
    

Conclusion

At this point, you know how to set up a password-secured registry. I have mentioned all the details in the process. By the way, in the previous article, Set up a docker registry on debian 4.6, we built a public registry without SSL or a password; it should only be used in a testing environment. Our registry, now secured with SSL and a password, is fit for a production environment.

If you have any questions, please feel free to comment.
