Add User and Password Authentication
30 Sep 2020 | Docker
So far, over the previous two articles, you have built a public registry secured with SSL against network sniffing attacks. However, this is not enough for a private registry. Any private registry should have some kind of authentication and access restriction, so that only authorized users can access it. Authentication and access restriction mitigate the risk of abuse.
This article shows you how to set up basic authentication in the simplest way, through htpasswd. You can hand out users and their passwords, and users must authenticate before performing any registry operation.
- An open, SSL-protected registry is up and running. If you don't know how to set one up, please review the previous two articles.
It's easy to set up user and password authentication with the htpasswd utility, which is part of Apache. There are two steps: first generate your password file, then apply it to your registry container.
- Generate a password file
```
$ mkdir auth
$ docker run \
    --entrypoint htpasswd \
    registry:2.7.0 -Bbn youruser yourpassword > auth/htpasswd
```
The above snippet created a user `youruser` with the password `yourpassword` in the file `auth/htpasswd`.
All docker arguments come before the image name. The arguments after it are for `htpasswd`, which is the entrypoint.
`-Bbn` means use bcrypt, run in batch mode, and print to standard output. See htpasswd - Manage user files for basic authentication for more information.
Do not use `registry:2.7` to generate the password file, because `htpasswd` doesn't exist in the `registry:2.7` image. Use `registry:2.7.0`, or another one, instead.
Once it finishes, it creates an htpasswd file on your local machine. View here to explore more details about how the above snippet works.
```
$ ls auth
htpasswd
$ cat auth/htpasswd
youruser:$2y$05$EmtDysYM8i42jUWp6qXg1.nSENd/b.A2ytile0TVETWzTfP4N/mp6
```
- Apply your password file to the registry container
You can use the following snippet to apply your password file to your registry:
```
$ docker run -d \
    --restart=always \
    --name registry \
    -v "$(pwd)"/auth:/auth \
    -e "REGISTRY_AUTH=htpasswd" \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    -v /etc/letsencrypt:/certs \
    -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/live/registry.vigourwu.xyz/fullchain.pem \
    -e REGISTRY_HTTP_TLS_KEY=/certs/live/registry.vigourwu.xyz/privkey.pem \
    -p 5050:5000 \
    registry:2.7.0
```
Now, finally, a password-secured registry is up and running.
```
$ docker login registry.vigourwu.xyz:5050
$ docker tag ubuntu registry.vigourwu.xyz:5050/ubuntu
$ docker push registry.vigourwu.xyz:5050/ubuntu
$ docker pull registry.vigourwu.xyz:5050/ubuntu
$ docker logout registry.vigourwu.xyz:5050
```
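The registry's htpasswd backend only accepts bcrypt entries, and the hash generated above uses cost 05. As an added example (not part of the original article), this script audits a password file before it is mounted into the container; the names `audit_htpasswd` and `sample_htpasswd` and the minimum cost of 10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: audit an htpasswd file
# before mounting it into the registry container.
# Usage: sh audit_htpasswd.sh auth/htpasswd [MIN_COST]

# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if unreadable.
# MIN_COST (default 10) is an assumed policy value, not a registry setting.
audit_htpasswd() {
    file=$1
    min_cost=${2:-10}
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    awk -F: -v min="$min_cost" \
        -v re='^[$]2[aby][$][0-9][0-9][$][./A-Za-z0-9]+$' '
        NF == 0 { next }                                # ignore empty lines
        NF != 2 || $1 == "" {
            print "line " NR ": malformed entry"; bad = 1; next
        }
        seen[$1]++ { print "line " NR ": duplicate user " $1; bad = 1 }
        $2 !~ re || length($2) != 60 {                  # registry accepts bcrypt only
            print "line " NR ": " $1 " is not a bcrypt hash"; bad = 1; next
        }
        {
            cost = substr($2, 5, 2) + 0                 # "$2y$05$..." -> 5
            if (cost < min) {
                print "line " NR ": " $1 " has bcrypt cost " cost ", below " min
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$file"
}

# Constructed sample: the entry shown in the article, a constructed
# non-bcrypt entry, and a duplicate of the first user.
sample_htpasswd() {
    cat <<'EOF'
youruser:$2y$05$EmtDysYM8i42jUWp6qXg1.nSENd/b.A2ytile0TVETWzTfP4N/mp6
olduser:$apr1$constructed$notARealHashValue00000
youruser:$2y$05$EmtDysYM8i42jUWp6qXg1.nSENd/b.A2ytile0TVETWzTfP4N/mp6
EOF
}

if [ $# -gt 0 ]; then audit_htpasswd "$@"; fi
```

A non-zero exit status makes the function usable as a gate in a deployment script before the `docker run` step.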
At this point, you know how to set up a password-secured registry. I have covered all the details of the process. By the way, in the previous article, Set up a docker registry on debian 4.6, we built a public registry without SSL or a password; it should only be used in a testing environment. Our registry, now secured with SSL and a password, is fit for a production environment.
If you have any questions, please feel free to comment.