Anonymous Docker repo in Artifactory

I'm on Artifactory version 4.6 and have the following requirements on the Docker registry.

  - Allow anonymous pull on a Docker repository
  - Force authentication on the SAME Docker repository

I know this is available in later versions of Artifactory. However, upgrading is not an option for us for a while.

Would the following work?

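  1. Create a virtual Docker repository on port 8443 without forcing authentication, and call it docker-virtual
  2. Create a local Docker repository with forced authentication, called docker-local, on port 8444
  3. Configure the default deployment directory of "docker-virtual" to be "docker-local"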

    docker pull docker-virtual should work
    docker push docker-virtual should ask for credentials

Once that fails, I should be able to:

    docker login docker-virtual
    docker push docker-virtual/myImage

I don't know about the Artifactory side, but maybe the following Docker suggestion helps.

In Docker, you can run two registries: one RW with authentication, and another RO without any authentication.

    # Read-write registry on port 5000, htpasswd authentication required
    docker run -d -p 5000:5000 --restart=always --name registry \
      -v `pwd`/certs:/certs:ro \
      -v `pwd`/auth/htpasswd:/auth/htpasswd:ro \
      -v `pwd`/registry:/var/lib/registry \
      -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/host-cert.pem" \
      -e "REGISTRY_HTTP_TLS_KEY=/certs/host-key.pem" \
      -e "REGISTRY_AUTH=htpasswd" \
      -e "REGISTRY_AUTH_HTPASSWD_REALM=My Registry" \
      -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
      -e "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry" \
      registry:2

    # Read-only registry on port 5001, no authentication, same storage mounted :ro
    docker run -d -p 5001:5000 --restart=always --name registry-ro \
      -v `pwd`/certs:/certs:ro \
      -v `pwd`/auth/htpasswd:/auth/htpasswd:ro \
      -v `pwd`/registry:/var/lib/registry:ro \
      -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/host-cert.pem" \
      -e "REGISTRY_HTTP_TLS_KEY=/certs/host-key.pem" \
      -e "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry" \
      registry:2

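Note the volume settings for /var/lib/registry in each container. Then, to pull from the anonymous registry, you only need to change the port. Since the filesystem is RO, any attempt to push to 5001 will fail.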

The closest functionality you can achieve is docker push failing without credentials (while pull succeeds).

I don't know whether this works with Artifactory, sorry…. You could try this handy project for Docker registry authentication.

Configure the registry to use this: https://hub.docker.com/r/cesanta/docker_auth/

    # registry config.yml
    ...
    auth:
      token:
        # can be the same as your docker registry if you use nginx to proxy /auth to docker_auth
        # https://docs.docker.com/registry/recipes/nginx/
        realm: "example.com:5001/auth"
        service: "Docker registry"
        issuer: "Docker Registry auth server"
        rootcertbundle: /certs/domain.crt

And allow anonymous access with the corresponding ACL:

    # cesanta/docker_auth auth_config.yml
    ...
    users:
      # Password is specified as a BCrypt hash. Use htpasswd -B to generate.
      "admin":
        password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC"  # badmin
      "": {}  # Allow anonymous (no "docker login") access.
    ldap_auth:
      # See: https://github.com/cesanta/docker_auth/blob/master/examples/ldap_auth.yml
    acl:
      # See https://github.com/cesanta/docker_auth/blob/master/examples/reference.yml#L178
      - match: {account: "/.+/"}
        actions: ["*"]
        comment: "Logged in users do anything."
      - match: {account: ""}
        actions: ["pull"]
        comment: "Anonymous users can pull anything."
      # Access is denied by default.
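
A simplified model of how the ACL above separates anonymous pulls from authenticated pushes, added here as an example (it is not code from the answer or from docker_auth itself). It assumes first-match-wins evaluation, that `/.../` denotes a regular expression over the whole account name, and default deny; `authorize`, `anonymous_can_push` and `LOOSE_ACL` are hypothetical names, and `LOOSE_ACL` is a constructed misconfiguration.

```python
import re

# ACL copied from the auth_config.yml above, as Python data.
ACL = [
    {"match": {"account": "/.+/"}, "actions": ["*"]},
    {"match": {"account": ""}, "actions": ["pull"]},
]
# Constructed misconfiguration: ".*" also matches the empty (anonymous) account.
LOOSE_ACL = [{"match": {"account": "/.*/"}, "actions": ["*"]}] + ACL


def field_matches(pattern, value):
    """Assumed rule: "/.../" is a regex over the whole value, else literal compare."""
    if len(pattern) >= 2 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], value) is not None
    return pattern == value


def authorize(acl, account, requested):
    """Return the requested actions granted by the first matching entry."""
    request = {"account": account}
    for entry in acl:
        match = entry["match"]
        if all(field_matches(p, request.get(k, "")) for k, p in match.items()):
            if "*" in entry["actions"]:
                return list(requested)
            return [a for a in requested if a in entry["actions"]]
    return []  # no entry matched: access is denied by default


def anonymous_can_push(acl):
    """Check to run before deploying an ACL: may an empty account push?"""
    return "push" in authorize(acl, "", ["pull", "push"])


if __name__ == "__main__":
    for name, acl in (("page ACL", ACL), ("loose ACL", LOOSE_ACL)):
        print(name, "anonymous:", authorize(acl, "", ["pull", "push"]),
              "admin:", authorize(acl, "admin", ["pull", "push"]),
              "anonymous push allowed:", anonymous_can_push(acl))
```

The difference between `.+` and `.*` in the first entry is what keeps the anonymous (empty) account out of the "do anything" rule.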