An Enthusiastic Programmer

Add User and Password Authentication

After the previous two articles, you have a public registry secured with SSL against network sniffing attacks. However, this is not enough for a private registry. Any private registry should have some form of authentication and access restriction so that only authorized users can access it. Authentication and access restriction mitigate the risk of abuse.

This article shows how to set up basic authentication in the simplest way, with htpasswd. You distribute usernames and passwords to your users, and they must authenticate before performing any registry operation.

Prerequisites

  1. An open, SSL-protected registry is up and running. If you don’t know how to set one up, please review the previous two articles.

Generate a htpasswd file

It’s easy to set up username and password authentication with htpasswd, a tool that is part of Apache. There are two steps: first generate your password file, then apply the password file to your registry container.

Generate a password file (aka htpasswd file)

$ mkdir auth
$ docker run \
  --entrypoint htpasswd \
  registry:2.7.0 -Bbn youruser yourpassword > auth/htpasswd

The above snippet creates the user youruser with the password yourpassword and writes the entry to the local file auth/htpasswd, using the htpasswd binary from the registry:2.7.0 image.

NOTE:

All docker arguments come before the image name. The arguments after the image name are passed to htpasswd; here that is -Bbn.

-Bbn means: use bcrypt (-B), run in batch mode, taking the password from the command line instead of prompting (-b), and print the result to standard output (-n). Because of -b, the password appears in your shell history. See the Apache documentation, htpasswd - Manage user files for basic authentication, for more information.

Don't use registry:2.7 to generate the password file, because htpasswd doesn't exist in the registry:2.7 image. Use registry:2.0, registry:2.7.0, or another tag instead.

Once the command finishes, there is an htpasswd file on your local machine.

$ ls auth
htpasswd
$ cat auth/htpasswd
youruser:$2y$05$EmtDysYM8i42jUWp6qXg1.nSENd/b.A2ytile0TVETWzTfP4N/mp6
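
The entry above starts with $2y$05$, which means bcrypt at cost 5, and the registry's htpasswd backend only accepts bcrypt entries. The following Python check is an added example, not part of the original article: it audits an htpasswd file for malformed, duplicate, non-bcrypt, or low-cost entries. The MIN_COST threshold and every sample line except the first are assumptions made for the example.

```python
import re

# bcrypt entry: $2a$/$2b$/$2y$ prefix, two-digit cost, 53 chars of salt+digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumed policy floor for this example, not a registry setting

def audit_htpasswd(text, min_cost=MIN_COST):
    """Return a list of (line_no, user, issue) for entries worth fixing."""
    findings, seen = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank lines and comments
            continue
        user, sep, digest = line.partition(":")
        if not sep or not user:
            findings.append((n, user, "malformed line, expected user:hash"))
            continue
        if user in seen:
            findings.append((n, user, "duplicate user"))
        seen.add(user)
        m = BCRYPT_RE.match(digest)
        if m is None:
            findings.append((n, user, "not a bcrypt hash"))
        elif int(m.group(1)) < min_cost:
            cost = int(m.group(1))
            findings.append((n, user, f"bcrypt cost {cost} is below {min_cost}"))
    return findings

# Line 1 is the entry shown in the article; the other lines are constructed.
SAMPLE = "\n".join([
    "youruser:$2y$05$EmtDysYM8i42jUWp6qXg1.nSENd/b.A2ytile0TVETWzTfP4N/mp6",
    "ci:$2y$12$" + "A" * 53,                  # constructed placeholder hash
    "legacy:$apr1$constructed$notarealhash",  # constructed, MD5-style entry
    "broken-line-without-colon",              # constructed, malformed
])

if __name__ == "__main__":
    for line_no, user, issue in audit_htpasswd(SAMPLE):
        print(f"line {line_no}: {user}: {issue}")
```

To generate entries with a higher cost, htpasswd accepts the -C option together with -B.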

Apply the htpasswd file

Apply the htpasswd file when you start the registry container.

You can use the following snippet to apply your password file to your registry:2.7.0 container.

$ docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v /etc/letsencrypt:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/live/registry.vigourwu.xyz/fullchain.pem \
  -e REGISTRY_HTTP_TLS_KEY=/certs/live/registry.vigourwu.xyz/privkey.pem \
  -p 5050:5000 \
  registry:2.7.0

Access your private registry with username and password

Now, finally, a password-secured registry is up and running.

Here, my domain is registry.vigourwu.xyz:5050; use your own instead.

$ docker login registry.vigourwu.xyz:5050
$ docker tag ubuntu registry.vigourwu.xyz:5050/ubuntu
$ docker push registry.vigourwu.xyz:5050/ubuntu
$ docker pull registry.vigourwu.xyz:5050/ubuntu
$ docker logout registry.vigourwu.xyz:5050

When you execute docker login my_registry_domain, it prompts you for a username and password. You can also specify them on the command line, although Docker warns that using --password on the command line is insecure and offers --password-stdin instead:

$ docker login --username my_name --password my_password my_registry_domain

Conclusion

At this point, you know how to set up a password-secured registry. I have covered all the details of the process. By the way, the public registry without SSL or a password that we built in the previous article, Set up a docker registry on debian 4.6, should only be used in a testing environment. Our registry, now secured with SSL and a password, is fit for a production environment.

If you have any questions, please feel free to comment.
