1,与前一篇的步骤一样,只是在 auth_config.yml 中增加下面几项配置(注意:下文的启动命令加载的是 /config/ldap_auth.yml,文件名要与之保持一致),改动如下:
# NOTE(review): this is an excerpt, not a complete file. The lines below come
# from several parts of the docker_auth config (token settings, LDAP bind,
# user passwords, ACL rules) and their parent keys are not shown here. The
# trailing "|" on each line is a rendering artifact of the original page, not
# YAML syntax - drop it when copying.
# See reference.yml for an explanation of all options. |

# realm: "https://127.0.0.1:5001/auth" |

# service: "Docker registry" |

# issuer: "Acme auth server" |

# rootcertbundle: "/path/to/server.pem" |

# Certificate docker_auth signs its tokens with. The registry in step 3 trusts
# /ssl/server.pem and step 2 mounts the host ssl directory at /ssl, so
# "/certs/auth.crt" only resolves if the image itself ships it - confirm this
# path matches the mounted directory and the registry's rootcertbundle.
certificate: "/certs/auth.crt" |

issuer: "Acme auth server" # Must match issuer in the Registry config (REGISTRY_AUTH_TOKEN_ISSUER in step 3). |

# Authentication is performed by first binding to the server, looking up the user entry |

# by using the specified filter, and then re-binding using the matched DN and the password provided. |

# In case bind DN and password is required for querying user information, |

# specify them here. Plain text password is read from the file. |

# Use a dedicated, read-only LDAP service account here; this DN never needs
# write access to the directory.
bind_dn: "uid=serviceaccount,ou=it,dc=example,dc=com" |

# Make sure you remove newlines and carriage returns from the password file. |

# SECURITY: this path is resolved inside the docker_auth container. The run
# command in step 2 mounts only /config and /ssl, so this /tmp file will not
# exist there unless it is mounted or baked into the image. Keep the file
# outside /tmp on the host, owned by the service user with mode 0400, and mount
# it read-only.
bind_password_file: /tmp/ldap_password.txt.clean |

# User query settings. ${account} is expanded from auth request |

base: "ou=musicians,dc=example,dc=com" |

# ${account} is taken from the client login. NOTE(review): confirm docker_auth
# escapes it (RFC 4515) before substitution; if it does not, a crafted account
# name could change the meaning of this filter.
filter: "(&(uid=${account})(objectClass=organizationalPerson))" |

# Password is specified as a BCrypt hash. Use htpasswd -B to generate. |

# SECURITY: the "# badmin" / "# 123" trailers reveal the plaintext passwords in
# a file that is shipped into the container - remove them before deployment,
# and never use "123" outside a throw-away test. The "$2y$05$" prefix shows
# bcrypt cost 5 (htpasswd -B's default); prefer a higher cost, e.g. -C 10.
# The two "password:" keys presumably belong to different user entries
# (admin / test); side by side as shown they would be duplicate keys.
password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin |

password: "$2y$05$WuwBasGDAgr.QCbGIjKJaep4dhxeai9gNZdmBnQXqpKly57oNutya" # 123 |

# Admin has full access to everything. |

# (the actions list for this rule is not shown in this excerpt)
- match: {account: "admin"} |

# User "test" can pull stuff (the actions list for this rule is not shown). |

- match: {account: "test"} |

# This will allow authenticated users to pull/push (the rule itself is not shown here) |

# The user "serviceaccount" (from LDAP) may not perform any docker actions |

# The empty actions list denies everything to the LDAP bind account, which
# should only ever be used by docker_auth itself. Keep this deny rule ahead of
# any broader authenticated-user rule (review: confirm docker_auth applies the
# first matching rule). Write the value on one line, "actions: []" - split
# across two lines as below it does not parse as an empty list.
- match: {account: "serviceaccount"} |

actions:
[]
2,运行命令:
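# Step 2a: start docker_auth (the token server) on :5001.
# - /config is already read-only; /ssl is now read-only too, since the
#   container only needs to read the signing certificate and key.
# - Step 1 edits auth_config.yml but this command loads /config/ldap_auth.yml;
#   use one file name consistently.
# - bind_password_file in the config points at /tmp inside the container, which
#   is not mounted here; add a read-only mount for it (from a host path
#   outside /tmp, mode 0400).
# - Pin cesanta/docker_auth to a specific tag or digest rather than the
#   floating default.
1,docker run -d --name docker_auth -p 5001:5001 \
 -v /data/192.168.111.128/config:/config:ro \
 --restart=always \
 -v /data/192.168.111.128/ssl:/ssl:ro cesanta/docker_auth /config/ldap_auth.yml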
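# Step 2b: start the registry on :5000 with token auth delegated to docker_auth.
# - ROOTCERTBUNDLE must be the certificate docker_auth signs tokens with (the
#   "certificate:" value in step 1); it is mounted read-only below.
# - No REGISTRY_HTTP_TLS_* variable is set, so the registry itself listens on
#   plain HTTP while the token realm is https: clients then present bearer
#   tokens in cleartext unless TLS is terminated in front of this container.
#   Set REGISTRY_HTTP_TLS_CERTIFICATE / REGISTRY_HTTP_TLS_KEY or put a TLS
#   proxy in front.
# - /var/lib/registry is not mounted from the host, so pushed images are lost
#   when the container is removed; add a volume for it.
# - Pin the registry image to a specific tag or digest rather than the
#   floating default.
3,docker run -d -p 5000:5000 \
 -e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry \
 -e REGISTRY_AUTH=token \
 -e REGISTRY_AUTH_TOKEN_REALM=https://192.168.111.128:5001/auth \
 -e REGISTRY_AUTH_TOKEN_SERVICE="Docker registry" \
 -e REGISTRY_AUTH_TOKEN_ISSUER="Acme auth server" \
 -e REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/ssl/server.pem \
 -v /data/192.168.111.128/ssl:/ssl:ro \
 --restart=always \
 --name registry registry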
4,之后就可以用 LDAP 中的用户登录、push 和 pull 了(前提是该用户匹配到 acl 中授予相应 actions 的规则;例如上面的 serviceaccount 因 actions 为空,会被拒绝所有操作)。