Docker private registry permission setup
Using Nexus, Docker repositories can be isolated from each other and access to them controlled. This article assumes two kinds of repository requirements:
- Partner shared repository (access: semi-public)
- Company-owned repository (access: private)
Repository design
- docker-central: synchronizes with the official registry
- docker-protect-hosted: shared deployment repository for release versions. Type: hosted; HTTP port: 8082; storage: docker-protect (30 GB quota); deployment policy: Allow redeploy
- docker-private-hosted: deployment repository for company-internal access. Type: hosted; HTTP port: 8083; storage: docker-private (30 GB quota); deployment policy: Allow redeploy
Role design
- docker-protect-pull
  - nx-repository-view-docker-docker-protect-hosted-browse
  - nx-repository-view-docker-docker-protect-hosted-read
  - nx-repository-view-docker-docker-central-browse
  - nx-repository-view-docker-docker-central-read
- docker-protect-push
  - nx-repository-view-docker-docker-protect-hosted-add
  - nx-repository-view-docker-docker-protect-hosted-edit
  - nx-repository-view-docker-docker-protect-hosted-read
Note: docker-protect-pull and docker-protect-push are designed alike; the roles for the private repository follow the same pattern.
User setup:
Security → Users → Create User: xxx, and grant the roles docker-protect-pull and docker-protect-push.
Enable Docker authentication
Location: Administration → Security → Realms → enable the Docker Bearer Token Realm
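The repository, role and user steps above can be scripted against the Nexus 3 REST API rather than clicked through the UI. The following is an added example, not code from the original post or from Sonatype: it builds the request bodies for the design described here, audits the roles for least privilege before anything is sent, and posts them with urllib. The endpoint paths and body fields are as I understand the Nexus 3 REST API (Administration → System → API on your instance shows the exact schema for your version); `NEXUS_URL`, the admin credentials, the `partner-ci` user and its placeholder password are assumptions, and the two blob stores with their 30 GB quota are assumed to exist already.

```python
"""Nexus 3 REST payloads for the docker-protect / docker-private design, with a
least-privilege audit that runs before anything is sent. Added example, not the
post's or Sonatype's code; endpoint paths and body fields follow the Nexus 3 REST
API as I understand it (check Administration -> System -> API on your instance).
NEXUS_URL, the admin credentials and the partner-ci user are assumptions."""
import base64
import json
import re
import urllib.request

NEXUS_URL = "https://nexus.example.invalid"  # assumption: your Nexus base URL
PRIV_RE = re.compile(r"^nx-repository-view-(?P<fmt>[^-]+)-(?P<repo>.+)-"
                     r"(?P<action>browse|read|edit|add|delete|\*)$")
WRITE_ACTIONS = {"add", "edit", "delete", "*"}


def hosted_docker_repo(name, http_port, blob_store):
    """Body for POST /service/rest/v1/repositories/docker/hosted."""
    return {"name": name, "online": True,
            "storage": {"blobStoreName": blob_store, "strictContentTypeValidation": True,
                        "writePolicy": "ALLOW"},  # the UI's "Allow redeploy"
            "docker": {"v1Enabled": False, "forceBasicAuth": True, "httpPort": http_port}}


def privilege(repo, action, fmt="docker"):
    """Nexus repository-view privilege name, e.g. nx-repository-view-docker-docker-central-read."""
    return f"nx-repository-view-{fmt}-{repo}-{action}"


def role(role_id, privileges):
    """Body for POST /service/rest/v1/security/roles."""
    return {"id": role_id, "name": role_id, "description": role_id,
            "privileges": sorted(set(privileges)), "roles": []}


def user(user_id, password, roles):
    """Body for POST /service/rest/v1/security/users."""
    return {"userId": user_id, "firstName": user_id, "lastName": "service",
            "emailAddress": f"{user_id}@example.invalid", "password": password,
            "status": "active", "roles": list(roles)}


def design(prefix):
    """prefix is docker-protect or docker-private. pull = browse/read on the hosted
    repo and on docker-central; push = add/edit/read on the hosted repo, no delete."""
    hosted = f"{prefix}-hosted"
    pull = role(f"{prefix}-pull", [privilege(hosted, "browse"), privilege(hosted, "read"),
                                   privilege("docker-central", "browse"),
                                   privilege("docker-central", "read")])
    push = role(f"{prefix}-push", [privilege(hosted, "add"), privilege(hosted, "edit"),
                                   privilege(hosted, "read")])
    return pull, push


def audit(roles):
    """Findings that break the design; an empty list means the roles are clean."""
    findings = []
    for r in roles:
        owner = r["id"].rsplit("-", 1)[0]  # docker-protect or docker-private
        allowed_repos = {f"{owner}-hosted", "docker-central"}
        actions, repos = set(), set()
        for p in r["privileges"]:
            m = PRIV_RE.match(p)
            if not m:
                findings.append(f"{r['id']}: {p} is not a repository-view privilege")
                continue
            actions.add(m["action"])
            repos.add(m["repo"])
        if r["id"].endswith("-pull") and actions & WRITE_ACTIONS:
            findings.append(f"{r['id']}: pull role grants {sorted(actions & WRITE_ACTIONS)}")
        if actions & {"delete", "*"}:
            findings.append(f"{r['id']}: grants delete or wildcard access")
        if repos - allowed_repos:
            findings.append(f"{r['id']}: reaches into {sorted(repos - allowed_repos)}")
    return findings


def post(path, body, admin_user, admin_password):
    """POST one JSON body to Nexus with HTTP basic auth; returns the status code."""
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        NEXUS_URL + path, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def provision(admin_user, admin_password):
    """Create both hosted repos, the four roles and one partner user, refusing to
    apply a role set that fails the audit."""
    repos = [hosted_docker_repo("docker-protect-hosted", 8082, "docker-protect"),
             hosted_docker_repo("docker-private-hosted", 8083, "docker-private")]
    roles = [*design("docker-protect"), *design("docker-private")]
    problems = audit(roles)
    if problems:
        raise ValueError("refusing to apply roles: " + "; ".join(problems))
    partner = user("partner-ci", "CHANGE-ME", ["docker-protect-pull", "docker-protect-push"])
    for body in repos:
        post("/service/rest/v1/repositories/docker/hosted", body, admin_user, admin_password)
    for body in roles:
        post("/service/rest/v1/security/roles", body, admin_user, admin_password)
    return post("/service/rest/v1/security/users", partner, admin_user, admin_password)
```

The audit is the part worth keeping even if you provision by hand: a pull role that picks up an add/edit privilege, any role with delete or a wildcard, or a docker-private role that reaches into docker-protect-hosted is exactly the kind of drift that turns a "semi-public" partner account into a write path into the private repository.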
Front-end nginx reverse proxy
server {
    listen 443 ssl;
    server_name docker.liming.pub;
    root /usr/share/nginx/html;
    index index.html index.htm;
    ssl_certificate cert/liming.pem;
    ssl_certificate_key cert/liming.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated; on a current nginx restrict this to TLSv1.2 TLSv1.3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    proxy_redirect http:// $scheme://;
    port_in_redirect on;
    location / {
        # docker-protect-hosted listens on 8082; docker-private-hosted (8083) is not exposed here
        proxy_pass http://192.168.x.xx:8082;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
        # Nexus derives the scheme of the URLs it advertises (including the bearer-token realm) from this header
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        # image layers are large; without this nginx answers pushes with 413
        client_max_body_size 1000m;
    }
}
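Three things in that server block decide whether `docker login` and `docker push` work safely through the proxy: the forwarded scheme (the registry builds the token realm in its `WWW-Authenticate` challenge from it), the TLS versions offered, and the upload size limit. The following is an added example, not code from the post or from nginx: a minimal directive parser plus a lint that checks those three points. `NGINX_CONF` is a constructed copy of the page's block, with the upstream address kept as the page's placeholder; the parser handles only the simple nested-block layout seen here.

```python
"""Lint the nginx server block that fronts the registry. Added example, not the
post's or nginx's code: a minimal directive parser plus three checks that matter
for a Docker registry behind a TLS-terminating proxy. NGINX_CONF is a constructed
copy of the page's block (upstream address kept as the page's placeholder)."""
import re
from collections import defaultdict

NGINX_CONF = """
server {
    listen 443 ssl;
    server_name docker.liming.pub;
    ssl_certificate cert/liming.pem;
    ssl_certificate_key cert/liming.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://192.168.x.xx:8082;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        client_max_body_size 1000m;
    }
}
"""
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf):
    """Flatten nginx config into (context, name, args) triples. Strips '#' comments
    and tracks nested blocks with a stack; enough for server/location blocks."""
    out, stack = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].split()[0])  # block keyword: server, location, ...
        elif line == "}":
            stack.pop()
        else:
            for stmt in line.rstrip(";").split(";"):
                name, *args = stmt.split()
                out.append(("/".join(stack), name, args))
    return out


def lint_registry_proxy(conf):
    """Return findings; an empty list means the block passes all three checks."""
    findings = []
    by_name = defaultdict(list)
    for ctx, name, args in parse_directives(conf):
        by_name[name].append((ctx, args))
    for ctx, args in by_name["ssl_protocols"]:
        weak = DEPRECATED_TLS.intersection(args)
        if weak:
            findings.append(f"{ctx}: ssl_protocols enables deprecated {sorted(weak)}")
    for ctx, args in by_name["proxy_pass"]:
        headers = {a[0]: a[1:] for c, a in by_name["proxy_set_header"] if c == ctx}
        # The registry takes the scheme of the URLs it advertises (token realm included)
        # from X-Forwarded-Proto; behind a 443 listener both "https" and "$scheme" are fine.
        if headers.get("X-Forwarded-Proto") not in (["https"], ["$scheme"]):
            findings.append(f"{ctx}: X-Forwarded-Proto is not https (token realm would be http)")
        if "Host" not in headers:
            findings.append(f"{ctx}: Host header is not forwarded to the registry")
        if not any(c == ctx for c, _ in by_name["client_max_body_size"]):
            findings.append(f"{ctx}: client_max_body_size not raised; large layer pushes get 413")
    return findings


if __name__ == "__main__":
    for finding in lint_registry_proxy(NGINX_CONF) or ["no findings"]:
        print(finding)
```

Run against the page's own block, the only finding is the deprecated TLS versions; dropping the `X-Forwarded-Proto https` line produces the second finding, which in practice shows up as a `docker login` that is redirected to an `http://` token realm on port 443 and fails.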
Client usage
- Log in:
  docker login docker.liming.pub
- Pull and push images:
  docker pull docker.liming.pub/nginx
  docker push docker.liming.pub/nginx