Configuring containerd for a container image registry with authentication

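Background

It is perfectly normal for an internal enterprise container image registry to require credentials, and containerd supports registries that require authentication.

Environment

  • Registry address: http://hub.vqiu.cn
  • Username: vqiu
  • Password: vqiu

Implementation steps

docker-registry

Set up simple authentication for the docker-registry service.

  • Create a user for Basic authentication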
USERNAME=vqiu
PASSWORD=vqiu
htpasswd -Bnb "$USERNAME" "$PASSWORD" > /etc/docker-registry/.htpasswd
chmod 0600 /etc/docker-registry/.htpasswd

  • Enable authentication
auth:
  htpasswd:
    realm: registry
    path: /etc/docker-registry/.htpasswd

  • Request the catalog without credentials to test
# curl hub.vqiu.cn/v2/_catalog
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
The registry asks for credentials, which is what we wanted.

Containerd configuration

Generate the token

# USERNAME=vqiu
# PASSWORD=vqiu
# echo -n "${USERNAME}:${PASSWORD}" | base64
dnFpdTp2cWl1

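Add the configuration

containerd reads per-registry settings from a file named hosts.toml inside a directory named after the registry host, under the directory set as the registry config_path in /etc/containerd/config.toml (/etc/containerd/certs.d here).

mkdir -p /etc/containerd/certs.d/hub.vqiu.cn
cat > /etc/containerd/certs.d/hub.vqiu.cn/hosts.toml <<EOF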
server = "http://hub.vqiu.cn"

[host."http://hub.vqiu.cn"]
  capabilities = ["pull", "resolve", "push"]

[host."http://hub.vqiu.cn".header]
  authorization = "Basic dnFpdTp2cWl1"
EOF

Restart the containerd service

# systemctl restart containerd

Image pull test

# crictl pull hub.vqiu.cn/prometheus:v3.2.1
Image is up to date for sha256:503e04849f1c820b73ed19f348cb8da0c9728f38b6a4f68eb68d8c3eb0e1869f
Wonderful!
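
The token and hosts.toml steps above, combined into one script with two checks on the resulting file; this is an added example, not code from the original post. The function names and the scratch directory used in the demo are assumptions, and the check goes slightly beyond the post by flagging a credential header configured for an http:// server or left readable by other users.

```shell
#!/bin/sh
# Added example (not from the original post): token + hosts.toml in one step.

basic_token() {    # $1=user $2=password -> base64("user:password")
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

write_hosts_toml() {    # $1=certs.d dir  $2=server URL  $3=user  $4=password
    server=$2
    host=${server#*://}; host=${host%%/*}    # registry host without scheme/path
    file=$1/$host/hosts.toml
    token=$(basic_token "$3" "$4")
    (
        umask 077    # file holds a reusable credential: owner-only from creation
        mkdir -p "$1/$host"
        cat > "$file" <<EOF
server = "$server"

[host."$server"]
  capabilities = ["pull", "resolve", "push"]

[host."$server".header]
  authorization = "Basic $token"
EOF
    )
    printf '%s\n' "$file"
}

check_hosts_toml() {    # $1=hosts.toml path; prints one line per finding
    grep -qi '^ *authorization *=' "$1" || return 0
    if grep -q '^server *= *"http://' "$1"; then
        echo "plain-http: Basic credential is sent unencrypted to the registry"
    fi
    if [ -n "$(find "$1" \( -perm -040 -o -perm -004 \))" ]; then
        echo "permissions: file is readable by group or others"
    fi
    return 0
}

# Demo against a scratch directory (assumption: /etc/containerd is left untouched).
demo_dir=$(mktemp -d)
demo_file=$(write_hosts_toml "$demo_dir" "http://hub.vqiu.cn" vqiu vqiu)
cat "$demo_file"
check_hosts_toml "$demo_file"
rm -rf "$demo_dir"
```

To write the real file, pass /etc/containerd/certs.d as the first argument of write_hosts_toml.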