curl 访问 private registry 的 api 获取所有镜像
司用 harbar(版本 v1.2.2, v2.x 的版本没有这个问题,v2.3.4 上面测试过滴) 搭建了 docker 的 registry,想一目了然的知道有哪些镜像,但是又不想登录到 harbar 的 ui 在 n 个项目中一个一个看 , 故采用 curl 命令来参看所有的镜像,结果告知 UNAUTHORIZED, 用户名和密码不用怀疑,肯定对的哈。
$ curl -s --user "$U" 172.30.3.149/v2/_catalog | jq
{
"errors": [
{
"code": "UNAUTHORIZED",
"message": "authentication required",
"detail": [
{
"Type": "registry",
"Class": "",
"Name": "catalog",
"Action": "*"
}
]
}
]
}
查阅了 Token Authentication Specification ,终找到解决之道。
$ curl -i -s --user "$U" 172.30.3.149/v2/_catalog
HTTP/1.1 401 Unauthorized
Server: nginx/1.11.13
Date: Thu, 28 Oct 2021 10:04:39 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 145
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
Set-Cookie: beegosessionID=430baef41ded23499b5147002b854089; Path=/; HttpOnly
Www-Authenticate: Bearer realm="http://172.30.3.149/service/token",service="harbor-registry",scope="registry:catalog:*"
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
原来认证的地址是 Www-Authenticate: Bearer realm="http://172.30.3.149/service/token",service="harbor-registry",scope="registry:catalog:*",那重新拼接一下 URL 呗。
url="http://172.30.3.149/service/token?service=harbor-registry&scope=registry:catalog:*"
# 重新拼接 url
$ url="http://172.30.3.149/service/token?service=harbor-registry&scope=registry:catalog:*"
# 获取 token
$ curl -s --user "$U" $url
{
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlBMWE06V0tSSDpJNVVHOkJNSDU6WUgyRjpSQlNIOlJYQVY6SzRCRjpXWVhOOkpJSzY6RjRRRjpJQzNSIn0.eyJpc3MiOiJoYXJib3ItdG9rZW4taXNzdWVyIiwic3ViIjoiYWRtaW4iLCJhdWQiOiJoYXJib3ItcmVnaXN0cnkiLCJleHAiOjE2MzU0MTc2OTcsIm5iZiI6MTYzNTQxNTg5NywiaWF0IjoxNjM1NDE1ODk3LCJqdGkiOiJXRExPZmJhOHdFUkdmM0prIiwiYWNjZXNzIjpbeyJ0eXBlIjoicmVnaXN0cnkiLCJuYW1lIjoiY2F0YWxvZyIsImFjdGlvbnMiOlsiKiJdfV19.kzkUPLEp2t0m9_ZA8v7JvrJBJTg51s6JqqqLnpOlnLss4U4HwO0nUzV-0nxTTMl8yddihNl2_C2QKN3K0kVgfKGfaJxaP9BEiC6P579PRA5aVp3XlBJScm2GRFfHlgMMABHl3nV5snPNdA0x-uF7eCWZZTicjkzaJ9AfBTVcV6eWOnCfh57d_Y7z_m1jIZX8cFI3oHTVWfLBt506gB4TOWsgP4RDFG6sVfRbE0tLu5rvfwRSWDusZ2C9h3W8-7RfWyq-FIXsGYJZ5NsFsoqsNhHTUSKk6FksoQHeMqfcE3RiAWaOmymD9yqLcglTC1hP694JZT2NAuI9UprC5l4lU4JM_TGfI6NWRJqJv8qvnpF199exw_ZR004h2FRXVDPduml4-hVkZnLU1ay_G_OW8_mEOFqkoVNI36Ad_gbK4O8GZEG6B2qV8ogRpQedTkaGrzOK-imcfDqgoGx8Rs_W1nQepXUJuBZ9XrEBitY2CE14MhnxfpC_UM4OHN_PpCzGfbkyKUsRQAPz3EcRUgnSDju7SQOR3XVZaQ3t2r1g67fO_XExGJJiHvY33gsGGzF5huiiLBdLqCmu8p3NnD9dyPb4TYK_l7wQE1K9ejbjBY7AKaI2pQBg1kgyfX2ZoU1bZInixSGVVhF06Z4G11-2tby5Liu_AI5mP59_TI3mtd0",
"expires_in": 1800,
"issued_at": "2021-10-28T10:11:37Z"
}
$ curl -s --user "$U" $url | jq -r .token
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlBMWE06V0tSSDpJNVVHOkJNSDU6WUgyRjpSQlNIOlJYQVY6SzRCRjpXWVhOOkpJSzY6RjRRRjpJQzNSIn0.eyJpc3MiOiJoYXJib3ItdG9rZW4taXNzdWVyIiwic3ViIjoiYWRtaW4iLCJhdWQiOiJoYXJib3ItcmVnaXN0cnkiLCJleHAiOjE2MzU0MTc3MTgsIm5iZiI6MTYzNTQxNTkxOCwiaWF0IjoxNjM1NDE1OTE4LCJqdGkiOiJrVTJBV1N6MEFiMEF3SU1FIiwiYWNjZXNzIjpbeyJ0eXBlIjoicmVnaXN0cnkiLCJuYW1lIjoiY2F0YWxvZyIsImFjdGlvbnMiOlsiKiJdfV19.FIgZeQfh6x5vocEQgmDQwwvGo1hvf-djzbaIIHZ6CBhCmHx0SSzXH3IQMBjF7WppOb4iggyTegp8nHi7RmTAPhqsP4axnDVpQjxJ8iTXEw_SiLOwsepyFLtk0VQVfxg8YLj1mf3sR4AXlD1C_kS4ltYNbGBc94HpM1vllzZAjvp3_e4R2Tex--4dbWYM39sr4qcvU8xdT1LfjoI0PvKjhxMjeAUGhzzt9P1l3bnqSKNZNEuCerWJ1A3n0hIttw3b3PjX8rJ8LMCiWxCzFefLmaem4-llIk66EvqALK7fd2fBF4WWkTm4tsasjnYMU3OLsPFREWJDhxvOHsf58OIvtb8VKyjmN-TmzXNGD8VBL7yHkZ_uXHrvv-EtzMqkXdMl_uU5XZo6DCSbKrGoykLF_JsefdB925G46QI4iWmDgDr1xuJJutqwss6QMBvG8Y-389PSY9mXZsLrMIFqRLMBT8pQhXF-BKwn2K7GQRlHq5uHTNQV-0QJoI2hyiUapNOEy_Pk6KG67Q9ow9gtOV3WFmYpiamd4rhKUlukPoThwplMpayIQnhW_v5y4K1lZybRQb0yNme14zuZHlklrEQ0N4_kHBCWL9Mq9Y5bAG1H0Ncbmb2PZ3wDLaujwhVxdPlVq-N26PllZYv5NfR0NQJIwqzZj4ccMPDcdXyPD9_g29Y
$ T=$(curl -s --user "$U" $url | jq -r .token)
$ echo $T
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlBMWE06V0tSSDpJNVVHOkJNSDU6WUgyRjpSQlNIOlJYQVY6SzRCRjpXWVhOOkpJSzY6RjRRRjpJQzNSIn0.eyJpc3MiOiJoYXJib3ItdG9rZW4taXNzdWVyIiwic3ViIjoiYWRtaW4iLCJhdWQiOiJoYXJib3ItcmVnaXN0cnkiLCJleHAiOjE2MzU0MTc3NTAsIm5iZiI6MTYzNTQxNTk1MCwiaWF0IjoxNjM1NDE1OTUwLCJqdGkiOiJFNWsyVmVxSWtBM1lrQzNWIiwiYWNjZXNzIjpbeyJ0eXBlIjoicmVnaXN0cnkiLCJuYW1lIjoiY2F0YWxvZyIsImFjdGlvbnMiOlsiKiJdfV19.iX9gOG2G7nirBnO7FNDQRkp0PRm2YtjuIUIdvWVUSQL4zRuttYtCusFGK_rvnn8as2gMTLqlIAApurdj7IRPdNsatxy8NZTtUT3VWRXQYIZN9IM6KDplKQ2itWNX--szN9iDWmraEQaKpUXsd4EbL4W33Xj-r_Wv1N6bpGKJNBL53GhLC6kQJkSaFBvInY6FR8yvp7_DBuW6vczH-JXBnOfyjuzMBQF06gV3HB7L8cW4h7eqreREMpjZ9DmCbfnvkUJtD7IU3YqMm4q-5T6GmAZkpCBqUrjOE8M1hmKuEURgHXE_mJK46t0it92ZvK6guUXkvKU6chnvh-kwFczxETldc7yo-E0VCb1Qu_rIRTgKMVmwKr5I6lMpUmNNGxmgflahn_0e3KZc0YLuAyDBSozxO1rr1MJEgLg1Sp5Iq9dqa2-qwky4LQRF-H_7o4CVVZcwveBLMqWOTnjuokch7yY8d1PbUQvt8GBTf6bwTvhKZsl5vH5p7eZDQl9K_7dvxLoeoMLfY1b-13S8YgaPGmLUwtVRNKMpEG6SC5dkQn7l4negDt7O4ZrrDCD5nFnugp4Es_VE8qbpEQRhtX3_GnmKwp8rxGSjMhie5uVmwVXA8VEFZmlyJlmF1UhAdjq65473aYvBLUR2nguz3Ut0LtkzbU71r5Q-lUbWB0ekYa8
token 在手, registry 的一切我有。
$ curl -s -H "Authorization: Bearer $T" 172.30.3.149/v2/_catalog
### 此处省略镜像输出,但是可以看到肯定是有镜像的。
$ curl -s -H "Authorization: Bearer $T" 172.30.3.149/v2/_catalog | jq | wc -l
100啊哈。到此为止了吧,目的已经达到了,也可以用获取到的 token 去访问任意的 registry api 哟。