
Overview

Docker normally expects the Docker registry to communicate over HTTPS. As a result, the Docker registry needs to be installed with an X.509 certificate and private key.

Installing Docker Registry and running Insecure

To install Docker registry version 2 (version 1 has been deprecated), run:

$docker run -d -p 5000:5000 --restart=always -v /reg:/var/lib/registry --name registry registry:2

As mentioned, Docker expects the registry to support HTTPS; however, the Docker service can be forced to accept an insecure (plain HTTP) connection to a given registry by editing the service start file:

vi /lib/systemd/system/docker.service

Modify the ExecStart line to append ‘--insecure-registry ip_address:5000’ at the end, e.g.

ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry ip_address:5000

Naturally, we should run the registry securely:

Creating a Self signed Certificate

$mkdir -p docker_reg_certs
$openssl req -newkey rsa:4096 -nodes -sha256 -keyout docker_reg_certs/domain.key -x509 -days 365 -addext "subjectAltName=IP:ip_address" -out docker_reg_certs/domain.crt

This generates two files: domain.key and domain.crt. The subjectAltName must contain the IP address (or DNS name) that clients use to reach the registry; Docker rejects a certificate whose SAN does not match the address it connects to.

Let’s install the certificate on both the server and the client by running these commands, where <ip_address> is the IP address of the local host:

sudo mkdir -p /etc/docker/certs.d/<ip_address>:5000
sudo cp docker_reg_certs/domain.crt /etc/docker/certs.d/<ip_address>:5000/ca.crt
sudo cp docker_reg_certs/domain.crt /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates

update-ca-certificates is a program that updates the directory /etc/ssl/certs to hold SSL certificates and generates ca-certificates.crt, a concatenated single-file list of certificates.

This should allow any client and the registry to communicate over HTTPS. We can make it more secure by requiring a username and password:

docker run -d -p 5000:5000 --restart=always --name registry \
  -v $PWD/docker_reg_certs:/certs \
  -v $PWD/docker_reg_auth:/auth -v /reg:/var/lib/registry \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -e REGISTRY_AUTH=htpasswd \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  registry:2

Verify the connection with curl, telling it to accept the self-signed certificate (-k disables certificate verification):

curl -k -v https://localhost:5000/v2/

Adding Username and Password Authentication

Use htpasswd to create a username and associated password (the registry accepts only bcrypt hashes, which is what -B produces):

$mkdir docker_reg_auth
$docker run -it --entrypoint htpasswd -v $PWD/docker_reg_auth:/auth -w /auth registry:2 -Bbc /auth/htpasswd admin password

Restart the Docker service:

$service docker restart

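A client-side verification script, added here as an example and not part of the original page: it validates the registry's TLS certificate against the CA file installed above (instead of bypassing verification with -k) and confirms that anonymous access to /v2/ is refused with a Basic challenge while the htpasswd credentials are accepted. The registry URL, CA path and credentials are command-line arguments; a TLS handshake failure (untrusted certificate or SAN mismatch) surfaces as an exception rather than being silenced.

```python
import base64
import ssl
import sys
import urllib.error
import urllib.request


def classify_v2_probe(status, headers):
    """Classify a GET /v2/ result: 'open' (anonymous access allowed),
    'basic-auth' (registry demands credentials) or 'other'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return "open"
    challenge = lowered.get("www-authenticate", "")
    if status == 401 and challenge.lower().startswith("basic"):
        return "basic-auth"
    return "other"


def probe_v2(registry_url, ca_file, user=None, password=None):
    """GET <registry>/v2/ over TLS, trusting only ca_file.
    Returns (status, headers); raises on TLS or connection errors."""
    ctx = ssl.create_default_context(cafile=ca_file)  # strict verification
    req = urllib.request.Request(registry_url.rstrip("/") + "/v2/")
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def check_registry(registry_url, ca_file, user, password):
    """Return (anonymous_class, authenticated_class).
    A correctly hardened registry yields ('basic-auth', 'open')."""
    anon = classify_v2_probe(*probe_v2(registry_url, ca_file))
    authed = classify_v2_probe(*probe_v2(registry_url, ca_file, user, password))
    return anon, authed


if __name__ == "__main__":
    # Usage: check_registry.py https://<ip_address>:5000 docker_reg_certs/domain.crt admin password
    url, ca, usr, pw = sys.argv[1:5]
    result = check_registry(url, ca, usr, pw)
    print("anonymous:", result[0], "| authenticated:", result[1])
    sys.exit(0 if result == ("basic-auth", "open") else 1)
```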
docker_registry.txt · Last modified: 2019/12/15 04:56 by root