Deploy a Docker registry with ‘Secured’ and ‘Authenticated’ enabled

This page shows how to create a self-signed certificate and a set of basic-authentication credentials. With them, you can deploy a Docker registry that is ‘secured’ (TLS), ‘authenticated’ (htpasswd) and externally accessible.

Steps

  1. Create a base directory for the Docker registry and move into it
     • mkdir ~/docker_registry
     • cd ~/docker_registry
  2. Create a self-signed certificate for the registry
     • Command
       • mkdir certs   # make a directory for the certificate and key
       • openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt -subj "/C=KR/ST=Seoul/L=Seongbuk/O=Korea University, Inc/CN=ie.korea.ac.kr/emailAddress=all4dich@gmail.com"
     • Change the CN value to the hostname that clients will use to reach the registry
  3. After creating them, copy ‘certs/domain.crt’ to each client host as /etc/docker/certs.d/HOST_NAME:PORT/ca.crt
  4. Create the basic authentication credentials
     • Command
       • mkdir auth   # the htpasswd file must live in a directory that is mounted into the container
       • docker run --entrypoint htpasswd registry:2 -Bbn john.doe john.password >> auth/htpasswd
  5. Start the Docker registry
     • Command
       • REG_NAME="registry_auth"
         docker rm -f $REG_NAME
         docker run -d -p 5001:5001 --restart=always --name $REG_NAME \
           -v `pwd`/certs:/certs \
           -v `pwd`/auth:/auth \
           -v `pwd`/data_nontls:/var/lib/registry \
           -e REGISTRY_HTTP_ADDR="0.0.0.0:5001" \
           -e "REGISTRY_AUTH=htpasswd" \
           -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
           -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
           -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
           -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
           registry:2
     • REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY take the absolute paths of the certificate and key files inside the container
     • REGISTRY_HTTP_ADDR sets the IP address and port the registry listens on inside the container
     • The ‘-p’ option maps the container’s internal port to an external port on the host
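To confirm that the registry started in step 5 really enforces both properties, here is an added Python check (written for this page, not part of the original post). It assumes the registry is reachable as HOST:5001, that certs/domain.crt is the CA file from step 2, and that the john.doe account from step 4 exists; the verification logic is separated from the network calls so it can be tested on its own.

```python
"""Verify a TLS + htpasswd Docker registry: CA pinning, anonymous denied, credentials accepted."""
import base64
import ssl
import urllib.error
import urllib.request


def basic_auth_header(user, password):
    """Build the Authorization value the Docker daemon sends after a Basic challenge."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_www_authenticate(value):
    """Parse 'Basic realm="Registry Realm"' into {'scheme': 'Basic', 'realm': 'Registry Realm'}."""
    scheme, _, params = value.strip().partition(" ")
    out = {"scheme": scheme}
    for part in params.split(","):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip().strip('"')
    return out


def fetch(url, context, auth=None):
    """GET url over the pinned TLS context; return (status, headers) even for 4xx/5xx."""
    req = urllib.request.Request(url, headers={"Authorization": auth} if auth else {})
    try:
        with urllib.request.urlopen(req, context=context, timeout=10) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.headers


def verdict(anon_status, anon_www_auth, auth_status):
    """Judge the probe pair: anonymous must get 401 + Basic challenge, credentials must get 200."""
    if anon_status != 401:
        return f"FAIL: anonymous request got {anon_status}, registry is not enforcing auth"
    if parse_www_authenticate(anon_www_auth or "").get("scheme") != "Basic":
        return "FAIL: 401 without a Basic challenge (REGISTRY_AUTH misconfigured?)"
    if auth_status != 200:
        return f"FAIL: valid credentials got {auth_status} (check the htpasswd entry)"
    return "OK: TLS verified against CA, anonymous denied, credentials accepted"


def check_registry(host, port, cafile, user, password):
    """Probe /v2/ twice, trusting only the self-signed certificate (domain.crt) as CA."""
    ctx = ssl.create_default_context(cafile=cafile)  # any other certificate is rejected
    url = f"https://{host}:{port}/v2/"
    anon_status, anon_hdrs = fetch(url, ctx)
    auth_status, _ = fetch(url, ctx, basic_auth_header(user, password))
    return verdict(anon_status, anon_hdrs.get("WWW-Authenticate"), auth_status)
```

Run it as `check_registry("ie.korea.ac.kr", 5001, "certs/domain.crt", "john.doe", "john.password")` from the registry directory; a hostname that does not match the certificate’s CN raises an SSL error before any probe is made, which is the expected behaviour of a pinned client.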

Comments

  • If you want to restrict access, you have to use an authentication mechanism together with a TLS-enabled Docker registry
    • TLS only encrypts the data exchanged between the registry and the Docker daemon; it does not restrict access by itself
  • The Docker daemon’s ‘insecure-registries’ setting allows a registry to be reached over plain HTTP or over HTTPS without certificate verification
  • You have to use a domain name as the ‘CN=*’ value when creating the self-signed certificate.


Author: all4dich