Deploy a Docker registry with ‘Secured’ (TLS) and ‘Authenticated’ enabled

This page shows how to create a self-signed certificate and basic-authentication credentials. With them, you can deploy a Docker registry that is ‘secured’ (TLS), ‘authenticated’, and externally accessible.

Steps

  1. Create a base directory for the Docker registry and move into it
    • mkdir ~/docker_registry && cd ~/docker_registry
  2. Create a self-signed certificate for the registry
      • command
        • mkdir certs # Make a directory where you store the certificate and key
        • openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt -subj "/C=KR/ST=Seoul/L=Seongbuk/O=Korea University, Inc/CN=ie.korea.ac.kr/emailAddress=all4dich@gmail.com"
      • Change the CN value to the hostname you want; clients will only trust the certificate for that name
  3. After creating them, copy ‘certs/domain.crt’ to each client host as /etc/docker/certs.d/HOST_NAME:PORT/ca.crt, where HOST_NAME:PORT is exactly how the client addresses the registry (e.g. ie.korea.ac.kr:5001)
  4. Create the basic-authentication credentials
    • Command
      • mkdir auth # The registry reads the htpasswd file from this directory
        docker run --entrypoint htpasswd registry:2 -Bbn john.doe john.password >> auth/htpasswd
    • ‘-B’ selects bcrypt, the only hash the registry accepts in an htpasswd file
    • Newer registry:2 images (2.7 and later) no longer ship the htpasswd binary; any image that carries it (for example httpd:2) can be used as the --entrypoint source instead
  5. Start the docker registry
    • Command
      • REG_NAME="registry_auth"
        docker rm -f $REG_NAME
        docker run -d -p 5001:5001 --restart=always --name $REG_NAME \
        -v `pwd`/certs:/certs \
        -v `pwd`/auth:/auth \
        -v `pwd`/data_nontls:/var/lib/registry \
        -e REGISTRY_HTTP_ADDR="0.0.0.0:5001" \
        -e "REGISTRY_AUTH=htpasswd" \
        -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
        -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
        registry:2
    • REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY take the certificate and key file’s absolute paths inside the container (the /certs mount above); note the space before each trailing backslash, otherwise the next ‘-e’ is glued onto the value
    • REGISTRY_HTTP_ADDR takes the IP and port the registry listens on inside the container
    • The ‘-p’ parameter maps that internal container port to an external port on the host

Comments

  • If you want to restrict access, you have to combine an ‘authentication mechanism’ with the TLS-enabled Docker registry
    • TLS only encrypts the data between the registry and the Docker daemon; it does not restrict access by itself
  • The daemon’s ‘insecure-registries’ option can be used for plain HTTP, or for HTTPS with a certificate the daemon does not trust
  • Use the registry’s domain name as ‘CN=*’ when creating the self-signed certificate. Recent Docker clients (built with Go 1.15 or later) verify the hostname against the certificate’s subjectAltName rather than the CN, so add the same name as a DNS SAN as well.
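As an added check (example code written for this page, not part of the original post or the registry project), the following Python client probes a registry deployed as in the steps above. It trusts the copied domain.crt as CA, sends an anonymous GET /v2/ and expects a 401 with a Basic challenge carrying the REGISTRY_AUTH_HTPASSWD_REALM value, then repeats the request with john.doe's credentials and expects 200. It makes the comment above concrete: a registry that has TLS but no REGISTRY_AUTH would come back as ‘OPEN’. Host, port, CA path and credentials are command-line arguments; the 401-plus-WWW-Authenticate behaviour of /v2/ is the registry:2 image's standard htpasswd behaviour, not something this script configures.

```python
"""Probe a TLS + htpasswd Docker registry and report whether auth is enforced.
Added example for this page; not the original author's code."""
import base64
import http.client
import ssl
import sys
from typing import Optional


def basic_auth_header(user: str, password: str) -> str:
    """Build the value of an HTTP Basic 'Authorization' header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_realm(www_authenticate: Optional[str]) -> Optional[str]:
    """Return the realm from a 'Basic realm="..."' challenge, else None.

    A registry with REGISTRY_AUTH=htpasswd answers an anonymous GET /v2/ with
    401 and this header; the realm is the REGISTRY_AUTH_HTPASSWD_REALM value."""
    if not www_authenticate:
        return None
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == "realm":
            return value.strip().strip('"')
    return None


def verdict(unauth_status: int, realm: Optional[str], auth_status: int) -> str:
    """Classify the anonymous and authenticated probes into one result line."""
    if unauth_status == 200:
        return "OPEN: registry accepts unauthenticated requests (REGISTRY_AUTH not applied)"
    if unauth_status != 401 or realm is None:
        return f"UNEXPECTED: anonymous probe returned {unauth_status} without a Basic challenge"
    if auth_status == 200:
        return f"OK: Basic auth enforced (realm {realm!r}), credentials accepted"
    if auth_status == 401:
        return f"AUTH FAILED: Basic auth enforced (realm {realm!r}) but credentials were rejected"
    return f"UNEXPECTED: authenticated probe returned {auth_status}"


def probe_registry(host: str, port: int, ca_file: str, user: str, password: str) -> dict:
    """GET /v2/ twice over TLS, once anonymously and once with credentials.

    ca_file is the domain.crt copied from the registry host (the same file that
    goes to /etc/docker/certs.d/HOST:PORT/ca.crt). Hostname verification stays
    on, so a certificate whose name does not match `host` raises ssl.SSLError
    here just as the Docker daemon would refuse it."""
    ctx = ssl.create_default_context(cafile=ca_file)

    def get(headers: dict) -> tuple:
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
        try:
            conn.request("GET", "/v2/", headers=headers)
            resp = conn.getresponse()
            resp.read()
            return resp.status, resp.getheader("WWW-Authenticate")
        finally:
            conn.close()

    unauth_status, challenge = get({})
    realm = parse_basic_realm(challenge)
    auth_status, _ = get({"Authorization": basic_auth_header(user, password)})
    return {
        "unauthenticated_status": unauth_status,
        "realm": realm,
        "authenticated_status": auth_status,
        "verdict": verdict(unauth_status, realm, auth_status),
    }


if __name__ == "__main__":
    # Usage: python3 probe_registry.py ie.korea.ac.kr 5001 certs/domain.crt john.doe john.password
    host, port, ca_file, user, password = sys.argv[1:6]
    for key, value in probe_registry(host, int(port), ca_file, user, password).items():
        print(f"{key}: {value}")
```

Run it from the client host that received ca.crt; an ssl.SSLError at the first request means the certificate's name or the CA file does not match what the Docker daemon will see, which is worth fixing before any `docker login`.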

Dockerfile to make a Gnome environment

FROM ubuntu:12.04.5
MAINTAINER Sunjoo Park

# Point apt at the ftp.daum.net mirror instead of archive.ubuntu.com, keeping a backup of the original list
RUN cp /etc/apt/sources.list /etc/apt/sources.list.backup
RUN sed 's/archive.ubuntu.com/ftp.daum.net/g' /etc/apt/sources.list.backup > /etc/apt/sources.list

RUN apt-get update
# Build tools, editors and network utilities for a development environment
RUN apt-get install -y --force-yes --fix-missing htop vim git wget gcc g++ autoconf make bzip2 gzip tar sudo time net-tools openssh-server openssh-client ctags groovy sshpass diffstat texinfo gawk chrpath build-essential
RUN apt-get install -y --force-yes --fix-missing cifs-utils smbclient nfs-common
# Working user with sudo; the passwords are hard-coded defaults, replace them before building an image you expose
RUN useradd -s /bin/bash -b /home -m soyul
RUN echo "soyul:lge123" |chpasswd
RUN echo "root:lge123" |chpasswd
RUN usermod -aG sudo soyul
RUN chmod 777 /tmp/*
# Allow root to log in over SSH with a password (the container is reached through sshd, see CMD)
RUN sed -i 's/PermitRootLogin without-password/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN mkdir -p /var/run/sshd
RUN apt-get install -y --force-yes language-pack-ko language-pack-ko-base
# Desktop packages, left disabled
#RUN apt-get install -y --force-yes gitg
#RUN apt-get install -y --force-yes gnome
#RUN apt-get install -y --force-yes firefox
#RUN apt-get install -y --force-yes terminator

#RUN echo "\ndaemon off;" >> /etc/nginx/nginx.conf
#RUN chown -R www-data:www-data /var/lib/nginx

WORKDIR /

EXPOSE 80
EXPOSE 8080
EXPOSE 8000
EXPOSE 22
EXPOSE 443

CMD ["/usr/sbin/sshd", "-D"]