This document explains how to secure a private Docker registry with a self-signed OpenSSL certificate and htpasswd user authentication.
Before we can use a private repository, we will need to secure it and offer user authentication. Let’s create a self-signed certificate, use the ‘registry’ container by Docker to create basic user authentication, and then copy the files where they need to go on the hosting server.
root@deb-VirtualBox:~# mkdir certs
root@deb-VirtualBox:~# mkdir auth
Make an entry in /etc/hosts with your host IP:
169.254.156.101 myregistrydomain.com
Now let me create the directory where the certificate will reside. Docker looks it up by registry address, so the directory name must match the host and port exactly.
root@deb-VirtualBox:~# mkdir -p /etc/docker/certs.d/myregistrydomain.com:5000
Please install openssl if it is not already installed.
root@deb-VirtualBox:~/certs# apt-get install openssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
openssl is already the newest version (1.0.2g-1ubuntu13.5).
0 upgraded, 0 newly installed, 0 to remove and 113 not upgraded.
Now let me create the self-signed certificate, install it as the CA for the registry address, and pull the registry Docker image.
root@deb-VirtualBox:~/certs# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /root/certs/dockerrepo.key -x509 -days 365 -out /root/certs/dockerrepo.crt -subj /CN=myregistrydomain.com
Generating a 4096 bit RSA private key
writing new private key to '/root/certs/dockerrepo.key'
root@deb-VirtualBox:~/certs# cd /etc/docker/certs.d/myregistrydomain.com:5000
root@deb-VirtualBox:/etc/docker/certs.d/myregistrydomain.com:5000# cp /root/certs/dockerrepo.crt ca.crt
root@deb-VirtualBox:/etc/docker/certs.d/myregistrydomain.com:5000# docker pull registry:2
2: Pulling from library/registry
81033e7c1d6a: Pull complete
b235084c2315: Pull complete
c692f3a6894b: Pull complete
ba2177f3a70e: Pull complete
a8d793620947: Pull complete
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
Status: Downloaded newer image for registry:2
Let me create a user and password with htpasswd from the registry image.
root@deb-VirtualBox:/etc/docker/certs.d/myregistrydomain.com:5000# cd /root
root@deb-VirtualBox:~# docker run --entrypoint htpasswd registry:2 -Bbn test password > auth/htpasswd
Now that we have the security work done for our private registry, we can deploy and configure it for use. We will test it locally, and then log in and test via a remote system.
root@deb-VirtualBox:~# docker run -d -p 5000:5000 \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dockerrepo.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/dockerrepo.key \
  -v `pwd`/auth:/auth \
  -e REGISTRY_AUTH=htpasswd \
  -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  registry:2
0d007ea4f85da395b2de25b6a6c5c1178c06e4df8cf859bf5ef5808b655c30a2
Let me pull a demo Docker image to push to the secured registry for testing.
root@deb-VirtualBox:~# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
f70adabe43c0: Pull complete
Digest: sha256:58ac43b2cc92c687a32c8be6278e50a063579655fe3090125dcb2af0ff9e1a64
Status: Downloaded newer image for busybox:latest
The image is now downloaded.
root@deb-VirtualBox:~# docker images
REPOSITORY     TAG       IMAGE ID       CREATED        SIZE
mywebserver    latest    1d666b38b200   2 days ago     330MB
mywebserver    v1        d749c49988b5   2 days ago     330MB
mywebserver1   v1        a23dab42b0ee   2 days ago     321MB
optimized      v1        dd055168eb91   2 days ago     301MB
customimage    v1        9528f83769a3   2 days ago     301MB
hello-world    latest    e38bc07ac18e   3 weeks ago    1.85kB
centos         6         70b5d81549ec   3 weeks ago    195MB
centos         latest    e934aafc2206   3 weeks ago    199MB
busybox        latest    8ac48589692a   4 weeks ago    1.15MB
registry       2         d1fd7d86a825   3 months ago   33.3MB
Now let me tag the image with the registry's name, log in, and push it to the TLS-protected, password-protected registry. The login has to come before the push, otherwise the push carries no credentials and is refused.
root@deb-VirtualBox:~# docker tag busybox myregistrydomain.com:5000/my-busybox
root@deb-VirtualBox:~# docker login myregistrydomain.com:5000
Username: test
Password:
root@deb-VirtualBox:~# docker push myregistrydomain.com:5000/my-busybox
Now let me test how we can pull the private Docker image on another host.
Make the same entry in /etc/hosts on the host that will pull the private image.
Copy ca.crt from the first host to this server, into /etc/docker/certs.d/myregistrydomain.com\:5000/
root@deb-VirtualBox2:~# cd /etc/docker
root@deb-VirtualBox2:/etc/docker# mkdir certs.d
root@deb-VirtualBox2:/etc/docker# cd /etc/docker/certs.d
root@deb-VirtualBox2:/etc/docker/certs.d# mkdir myregistrydomain.com\:5000/
root@deb-VirtualBox2:/etc/docker/certs.d# chown root:root myregistrydomain.com\:5000/ca.crt
Now we are good to test whether we can pull the image from the private registry.
root@deb-VirtualBox2:~# docker login myregistrydomain.com:5000
root@deb-VirtualBox2:~# docker pull myregistrydomain.com:5000/my-busybox
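As an added check that is not part of the original tutorial, this Python script probes the registry the way a Docker client would: it trusts only ca.crt, confirms that an anonymous request to /v2/ is refused with the Basic challenge, and confirms that the htpasswd user is accepted. The registry address, ca.crt path, realm and test credentials are assumed from the setup above.

```python
import base64
import http.client
import re
import ssl

# Assumed values, taken from this page's setup (/etc/hosts entry, certs.d path, htpasswd user).
REGISTRY = "myregistrydomain.com:5000"
CA_CERT = "/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt"
EXPECTED_REALM = "Registry Realm"

def basic_auth_header(user, password):
    """Authorization value the Docker client sends after 'docker login'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def parse_www_authenticate(value):
    """Split 'Basic realm="Registry Realm"' into ('Basic', {'realm': 'Registry Realm'})."""
    scheme, _, rest = value.strip().partition(" ")
    return scheme, dict(re.findall(r'(\w+)="([^"]*)"', rest))

def assess(anon_status, challenge, auth_status):
    """Compare observed /v2/ responses with what an htpasswd-protected registry must do.
    Returns a list of findings; an empty list means the protection is in effect."""
    findings = []
    if anon_status != 401:
        findings.append(f"anonymous GET /v2/ returned {anon_status}, expected 401")
    scheme, params = parse_www_authenticate(challenge or "")
    if scheme != "Basic":
        findings.append("no Basic challenge: REGISTRY_AUTH=htpasswd is not in effect")
    elif params.get("realm") != EXPECTED_REALM:
        findings.append(f"unexpected realm {params.get('realm')!r}")
    if auth_status != 200:
        findings.append(f"authenticated GET /v2/ returned {auth_status}, expected 200")
    return findings

def _get(conn, headers=None):
    conn.request("GET", "/v2/", headers=headers or {})
    resp = conn.getresponse()
    resp.read()  # drain the body so the keep-alive connection can be reused
    return resp

def probe(registry=REGISTRY, ca_cert=CA_CERT, user="test", password="password"):
    """Connect over TLS trusting only ca.crt (chain and hostname are verified), then test both paths."""
    host, _, port = registry.partition(":")
    ctx = ssl.create_default_context(cafile=ca_cert)
    conn = http.client.HTTPSConnection(host, int(port), context=ctx, timeout=5)
    anon = _get(conn)
    auth = _get(conn, {"Authorization": basic_auth_header(user, password)})
    conn.close()
    return assess(anon.status, anon.getheader("WWW-Authenticate"), auth.status)
```

Call probe() on the client host; an empty list means the registry enforces TLS and Basic auth as configured. Note that Go 1.15 and later no longer accept a hostname that appears only in the certificate CN, so Docker daemons built with those Go versions also need the registry name in a subjectAltName, which this OpenSSL-based check does not catch.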