DOCKER CONCEPT FOR DBA – PART 10: How to secure a private Docker registry using an OpenSSL certificate and key

This document explains how to secure a private Docker registry (repository) with a self-signed OpenSSL certificate and htpasswd user authentication.

Before we can use a private registry, we need to secure it with TLS and add user authentication. Let's create a self-signed certificate, use Docker's 'registry' image to create a basic (htpasswd) user database, and then copy the files to where they need to be on the hosting server.

root@deb-VirtualBox:~# mkdir certs
root@deb-VirtualBox:~# mkdir auth

Add an entry in /etc/hosts mapping the registry name to the host's IP. The certificate will be issued for this name, so every client must reach the registry under exactly this name, not under the raw IP.

169.254.156.101 myregistrydomain.com

Now let me create the directory where the Docker daemon looks for the registry's CA certificate. The directory name must be the registry address exactly as clients will use it, host and port included (/etc/docker/certs.d/<host>:<port>/ca.crt); a typo here means the daemon silently falls back to the system trust store and the self-signed certificate is rejected.

root@deb-VirtualBox:~# mkdir -p /etc/docker/certs.d/myregistrydomain.com:5000

Please install openssl if it is not installed

root@deb-VirtualBox:~/certs# apt-get install openssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
openssl is already the newest version (1.0.2g-1ubuntu13.5).
0 upgraded, 0 newly installed, 0 to remove and 113 not upgraded.

Now let me create the self-signed certificate and pull the registry image. The command below only sets a Common Name. That was enough for the Docker client of the time, but clients built with Go 1.15 or later ignore the CN and reject such a certificate with "x509: certificate relies on legacy Common Name field", so on a current client the certificate also needs a subjectAltName entry for myregistrydomain.com.

root@deb-VirtualBox:~/certs# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /root/certs/dockerrepo.key -x509 -days 365 -out /root/certs/dockerrepo.crt -subj /CN=myregistrydomain.com
Generating a 4096 bit RSA private key
................................................................................................................................................................++
.....................................................................................................................................................................................................++
writing new private key to '/root/certs/dockerrepo.key'


root@deb-VirtualBox:~/certs# cd /etc/docker/certs.d/myregistrydomain.com:5000

root@deb-VirtualBox:/etc/docker/certs.d/myregistrydomain.com:5000# cp /root/certs/dockerrepo.crt ca.crt
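The script below is an added example and is not part of the original post. It does the same job as the openssl command above but issues the certificate with a subjectAltName as well as a CN, using an openssl config file so that it works on the OpenSSL 1.0.2 shown above (OpenSSL 1.1.1 and later could use -addext instead). It then installs the certificate as ca.crt under the exact certs.d path the daemon expects. The host name, port, output directory and file names are taken from this post; the script name registry-cert.sh and the environment-variable overrides are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed registry certificate
# with a SAN, installed where the Docker daemon looks for it.
# Save as registry-cert.sh and run as root on the registry host.
set -eu

REGISTRY_HOST="${REGISTRY_HOST:-myregistrydomain.com}"   # assumption: overridable via env
REGISTRY_PORT="${REGISTRY_PORT:-5000}"
CERT_DIR="${CERT_DIR:-/root/certs}"
DAYS="${DAYS:-365}"

# Directory the daemon searches for a per-registry CA: /etc/docker/certs.d/<host>:<port>/ca.crt
registry_certs_dir() {
    printf '%s\n' "/etc/docker/certs.d/$1:$2"
}

# openssl request config: CN plus a DNS SAN for the same name.  Because the
# self-signed certificate is also installed as the trust anchor (ca.crt),
# mark it CA:TRUE, which is what openssl's default v3_ca section would do.
write_openssl_cnf() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_self
prompt = no
[dn]
CN = $2
[v3_self]
subjectAltName = DNS:$2
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF
}

# gen_cert HOST OUTDIR DAYS -> OUTDIR/dockerrepo.key and OUTDIR/dockerrepo.crt
gen_cert() {
    host=$1; outdir=$2; days=$3
    mkdir -p "$outdir"
    write_openssl_cnf "$outdir/openssl.cnf" "$host"
    openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days "$days" \
        -keyout "$outdir/dockerrepo.key" -out "$outdir/dockerrepo.crt" \
        -config "$outdir/openssl.cnf" 2>/dev/null
    chmod 600 "$outdir/dockerrepo.key"   # the private key must not be world-readable
}

# cert_has_san CERT HOST -> 0 if HOST appears as a DNS subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# install_ca CERT HOST PORT -> copies CERT to the daemon's certs.d location
install_ca() {
    dir=$(registry_certs_dir "$2" "$3")
    mkdir -p "$dir"
    cp "$1" "$dir/ca.crt"
    chmod 644 "$dir/ca.crt"
}

main() {
    gen_cert "$REGISTRY_HOST" "$CERT_DIR" "$DAYS"
    cert_has_san "$CERT_DIR/dockerrepo.crt" "$REGISTRY_HOST" || { echo "SAN missing" >&2; exit 1; }
    install_ca "$CERT_DIR/dockerrepo.crt" "$REGISTRY_HOST" "$REGISTRY_PORT"
    openssl x509 -in "$CERT_DIR/dockerrepo.crt" -noout -subject -dates
    echo "installed $(registry_certs_dir "$REGISTRY_HOST" "$REGISTRY_PORT")/ca.crt"
}

# Only run main when executed as registry-cert.sh, so the functions can be sourced.
case "${0##*/}" in registry-cert.sh) main ;; esac
```

The resulting dockerrepo.crt and dockerrepo.key are used by the registry container exactly as in the docker run command later in this post, and the ca.crt copy is what the client side needs; no daemon restart is required for files under certs.d.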


root@deb-VirtualBox:/etc/docker/certs.d/myregistrydoman.com:5000# docker pull registry:2
2: Pulling from library/registry
81033e7c1d6a: Pull complete
b235084c2315: Pull complete
c692f3a6894b: Pull complete
ba2177f3a70e: Pull complete
a8d793620947: Pull complete
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
Status: Downloaded newer image for registry:2

Let me create a user and password. The -B option stores the password as bcrypt, which is the only hash type registry:2 accepts; an MD5 or SHA htpasswd entry makes every login fail. The registry:2 image pulled above still ships the htpasswd binary, but registry:2 releases from 2.7 onwards no longer do, in which case run htpasswd from the httpd:2 image instead.

cd /root

root@deb-VirtualBox:~# docker run --rm --entrypoint htpasswd registry:2 -Bbn test password > auth/htpasswd

Now that we have the security work done for our private registry, we can deploy and configure it for use. We will test it locally, and then log in and test from a remote system. The realm variable is REGISTRY_AUTH_HTPASSWD_REALM; with the name misspelled the registry starts but rejects its configuration, so check the variable names carefully.

root@deb-VirtualBox:~# docker run -d --name registry -p 5000:5000 -v `pwd`/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dockerrepo.crt -e REGISTRY_HTTP_TLS_KEY=/certs/dockerrepo.key -v `pwd`/auth:/auth -e REGISTRY_AUTH=htpasswd -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2
0d007ea4f85da395b2de25b6a6c5c1178c06e4df8cf859bf5ef5808b655c30a2

Let me pull a demo image to push to the secured registry as a test

root@deb-VirtualBox:~# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
f70adabe43c0: Pull complete
Digest: sha256:58ac43b2cc92c687a32c8be6278e50a063579655fe3090125dcb2af0ff9e1a64
Status: Downloaded newer image for busybox:latest

The image is now downloaded

root@deb-VirtualBox:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
mywebserver latest 1d666b38b200 2 days ago 330MB
mywebserver v1 d749c49988b5 2 days ago 330MB
mywebserver1 v1 a23dab42b0ee 2 days ago 321MB
optimized v1 dd055168eb91 2 days ago 301MB
customimage v1 9528f83769a3 2 days ago 301MB
hello-world latest e38bc07ac18e 3 weeks ago 1.85kB
centos 6 70b5d81549ec 3 weeks ago 195MB
centos latest e934aafc2206 3 weeks ago 199MB
busybox latest 8ac48589692a 4 weeks ago 1.15MB
registry 2 d1fd7d86a825 3 months ago 33.3MB

Now let me tag the image with the registry name, log in, and push it over TLS with the password-protected account. The login must come before the push (an unauthenticated push is refused with "no basic auth credentials"), and docker login takes the registry address, not an image name.

root@deb-VirtualBox:~# docker tag busybox myregistrydomain.com:5000/my-busybox

root@deb-VirtualBox:~# docker login myregistrydomain.com:5000
Username: test
Password:

root@deb-VirtualBox:~# docker push myregistrydomain.com:5000/my-busybox
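The following check script is an added example and is not from the original post. It verifies, from the command line, the three properties the registry set up above should now have: the htpasswd file contains only bcrypt entries, the served certificate validates against the ca.crt the Docker daemon trusts, and the /v2/ endpoint answers 401 without credentials and 200 with the test user. The registry address, CA path, htpasswd path and test credentials are the ones used in this post; the script name registry-check.sh, the environment-variable overrides, and the use of curl are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): smoke-test a registry started
# with TLS (certs/dockerrepo.crt) and htpasswd auth as shown above.
# Assumes curl and openssl are installed.  Save as registry-check.sh and run it
# on the registry host or on any host that has the CA under certs.d.
set -eu

REGISTRY="${REGISTRY:-myregistrydomain.com:5000}"                 # assumption: overridable via env
CA_FILE="${CA_FILE:-/etc/docker/certs.d/$REGISTRY/ca.crt}"
HTPASSWD="${HTPASSWD:-/root/auth/htpasswd}"
CREDS="${CREDS:-test:password}"

# registry:2 only understands bcrypt entries ("user:$2y$05$...").  A file made
# by htpasswd without -B (MD5 "$apr1$" or "{SHA}") makes every login fail, so
# check the format before wondering why docker login says "unauthorized".
htpasswd_is_bcrypt() {
    [ -s "$1" ] && ! grep -vqE '^[^:]+:\$2[aby]\$[0-9]{2}\$' "$1"
}

# v2_status [USER:PASS] -> HTTP status of GET /v2/, the registry's version check.
# The registry answers 401 without valid credentials and 200 with them.
v2_status() {
    if [ -n "${1:-}" ]; then
        curl -s -o /dev/null -w '%{http_code}' --cacert "$CA_FILE" -u "$1" "https://$REGISTRY/v2/"
    else
        curl -s -o /dev/null -w '%{http_code}' --cacert "$CA_FILE" "https://$REGISTRY/v2/"
    fi
}

# The served certificate must verify against the CA file the daemon trusts and
# match the host part of the registry address (SNI is sent explicitly).
tls_ok() {
    openssl s_client -connect "$REGISTRY" -servername "${REGISTRY%%:*}" \
        -CAfile "$CA_FILE" </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

check() {
    if "$@"; then echo "ok:   $*"; else echo "FAIL: $*" >&2; exit 1; fi
}

main() {
    check htpasswd_is_bcrypt "$HTPASSWD"
    check tls_ok
    check test "$(v2_status)" = 401                        # anonymous access refused
    check test "$(v2_status "$CREDS")" = 200               # valid user accepted
    check test "$(v2_status "${CREDS%%:*}:wrong")" = 401   # wrong password refused
    # Repositories stored so far (my-busybox after the push above)
    curl -s --cacert "$CA_FILE" -u "$CREDS" "https://$REGISTRY/v2/_catalog"; echo
}

# Only run main when executed as registry-check.sh, so the functions can be sourced.
case "${0##*/}" in registry-check.sh) main ;; esac
```

If tls_ok fails but the registry is up, the usual causes are a certs.d directory name that does not match the address in REGISTRY, or a certificate issued for a different name than the one in /etc/hosts.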

Now let me test how we can pull the private image on another host.

Make the same entry in /etc/hosts on the host that will pull the image.

Copy ca.crt from the first host to this server into /etc/docker/certs.d/myregistrydomain.com:5000/ (with scp, for example). The directory name must match the registry address exactly, port included, and the daemon picks the file up without a restart.

root@deb-VirtualBox2:~# mkdir -p /etc/docker/certs.d/myregistrydomain.com:5000
root@deb-VirtualBox2:~# cd /etc/docker/certs.d/myregistrydomain.com:5000

root@deb-VirtualBox2:/etc/docker/certs.d/myregistrydomain.com:5000# chown root:root ca.crt

Now we are good to test whether we can pull the image from the private registry (not from Docker Hub)

root@deb-VirtualBox2:~# docker login myregistrydomain.com:5000

root@deb-VirtualBox2:~# docker pull myregistrydomain.com:5000/my-busybox
