Looking back now, this could be done with cert-manager and Let's Encrypt, so there would be no need to configure cert trust in the OS, and the certificate could be renewed automatically. Alas, I had no idea at the time!
This post is about configuring your own secure Docker registry as a Docker container; see this post to set up a secure Docker registry in K8s.
For more about SSL, see my blog post SSL Demystify, which covers the theory, workflow and practice.
Securing access to your Docker images is paramount. The Docker registry natively supports TLS and basic authentication, so let's set them up.
Generate Self-signed Certificate
See the Docker documentation.
```
mkdir -p /root/certs
```
Note that CN=chengdol.registry.com must be the hostname under which the registry is reached, with no port number suffix. Newer Docker daemons (built with Go 1.15 or later) ignore CN altogether and match the hostname only against the certificate's subjectAltName, so put the same hostname in a DNS SAN as well.
The parameters are explained here: openssl req creates and processes certificate signing requests, and with -x509 it emits a self-signed certificate directly instead of a CSR.
There are multiple ways to do the same thing; for a step-by-step construction of a self-signed certificate see OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs.
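Putting the certificate step together, here is an added example (my own code, not the post's or Docker's) that generates the self-signed certificate and then checks that the registry hostname is actually in it before it gets copied around. It assumes the hostname chengdol.registry.com and the output directory /root/certs from the post, a one-year validity, and OpenSSL 1.1.1 or later (for -addext); the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the self-signed
# certificate for a private registry and check that it carries the hostname
# Docker will dial. Assumed values: the hostname chengdol.registry.com from
# the post, the output directory /root/certs, and a one-year validity.
# Needs OpenSSL 1.1.1 or later for -addext.
set -e

# gen_registry_cert DOMAIN OUTDIR
# Writes OUTDIR/domain.key (unencrypted, -nodes) and OUTDIR/domain.crt.
# The hostname goes into CN and, more importantly, into subjectAltName:
# Docker daemons built with Go 1.15+ ignore CN and match on SAN only.
gen_registry_cert() {
    domain=$1
    outdir=$2
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
        -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" \
        -keyout "$outdir/domain.key" \
        -out "$outdir/domain.crt" 2>/dev/null
    chmod 600 "$outdir/domain.key"   # the key is the registry's identity
}

# cert_matches_host CRT DOMAIN
# Exit 0 when DOMAIN appears as a DNS entry in the certificate's SAN,
# 1 otherwise. Run this before copying the cert to /etc/docker/certs.d.
cert_matches_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -Eq "DNS:$2(,|\$)"
}

# Usage:
#   gen_registry_cert chengdol.registry.com /root/certs
#   cert_matches_host /root/certs/domain.crt chengdol.registry.com && echo ok
```

cert_matches_host is the check to run when a daemon reports "certificate signed by unknown authority" even though the cert is in certs.d: a cert whose SAN does not contain the hostname is rejected no matter how it is trusted.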
Setup Secure Docker Registry
See the Docker documentation.
We now have the certs folder with the crt and key created by openssl.
Start the Docker registry container with the TLS certificate:
```
docker run -d \
```
Here we override some environment variables to change the default configuration.
Also, following the Docker documentation, instruct every Docker daemon that will talk to the registry to trust the certificate. How to do this depends on your OS; on Linux:
```
mkdir -p /etc/docker/certs.d/<docker registry domain>/
```
Note that the official Docker documentation uses <docker registry domain>:5000/ as the folder name, but if you configured port 443 this fails; the Docker daemon log shows that for port 443 the :5000 suffix must not be there. The reason is that the folder name has to match the host part of the image reference exactly as you type it: chengdol.registry.com/ubuntu implies port 443 and needs no suffix, while chengdol.registry.com:5000/ubuntu (as in the basic-authentication setup below, which publishes the registry on port 5000) needs the :5000 suffix.
Something odd also happened at the time: I found that I could push even without this trust step. It turned out that an old setting in the Docker daemon JSON file had listed the registry as an insecure registry, in which case the certificate is never checked at all.
If you skip this step, docker push fails with:
```
Error response from daemon: Get https://chengdol.registry.com/v2/: x509: certificate signed by unknown authority
```
If Docker still complains about the certificate once authentication is enabled: some versions of Docker also require the certificate to be trusted at the OS level.
On RedHat, copy the certificate into the CA trust anchors, rebuild the trust store, then restart the Docker daemon:
```
cp certs/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
update-ca-trust
```
Now you can push and pull as below; no port number is needed because the client defaults to port 443:
```
docker pull ubuntu
```
So far the secure configuration is done: the Docker registry now talks HTTPS on port 443 with the Docker client. To set up basic authentication as well, see below.
Setup Basic Authentication
Warning: you cannot enable an authentication scheme that sends credentials in clear text over an unencrypted connection. You must configure TLS first for authentication to work.
Use htpasswd to create the user database (the registry accepts bcrypt entries only, so use htpasswd -B):
```
mkdir -p /root/auth
```
Then we switch back to port 5000 (note that port 443 is not used here):
```
docker run -d \
```
Do the same trust step on every Docker host: under /etc/docker/certs.d/ create a folder named <docker registry domain>:5000 (the port suffix is required because the registry is now addressed with an explicit port) and put domain.crt in it:
```
mkdir -p /etc/docker/certs.d/<docker registry domain>:5000/
```
Then you need to log in before you can push or pull. Passing the password with -p puts it in your shell history and process list; prefer --password-stdin on a real host:
```
docker login <docker registry domain>:5000 -u demo -p demo
```
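As an added example (my own code, not the post's or Docker's), here is the whole procedure from both sections as one script: the TLS-only registry on port 443 and the basic-auth registry on port 5000, together with checks for the two pitfalls described above, the certs.d folder name and the htpasswd format. It assumes certs/domain.crt and certs/domain.key already exist in the current directory, the hostname chengdol.registry.com, the user demo/demo, and the httpd:2 image as the source of the htpasswd binary; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: the TLS registry and the
# basic-auth registry as one script, plus checks for the two pitfalls the
# post describes (certs.d directory name, htpasswd format). Assumptions:
# certs/domain.crt and certs/domain.key exist in the current directory, the
# registry host is chengdol.registry.com, and the demo user is demo/demo.
set -e

# certsd_dir IMAGE_REF_OR_HOST
# Docker loads every *.crt in /etc/docker/certs.d/<host[:port]>, where
# host[:port] is the registry part of the reference exactly as typed:
#   chengdol.registry.com/ubuntu      -> certs.d/chengdol.registry.com (443 implied)
#   chengdol.registry.com:5000/ubuntu -> certs.d/chengdol.registry.com:5000
certsd_dir() {
    printf '/etc/docker/certs.d/%s\n' "${1%%/*}"
}

# htpasswd_is_bcrypt FILE
# The registry's htpasswd backend accepts bcrypt entries only ($2a$, $2b$,
# $2y$); MD5 or SHA entries from a plain "htpasswd -m" fail at login time.
htpasswd_is_bcrypt() {
    [ -s "$1" ] || return 1
    ! grep -vEq '^[^:]+:\$2[aby]\$[0-9]{2}\$.{53}$' "$1"
}

# make_htpasswd OUTDIR USER PASS
# Uses the htpasswd binary inside the httpd image so nothing is installed on
# the host; -B selects bcrypt, -n prints the entry to stdout.
make_htpasswd() {
    mkdir -p "$1"
    docker run --rm --entrypoint htpasswd httpd:2 -Bbn "$2" "$3" > "$1/htpasswd"
    htpasswd_is_bcrypt "$1/htpasswd"
}

# run_registry HOST_PORT [auth|noauth]
# Publishes the registry on HOST_PORT (443 for the TLS-only setup, 5000 for
# the basic-auth setup) with TLS from ./certs and, by default, htpasswd auth.
run_registry() {
    auth_opts=""
    if [ "${2:-auth}" = "auth" ]; then
        auth_opts="-e REGISTRY_AUTH=htpasswd -e REGISTRY_AUTH_HTPASSWD_REALM=Registry -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd"
    fi
    docker run -d --restart=always --name registry \
        -v "$PWD/certs:/certs" -v "$PWD/auth:/auth" \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
        -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
        $auth_opts \
        -p "$1:5000" registry:2
}

# trust_registry REGISTRY
# REGISTRY is host or host:port, written the same way you will tag images.
trust_registry() {
    dir=$(certsd_dir "$1")
    mkdir -p "$dir"
    cp certs/domain.crt "$dir/ca.crt"
}

# login_registry REGISTRY USER PASS
# --password-stdin keeps the password out of shell history and `ps`.
login_registry() {
    printf '%s' "$3" | docker login "$1" -u "$2" --password-stdin
}

# Usage on a host with docker:
#   make_htpasswd auth demo demo
#   run_registry 5000                        # or: run_registry 443 noauth
#   trust_registry chengdol.registry.com:5000   # or: chengdol.registry.com
#   login_registry chengdol.registry.com:5000 demo demo
#   docker tag ubuntu chengdol.registry.com:5000/ubuntu
#   docker push chengdol.registry.com:5000/ubuntu
```

certsd_dir is what resolves the 443-versus-5000 confusion from the trust step: the folder name is derived from the registry reference, not from whether authentication is enabled. htpasswd_is_bcrypt catches the other silent failure, an htpasswd file with MD5 entries that the registry refuses at login.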
Conclusion
OK, a secure Docker registry container with basic authentication is now up and running. You can push and pull after docker login.