Running the Docker Registry on localhost with an SSL certificate

In this section, we will run Docker Registry on localhost secured with TLS (commonly still referred to as SSL). Docker Engine talks to a registry over HTTPS unless that registry is explicitly configured as insecure, so even a registry on localhost has to serve TLS with a certificate that the Docker Engine trusts.

Follow these steps to run Docker Registry securely:

  1. Getting certificates: We will use a self-signed certificate for TLS. First create the certs directory, then run the openssl command. Docker Engine versions built with Go 1.15 or later no longer match the registry host name against the Common Name alone; for them, also pass `-addext "subjectAltName = DNS:myregistrydomain.com"` (OpenSSL 1.1.1 or later) so that the certificate carries a matching Subject Alternative Name:
      $ mkdir certs
      $ openssl req -newkey rsa:4096 -nodes -sha256 \
          -keyout certs/domain.key -x509 -days 365 \
          -out certs/domain.crt
      Generating a 4096 bit RSA private key
      .....................++
      ........................................
      .........++
      writing new private key to 'certs/domain.key'
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [AU]:US
      State or Province Name (full name) [Some-State]:
      Locality Name (eg, city) []:
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:
      Organizational Unit Name (eg, section) []:
      Common Name (e.g. server FQDN or YOUR name) []:myregistrydomain.com
      Email Address []:
      $
  2. Copy domain.crt into the system CA store of Ubuntu 16.04, which is /usr/local/share/ca-certificates, and refresh the store. This path and command are specific to Ubuntu (Debian) systems; Red Hat systems keep trusted anchors in /etc/pki/ca-trust/source/anchors and refresh them with update-ca-trust:
      $ sudo cp certs/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
      $ sudo update-ca-certificates

Also copy domain.crt to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt. Docker Engine looks in /etc/docker/certs.d/<host>:<port>/ for the CA certificate of each registry it talks to, so the directory name must match the registry address exactly, including the port.

Create the certs.d and myregistrydomain.com:5000 directories before copying the file.
  3. Restart Docker Engine so that it picks up the updated trust store:
      $ sudo service docker restart
  4. Docker Registry can now be started in secure mode. The certs directory is mounted into the container, and the two environment variables tell the registry which certificate and key to serve:
      $ sudo docker run -d -p 5000:5000 \
          --restart=always \
          --name registry \
          -v `pwd`/certs:/certs \
          -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
          -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
          registry:2
      Unable to find image 'registry:2' locally
      2: Pulling from library/registry
      c0cb142e4345: Pull complete
      a5002dfce871: Pull complete
      df53ce740974: Pull complete
      Digest: sha256:1cfcd718fd8a49fec9ef16496940b962e30e3927012e851f99905db55f1f4199
      Status: Downloaded newer image for registry:2
      d7c41de81343313f6760c2231c037008581adf07acceea0b3372ec2c05a5a321
      $
  5. Point myregistrydomain.com at localhost (127.0.0.1) by adding the line 127.0.0.1 myregistrydomain.com to /etc/hosts. You should then be able to tag an image with the registry name and push it to, and pull it from, the registry over TLS from the Docker host:
      docker pull ubuntu
      docker tag ubuntu myregistrydomain.com:5000/ubuntu
      docker push myregistrydomain.com:5000/ubuntu
      docker pull myregistrydomain.com:5000/ubuntu
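The whole procedure above, as an added example that is not part of the original text: a POSIX shell script that generates the certificate, installs it in the system and Docker trust stores, starts the registry and checks the TLS endpoint before anything is pushed. The REGISTRY_HOST, REGISTRY_PORT and CERT_DIR variables, the helper functions, the subjectAltName extension, the distro-family lookup and the curl check against /v2/ are assumptions added here, not steps from the book; the script expects OpenSSL 1.1.1 or later, curl, sudo and a systemd-managed Docker Engine on a Debian- or Red Hat-family host.

```shell
#!/bin/sh
# Added example (not from the book): the registry-with-TLS procedure as one script.
# Assumptions not in the original text: host/port come from REGISTRY_HOST and
# REGISTRY_PORT, the certificate gets a subjectAltName (newer Docker Engines
# reject certificates that only carry a Common Name), and the registry is
# checked with curl before any image is pushed.
set -eu

REGISTRY_HOST="${REGISTRY_HOST:-myregistrydomain.com}"
REGISTRY_PORT="${REGISTRY_PORT:-5000}"
CERT_DIR="${CERT_DIR:-$PWD/certs}"

# Directory in which Docker Engine looks for a per-registry CA certificate.
docker_certs_dir() { printf '/etc/docker/certs.d/%s:%s\n' "$1" "$2"; }

# System CA store for the distro family named in /etc/os-release (ID or ID_LIKE).
ca_store_path() {
    case "$1" in
        debian|ubuntu)      echo /usr/local/share/ca-certificates ;;
        rhel|fedora|centos) echo /etc/pki/ca-trust/source/anchors ;;
        *) echo "unsupported distro family: $1" >&2; return 1 ;;
    esac
}

# Command that refreshes the system trust store for that distro family.
ca_update_cmd() {
    case "$1" in
        debian|ubuntu)      echo update-ca-certificates ;;
        rhel|fedora|centos) echo update-ca-trust ;;
        *) return 1 ;;
    esac
}

# OpenSSL -addext value that puts the registry name into the SAN extension.
san_ext() { printf 'subjectAltName = DNS:%s\n' "$1"; }

# 1. Self-signed certificate with both CN and SAN set to the registry host name.
gen_cert() {
    mkdir -p "$CERT_DIR"
    openssl req -newkey rsa:4096 -nodes -sha256 \
        -keyout "$CERT_DIR/domain.key" -x509 -days 365 \
        -subj "/CN=$REGISTRY_HOST" \
        -addext "$(san_ext "$REGISTRY_HOST")" \
        -out "$CERT_DIR/domain.crt"
}

# 2./3. Trust the certificate system-wide and in Docker's per-registry
# directory, then restart the engine so it re-reads the system store.
install_ca() {
    family=$(. /etc/os-release; printf '%s\n' "${ID_LIKE:-$ID}" | cut -d' ' -f1)
    sudo cp "$CERT_DIR/domain.crt" "$(ca_store_path "$family")/$REGISTRY_HOST.crt"
    sudo "$(ca_update_cmd "$family")"
    dir=$(docker_certs_dir "$REGISTRY_HOST" "$REGISTRY_PORT")
    sudo mkdir -p "$dir"
    sudo cp "$CERT_DIR/domain.crt" "$dir/ca.crt"
    sudo systemctl restart docker
}

# Resolve the registry name to localhost, as the text does via /etc/hosts.
ensure_hosts_entry() {
    grep -q "[[:space:]]$REGISTRY_HOST\$" /etc/hosts || \
        echo "127.0.0.1 $REGISTRY_HOST" | sudo tee -a /etc/hosts >/dev/null
}

# 4. Start the registry serving our certificate and key.
start_registry() {
    docker run -d -p "$REGISTRY_PORT:5000" --restart=always --name registry \
        -v "$CERT_DIR:/certs" \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
        -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
        registry:2
}

# Check the chain and host name the way a TLS client does: curl must verify the
# server certificate against our CA and the /v2/ endpoint must answer 200.
verify_tls() {
    code=$(curl --silent --output /dev/null --write-out '%{http_code}' \
        --cacert "$CERT_DIR/domain.crt" "https://$REGISTRY_HOST:$REGISTRY_PORT/v2/")
    [ "$code" = 200 ]
}

# 5. Tag, push, drop the local copy and pull it back from the registry.
push_pull() {
    docker pull ubuntu
    docker tag ubuntu "$REGISTRY_HOST:$REGISTRY_PORT/ubuntu"
    docker push "$REGISTRY_HOST:$REGISTRY_PORT/ubuntu"
    docker rmi "$REGISTRY_HOST:$REGISTRY_PORT/ubuntu"
    docker pull "$REGISTRY_HOST:$REGISTRY_PORT/ubuntu"
}

# Only run the procedure when invoked as: sh registry-tls.sh run
case "${1:-}" in
    run) gen_cert; install_ca; ensure_hosts_entry; start_registry; sleep 2; verify_tls; push_pull ;;
esac
```

Run it with `sh registry-tls.sh run`; without the argument it only defines the functions, so individual steps can be sourced and re-run. The curl check uses the self-signed certificate itself as the CA, so it fails if the registry is serving a different certificate or if the name in the SAN does not match REGISTRY_HOST, which are the same conditions that make a later `docker push` fail with an x509 error.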