How to add secure registry to docker configuration - docker

I'm trying to use registry.centos.org with docker.
I've tried to add the below to /etc/docker/daemon.json as, intuitively, this would seem like the obvious place to add it, and the logical variable name.
{
    "insecure-registries": ["172.30.0.0/16"],
    "secure-registries": ["registry.centos.org"]
}
I then tried to restart the docker service, but it failed to restart.
Google provides lots of links on how to set up a secure registry, but I couldn't find any info on how to add new secure registries to the docker configuration.
Likewise the website for registry.centos.org also doesn't provide any info on how to do this.

If you are able to pull the image, then there's nothing further to do. All external registries by default are secure, which means docker will require a TLS connection and valid certificate for the registry server. The insecure registry section is to allow exceptions to this rule.
There is also the option to override the CA certificate for a registry server, which is useful if you have a self hosted registry server, with TLS, but an unknown CA. For this, you would place the CA certificate, and any intermediate certificates, in /etc/docker/certs.d/${hostname}:${port}/ca.crt e.g. /etc/docker/certs.d/registry.example.com:5000/ca.crt.
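To make the two points in the answer concrete, here is an added example in Python; it is not code from the question, the answer, or Docker itself. It checks a daemon.json the way dockerd does for the registry section (there is no "secure-registries" directive, so dockerd reports that the directive matches no configuration option and refuses to start, which is why the restart above failed; every entry under "insecure-registries" must be host[:port] or a CIDR block), and it works out the /etc/docker/certs.d/<host>:<port>/ca.crt path for a given image reference. Assumptions: the list of known top-level directives is partial, only enough for this check, and the sample daemon.json is the constructed one from the question.

```python
"""Check a daemon.json registry section and locate the per-registry CA file.

Added example, not code from the original answer or from Docker.
Assumption: KNOWN_KEYS is a partial list of daemon.json directives.
"""
import ipaddress
import json
import re
from typing import List, Optional

# Partial list of daemon.json directives (assumption: enough for this check).
KNOWN_KEYS = {
    "insecure-registries", "registry-mirrors", "log-driver", "log-opts",
    "data-root", "storage-driver", "debug", "hosts", "bip", "dns", "mtu",
    "live-restore", "exec-opts", "default-address-pools", "tls", "tlsverify",
}

# host or host:port, the form --insecure-registry and certs.d lookups use
_HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)(?::(?P<port>\d{1,5}))?$")


def _bad_registry_entry(entry) -> Optional[str]:
    """Return why an insecure-registries entry is invalid, or None if it is fine."""
    if not isinstance(entry, str):
        return f"{entry!r} is not a string"
    if "/" in entry:  # CIDR form, e.g. 172.30.0.0/16
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return f"{entry!r} is neither host[:port] nor a CIDR block"
        return None
    m = _HOST_PORT.match(entry)
    if not m:
        return f"{entry!r} is neither host[:port] nor a CIDR block"
    if m.group("port") and not 0 < int(m.group("port")) < 65536:
        return f"{entry!r} has an out-of-range port"
    return None


def check_daemon_json(text: str) -> List[str]:
    """Return the problems that would stop dockerd from starting; [] means OK."""
    problems = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"daemon.json is not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["daemon.json must be a JSON object"]

    for key in cfg:
        if key not in KNOWN_KEYS:
            # dockerd refuses to start when a directive matches no option;
            # "secure-registries" is the usual mistake here: it does not exist.
            problems.append(f"unknown directive {key!r}: dockerd will refuse to start")

    insecure = cfg.get("insecure-registries", [])
    if not isinstance(insecure, list):
        problems.append("insecure-registries must be a list")
    else:
        for entry in insecure:
            reason = _bad_registry_entry(entry)
            if reason:
                problems.append(f"insecure-registries: {reason}")
    return problems


def ca_cert_path(reference: str, certs_dir: str = "/etc/docker/certs.d") -> Optional[str]:
    """Return the ca.crt path dockerd consults for the registry of an image reference.

    The registry is the first path component when it looks like a host
    (contains '.' or ':' or is 'localhost'). References without one are on
    Docker Hub, whose certificate chains to a public CA, so None is returned.
    Without an explicit port the directory is just the host name (dockerd
    also tries <host>:443).
    """
    first, _, rest = reference.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return f"{certs_dir}/{first}/ca.crt"
    return None


if __name__ == "__main__":
    # Constructed sample: the daemon.json from the question above.
    sample = '{"insecure-registries": ["172.30.0.0/16"], "secure-registries": ["registry.centos.org"]}'
    for p in check_daemon_json(sample):
        print("daemon.json:", p)
    print(ca_cert_path("registry.example.com:5000/team/app:1.0"))
    print(ca_cert_path("registry.centos.org/centos:7"))
```

Run it against your own /etc/docker/daemon.json before restarting the daemon; on Docker 23.0 and later, `dockerd --validate` performs the authoritative version of the same check. Remember that the ca.crt file must contain the whole chain (CA plus any intermediates), and that a host listed under "insecure-registries" gets plain HTTP or unverified TLS, so keep that list to private address ranges you control.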

Related

How to Configure TLS Certs for Signing Container Images With Cosign

I'm trying to use cosign to sign container images in a local docker registry. However, when I try I keep getting the error remote error: tls: bad certificate. I'm fairly sure this is because cosign doesn't know where to find the cert files for the registry - I can push and pull from the registry just fine, and I've verified the cert chain using openssl. However, I've looked through the Github documentation and the --help info for cosign, and I can't see how to tell it which certs to use. There are the --cert and --cert-chain options, which I have tried, but as far as I can tell those basically include the certs as part of the signature rather than using them to connect to the server. Any help is appreciated!

What is the proper way of adding trust certificates to confluent kafka connect docker image

I have a kafka connect cluster (cp_kafka_connect_base) on docker, and I need to include a .pem file in order to connect to a source over TLS. It seems there are already a number of trusted certificates included in connect, so how would I add a new trusted certificate without invalidating the old ones?
Specific problem
I want to use MongoDB Source Connector, alongside a number of other connectors. As per documentation, I have imported my .pem certificate in a .jks store, and added the following envvars to my kafka connect containers:
KAFKA_OPTS="
-Djavax.net.ssl.trustStore=mystore.jks
-Djavax.net.ssl.trustStorePassword=mypass
"
This lets me connect to my data source, but invalidates other TLS connections, unless I add them all to my .jks. Since all other TLS connections work out of the box, I shouldn't need to manually import every single one of them to a .jks, just to make one connector implementation happy.
I have also tried setting:
CONNECT_SSL_TRUSTSTORE_TYPE: "PEM"
CONNECT_SSL_TRUSTSTORE_LOCATION: "myloc"
but the truststore location config isn't known, and TLS doesn't work:
WARN The configuration 'ssl.truststore.location' was supplied but isn't a known config. (org.apache.kafka.clients.consumer.ConsumerConfig:384)

docker registry v2 ui with docker_auth

I have the registry v2 container and docker_auth up and running. The registry uses a self-signed certificate which was created with my CA. I can pull and push images without any problem, so the configuration is working properly.
I would like to have a UI for this registry to browse images. I have tried many of them:
https://github.com/kwk/docker-registry-frontend not support token based auth
https://shipyard-project.com only supports v1 registries
https://github.com/SUSE/Portus looks quite heavy weight for me
https://github.com/mkuchin/docker-registry-web I configured it with my keyfile and set the issuer. But I couldn't add my repo, it always returns 401. In the docker registry I found "token intended for another audience: \"mydockerrepo:5000\"". I tried with different names but none of them worked. I checked the crt and key files and I use the correct crt-key pair.
Is there any other UI I should try?
Can somebody help me with the "audience" error message?

Publisher Public key for docker notary

I am using docker notary to establish trust in the images I download from my private docker registry. I am able to work out all of it (push, pull) quite well while I am running on one single host. However, in a multi-node (server/client) situation I am just wondering how to get the publisher's public key. This publisher key will then be run alongside the docker engine pull from a client host. Here the server host has the registry as well as the docker-notary server/signer.
Regards
Ashish
Docker Content Trust (powered by Notary) by default will perform TOFUs when downloading trust data for an image - the "s" indicating that this is over HTTPS.
If you're using standalone Notary, you can provide trust-pinning configuration to pin to a specific public key or CA against a publisher's TUF root key (though importing certs to Notary repos is WIP, and scheduled for next point release).
I encourage you to check out the relevant Notary client config information and this PR for more information about how to set this up in Notary -- Docker Content Trust integration is WIP.
I am also new to Notary and coming up to speed. My understanding of Notary (which is built on TUF) is TOFU (trust on first use). So what you need is to be able to connect over SSL to the Notary server, which will then download the publisher certs automatically. You trust what you get the first time (hence, TOFU) and then after that the publisher certs are used to validate all future verification / key updates / etc.

How to fix insecure-registry error on clients by updating the docker registry server

When upgrading to docker 1.3 the docker client produced the following error:
...
If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry <my registry>` to the daemon's arguments.
...
This registry is behind our company's firewall, so I do not wish to add any security. Is there a way to remove this error at the registry server? What is the simplest way to do this? Is it enabling https or is there a simpler trick?
I do not want to update the config for all the registry clients
You have to use https if you want to avoid this warning. Also you need a certificate signed by a known CA. Docker is trying to force security by this.
The other possibility is to use --insecure-registry when using the client.