How to you setup a private secure docker-registry.
I have installed via helm
Now how can I make it secure(TLS certs), so I can push and pull to the registry from docker and from kubernetes deployment?
I can see that there is a Helm configuration:
tlsSecretName Name of secret for TLS certs
Update - current status:
I was able to get cert-manager working and install with TLS:
helm install stable/docker-registry --set tlsSecretName=example-com-tls
I am not strong in certificates - but I am unclear about the following:
1.
Can I now create an Ingress(with a secret to cert) that will only accept incomming request with that certificate? I will look at the suggested link from #xzesstence tomorrow
2.
I guess I need to tell docker push where to find the certificate?
Maybe this(I will try this tomorrow): https://docs.docker.com/engine/security/certificates/
Check out the official Docker Tutorials
https://docs.docker.com/registry/deploying/
and especially the point
Get a certificate
So overall in short, you need to get a certificate and place it in /certs (or change the folder mount of the following docker run command -v /cert).
Also check the certificate name, either rename to domain.crt or change the filename in the docker run command
then run
docker run -d \
--restart=always \
--name registry \
-v "$(pwd)"/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p 443:443 \
registry:2
If you don't have a certificate, you can use letsencrypt
https://letsencrypt.org/
Maybe you want to checkout this startscript with letsencrypt certs. (untested from my side)
The advantage of this is, that you have the letsencrypt service integrated which can renew the license automatically
https://gist.github.com/PieterScheffers/63e4c2fd5553af8a35101b5e868a811e
Edit:
Since you are using Docker on a Kubernetes Cluster checkout this great tutorial
https://medium.com/#jmarhee/in-cluster-docker-registry-with-tls-on-kubernetes-758eecfe8254
Related
I am trying to create a secure docker registry to be used inside a development kind cluster. I am going to use a container for the registry and 3 other containers for kind workers. In order to be consistent with the production environment I want to use TLS, so I created a self signed certificate for the docker registry. I connected the containers using docker network. However, when I create a deployment based on an image from that registry, I get x509 certificate signed by unknown authority error.
I used this tutorial
containerdConfigPatches: # Enable a local image registry, placeholders automatically replaced in bootstrap script -- https://kind.sigs.k8s.io/docs/user/local-registry/
- |-
[plugins."io.containerd.grpc.v1.cri".registry.configs.my-registry.tls]
cert_file = "/etc/docker/certs.d/my-registry/domain.crt"
key_file = "/etc/docker/certs.d/my-registry/domain.key"
But it does not seem to work.
My kind version:
kind v0.17.0 go1.20 linux/amd64
The command I use to create the registry:
docker run -d \
--restart=always \
--name my-registry \
-v `pwd`/auth:/auth \
-v `pwd`/certs:/certs \
-v `pwd`/certs:/certs \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-e REGISTRY_HTTP_ADDR=0.0.0.0:80 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p 7443:80 \
registry:2
You are using a self-signed certificate for your docker registry instead of a certificate issued by a trusted certificate authority (CA). The docker daemon does not trust the self-signed certificate, which is causing the x509 error.
This may occur due to the expiration of the current certificate, due to a changed hostname, and other changes.
Verify that the $HOME/.kube/config file contains a valid certificate, and regenerate a certificate if necessary. The certificates in a kubeconfig file are base64 encoded. The base64 --decode command can be used to decode the certificate and openssl x509 -text -noout can be used for viewing the certificate information.
Unset the KUBECONFIG environment variable using:
unset KUBECONFIG
Or set it to the default KUBECONFIG location:
export KUBECONFIG=/etc/kubernetes/admin.conf
Another workaround is to overwrite the existing kubeconfig for the "admin" user:
mv $HOME/.kube $HOME/.kube.bak
mkdir $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
For more information refer to the documentation
I am first spinning up a docker container
docker run --rm -it docker:19.03.13
#/
and then run the below commands
apk update
apk add --update openssl
openssl s_client -showcerts -connect registry.somedomain.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt
cp ca.crt /usr/local/share/ca-certificates/
update-ca-certificates
systemclt restart docker <--- THIS STEP HOW TO DO IN THE DOCKER CONTAINER
docker login registry.gitlab.com
first of all, why you need docker inside docker.
A pretty good post why you should not do docker in docker link
There are some use cases where we really need. looks like in your case. as its deals with certificates.
There are some good strategies define in this link here.
Also follow this video tutorial if you really wanted to use docker in docker link
I have created a local docker registry. Steps I have followed.
Creating certificate files.
mkdir -p /etc/docker/certs.d/123.456.78.9:5000
cp domain.crt /etc/docker/certs.d/123.456.78.9:5000/ca.crt
cp domain.crt /usr/local/share/ca-certificates/ca.crt
update-ca-certificates
Installed Docker registry, as given in official guide
docker run -d -p 5000:5000 --restart=always --name registry -v $PWD/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e
REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2
Pulling and pushing Docker images :
docker pull ubuntu:16.04
docker tag ubuntu:16.04 mydocker_registry/my_ubuntu
docker push mydocker_registry/my-ubuntu
My image push tries to access docker.io, so error is obvious.
The push refers to repository [docker.io/mydocker_registry/my_ubuntu]
03901b4a2ea8: Preparing
denied: requested access to the resource is denied
My /etc/hosts file looks like this
123.456.78.9 mydocker_registry
Here I feel I have missed some small step. I can not figure that out.
Thanks in advance.
Try adding your registry as insecure registries.
If you are using Linux, edit your daemon.json under /etc/docker
Add
{
"insecure-registries" : ["registry-ip:registry-port"]
}
And run in terminal
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker
you need to add you your registry url in the tag, if the local registry URL is not part of your Docker image tag, by default it will push to official docker registry.
So that is why you are seeing in the push log
The push refers to a repository [docker.io/mydocker_registry/my_ubuntu]
so All you add to add the full path of your docker registry.
docker tag ubuntu:16.04 123.456.78.9:5000/mydocker_registry/my_ubuntu
docker push 123.456.78.9:5000/mydocker_registry/my_ubuntu
Here 123.456.78.9 refer to your local registry. if it is localhost then just 123.456.78.9 this with localhost
You can verify the registry access in browser if it is accessiable you will able to push.
https://myregistry.com/v2/_catalog
or
http://localhost:5000/v2/_catalog
Ok, after days of reading and trying, I have fixed my problem thanks to the helps given by /r/docker redditters :-)
Please note that this is working for your local domain only
Creating certificate files for your domain.
Here my domain is registry.myregistry.com.
openssl req -newkey rsa:4096 -nodes -sha256 -keyout registry.myregistry.com.key -x509 -days 365 -out registry.myregistry.com.crt
mkdir -p /etc/docker/certs.d/registry.myregistry.com:443
Copy certificates files to appropriate locations.
cp registry.myregistry.com.crt /etc/docker/certs.d/registry.myregistry.com:443/ca.crt
cp registry.myregistry.com /usr/local/share/ca-certificates/ca.crt
update-ca-certificates
Docker registry initialization
docker run -d -p 443:443 --restart=always --name registry -v $PWD/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.myregistry.com.crt -e REGISTRY_HTTP_TLS_KEY=/certs/registry.myregistry.com.key registry:2
Pulling and Pushing docker images to registry
docker pull alpine:latest
docker tag alpine:latest registry.myregistry.com:443/myalpine
docker push registry.myregistry.com:443/myalpine
No errors, its pushing successfully.
To be done is, accepting pull requests from other users in the same network.
I'm new to Tomcat and Docker, and am stuck trying to enable https on my website. First on the server, not in any container:
a) I generated a CSR
b) Acquired a commercial SSL certificate
c) Placed the certificates in a folder on the server /etc/docker/certs
d) Then created my Docker containers with the configuration below
I can use the command docker exec -it <container-id> sh to navigate my container. I can edit server.xml and web.xml but I realize I should install the certificates at the OS level outside the container if I want https configuration to persist past individual containers. In other words, I should be able to remove a container, and create another one without needing to reinstall the ssl.
How can I do this? Any ideas?. Thanks in advance! Below are my configurations:
1.Database
docker run -d --name=example-db --restart=always --net=example-net --mount type=volume,src=mydbdata,target=/example-db --hostname=example-db -e POSTGRES_DB=mydb -e POSTGRES_USER=myuser -e POSTGRES_PASSWORD=secret myapp/db
2.Application
docker run -d --name=example-app --restart=always --mount type=volume,src=mydata,target=/example-app -p 80:8080 --net=example-net -e DB_HOST=example-db -e DB_NAME=mydb -e DB_USER=myuser -e DB_PASSWORD=secret myapp/myapp
Again thanks for your help.
Art
You can map the external certs into a container at docker run time using bind mounts. Assuming your certs are in /etc/docker/certs on the host, and you want them to be at /etc/ssl/certs in the container, then add either of the following:
-v /etc/docker/certs:/etc/ssl/certs:ro
or
--mount type=bind,src=/etc/docker/certs,dst=/etc/ssl/certs,readonly
Your Tomcat config would use /etc/ssl/certs as its path in this case.
Trying to install a gitlab runner on my windows machine inside a docker container
Using
docker run -d --name gitlab-runner --restart always \ -v ${PWD}/gitla
/gitlab-runner \ -v /var/run/docker.sock:/var/run/docker.sock \ gitlab/gitlab-runner:latest
I'm following the official docs but nothing refers to windows
https://docs.gitlab.com/runner/install/docker.html
What's the correct way to set-up a docker container to execute a gitlab runner?
Thanks in advance!
It currently isn't fully supported, however there is an open issue and relevant open merge request to add that functionality!