From c198f8f279cc9dd929581f1cb87305c70c4c6310 Mon Sep 17 00:00:00 2001 From: Olivier Gambier Date: Fri, 12 Jun 2015 01:10:03 -0700 Subject: [PATCH] Additional fixes Couple of nits that were not addressed. Signed-off-by: Olivier Gambier --- docs/configuration.md | 8 +++---- docs/deploying.md | 50 ++++++++++++++++++++++++------------------- docs/insecure.md | 8 +++---- docs/nginx.md | 14 ++++++------ 4 files changed, 41 insertions(+), 39 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index 6aeb1e86..cbbc1001 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -45,11 +45,11 @@ If the default configuration is not a sound basis for your usage, or if you are Typically, create a new configuration file from scratch, and call it `config.yml`, then: - docker run -d -p 5000:5000 --restart=always --name registry \ - -v `pwd`/config.yml:/etc/docker/registry/config.yml \ - registry:2 + docker run -d -p 5000:5000 --restart=always --name registry \ + -v `pwd`/config.yml:/etc/docker/registry/config.yml \ + registry:2 -You can (and probably should) use [this a starting point](https://github.com/docker/distribution/blob/master/cmd/registry/config-example.yml). +You can (and probably should) use [this as a starting point](https://github.com/docker/distribution/blob/master/cmd/registry/config-example.yml). ## List of configuration options diff --git a/docs/deploying.md b/docs/deploying.md index 8a74297b..bf007148 100644 --- a/docs/deploying.md +++ b/docs/deploying.md 
@@ -43,9 +43,9 @@ By default, your registry data is persisted as a [docker volume](https://docs.do Specifically, you might want to point your volume location to a specific place in order to more easily access your registry data. To do so you can: - docker run -d -p 5000:5000 --restart=always --name registry \ - -v `pwd`/data:/var/lib/registry \ - registry:2 + docker run -d -p 5000:5000 --restart=always --name registry \ + -v `pwd`/data:/var/lib/registry \ + registry:2 ### Alternatives @@ -65,11 +65,11 @@ Move and/or rename your crt file to: `certs/domain.crt` - and your key file to: Make sure you stopped your registry from the previous steps, then start your registry again with TLS enabled: - docker run -d -p 5000:5000 --restart=always --name registry \ - -v `pwd`/certs:/certs \ - -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ - -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ - registry:2 + docker run -d -p 5000:5000 --restart=always --name registry \ + -v `pwd`/certs:/certs \ + -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ + -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ + registry:2 You should now be able to access your registry from another docker host: @@ -78,6 +78,12 @@ You should now be able to access your registry from another docker host: docker push myregistrydomain.com:5000/ubuntu docker pull myregistrydomain.com:5000/ubuntu +#### Gotcha + +A certificate issuer may supply you with an *intermediate* certificate. In this case, you must combine your certificate with the intermediate's to form a *certificate bundle*. You can do this using the `cat` command: + + cat server.crt intermediate-certificates.pem > certs/domain.crt + ### Alternatives While rarely advisable, you may want to use self-signed certificates instead, or use your registry in an insecure fashion. You will find instructions [here](insecure.md). 
@@ -90,27 +96,27 @@ Except for registries running on secure local networks, registries should always The simplest way to achieve access restriction is through basic authentication (this is very similar to other web servers' basic authentication mechanism). -> :warning: You **cannot** use authentication with an insecure registry. You have to [configure TLS first](#running-a-domain-registry) for this to work. +:warning: You **cannot** use authentication with an insecure registry. You have to [configure TLS first](#running-a-domain-registry) for this to work. First create a password file with one entry for the user "testuser", with password "testpassword": - mkdir auth - docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/htpasswd + mkdir auth + docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/htpasswd Make sure you stopped your registry from the previous step, then start it again: - docker run -d -p 5000:5000 --restart=always --name registry \ - -v `pwd`/auth:/auth \ - -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ - -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ - -v `pwd`/certs:/certs \ - -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ - -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ - registry:2 + docker run -d -p 5000:5000 --restart=always --name registry \ + -v `pwd`/auth:/auth \ + -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ + -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ + -v `pwd`/certs:/certs \ + -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ + -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ + registry:2 You should now be able to: - docker login myregistrydomain.com:5000 + docker login myregistrydomain.com:5000 And then push and pull images as an authenticated user. 
@@ -120,9 +126,9 @@ And then push and pull images as an authenticated user. 2. Alternatively, the Registry also supports delegated authentication, redirecting users to a specific, trusted token server. That approach requires significantly more investment, and only make sense if you want to fully configure ACLs and more control over the Registry integration into your global authorization and authentication systems. - You will find [background information here](spec/auth/token.md), and [configuration information here](configuration.md#auth). +You will find [background information here](spec/auth/token.md), and [configuration information here](configuration.md#auth). - Beware that you will have to implement your own authentication service for this to work. +Beware that you will have to implement your own authentication service for this to work. ## Managing with Compose diff --git a/docs/insecure.md b/docs/insecure.md index 76f6c4dd..2245a910 100644 --- a/docs/insecure.md +++ b/docs/insecure.md @@ -38,11 +38,9 @@ This basically tells Docker to entirely disregard security for your registry. Generate your own certificate: -``` -mkdir -p certs && openssl req \ - -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \ - -x509 -days 365 -out certs/domain.crt -``` + mkdir -p certs && openssl req \ + -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \ + -x509 -days 365 -out certs/domain.crt Be sure to use the name `myregistrydomain.com` as a CN. diff --git a/docs/nginx.md b/docs/nginx.md index 93cf8548..f8d1eeda 100644 --- a/docs/nginx.md +++ b/docs/nginx.md 
@@ -130,16 +130,14 @@ That's certainly because you are using a self-signed certificate, despite the wa If you really insist on using these, you have to trust it at the OS level. Usually, on Ubuntu this is done with: -``` -cp auth/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt -update-ca-certificates -``` + + cp auth/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt + update-ca-certificates ... and on RedHat with: -``` -cp auth/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt -update-ca-trust -``` + + cp auth/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt + update-ca-trust Now:
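Review bot: in the docs/configuration.md hunk (@@ -45,11 +45,11 @@), the re-indented `docker run` still bind-mounts the configuration read-write (`-v \`pwd\`/config.yml:/etc/docker/registry/config.yml`); the registry only reads this file, so appending `:ro` to the mount would keep a compromised registry process from rewriting its own configuration, and the same applies to the `-v \`pwd\`/certs:/certs` mount used later in docs/deploying.md. Since the hunk is already touching every line of the command, this is a cheap hardening to fold in.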
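Review bot: the new "Gotcha" section in docs/deploying.md (@@ -78,6 +78,12 @@) should say explicitly that order matters in `cat server.crt intermediate-certificates.pem > certs/domain.crt`: the server certificate must come first, followed by the intermediate(s), and the root should not be included. The filenames `server.crt` and `intermediate-certificates.pem` are also new here, while the step a few lines above told the reader to put their certificate at `certs/domain.crt`; a reader who follows that step and then runs `cat certs/domain.crt intermediate-certificates.pem > certs/domain.crt` ends up with an empty or intermediate-only bundle, because the shell truncates the redirect target before `cat` reads it. Suggest naming the leaf certificate consistently and adding a verification step such as `openssl s_client -connect myregistrydomain.com:5000 -showcerts` so the reader can confirm the full chain is served.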
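Review bot: in the docs/deploying.md authentication hunk (@@ -90,27 +96,27 @@), `docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/htpasswd` leaves an exited container behind whose command line, plaintext password included, remains visible in `docker ps -a` and `docker inspect`; add `--rm` so the container is removed as soon as htpasswd exits, and consider a sentence noting that `-b` also puts the password into the shell history. Dropping the `>` in front of the `:warning:` line is fine, but since the warning is now a plain paragraph it could be tightened to say that basic auth over plain HTTP would send the credentials in the clear, which is why TLS is a prerequisite.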
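Review bot: the docs/deploying.md hunk at @@ -120,9 +126,9 @@ strips the leading indentation from the two paragraphs under list item 2 ("You will find [background information here]..." and "Beware that you will have to implement..."); in Markdown that indentation is what makes them continuation paragraphs of the list item, so after this change they render as top-level paragraphs after the list rather than as part of item 2. If that is intended, fine; otherwise keep the indent. While touching this region, the context line "only make sense" should read "only makes sense".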
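Review bot: in the docs/insecure.md hunk (@@ -38,11 +38,9 @@), the instruction "Be sure to use the name `myregistrydomain.com` as a CN" is not enough for a certificate that clients will accept: Go's TLS verifier, which the Docker client and daemon use, ignores the Common Name for hostname matching since Go 1.15 and requires a subjectAltName, so a certificate produced by this `openssl req ... -x509` invocation fails with a hostname mismatch on current Docker versions. Suggest adding `-subj "/CN=myregistrydomain.com" -addext "subjectAltName=DNS:myregistrydomain.com"` (OpenSSL 1.1.1 or later) to the command and rewording the sentence to say the name must appear as a SAN. It would also help to note that `-nodes` leaves the private key unencrypted on disk, which the registry needs but which makes the permissions on `certs/domain.key` matter.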
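Review bot: the docs/nginx.md hunk (@@ -130,16 +130,14 @@) documents `update-ca-certificates` and `update-ca-trust` but not that the Docker daemon reads the system trust store at startup, so it must be restarted after either command before the self-signed certificate is trusted; the "Now:" that follows will otherwise fail with the same error the section is trying to fix. It is also worth mentioning the Docker-specific alternative of dropping the certificate under `/etc/docker/certs.d/` in a directory named after the registry host and port, which trusts it for that registry only instead of adding a self-signed certificate to the OS-wide trust store. The added blank lines before the indented blocks are correct, since an indented code block needs a blank line before it to render.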