Additional fixes
Couples of nits that where not addressed. Signed-off-by: Olivier Gambier <olivier@docker.com>
This commit is contained in:
parent
1d5b311fc4
commit
c198f8f279
4 changed files with 41 additions and 39 deletions
|
@ -49,7 +49,7 @@ Typically, create a new configuration file from scratch, and call it `config.yml
|
|||
-v `pwd`/config.yml:/etc/docker/registry/config.yml \
|
||||
registry:2
|
||||
|
||||
You can (and probably should) use [this a starting point](https://github.com/docker/distribution/blob/master/cmd/registry/config-example.yml).
|
||||
You can (and probably should) use [this as a starting point](https://github.com/docker/distribution/blob/master/cmd/registry/config-example.yml).
|
||||
|
||||
## List of configuration options
|
||||
|
||||
|
|
|
@ -78,6 +78,12 @@ You should now be able to access your registry from another docker host:
|
|||
docker push myregistrydomain.com:5000/ubuntu
|
||||
docker pull myregistrydomain.com:5000/ubuntu
|
||||
|
||||
#### Gotcha
|
||||
|
||||
A certificate issuer may supply you with an *intermediate* certificate. In this case, you must combine your certificate with the intermediate's to form a *certificate bundle*. You can do this using the `cat` command:
|
||||
|
||||
cat server.crt intermediate-certificates.pem > certs/domain.crt
|
||||
|
||||
### Alternatives
|
||||
|
||||
While rarely advisable, you may want to use self-signed certificates instead, or use your registry in an insecure fashion. You will find instructions [here](insecure.md).
|
||||
|
@ -90,7 +96,7 @@ Except for registries running on secure local networks, registries should always
|
|||
|
||||
The simplest way to achieve access restriction is through basic authentication (this is very similar to other web servers' basic authentication mechanism).
|
||||
|
||||
> :warning: You **cannot** use authentication with an insecure registry. You have to [configure TLS first](#running-a-domain-registry) for this to work.
|
||||
:warning: You **cannot** use authentication with an insecure registry. You have to [configure TLS first](#running-a-domain-registry) for this to work.
|
||||
|
||||
First create a password file with one entry for the user "testuser", with password "testpassword":
|
||||
|
||||
|
|
|
@ -38,11 +38,9 @@ This basically tells Docker to entirely disregard security for your registry.
|
|||
|
||||
Generate your own certificate:
|
||||
|
||||
```
|
||||
mkdir -p certs && openssl req \
|
||||
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
|
||||
-x509 -days 365 -out certs/domain.crt
|
||||
```
|
||||
|
||||
Be sure to use the name `myregistrydomain.com` as a CN.
|
||||
|
||||
|
|
|
@ -130,16 +130,14 @@ That's certainly because you are using a self-signed certificate, despite the wa
|
|||
If you really insist on using these, you have to trust it at the OS level.
|
||||
|
||||
Usually, on Ubuntu this is done with:
|
||||
```
|
||||
|
||||
cp auth/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
|
||||
update-ca-certificates
|
||||
```
|
||||
|
||||
... and on RedHat with:
|
||||
```
|
||||
|
||||
cp auth/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
|
||||
update-ca-trust
|
||||
```
|
||||
|
||||
Now:
|
||||
|
||||
|
|
Loading…
Reference in a new issue