October 26, 2020

Out Here In The Fields

…of musings and ramblings

Insecure Local Private Docker Registry


Certainly the kind of deployment explained in my previous article does not suit every type of deployment. While Let’s Encrypt makes it easy for anybody who owns a domain to obtain an SSL certificate, you will still need a domain, a public IP, and a DNS server to complete the process.

For development purposes, or in a properly secured environment, you can get by with an insecure local private registry. The “insecure” bit refers either to the use of HTTP instead of HTTPS, or to the use of a self-signed certificate, with each node in the swarm configured to trust it. This article covers both.

Insecure Registry with http

The easiest way to provide a registry server to a swarm is to provide an HTTP-only registry. By default the Docker daemon on each node only trusts 127.0.0.1 or localhost as an insecure registry. To instruct the Docker daemon to trust other addresses, open or create /etc/docker/daemon.json

surfer@AWN1:~$ sudo nano /etc/docker/daemon.json

And add the following lines

{
  "insecure-registries": ["regs.mach5.web.id:5000"]
}

Replace “regs.mach5.web.id” with your own domain, and make sure it is reachable from every node in the swarm. Save the file, and restart the Docker service.

surfer@AWN1:~$ sudo systemctl restart docker

Repeat these steps on all members of the swarm. To see whether the address has been trusted, do this on any member of the swarm:
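Pasting the snippet above into an existing daemon.json would clobber whatever is already there (log drivers, storage options, and so on). The following helper, added here and not part of the original post, merges the registry into the "insecure-registries" list instead, preserves the other keys, and is idempotent, so it can be run on every swarm node. The /etc/docker/daemon.json path is assumed to be the daemon's default config location.

```python
import json
import sys
from pathlib import Path

DAEMON_JSON = Path("/etc/docker/daemon.json")  # assumed default location of the daemon config


def list_insecure_registries(config_text: str) -> list:
    """Return the current "insecure-registries" entries from daemon.json text."""
    config = json.loads(config_text) if config_text.strip() else {}
    return list(config.get("insecure-registries", []))


def merge_insecure_registry(config_text: str, registry: str) -> str:
    """Return daemon.json text with `registry` present in "insecure-registries".

    Existing keys are kept untouched and a registry that is already listed is
    not duplicated, so the function is safe to apply repeatedly on every node.
    """
    if not registry or any(ch.isspace() for ch in registry):
        raise ValueError("registry must be a bare host:port or CIDR, e.g. regs.mach5.web.id:5000")
    config = json.loads(config_text) if config_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a single JSON object")
    entries = config.setdefault("insecure-registries", [])
    if not isinstance(entries, list):
        raise ValueError('"insecure-registries" must be a JSON array')
    if registry not in entries:
        entries.append(registry)
    return json.dumps(config, indent=2) + "\n"


def add_insecure_registry(registry: str, path: Path = DAEMON_JSON) -> None:
    """Rewrite daemon.json on disk; restart the docker service afterwards."""
    current = path.read_text() if path.exists() else ""
    path.write_text(merge_insecure_registry(current, registry))


if __name__ == "__main__":
    # usage: sudo python3 add_registry.py regs.mach5.web.id:5000
    add_insecure_registry(sys.argv[1])
```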

surfer@AWN1:~$ sudo docker info

Under “Insecure Registries” it should say

Insecure Registries:
 regs.mach5.web.id:5000
 127.0.0.0/8

Let’s test it out by pulling something from a public image registry, such as

sudo docker pull php:apache

Tag the image

sudo docker tag php:apache regs.mach5.web.id:5000/php-apache

Push it to the local image server

sudo docker push regs.mach5.web.id:5000/php-apache

The image should now be available in the local registry, and we should be able to deploy it to the swarm with something like this

sudo docker service create --name php regs.mach5.web.id:5000/php-apache


Insecure Registry with self-signed SSL certificate

We can, however, use HTTPS with a self-signed SSL certificate by forcing the nodes to trust the certificate that we created and signed ourselves.

First, create a self-signed certificate

openssl req -newkey rsa:4096 -nodes -sha256 -keyout privkey.key -x509 -days 365 -out domain.crt

Put the name of the server when asked:

Common Name (e.g. server FQDN or YOUR name) []:regs.mach5.web.id

At the end of the process, we should have a “privkey.key” file containing the private key and a “domain.crt” file containing the self-signed SSL certificate. Put them in a directory, say /data/docker/certs

The second part is to create the htpasswd file used for authentication. Run

sudo docker run --entrypoint htpasswd registry:2 -Bbn reg1 securePassReg1 > /data/docker/auth/htpasswd

...and start up our Docker registry container

sudo docker run -d --restart=always --name regs -v /data/docker/auth:/auth  -v /data/docker/certs:/certs -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_HTTP_ADDR=0.0.0.0:8442 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/privkey.key -p 8442:8442 registry:2

Test logging in to the registry by doing:

sudo docker login regs.mach5.web.id:8442

And you’ll probably be greeted with this:

Username: regs
Password:
Error response from daemon: Get https://regs.mach5.web.id:8442/v2/: x509: certificate signed by unknown authority

This is, of course, because the registry container is using a self-signed certificate. To get around it, we can instruct Docker to trust the certificate. To do that, create these directories:

sudo mkdir /etc/docker/certs.d
sudo mkdir /etc/docker/certs.d/regs.mach5.web.id:8442

Replace regs.mach5.web.id with your own domain, and copy the domain’s SSL certificate into the directory we have just created.

sudo cp /data/docker/certs/domain.crt /etc/docker/certs.d/regs.mach5.web.id\:8442/

And restart the docker daemon

sudo systemctl restart docker

Copy the certificate to every member of the swarm, repeat the rest of these steps there, and you should now be able to log in to the registry server.
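Two things bite in practice with the certificate steps above: newer Docker releases (built with Go 1.15 or later) refuse certificates that carry the hostname only in the Common Name and require a subjectAltName, and a typo in the certs.d directory name silently leaves the node untrusting. The script below is an added example, not code from the original post: it generates the same kind of self-signed certificate as the openssl command above but with a SAN, checks with openssl that the certificate actually names the registry host, and only then installs it as ca.crt under the host:port directory. It assumes openssl 1.1.1 or newer (for -addext) is on PATH and that /etc/docker/certs.d is the daemon's trust directory.

```python
import subprocess
from pathlib import Path

CERTS_D = Path("/etc/docker/certs.d")  # assumed Docker per-registry trust directory


def make_registry_cert(host: str, out_dir, days: int = 365) -> Path:
    """Create privkey.key and domain.crt for `host`, with a DNS subjectAltName.

    Mirrors the page's openssl command but non-interactively; the SAN is what
    recent Docker/Go TLS stacks check, the CN alone is no longer enough.
    """
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    crt = out_dir / "domain.crt"
    subprocess.run(
        ["openssl", "req", "-newkey", "rsa:4096", "-nodes", "-sha256",
         "-keyout", str(out_dir / "privkey.key"), "-x509", "-days", str(days),
         "-subj", f"/CN={host}", "-addext", f"subjectAltName=DNS:{host}",
         "-out", str(crt)],
        check=True, capture_output=True)
    return crt


def cert_matches_host(crt, host: str) -> bool:
    """Ask openssl whether the certificate's names cover `host`."""
    res = subprocess.run(
        ["openssl", "x509", "-in", str(crt), "-noout", "-checkhost", host],
        check=True, capture_output=True, text=True)
    # openssl prints "... does match certificate" or "... does NOT match certificate"
    return "does match" in res.stdout


def install_registry_cert(crt, registry: str, certs_root=CERTS_D) -> Path:
    """Copy the cert to <certs_root>/<host:port>/ca.crt, refusing one that does not name the host."""
    host = registry.rsplit(":", 1)[0]
    if not cert_matches_host(crt, host):
        raise ValueError(f"{crt} does not name {host}; Docker would still reject it")
    dest_dir = Path(certs_root) / registry  # directory name must be the exact host:port used in pulls
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / "ca.crt"
    dest.write_bytes(Path(crt).read_bytes())
    return dest


if __name__ == "__main__":
    # usage: sudo python3 regcert.py   (then: sudo systemctl restart docker)
    cert = make_registry_cert("regs.mach5.web.id", "/data/docker/certs")
    print("installed", install_registry_cert(cert, "regs.mach5.web.id:8442"))
```

The same ca.crt must be copied to the matching certs.d directory on every swarm node before the daemon there is restarted.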

After we have logged in to the server, we can start pushing images to the registry and creating services from the images stored in it. To do that, modify the service creation command to look like this:

sudo docker service create --with-registry-auth --name php regs.mach5.web.id:8442/php-apache

Each member of the swarm should now be able to pull images from the private local registry on service creation.
