# Secure Docker Registry Architecture Guide

[toc]

## Objective

> This topic provides basic information about deploying and configuring a secure registry.

## System Specification

- Hostname
  - rhel7.misc.local
- IP Address
  - 10.0.100.7/24
- Software
  - docker-distribution 2.6.2
  - rhel 7.7
  - skopeo 0.1.37

## Installation Guide

```bash
# Install docker-distribution
yum -y install docker-distribution

# Set up the registry configuration (TLS listener on port 5000)
cat << EOF > /etc/docker-distribution/registry/config.yml
---
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: 0.0.0.0:5000
  host: https://rhel7.misc.local:5000
  tls:
    certificate: /etc/docker-distribution/my_self_signed_cert.crt
    key: /etc/docker-distribution/my_self_signed.key
EOF

# Create a self-signed certificate for the docker registry (valid for 365 days)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/docker-distribution/my_self_signed.key \
  -out /etc/docker-distribution/my_self_signed_cert.crt
```

Sample output. The Common Name is the name clients will connect to, so it must match the registry hostname (`rhel7.misc.local`):

```
Generating a 2048 bit RSA private key
......+++
.................+++
writing new private key to '/etc/docker-distribution/my_self_signed.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: TW
State or Province Name (full name) []: Taipei
Locality Name (eg, city) [Default City]: Taipei City
Organization Name (eg, company) [Default Company Ltd]: Red Hat
Organizational Unit Name (eg, section) []: Solution Architect
Common Name (eg, your name or your server's hostname) []: rhel7.misc.local
Email Address []: root@rhel7.misc.local
```

```bash
# Enable and start the docker-distribution service
systemctl enable docker-distribution --now
systemctl status docker-distribution
```

### Configure RHEL to trust the self-signed certificate

```bash
# Copy the certificate that was created into the system trust anchors in PEM format
openssl x509 \
  -in /etc/docker-distribution/my_self_signed_cert.crt \
  -out /etc/pki/ca-trust/source/anchors/workstation.pem \
  -outform PEM

# Update the system's trust store
update-ca-trust
```

### Validate Container Images

```bash
yum install -y skopeo

# Copy an image into the registry over TLS and inspect it there
skopeo copy docker://docker.io/library/centos:7.7.1908 docker://rhel7.misc.local:5000/library/centos:7.7.1908
skopeo inspect docker://rhel7.misc.local:5000/library/centos:7.7.1908
```

![](https://i.imgur.com/7yq5pz6.png)

## Appendix

### Bill of Materials (BOM)

- Red Hat Enterprise Linux * 1

### Information

- Phil Huang <phil.huang@redhat.com>
- Updated: 20191120

###### tags: `ag`
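The following script is an added example, not part of the original guide: it checks the registry deployed in the Installation Guide above after the fact. The hostname, port and certificate path default to the values used in the guide (`rhel7.misc.local`, `5000`, `/etc/docker-distribution/my_self_signed_cert.crt`); the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example (not part of the original guide): post-deployment checks for the
# registry configured above. Hostname, port and certificate path default to the
# values from the guide; override them through the environment where they differ.
set -euo pipefail

REGISTRY_HOST="${REGISTRY_HOST:-rhel7.misc.local}"
REGISTRY_PORT="${REGISTRY_PORT:-5000}"
REGISTRY_CERT="${REGISTRY_CERT:-/etc/docker-distribution/my_self_signed_cert.crt}"

# Print the Subject CN of a PEM certificate (the value typed at the CN prompt).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Succeed if the certificate carries a subjectAltName extension. Go-based clients
# built with Go 1.15 or later (skopeo, podman, docker) ignore the CN and require
# the registry hostname to appear in a SAN.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep 'Subject Alternative Name' >/dev/null
}

# Succeed if the certificate is still valid $2 days from now. The guide's
# certificate lives 365 days, so renew it before this check starts failing.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed if the registry answers the Distribution API ping over HTTPS using only
# the host trust store: 200 means open access, 401 means credentials are required.
registry_tls_ok() {
  local code
  code=$(curl -sS -o /dev/null -w '%{http_code}' \
    "https://${REGISTRY_HOST}:${REGISTRY_PORT}/v2/")
  [ "$code" = "200" ] || [ "$code" = "401" ]
}

check_registry() {
  local cn
  cn=$(cert_cn "$REGISTRY_CERT")
  [ "$cn" = "$REGISTRY_HOST" ] || echo "WARN: CN '$cn' differs from $REGISTRY_HOST"
  cert_has_san "$REGISTRY_CERT" || echo "WARN: no subjectAltName; newer clients reject it"
  cert_valid_for_days "$REGISTRY_CERT" 30 || echo "WARN: certificate expires within 30 days"
  if registry_tls_ok; then echo "OK: TLS handshake and GET /v2/ succeeded"; else echo "FAIL: HTTPS ping of /v2/ failed"; fi
}

# Run the checks only when invoked as: ./check_registry.sh check
if [ "${1:-}" = "check" ]; then check_registry; fi
```

Run it on the registry host after `update-ca-trust`; a warning about the missing SAN is expected for a certificate created exactly as in the guide, and matters once the clients move to newer Go-based tooling.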