Secure Docker Registry Architecture Guide

Objective

This topic provides basic information about deploying and configuring a secure registry.

System Specification

  • Hostname - rhel7.misc.local
  • IP Address - 10.0.100.7/24
  • Software
    • docker-distribution 2.6.2
    • rhel 7.7
    • skopeo 0.1.37

Installation Guide

# Install docker-distribution
yum -y install docker-distribution

# Setup configuration
cat << EOF > /etc/docker-distribution/registry/config.yml
---
version: 0.1
log:
  fields:
    service: registry
storage:
    cache:
        layerinfo: inmemory
    filesystem:
        rootdirectory: /var/lib/registry
http:
    addr: 0.0.0.0:5000
    host: https://rhel7.misc.local:5000
    tls:
      certificate: /etc/docker-distribution/my_self_signed_cert.crt
      key: /etc/docker-distribution/my_self_signed.key
EOF

# Create certificate for docker-registry
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/docker-distribution/my_self_signed.key -out /etc/docker-distribution/my_self_signed_cert.crt

# Sample output
Generating a 2048 bit RSA private key
......+++
.................+++
writing new private key to '/etc/docker-distribution/my_self_signed.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: TW
State or Province Name (full name) []: Taipei
Locality Name (eg, city) [Default City]: Taipei City
Organization Name (eg, company) [Default Company Ltd]: Red Hat
Organizational Unit Name (eg, section) []: Solution Architect
Common Name (eg, your name or your server's hostname) []: rhel7.misc.local
Email Address []: root@rhel7.misc.local

# Enable and start docker distribution service
systemctl enable docker-distribution --now
systemctl status docker-distribution

Configure RHEL to trust the self-signed certificate

# Create a PEM-formatted copy of the my_self_signed_cert.crt created above
openssl x509 \
-in /etc/docker-distribution/my_self_signed_cert.crt \
-out /etc/pki/ca-trust/source/anchors/workstation.pem \
-outform PEM

# Update the system's trust store
update-ca-trust

Validate Container Images

yum install -y skopeo

skopeo copy docker://docker.io/library/centos:7.7.1908 docker://rhel7.misc.local:5000/library/centos:7.7.1908

skopeo inspect docker://rhel7.misc.local:5000/library/centos:7.7.1908
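The interactive openssl prompt in the installation step only puts the hostname in the certificate's Common Name. Go-based clients such as docker and skopeo, when built with Go 1.15 or later, no longer match a hostname against the CN and require a subjectAltName, so a registry certificate should carry one. The script below is an added example, not code from the original page: it generates the same kind of self-signed certificate non-interactively with a DNS SAN (through a request config file, because the OpenSSL 1.0.2 shipped with RHEL 7 has no -addext option), checks that the SAN is present, verifies the certificate against a CA bundle the way the system bundle should accept it after update-ca-trust, and probes the registry's /v2/ endpoint through the system trust store. The hostname, port and file paths are the page's; the function names, the DN values reused from the sample output, the system bundle path and the interpretation of the curl status code are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive self-signed
# certificate with a SAN for the registry, plus post-install checks.
# Hostname, port and paths follow the page; function names are assumed.
set -eu

REGISTRY_HOST="${REGISTRY_HOST:-rhel7.misc.local}"
REGISTRY_PORT="${REGISTRY_PORT:-5000}"

# Write an OpenSSL request config whose DN matches the page's sample output
# and whose extensions put the hostname in subjectAltName. A config file is
# used instead of "-addext" because RHEL 7's OpenSSL 1.0.2 lacks that option.
# keyUsage is deliberately left unrestricted: a self-signed certificate that
# also acts as its own trust anchor fails "openssl verify" when keyUsage
# omits keyCertSign.
make_openssl_cnf() {
    host="$1"; out="$2"
    printf '%s\n' \
        '[req]' \
        'prompt = no' \
        'distinguished_name = dn' \
        'x509_extensions = v3_req' \
        '[dn]' \
        'C = TW' \
        'ST = Taipei' \
        'L = Taipei City' \
        'O = Red Hat' \
        'OU = Solution Architect' \
        "CN = $host" \
        '[v3_req]' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$host" > "$out"
}

# Generate key and certificate with the page's parameters (RSA-2048, 365 days,
# -nodes) but without prompts. -nodes leaves the key unencrypted on disk, so
# the file mode is tightened immediately.
gen_registry_cert() {
    host="$1"; key="$2"; crt="$3"
    cnf="$(mktemp)"
    make_openssl_cnf "$host" "$cnf"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -config "$cnf" -keyout "$key" -out "$crt" 2>/dev/null
    rm -f "$cnf"
    chmod 600 "$key"
}

# Succeeds when the certificate lists DNS:<host> in its SAN extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Succeeds when the certificate verifies against the given bundle. After
# update-ca-trust, the system bundle /etc/pki/tls/certs/ca-bundle.crt
# (assumed path) should accept the registry certificate.
cert_trusted_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the HTTP status of the registry's /v2/ endpoint using the system
# trust store (no --cacert, no -k). 200: TLS trust works and the registry
# allows anonymous access; 401: an auth section is enforcing credentials;
# 000: the connection or TLS handshake failed.
check_registry() {
    curl -s -o /dev/null -w '%{http_code}' "https://$1:$2/v2/" || true
}

# When run directly with "demo", exercise everything in a temporary
# directory instead of /etc/docker-distribution.
if [ "${1:-}" = "demo" ]; then
    dir="$(mktemp -d)"
    gen_registry_cert "$REGISTRY_HOST" "$dir/my_self_signed.key" "$dir/my_self_signed_cert.crt"
    cert_has_san "$dir/my_self_signed_cert.crt" "$REGISTRY_HOST" && echo "SAN ok"
    cert_trusted_by "$dir/my_self_signed_cert.crt" "$dir/my_self_signed_cert.crt" && echo "self-verify ok"
    echo "registry /v2/ status: $(check_registry "$REGISTRY_HOST" "$REGISTRY_PORT")"
fi
```

Run it as `sh registry-tls-check.sh demo` (assumed file name) on the registry host after the trust-store step. A 200 from /v2/ confirms that the certificate, the trust anchor and the service line up end to end; it also shows that the page's config.yml has no auth section, so any client that can reach port 5000 can pull and push without credentials.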

Appendix

Bill of Materials (BOM)

  • Red Hat Enterprise Linux * 1

Information

tags: ag