Try   HackMD

Secure Docker Registry Architecture Guide

Objective

This topic provides basic information about deploying and configuring a secure registry.

System Specification

  • Hostname - rhel7.misc.local
  • IP Address - 10.0.100.7/24
  • Software
    • docker-distribution 2.6.2
    • rhel 7.7
    • skopeo 0.1.37

Installation Guide

# Install docker-distribution
yum -y install docker-distribution

# Setup configuration
cat << EOF > /etc/docker-distribution/registry/config.yml
---
version: 0.1
log:
  fields:
    service: registry
storage:
    cache:
        layerinfo: inmemory
    filesystem:
        rootdirectory: /var/lib/registry
http:
    addr: 0.0.0.0:5000
    host: https://rhel7.misc.local:5000
    tls:
      certificate: /etc/docker-distribution/my_self_signed_cert.crt
      key: /etc/docker-distribution/my_self_signed.key
EOF

# Create certificate for docker-registry
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/docker-distribution/my_self_signed.key -out /etc/docker-distribution/my_self_signed_cert.crt

# Sample Out
Generating a 2048 bit RSA private key
......+++
.................+++
writing new private key to '/etc/docker-distribution/my_self_signed.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: TW
State or Province Name (full name) []: Taipei
Locality Name (eg, city) [Default City]: Taipei City
Organization Name (eg, company) [Default Company Ltd]: Red Hat
Organizational Unit Name (eg, section) []: Solution Architect
Common Name (eg, your name or your server\'s hostname) []: rhel7.misc.local
Email Address []: root@rhel7.misc.local

# Enable and start docker distribution service
systemctl enable docker-distribution --now
systemctl status docker-distribution

Configure RHEL to trust the self-signed certificate

# Create PEM formmatted version of my_self_signed_cert.crt that was created
openssl x509 \
-in /etc/docker-distribution/my_self_signed_cert.crt \
-out /etc/pki/ca-trust/source/anchors/workstation.pem \
-outform PEM

# Update the system's trust store
update-ca-trust

Validation Container Images

yum install -y skopeo

skopeo copy docker://docker.io/library/centos:7.7.1908 docker://rhel7.misc.local:5000/library/centos:7.7.1908

skopeo inspect docker://rhel7.misc.local:5000/library/centos:7.7.1908

Appendix

Bill of Materials (BOM)

  • Red Hat Enterprise Linux * 1

Information

tags: ag
Last changed by 
Phil Huang
0
235

Read more

Swagger 2.4.12 Generator Installtion

Jan 31, 2020
OpenStack Adv. Networking Homework

Dec 13, 2019
Deploying applications on Red Hat OpenShift Service Mesh

Dec 3, 2019
Adv. Storage Homework

Nov 22, 2019
Read more from Phil Huang
Published on HackMD