Friday, 19 July 2019

Docker Command Part-23 By Raj Gupta

How to access a private repository/registry the insecure (HTTP) way without errors

When you create your own private repository, Docker only allows it to be used over a secure (HTTPS) connection, except for addresses in 127.0.0.0/8: those are insecure (plain HTTP), but Docker allows them by default.

For any other address you can allow insecure access as shown below:

[root@ip-172-31-93-16 ~]# cd /etc/docker/
[root@ip-172-31-93-16 docker]# vi daemon.json
[root@ip-172-31-93-16 docker]# cat daemon.json
{
  "insecure-registries" : ["10.0.2.15:5000"]
}
[root@ip-172-31-93-16 docker]# service docker restart
Stopping docker:                                           [  OK  ]
Starting docker:        .                                  [  OK  ]
[root@ip-172-31-93-16 docker]#


Now Docker will also allow the registry at 10.0.2.15:5000 over plain HTTP.
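Every entry in "insecure-registries" is a registry the daemon will talk to without TLS verification, so it is worth auditing that file on each host. The following POSIX shell script is an added example and not part of the original post: it extracts the entries from a daemon.json, treats only loopback entries (the 127.0.0.0/8 range Docker allows anyway) as harmless, and reports the rest. The daemon.json it runs against is a constructed sample; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Docker daemon.json for
# "insecure-registries" entries. Every registry listed there is reached over
# plain HTTP, or over HTTPS without certificate verification, so anyone on the
# network path can alter the layers the daemon pulls. Only loopback entries
# (the 127.0.0.0/8 range Docker already allows by default) count as harmless.

# Print the entries of the "insecure-registries" array, one per line.
# Uses only tr/sed/grep so it runs on a host without jq; $1 is the file path.
list_insecure_registries() {
    tr -d '\n\r' < "$1" \
      | sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p' \
      | tr ',' '\n' \
      | sed 's/[[:space:]"]//g' \
      | grep -v '^$' || true
}

# Return 0 for an entry Docker would treat as local anyway (127.0.0.0/8 or localhost).
is_loopback_entry() {
    case "$1" in
        127.*|localhost|localhost:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every entry outside loopback and return how many there were,
# so a return value of 0 means the daemon trusts nothing beyond the local host.
audit_insecure_registries() {
    count=0
    for entry in $(list_insecure_registries "$1"); do
        if is_loopback_entry "$entry"; then
            echo "ok:      $entry (loopback, allowed by default)"
        else
            echo "WARNING: $entry is used without TLS verification; serve it over HTTPS and drop this entry"
            count=$((count + 1))
        fi
    done
    return "$count"
}

# Write a constructed sample daemon.json (sample data, not any real host's file) to $1.
write_sample_daemon_json() {
    cat > "$1" <<'EOF'
{
  "insecure-registries" : ["10.0.2.15:5000", "127.0.0.1:5000", "registry.internal:5000"],
  "log-driver": "json-file"
}
EOF
}

# Demo run against the constructed sample; a real host is audited the same way:
#   audit_insecure_registries /etc/docker/daemon.json
sample="${TMPDIR:-/tmp}/daemon.sample.$$.json"
write_sample_daemon_json "$sample"
audit_insecure_registries "$sample" || echo "$? registry entries need a certificate before they are safe"
rm -f "$sample"
```

The fix for a flagged entry is the one the rest of this post walks through: give the registry a certificate, trust it under /etc/docker/certs.d, and remove the address from "insecure-registries".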



------------------------------------------------------------------------------------------------------------

How to make a private repository/registry secure (HTTPS), in other words how to add a certificate to the private repository/registry so it can be accessed securely

[root@ip-172-31-93-16 ~]# mkdir certs
[root@ip-172-31-93-16 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
Generating a 4096 bit RSA private key
..................................++
...............................................................................................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:repo.docker.local
Email Address []:
[root@ip-172-31-93-16 ~]#

[root@ip-172-31-93-16 ~]# ls
certs
[root@ip-172-31-93-16 ~]# cd certs/
[root@ip-172-31-93-16 certs]# ls
domain.crt  domain.key
[root@ip-172-31-93-16 certs]# cd /etc/docker/
[root@ip-172-31-93-16 docker]# ls
key.json
[root@ip-172-31-93-16 docker]# mkdir certs.d
[root@ip-172-31-93-16 docker]# ls
certs.d  key.json
[root@ip-172-31-93-16 docker]# cd certs.d/
[root@ip-172-31-93-16 certs.d]# mkdir repo.docker.local:5000
[root@ip-172-31-93-16 certs.d]# cd .
[root@ip-172-31-93-16 certs.d]# cd
[root@ip-172-31-93-16 ~]# ls
certs
[root@ip-172-31-93-16 ~]# cp certs/domain.crt /etc/docker/certs.d/repo.docker.local\:5000/ca.crt
[root@ip-172-31-93-16 ~]# service docker restart
Stopping docker:                                           [  OK  ]
Starting docker:        .                                  [  OK  ]
[root@ip-172-31-93-16 ~]#

Now create the registry container with TLS enabled:

[root@ip-172-31-93-16 ~]# docker container run -d -p 5000:5000 --name secure_registry -v $(pwd)/certs/:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e  REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry
7bfd9f1aea673a98f37a211c37bc727b92c1ab3aae613103eb897613c9cd0de6
[root@ip-172-31-93-16 ~]#

Now we are going to push an image:

[root@ip-172-31-93-16 ~]# docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
mariadb             latest              f55f3a2a2d81        3 days ago          354MB
registry            latest              f32a97de94e1        4 months ago        25.8MB
[root@ip-172-31-93-16 ~]#


[root@ip-172-31-93-16 ~]# docker image tag mariadb repo.docker.local:5000/mariadb
[root@ip-172-31-93-16 ~]# docker image ls
REPOSITORY                       TAG                 IMAGE ID            CREATED             SIZE
mariadb                          latest              f55f3a2a2d81        3 days ago          354MB
repo.docker.local:5000/mariadb   latest              f55f3a2a2d81        3 days ago          354MB
registry                         latest              f32a97de94e1        4 months ago        25.8MB
[root@ip-172-31-93-16 ~]#

[root@ip-172-31-93-16 ~]# docker image push repo.docker.local:5000/mariadb
The push refers to repository [repo.docker.local:5000/mariadb]
An image does not exist locally with the tag: repo.docker.local:5000/mariadb
[root@ip-172-31-93-16 ~]#


To resolve the error above, we need to add repo.docker.local to /etc/hosts:

[root@ip-172-31-93-16 ~]# vi /etc/hosts
[root@ip-172-31-93-16 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost6 localhost6.localdomain6
172.31.93.16 repo.docker.local
[root@ip-172-31-93-16 ~]#

Now we are able to push the image to the private repository in a secure way:

[root@ip-172-31-93-16 ~]# docker image push repo.docker.local:5000/mariadb
The push refers to repository [repo.docker.local:5000/mariadb]
0a9738aacc8d: Pushed
189fe2319039: Pushed
0aff0ac22d66: Pushed
6c7632269b32: Pushed
829531ae5233: Pushed
69faac9fc0dc: Pushed
3419e6db06bd: Pushed
00f4fc732ccd: Pushed
68ed6b608570: Pushed
38d8a1d432cd: Pushed
75e70aa52609: Pushed
dda151859818: Pushed
fbd2732ad777: Pushed
ba9de9d8475e: Pushed
latest: digest: sha256:86bbf5dffd86bca75ba91cec9a3e08ae3efbef1af233fc19d6b4924079e83f33 size: 3240
[root@ip-172-31-93-16 ~]#


                       Now our secure Docker repository setup is done
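The openssl req call above only sets a Common Name. Newer Docker releases (built with Go 1.15 or later) ignore the Common Name and reject certificates that carry no subjectAltName, so the same procedure on a current host fails at docker login. The script below is an added example, not code from the original post: it generates a certificate that names the registry host in a SAN, installs it as ca.crt under certs.d exactly where the post copies it by hand, and verifies the result offline before any docker command is run. The function names, the DOCKER_CERTS_D override, the 2048-bit key and the 30-day expiry window are this example's own assumptions; openssl must be installed.

```shell
#!/bin/sh
# Added example, not from the original post: create a registry certificate that
# names the registry host in a subjectAltName, install it as the daemon's trust
# anchor under certs.d, and verify the result offline. Newer Docker releases
# (built with Go 1.15 or later) ignore the Common Name and reject certificates
# that have no SAN, so a CN-only certificate stops working there. Host, port,
# key size and the 30-day expiry window are assumptions of this example;
# DOCKER_CERTS_D overrides /etc/docker/certs.d so the demo below runs in a
# temp dir without root.

# The directory the daemon consults for one registry: <certs.d>/<host>:<port>
certs_d_dir() {
    echo "${DOCKER_CERTS_D:-/etc/docker/certs.d}/$1:$2"
}

# Create domain.key and a self-signed domain.crt for host $1 in directory $2.
# A throwaway OpenSSL config carries the SAN, which works with OpenSSL 1.0.2
# as well as 1.1.1 and 3.x (the -addext shortcut needs 1.1.1 or later).
make_registry_cert() {
    host=$1; dir=$2
    mkdir -p "$dir"
    cfg="$dir/openssl.cnf"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -config "$cfg" -extensions v3_req \
        -keyout "$dir/domain.key" -out "$dir/domain.crt" 2>/dev/null
    chmod 600 "$dir/domain.key"   # only the registry process needs the key
    rm -f "$cfg"
}

# Copy the certificate to <certs.d>/<host>:<port>/ca.crt, the step the post
# does by hand with cp. Returns 0 when the file is in place.
install_registry_ca() {
    host=$1; port=$2; crt=$3
    dest=$(certs_d_dir "$host" "$port")
    mkdir -p "$dest"
    cp "$crt" "$dest/ca.crt"
    [ -s "$dest/ca.crt" ]
}

# Checks worth running before `docker login`: the registry cert chains to the
# installed ca.crt, carries the registry host in its SAN, and is not within
# 30 days of expiry. Prints a reason and returns non-zero on the first failure.
verify_registry_cert() {
    host=$1; crt=$2; ca=$3
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt does not chain to $ca"; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -Eq "DNS:$host"'(,|$)' \
        || { echo "FAIL: $crt has no subjectAltName for $host"; return 2; }
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: $crt expires within 30 days"; return 3; }
    echo "ok: $crt is trusted for $host via $ca"
}

# Demo: the whole flow under a temp dir, so the real /etc/docker is untouched.
# On a real host drop the DOCKER_CERTS_D line, run as root, and restart docker.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    DOCKER_CERTS_D="$work/certs.d"
    make_registry_cert repo.docker.local "$work/certs"
    install_registry_ca repo.docker.local 5000 "$work/certs/domain.crt"
    verify_registry_cert repo.docker.local "$work/certs/domain.crt" \
        "$(certs_d_dir repo.docker.local 5000)/ca.crt"
    rm -rf "$work"
fi
```

The SAN check is the one that catches the CN-only certificate, and the expiry check is the one that catches a registry that silently stops accepting pushes a year after setup. The registry container itself is started the same way as above, with domain.crt and domain.key passed through REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY.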

----------------------------------------------------------------------------------------------------------------


                                        Docker Registry with basic authentication 


[root@ip-172-31-93-16 ~]# mkdir auth
[root@ip-172-31-93-16 ~]# docker container run --entrypoint htpasswd registry -bnB raj password >auth/htpasswd
[root@ip-172-31-93-16 ~]# cat auth/htpasswd
raj:$2y$05$rIV1sexUtv8yPsLZFxEd.uTENSP6Ik95S/y0MZpIiXVu6LGQ44JrO

[root@ip-172-31-93-16 ~]# docker container run -d \
>  -p 5000:5000 \
>  --name registry_basic \
>  -v "$(pwd)"/auth:/auth \
>  -v "$(pwd)"/certs:/certs \
>  -e "REGISTRY_AUTH=htpasswd" \
>  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
>  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
>  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \
>  -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \
>  registry
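The registry's htpasswd backend accepts bcrypt entries only, which is why the htpasswd call above uses -B; a line in any other format (MD5 $apr1$, {SHA}, plain text) simply cannot log in, and the file itself holds the only credentials to the registry, so it should not be group- or world-readable. The following POSIX shell script is an added example and not part of the original post: it checks each line of an htpasswd file for bcrypt format, warns about a low cost factor, checks the file mode, and returns the number of unusable lines. The sample file, its fake hash strings, the cost threshold and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an htpasswd file
# before handing it to the registry. The registry's htpasswd backend accepts
# bcrypt entries only; lines in other formats (MD5 $apr1$, {SHA}, plain text)
# are unusable and those users silently cannot log in. The cost threshold and
# the sample users below are assumptions of this example.

# Return 0 when a single "user:hash" line is a well-formed bcrypt entry
# ($2a$/$2b$/$2y$, two-digit cost, 53-character salt+hash).
is_bcrypt_entry() {
    printf '%s\n' "$1" | grep -Eq '^[^:]+:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# Print the bcrypt cost factor (the two digits after $2y$) of a line.
bcrypt_cost() {
    printf '%s\n' "$1" | sed -n 's/^[^:]*:\$2[aby]\$\([0-9][0-9]\)\$.*/\1/p'
}

# Audit htpasswd file $1: report every unusable line and every bcrypt entry
# whose cost is below $2 (default 10). Returns the number of unusable lines.
audit_htpasswd() {
    file=$1; min_cost=${2:-10}; bad=0
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        *00) ;;
        *) echo "WARNING: $file is readable by group/others (mode $mode); chmod 600 it" ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        user=${line%%:*}
        if is_bcrypt_entry "$line"; then
            cost=$(bcrypt_cost "$line")
            if [ "$cost" -lt "$min_cost" ]; then
                echo "WARNING: $user uses bcrypt cost $cost (below $min_cost; regenerate with htpasswd -B -C $min_cost)"
            else
                echo "ok:      $user (bcrypt cost $cost)"
            fi
        else
            echo "ERROR:   $user: not a bcrypt entry, the registry will not accept it"
            bad=$((bad + 1))
        fi
    done < "$file"
    return "$bad"
}

# Write a constructed sample to $1. The hash strings are fake values shaped
# like real ones, not real credentials; raj mirrors the cost-5 hash htpasswd -B
# produces by default.
write_sample_htpasswd() {
    cat > "$1" <<'EOF'
alice:$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
raj:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
bob:$apr1$saltsalt$abcdefghijklmnopqrstuv
carol:{SHA}abcdefghijklmnopqrstuvwxyz1=
dave:plaintextpassword
EOF
    chmod 600 "$1"
}

# Demo run on the constructed sample (a temp file, not the real auth/htpasswd).
sample="${TMPDIR:-/tmp}/htpasswd.sample.$$"
write_sample_htpasswd "$sample"
audit_htpasswd "$sample" || echo "$? line(s) must be regenerated with htpasswd -B"
rm -f "$sample"
```

Run it as audit_htpasswd auth/htpasswd before starting registry_basic; the -C cost flag it suggests belongs to Apache's htpasswd, which is the tool the registry image runs with --entrypoint htpasswd above.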

Now our private repository is secured, so to access it we need to log in to it:

[root@ip-172-31-93-16 ~]# docker login repo.docker.local:5000
Username: raj
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@ip-172-31-93-16 ~]#
[root@ip-172-31-93-16 ~]# docker image push repo.docker.local:5000/mariadb
The push refers to repository [repo.docker.local:5000/mariadb]
0a9738aacc8d: Layer already exists
189fe2319039: Layer already exists
0aff0ac22d66: Layer already exists
6c7632269b32: Layer already exists
829531ae5233: Layer already exists
69faac9fc0dc: Layer already exists
3419e6db06bd: Layer already exists
00f4fc732ccd: Layer already exists
68ed6b608570: Layer already exists
38d8a1d432cd: Layer already exists
75e70aa52609: Layer already exists
dda151859818: Layer already exists

Now we are able to push our image to the secure repository.
