How to secure a private docker registry on Red Hat Enterprise Linux 7?
Environment
- Red Hat Enterprise Linux 7
- docker-distribution-2.6.1-1.1.gita25b9ef.el7.x86_64
Issue
- How to secure a docker registry on Red Hat Enterprise Linux 7?
- docker-distribution needs to be configured with an SSL/TLS certificate. What are the steps required to achieve this?
- Authentication needs to be enabled for the docker registry configured using docker-distribution. How can it be configured?
Resolution
Steps to secure docker-distribution with a self-signed certificate and basic HTTP authentication. An explanation of all the directives/configuration options used below can be found in the upstream docker-distribution configuration reference on docs.docker.com.
1. Generate the required certificate and key files for the docker-distribution service
mkdir /etc/docker-distribution/certs
cd /etc/docker-distribution/certs
openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt
Note: Ensure you use the registry FQDN as the CN when generating the certificates.
2. htpasswd based authentication
htpasswd -cB /etc/docker-distribution/registry_passwd registryuser
Note: replace "registryuser" with the appropriate user name. The -B option stores the password as a bcrypt hash, which is the only format docker-distribution accepts.
3. Take a backup of the existing configuration file and replace it with the following contents
mv /etc/docker-distribution/registry/config.yml /root/original-docker-distribution-config.xml
Add the below contents to the file /etc/docker-distribution/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
    environment: development
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /opt/docker-registry
  delete:
    enabled: true
http:
  addr: :5000
  tls:
    certificate: /etc/docker-distribution/certs/domain.crt
    key: /etc/docker-distribution/certs/domain.key
  host: https://registry-internal:5000
  secret: testsecret
  relativeurls: false
auth:
  htpasswd:
    realm: basic-realm
    path: /etc/docker-distribution/registry_passwd
Note:
- Replace the "host" line appropriately with the registry FQDN
- Replace the "secret" with a random value
- Replace the rootdirectory as required
- Indentation must be properly maintained (YAML is indentation sensitive)
- The password format of /etc/docker-distribution/registry_passwd must be bcrypt
4. Start the docker-distribution service
systemctl start docker-distribution
5. Verify whether the docker registry is up using the curl command
curl -u registryuser:redhat -k https://localhost:5000/v2/_catalog
Note:
- It should return an empty repository list
- With -u, pass the username and password created in step 2
6. Docker client configuration
mkdir /etc/docker/certs.d/<FQDN>:5000
Example:
mkdir /etc/docker/certs.d/registry-internal:5000
Copy the domain.crt (example; replace registry-internal with the FQDN):
cp /etc/docker-distribution/certs/domain.crt /etc/docker/certs.d/registry-internal\:5000/domain.crt
Trust this certificate (replace registry-internal appropriately with the FQDN):
cp /etc/docker-distribution/certs/domain.crt /etc/pki/ca-trust/source/anchors/registry-internal.crt
update-ca-trust
Add the newly created registry to the /etc/containers/registries.conf
registries:
- registry.access.redhat.com
- registry-internal:5000
If the atomic-registries package is the latest one (atomic-registries-1.20.1-9.git436cf5d.el7.x86_64), then use the following format instead:
[registries.search]
registries = ['registry.access.redhat.com', 'registry-internal:5000']
Note:
- Create the directory under certs.d according to the FQDN that you configured as the CN while creating the certificate
- Replace registry-internal appropriately
Restart the docker service
systemctl restart docker
7. After making all the changes, execute docker login on the localhost
Example:
docker login https://registry-internal:5000
Note:
- Enter the appropriate username and password used at Step 2
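As an added pre-flight check (an example script, not part of this article or of docker-distribution), the following POSIX shell script verifies the step 3 notes against the two files the procedure creates before the service is started: every entry in the htpasswd file is a bcrypt hash, http.secret is set and is no longer the placeholder testsecret, and http.host is an https:// URL. The file paths are passed as arguments; the article's paths are shown in the usage comments.

```shell
#!/bin/sh
# Pre-flight check for the docker-distribution setup described above
# (added example, not part of the Red Hat article or of docker-distribution).
# It verifies three of the step 3 notes before the service is started:
#   - every entry in the htpasswd file is a bcrypt hash ($2y$/$2a$/$2b$)
#   - http.secret is set and is no longer the placeholder "testsecret"
#   - http.host is an https:// URL (the registry serves TLS only)
# Only POSIX sh, awk and read are used, so it runs on a stock RHEL 7 host.

check_htpasswd_bcrypt() {
    # usage: check_htpasswd_bcrypt /etc/docker-distribution/registry_passwd
    file="$1"; bad=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # Each line is user:hash. Anything that does not start with a bcrypt
    # prefix (e.g. $apr1$ from htpasswd -m) is not accepted by the registry,
    # which only supports bcrypt.
    while IFS=: read -r user hash; do
        [ -z "$user" ] && continue
        case "$hash" in
            '$2y$'*|'$2a$'*|'$2b$'*) ;;
            *) echo "user '$user': hash is not bcrypt" >&2; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

check_registry_config() {
    # usage: check_registry_config /etc/docker-distribution/registry/config.yml
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # Pull the scalar values of the secret: and host: keys (first occurrence).
    secret=$(awk '$1 == "secret:" { print $2; exit }' "$file")
    host=$(awk '$1 == "host:" { print $2; exit }' "$file")
    if [ -z "$secret" ] || [ "$secret" = "testsecret" ]; then
        echo "http.secret is unset or still the example value" >&2; return 1
    fi
    case "$host" in
        https://*) ;;
        *) echo "http.host must be an https:// URL, got '$host'" >&2; return 1 ;;
    esac
    return 0
}

# Stand-alone use: sh check-registry.sh <htpasswd file> <config.yml>
if [ "$#" -eq 2 ]; then
    check_htpasswd_bcrypt "$1" && check_registry_config "$2" \
        && echo "registry pre-flight OK"
fi
```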
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.