Objective
A previous post, "Setting up a Docker registry private warehouse in Ubuntu", showed the simplest way to build a private Docker registry. That setup relied on the Docker daemon's "--insecure-registry" option, which is tolerable on a local network but is a real security risk for anything production-facing: traffic is plain HTTP, and anyone who can reach the port can push and pull. This post adds authentication instead: Nginx sits in front of the registry as a reverse proxy, terminates TLS, and refuses requests from clients that cannot present valid credentials.
Experimental environment
Server: Ubuntu 16.04, Docker 17.12.0-ce
Client: Ubuntu 14.04, Docker 17.12.0-ce
If you want to upgrade the Docker version of your system, please refer to this article: "Update and installation of the Ubuntu Docker version."
or refer to: "Docker Ubuntu 16.04 installs stable version, Community Edition Version".
Start the experiment.
Because Nginx will serve as the authenticating front end, we also need apache2-utils, whose htpasswd tool generates the user/password file. docker-compose is used to define and run the two containers, and curl is used to test the results.
Before you start the experiment, make sure you have installed the Docker-ce version.
Let's start with the experiment.
1 Installing the necessary tools
apt-get install -y docker-compose apache2-utils curl
2 Creating some file directories
mkdir /docker-registry
mkdir /docker-registry/data
mkdir /docker-registry/nginx
chown root:root /docker-registry
cd /docker-registry
3 Creating a Docker-compose.yml file (for defining Docker container properties)
cat docker-compose.yml

nginx:
  image: "nginx:1.9"
  ports:
    - 443:443
  links:
    - registry:registry
  volumes:
    - /docker-registry/nginx/:/etc/nginx/conf.d
registry:
  image: registry:2
  ports:
    - 127.0.0.1:5000:5000
  environment:
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
  volumes:
    - /docker-registry/data:/data
Description
The docker-compose.yml file first defines the registry container. Its port 5000 is published only on the host's loopback address (127.0.0.1:5000), so the unauthenticated registry API is never reachable from the network; every external request has to come through Nginx. The registry stores images under /data inside the container, which is bound to /docker-registry/data on the host.
The nginx container is then created and connected to the registry container through the links parameter, so Nginx can reach the registry by name (Docker writes the registry container's IP into the Nginx container's /etc/hosts). Nginx is the only container that publishes a port (443) to the outside.
4 Starting the container
docker-compose up
Note: docker-compose creates the two containers defined in docker-compose.yml and, in this form, keeps them attached to the terminal, printing the logs of both.
Because it runs in the foreground, stop it with Ctrl + C.
If you want to run in the background, you can use
docker-compose up -d
Create a Docker-registry.service file
Ubuntu 14.04 and earlier use upstart; managing the service with systemd requires Ubuntu 15.04 or later. I am using Ubuntu 16.04, which ships with systemd.

vi /etc/systemd/system/docker-registry.service

[Unit]
Description=Starting docker registry
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/docker-registry
ExecStart=/usr/bin/docker-compose up
ExecStop=/usr/bin/docker-compose stop
Restart=always

[Install]
WantedBy=multi-user.target

The After= and Requires= lines make sure the unit is not started before the Docker daemon is up; ExecStop= stops the containers cleanly instead of just killing docker-compose.
Description: after systemctl daemon-reload, the Nginx and registry containers can be managed with service docker-registry start/stop/restart, which is very convenient; systemctl enable docker-registry makes them start at boot.
Test:
service docker-registry start
service docker-registry status
The status output should show the unit as active and both containers running.
From here on, we can use service docker-registry restart to restart the containers.
5 Setting the configuration file for Nginx service
vi /docker-registry/nginx/registry.conf

upstream docker-registry {
  server registry:5000;
}

server {
  listen 443;
  server_name myregistrydomain.com;

  # SSL
  # ssl on;
  # ssl_certificate /etc/nginx/conf.d/domain.crt;
  # ssl_certificate_key /etc/nginx/conf.d/domain.key;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
  chunked_transfer_encoding on;

  location /v2/ {
    # Do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
      return 404;
    }

    # To add basic authentication to v2 use auth_basic setting plus add_header
    # auth_basic "registry.localhost";
    # auth_basic_user_file /etc/nginx/conf.d/registry.password;
    # add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    proxy_pass                          http://docker-registry;
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;
  }
}
Test
service docker-registry restart
curl http://localhost:5000/v2/
The result should be:
{}
Port 5000 is the registry itself on the loopback interface, so this only proves that the registry is up. curl http://localhost:443/v2/ goes through Nginx and should return the same {} at this stage, because authentication is still commented out.
6 Set security rights authentication, create user
cd /docker-registry/nginx
htpasswd -c registry.password mydocker
New password:
Re-type new password:
Adding password for user mydocker

Description: the htpasswd tool from apache2-utils creates a file containing the user name and a salted hash of the password (not the plaintext). The -c flag creates the file; omit it when adding further users, because -c recreates the file and silently drops the existing entries.
Open registry.conf file again
vi /docker-registry/nginx/registry.conf
Uncomment the following three lines in the location /v2/ block:

auth_basic "registry.localhost";
auth_basic_user_file /etc/nginx/conf.d/registry.password;
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
Re-Test
service docker-registry restart
curl http://localhost:443/v2/
The response is now Nginx's "401 Authorization Required" page (nginx/1.9.15), because no credentials were supplied.
Test again with user name and user password
curl http://mydocker:<password>@localhost:443/v2/
{}

Description: at this point we have working authentication on a LAN, but this still must not be exposed as a server. HTTP basic authentication only base64-encodes the credentials, so without TLS the user name and password (and every image layer) travel in cleartext. The next step is to enable SSL.
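The password file, as an added shell example that is not part of the original post: it writes entries in the same apr1 (MD5-crypt) format that htpasswd emits by default and that Nginx's auth_basic reads, replaces an existing user's entry instead of recreating the whole file (the htpasswd -c trap described above), and checks a user/password pair against the file the way Nginx does, by re-hashing with the stored salt. The file path, user names and passwords are assumptions; fixed salts are used in the tests only so the output is reproducible.

```shell
#!/bin/sh
# Added example (not from the original post): maintain Nginx's registry.password
# without apache2-utils and without the `htpasswd -c` overwrite trap.
# PASSWD_FILE, user names and passwords are assumptions.
set -eu

PASSWD_FILE="${PASSWD_FILE:-$(mktemp)}"

# apr1 (MD5-crypt) hash: the format htpasswd emits by default and Nginx accepts.
# Salt: up to 8 characters from [A-Za-z0-9./].
hash_apr1() {            # hash_apr1 PASSWORD SALT
    openssl passwd -apr1 -salt "$2" "$1"
}

# add_user USER PASSWORD [SALT]: add or replace USER's line, keeping other users.
add_user() {
    user="$1"; pass="$2"; salt="${3:-$(openssl rand -hex 4)}"
    tmp="$PASSWD_FILE.tmp"
    {
        # keep the lines of all other users (grep exits 1 when none are left)
        if [ -f "$PASSWD_FILE" ]; then grep -v "^$user:" "$PASSWD_FILE" || true; fi
        printf '%s:%s\n' "$user" "$(hash_apr1 "$pass" "$salt")"
    } > "$tmp"
    mv "$tmp" "$PASSWD_FILE"
}

# check_login USER PASSWORD: exit 0 if the pair matches the stored hash.
# Re-hash with the salt taken from the stored "$apr1$SALT$..." and compare,
# which is what Nginx does for auth_basic.
check_login() {
    stored="$(grep "^$1:" "$PASSWD_FILE" 2>/dev/null | cut -d: -f2- || true)"
    [ -n "$stored" ] || return 1
    salt="$(printf '%s' "$stored" | cut -d'$' -f3)"
    [ "$(hash_apr1 "$2" "$salt")" = "$stored" ]
}

# user_count: number of entries in the file
user_count() {
    grep -c . "$PASSWD_FILE"
}

if [ "${1:-}" = "run" ]; then
    add_user mydocker 'change-me'       # like `htpasswd -c registry.password mydocker`
    add_user ci-bot  'another-secret'   # second user; -c would have wiped mydocker
    check_login mydocker 'change-me' && echo "mydocker: ok"
    check_login ci-bot  'wrong' || echo "ci-bot with wrong password: rejected"
    echo "$(user_count) users in $PASSWD_FILE"
fi
```

Run it with sh registry-password.sh run (the script name is an assumption) and copy the resulting file to /docker-registry/nginx/registry.password. apr1 is what the nginx:1.9 image can verify with its own crypt; stronger formats such as bcrypt are not supported by that image's glibc-based crypt, so the real protection for these credentials is the TLS layer added in the next step.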
7 Set SSL Security Authentication
7.1 Open the registry.conf file again
vi /docker-registry/nginx/registry.conf
Uncomment the SSL lines and set server_name to your own domain:

upstream docker-registry {
  server registry:5000;
}

server {
  listen 443;
  server_name docker-server.com;

  # SSL
  ssl on;
  ssl_certificate /etc/nginx/conf.d/domain.crt;
  ssl_certificate_key /etc/nginx/conf.d/domain.key;
7.2 Creating a certificate authority
cd /docker-registry/nginx
Create a new root key:
openssl genrsa -out dockerCA.key 2048
Create the root certificate.
Enter docker-server.com as the Common Name and fill in the remaining fields as you like. (Giving the CA a Common Name different from the server's, for example "Docker Registry CA", avoids a chain in which issuer and subject read identically and makes the CA easier to recognise in the trust store.)
openssl req -x509 -new -nodes -key dockerCA.key -days 10000 -out dockerCA.crt
Create the server key (this is what Nginx's ssl_certificate_key points to):
openssl genrsa -out domain.key 2048
and create a certificate signing request.
The Common Name must again be docker-server.com, the name clients will use to reach the registry; leave the challenge password empty. Note that the Docker client is written in Go, and Go 1.15 and later ignore the Common Name entirely: for current clients the host name must also appear as a subjectAltName, which openssl x509 -req can add with -extfile.
openssl req -new -key domain.key -out docker-registry.com.csr
Finally, sign the request with the CA:
openssl x509 -req -in docker-registry.com.csr -CA dockerCA.crt -CAkey dockerCA.key -CAcreateserial -out domain.crt -days 10000
Copy dockerCA.crt
cd /docker-registry/nginx
cp dockerCA.crt /usr/local/share/ca-certificates/
To make the server itself trust our certificate authority, run
update-ca-certificates && service docker restart && service docker-registry restart
Test
curl https://mydocker:<password>@docker-server.com/v2/
The output should be:
{}
(docker-server.com must resolve on the server as well, for example through /etc/hosts, and curl now validates the certificate against the system trust store updated above.)
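Step 7.2, as an added shell example that is not part of the original post: it generates the CA and the server certificate with fixed subjects (no prompts), adds a subjectAltName so that current Go-based Docker clients accept the certificate, and then verifies the result the way a client does: a chain to dockerCA.crt plus a host-name match. It also checks that the certificate is rejected when our CA is not in the trust store, which is exactly what update-ca-certificates on the client fixes. The host name docker-server.com, the CA name "Docker Registry CA" and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate the registry CA and a
# server certificate with a subjectAltName, then verify chain and host name.
# REGISTRY_HOST, the CA name and the scratch directory are assumptions.
set -eu

REGISTRY_HOST="${REGISTRY_HOST:-docker-server.com}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Root CA. A subject distinct from the server's keeps issuer and subject apart.
make_ca() {
    openssl genrsa -out "$WORKDIR/dockerCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORKDIR/dockerCA.key" -days 10000 \
        -subj "/CN=Docker Registry CA" -out "$WORKDIR/dockerCA.crt" 2>/dev/null
}

# Server key, CSR and CA-signed certificate for the host name in $1.
# The subjectAltName is what Go >= 1.15 (hence recent Docker clients) checks;
# the Common Name alone is no longer enough.
make_server_cert() {
    host="$1"
    openssl genrsa -out "$WORKDIR/domain.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/domain.key" -subj "/CN=$host" \
        -out "$WORKDIR/domain.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORKDIR/san.ext"
    openssl x509 -req -in "$WORKDIR/domain.csr" \
        -CA "$WORKDIR/dockerCA.crt" -CAkey "$WORKDIR/dockerCA.key" -CAcreateserial \
        -days 10000 -extfile "$WORKDIR/san.ext" -out "$WORKDIR/domain.crt" 2>/dev/null
}

# Exit 0 when domain.crt chains to dockerCA.crt and matches host name $1.
# Success is detected by the "...: OK" line so that old and new openssl
# releases, whose exit codes differ, behave the same.
verify_for_host() {
    openssl verify -CAfile "$WORKDIR/dockerCA.crt" -verify_hostname "$1" \
        "$WORKDIR/domain.crt" 2>&1 | grep -q ': OK$'
}

# Exit 0 only if the certificate is NOT trusted without our CA in the store,
# i.e. a client that skipped update-ca-certificates would refuse it.
untrusted_without_ca() {
    ! openssl verify "$WORKDIR/domain.crt" 2>&1 | grep -q ': OK$'
}

# Print the SAN of the issued certificate, e.g. "DNS:docker-server.com".
issued_san() {
    openssl x509 -in "$WORKDIR/domain.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

if [ "${1:-}" = "run" ]; then
    make_ca
    make_server_cert "$REGISTRY_HOST"
    verify_for_host "$REGISTRY_HOST" && echo "chain OK, SAN: $(issued_san)"
    echo "dockerCA.crt, domain.key and domain.crt are in $WORKDIR"
fi
```

Run it with sh make-registry-certs.sh run (the script name is an assumption) and copy domain.key and domain.crt to /docker-registry/nginx/ and dockerCA.crt to the trust store as in the steps above. Keep dockerCA.key off the registry host altogether once signing is done: whoever holds it can issue a certificate for any name your clients trust.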
8 Copying dockerCA.crt to the client
scp dockerCA.crt <user>@<client>:/usr/local/share/ca-certificates/
<user>@<client>'s password:
dockerCA.crt    100% 1302   1.3KB/s   00:00
If the client does not have a /usr/local/share/ca-certificates directory, create it first. Only the certificate is copied; the CA private key stays on the server.
9 Client Login Server Warehouse
First, the client must be able to resolve the registry name, so add it to /etc/hosts:
192.168.188.113 docker-server.com # (this is the IP address of the server used in the experiment)
Then trust the CA, restart Docker and log in to the freshly created registry:
update-ca-certificates && service docker restart
docker login https://docker-server.com
Username: mydocker
Password:
Login Succeeded
Note that docker login stores the credentials base64-encoded in ~/.docker/config.json unless a credential helper is configured, so protect that file like a password.
9.1 Push mirroring on client
docker pull ubuntu                                  # pull the image from Docker Hub
docker tag ubuntu docker-server.com/test-ubuntu     # tag it with the private registry's name
docker push docker-server.com/test-ubuntu           # push it to the private registry
Confirm Test
Delete the image on the client. Both tags point at the same local image, so remove both, otherwise the pull below would find the layers already present and prove nothing:
docker image rm -f docker-server.com/test-ubuntu ubuntu
Then pull test-ubuntu from the docker-server.com registry:
docker pull docker-server.com/test-ubuntu
The pull completes with every layer fetched from docker-server.com.
OK, it's a success.
If you run into problems during the experiment, check the logs:
journalctl -u docker          # Docker daemon logs in the systemd journal
journalctl -u docker-registry # output of docker-compose, i.e. the Nginx and registry containers
journalctl | grep docker      # system logs that mention Docker
Summarize
The reverse proxy does the security work: Nginx terminates TLS, enforces basic authentication, and is the only component exposed on the network, while the registry itself listens only on loopback. This gives the private registry proper access control instead of the --insecure-registry shortcut.
Reference article:
"Private Docker Registry in Ubuntu Server 16.04"
Build a private Docker registry warehouse that requires signature verification in Ubuntu