This repository has been archived by the owner on Sep 15, 2022. It is now read-only.

generate certs if REGISTRY_TLS_VERIFY #31

Merged (18 commits) Nov 12, 2014

Conversation

proppy (Member) commented Nov 7, 2014

Usage:

docker run -e REGISTRY_TLS_VERIFY=1 \
  -v /etc/docker/certs.d:/certs.d -p 5000:5000 \
  -e GCS_BUCKET= -e GCP_OAUTH2_REFRESH_TOKEN= \
  google/docker-registry 

while waiting for docker-archive#693 to be merged.

/cc @tiborvass @dmp42 @dlorenc @ktintc @jbeda

@tiborvass

@proppy If possible I'd like to agree on the API before this is merged. At the time of writing, we don't use SECURE=ssl but check for the /ssl directory, we don't use volumes, only bind-mounts, and you're not doing the entrypoint and cmd the same way.

I hope to get it all sorted out today.

proppy (Member, Author) commented Nov 7, 2014

Hey @tiborvass, I didn't mean to cause you more trouble. I'm fine with switching to the upstream convention once yours gets merged.

proppy (Member, Author) commented Nov 7, 2014

@tiborvass changed the ENTRYPOINT to match yours.

A few comments about the rationale behind the other changes:

  • having a separate SECURE variable makes it easy to switch the protocol.
  • having a separate VOLUME for generating the certs and exporting them makes it so you can only export the CA in certs.d
  • having a separate bind mount for the certs when supplying them allows you to use a different set of ca/certs for the registry, w/o messing with certs.d; not sure what is more convenient though.

Sorry I didn't mention those earlier, most of them came up while I was playing with implementing a PoC w/ openssl.

proppy (Member, Author) commented Nov 7, 2014

@mmdriley @ewindisch, crypto noob here: is that "cool" to use a self-signed CA cert as the server cert and a CA key as the server key?

mmdriley commented Nov 7, 2014

If you ever need to rev the certificate then you'd have to install a new CA on all clients. Seems poor?

proppy (Member, Author) commented Nov 7, 2014

So you'd recommend maintaining a separate server and CA cert?

Note that the CA cert is bind mounted in /etc/docker/certs.d/<ip>:<port>, so the client doesn't really need to track it.

proppy (Member, Author) commented Nov 7, 2014

@mmdriley generating separate server certs/key, PTAL
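The split mmdriley asks for above, as an added shell example that is not code from this PR: a local CA whose key never leaves the generation directory, a server cert signed by it with the hostnames the thread discusses as SANs, and a re-issue step that rotates the server cert while ca.crt (the only file clients trust) stays unchanged. It assumes openssl is on PATH; the directory argument and the helper names are mine.

```shell
# Added example, not from the PR. Assumes openssl on PATH; "$1" is a scratch dir.
gen_ca_and_server() {
  dir="$1"
  cat > "$dir/ssl.conf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = boot2docker
DNS.3 = boot2docker.local
EOF
  # Self-signed CA: ca.crt is what goes into /etc/docker/certs.d/<host>:<port>; ca.key stays here.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Local CA" -config "$dir/ssl.conf" -extensions v3_ca \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  issue_server_cert "$dir"
}

# Issue the server cert from a fresh key. Re-running rotates key and cert
# without touching ca.crt, so nothing has to be re-installed on clients.
issue_server_cert() {
  dir="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Local Docker registry" \
    -config "$dir/ssl.conf" -keyout "$dir/registry.key" -out "$dir/registry.csr" 2>/dev/null
  # x509 -req drops CSR extensions, so the SANs are re-applied from the extfile here.
  openssl x509 -req -in "$dir/registry.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -extfile "$dir/ssl.conf" -extensions v3_server \
    -out "$dir/registry.crt" 2>/dev/null
}

# Succeeds only if registry.crt chains to ca.crt and lists "$2" as a DNS SAN.
verify_server_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/registry.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/registry.crt" -noout -text | grep -qE "DNS:$2(,|\$)"
}

# SHA-256 fingerprint of the current server cert, used to show that rotation changed it.
server_fingerprint() {
  openssl x509 -in "$1/registry.crt" -noout -fingerprint -sha256
}
```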

proppy changed the title from "generate certs if SECURE=ssl" to "generate certs if REGISTRY_TLS_VERIFY" on Nov 8, 2014

proppy (Member, Author) commented Nov 10, 2014

@dlorenc can I get a review?

@tiborvass

So the registry certs need to be, not in /etc/docker/certs.d but in /etc/docker/certs.d/$REGISTRY_COMMON_NAME. The problem is that it includes a : and thus makes it impossible to bind mount.

One way to get around that is to bind mount /etc/docker/certs.d, but that would expose other registries' certs to the container.

proppy (Member, Author) commented Nov 10, 2014

@tiborvass the upstream "spec" only defines the default for GUNICORN_OPTS to /ssl, and it's up to the caller to export the certs in the right place.

So I could imagine it's up to whoever consumes generate_certs output to put the cert in the right place so that the daemon can look it up.

@tiborvass

@proppy oh right, I was just reading the documentation that needs to be fixed then :)

EDIT: or rather, docker has to have escaping for : first.

proppy (Member, Author) commented Nov 10, 2014

@tiborvass, yes the current docs assume -v /etc/docker/certs.d when "generating certs": when you bring your own certs I'd assume you would already have them in the right place and won't need the /etc/docker/certs.d bind mount.

@@ -53,5 +54,37 @@ else
fi
fi

export GCS_BUCKET BOTO_PATH
exec docker-registry $*
if [ -n "${REGISTRY_TLS_VERIFY}" ]; then
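Review bot: `exec docker-registry $*` should be `exec docker-registry "$@"`, otherwise any argument containing whitespace is re-split before it reaches the registry. Also, in this excerpt the `if [ -n "${REGISTRY_TLS_VERIFY}" ]; then` line comes after the `exec`; since `exec` replaces the shell, nothing below it ever runs, so confirm the cert-generation block is placed before the `exec` in the actual file.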
Member Author


only generate if GUNICORN_OPTS is empty.

Member Author


Done

proppy (Member, Author) commented Nov 10, 2014

PTAL

proppy (Member, Author) commented Nov 11, 2014

PTAL @mmdriley @ktintc @dlorenc I'd like to move forward with this.

proppy (Member, Author) commented Nov 11, 2014

FYI built: proppy/docker-registry:ssl for testing.

ktintc commented Nov 11, 2014

lgtm, thank you!

proppy (Member, Author) commented Nov 11, 2014

@mmdriley PTAL simplified a lot based on your offline feedback.

No more conditional check if the certs exist, and I don't document /ssl mount anymore.

EOF
echo 01 > /ssl/ca.srl
openssl req -subj "/CN=local docker registry CA" -config /ssl/ssl.conf -extensions v3_ca -new -x509 -days 365 -newkey rsa:2048 -nodes -keyout /ssl/ca.key -out /ssl/ca.crt
openssl req -subj "/CN=local docker server cert" -config /ssl/ssl.conf -reqexts v3_req -new -newkey rsa:2048 -nodes -keyout /ssl/registry.key -out /ssl/registry.csr
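Review bot: both keys are written with `-nodes` into the same /ssl directory, so /ssl/ca.key ends up next to the server key and cert; only /ssl/ca.crt should ever be exported into certs.d, and the CA key should not be part of anything handed to the daemon or to users. Separately, the CSR uses `-reqexts v3_req`, but the signing command is not in this excerpt; make sure it passes `-extfile`/`-extensions`, because `openssl x509 -req` does not carry extensions (including the subjectAltName) over from the CSR by default.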


I'd go with "Local CA" and "Local Docker registry".

Member Author


Done

@mmdriley

Seems okay to me modulo above comments.

proppy (Member, Author) commented Nov 11, 2014

@tiborvass can you LGTM before I merge?

# assuming CA is already in /etc/docker/certs.d
docker run -e REGISTRY_TLS_VERIFY=1 \
-v /mycerts:/ssl \
-e GUNICORN_OPTS="['--certfile','/ssl/myserver.cert','--keyfile','/ssl/myserver.key','--ca-certs','/ssl/myca.crt']" \
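Review bot: the comment "assuming CA is already in /etc/docker/certs.d" should name the per-registry subdirectory, `/etc/docker/certs.d/<ip>:<port>`, as discussed earlier in this thread; a CA placed directly in certs.d is not picked up for the registry. This example also has no `--ssl-version` in GUNICORN_OPTS, so the server accepts whatever protocol version gunicorn defaults to; adding it here keeps the documented command consistent with the generated-cert path.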


@proppy don't you wanna make sure users are using tlsv1 ? (would need '--ssl-version', 3)

Member Author


Done.

nsCertType = server
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
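Review bot: `nsCertType = server` is a legacy Netscape extension that current TLS clients do not evaluate; the server cert should carry `extendedKeyUsage = serverAuth` instead (keeping nsCertType alongside it is harmless). The `[alt_names]` list is hardcoded to `localhost`, so any other hostname used to reach the registry fails hostname verification; generating this section from the configured host (the BOOT2DOCKER_HOST value mentioned later in the thread) rather than fixing it in the file would avoid that.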


@proppy this is hardcoded, isn't it?

Member Author


yes, because when we generate certs we really only care about localhost/boot2docker.

If you want to support arbitrary hostnames you should bring your own cert for now.

See also #33 for later

@tiborvass

@proppy x509: certificate is valid for localhost, boot2docker.local, not boot2docker
but this is what I have on my boot2docker in /etc/hosts: 127.0.0.1 boot2docker localhost localhost.local

EDIT: works if I pass -e BOOT2DOCKER_HOST=boot2docker, so at least I tested that :) But it would be good to have boot2docker as part of the default.

proppy (Member, Author) commented Nov 12, 2014

Fixed, PTAL

@tiborvass

LGTM

proppy added a commit that referenced this pull request Nov 12, 2014
generate certs if REGISTRY_TLS_VERIFY
proppy merged commit 569a4d6 into GoogleCloudPlatform:master Nov 12, 2014
4 participants