diff --git a/Dockerfile b/Dockerfile
index b56262b31..bc482e9e6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM google/debian:wheezy
-RUN apt-get update && apt-get install --no-install-recommends -yq python-pip build-essential python-dev liblzma-dev libffi-dev curl
-RUN pip install docker-registry==0.8.1
+RUN apt-get update && apt-get install --no-install-recommends -yq python-pip build-essential python-dev liblzma-dev libffi-dev curl openssl
+RUN pip install docker-registry==0.9
 ADD requirements.txt /docker-registry-gcs-plugin/requirements.txt
 RUN pip install -r /docker-registry-gcs-plugin/requirements.txt
@@ -16,6 +16,10 @@ ADD run.sh /docker-registry/
 # Credentials. Use --volumes-from gcloud-config (google/cloud-sdk).
 VOLUME ["/.config"]
+# ssl certs
+VOLUME ["/ssl"]
+VOLUME ["/certs.d"]
+
 # These should be set if credentials are obtained with google/cloud-sdk.
 ENV OAUTH2_CLIENT_ID 32555940559.apps.googleusercontent.com
 ENV OAUTH2_CLIENT_SECRET ZmssLNjJy2998hD4CTg2ejr2
@@ -25,4 +29,5 @@ EXPOSE 5000
 ENV SETTINGS_FLAVOR prod
 WORKDIR /docker-registry
+CMD ["docker-registry"]
 ENTRYPOINT ["./run.sh"]
diff --git a/README.md b/README.md
index 123b8fb1b..848f564a9 100644
--- a/README.md
+++ b/README.md
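Review bot: The rewritten apt-get line in the first hunk still installs every package unpinned and leaves the apt lists in the layer; since the line is being touched anyway, append `&& rm -rf /var/lib/apt/lists/*` and pin at least the newly added `openssl` to the release version the image is expected to carry. `openssl` is not a build-time tool here but a runtime dependency of run.sh, which generates a local CA and server key at container start, so a comment such as `# openssl: run.sh mints a local CA/server cert when REGISTRY_TLS_VERIFY is set` would explain why it is in the list.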
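Review bot: The `# ssl certs` comment on the new `VOLUME ["/ssl"]` and `VOLUME ["/certs.d"]` lines in the second hunk does not say what each mount carries or who writes it: run.sh generates the CA and server private keys into `/ssl`, and it copies the generated `ca.crt` into `/certs.d/${REGISTRY_ADDR}/`, which the README binds to the host daemon's `/etc/docker/certs.d` — so a mounted `/certs.d` lets the container install a trust anchor into the host's Docker daemon, and that belongs next to the declaration. Something like `# /ssl: server key/cert; generated by run.sh when REGISTRY_TLS_VERIFY is set and GUNICORN_OPTS is empty` and `# /certs.d: bind the daemon's /etc/docker/certs.d here so run.sh can publish ca.crt for REGISTRY_ADDR` would do. Because `/ssl` is a declared volume, keys generated without an explicit `-v …:/ssl` presumably land in an anonymous volume that outlives the container unless it is removed with `docker rm -v`; that is worth a sentence in the README as well.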
@@ -62,6 +62,28 @@ There are three ways to specify the credentials:
 $ gcutil ssh my-docker-vm
 $ sudo docker run -d -e GCS_BUCKET=your-bucket -p 5000:5000 google/docker-registry
+### SSL
+ # generate credentials
+ # run on localhost:5000
+ # and copy CA to /etc/docker/certs.d/localhost:5000/ca.crt
+ docker run -e REGISTRY_TLS_VERIFY=1 \
+ -v /etc/docker/certs.d:/certs.d \
+ -p 127.0.0.1:5000:5000 ... google/docker-registry
+ # generate credentials
+ # run on localhost:9000
+ # copy CA to /etc/docker/certs.d/localhost:9000/ca.crt
+ docker run -e REGISTRY_TLS_VERIFY=1 \
+ -e REGISTRY_ADDR=localhost:9000
+ -v /etc/docker/certs.d:/certs.d \
+ -p 127.0.0.1:9000:5000 ... google/docker-registry
+ # use custom credentials from /mycerts
+ # assuming CA is already in /etc/docker/certs.d
+ docker run -e REGISTRY_TLS_VERIFY=1 \
+ -v /mycerts:/ssl \
+ -e GUNICORN_OPTS="['--certfile','/ssl/myserver.cert','--keyfile','/ssl/myserver.key','--ca-certs','/ssl/myca.crt','--ssl-version',3]" \
+ -p 127.0.0.1:5000:5000 ... google/docker-registry
+
+
 ### Using the registry
 docker tag myawesomeimage localhost:5000/myawesomeimage
diff --git a/requirements.txt b/requirements.txt
index 1a5e646fe..78a06ca05 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,2 @@
-docker-registry-core==2.0.2
+docker-registry-core==2.0.3
 gcs-oauth2-boto-plugin==1.8
diff --git a/run.sh b/run.sh
index 7aac07da6..897e84ebe 100755
--- a/run.sh
+++ b/run.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+set -e
 USAGE="docker run -e GCS_BUCKET= \
 [-e GCP_ACCOUNT='' ] \
@@ -53,5 +54,43 @@ else
 fi
 fi
-export GCS_BUCKET BOTO_PATH
-exec docker-registry $*
+if [ -n "${REGISTRY_TLS_VERIFY}" ] && [ -z "${GUNICORN_OPTS}" ]; then
+ : ${REGISTRY_ADDR:="localhost:5000"}
+ : ${REGISTRY_ALT_NAMES_DNS_1:="localhost"}
+ : ${REGISTRY_ALT_NAMES_DNS_2:="boot2docker"}
+ : ${REGISTRY_ALT_NAMES_DNS_3:="boot2docker.local"}
+ : ${REGISTRY_ALT_NAMES_IP_1:="127.0.0.1"}
+ : ${REGISTRY_ALT_NAMES_IP_2:="192.168.59.103"}
+ cat < /ssl/ssl.conf
+[req]
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[v3_ca]
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, keyCertSign
+subjectAltName = @alt_names
+[v3_req]
+basicConstraints = critical, CA:false
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, serverAuth
+nsCertType = server
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = ${REGISTRY_ALT_NAMES_DNS_1}
+DNS.2 = ${REGISTRY_ALT_NAMES_DNS_2}
+DNS.3 = ${REGISTRY_ALT_NAMES_DNS_3}
+IP.1 = ${REGISTRY_ALT_NAMES_IP_1}
+IP.2 = ${REGISTRY_ALT_NAMES_IP_2}
+EOF
+ echo 01 > /ssl/ca.srl
+ openssl req -subj "/CN=Local CA" -config /ssl/ssl.conf -extensions v3_ca -new -x509 -days 365 -newkey rsa:2048 -nodes -keyout /ssl/ca.key -out /ssl/ca.crt && chmod 600 /ssl/ca.key
+ openssl req -subj "/CN=Local Docker registry" -config /ssl/ssl.conf -reqexts v3_req -new -newkey rsa:2048 -nodes -keyout /ssl/registry.key -out /ssl/registry.csr && chmod 600 /ssl/registry.key
+ openssl x509 -req -extfile /ssl/ssl.conf -extensions v3_req -days 365 -in /ssl/registry.csr -CA /ssl/ca.crt -CAkey /ssl/ca.key -out /ssl/registry.cert
+ mkdir -p /certs.d/${REGISTRY_ADDR}
+ cp /ssl/ca.crt /certs.d/${REGISTRY_ADDR}/
+ SSL_VERSION=$(python -c 'import ssl; print ssl.PROTOCOL_TLSv1')
+ : ${GUNICORN_OPTS:="['--certfile','/ssl/registry.cert','--keyfile','/ssl/registry.key','--ca-certs','/ssl/ca.crt','--ssl-version','$SSL_VERSION']"}
+fi
+
+export GCS_BUCKET BOTO_PATH GUNICORN_OPTS
+exec "$@"
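Review bot: The key-generation block runs on every container start, because nothing checks whether `/ssl/registry.cert` already exists, so each restart mints a new CA and server key and any `ca.crt` previously copied to another host's `/etc/docker/certs.d` stops matching; the generation should be guarded on existing material. The private keys are created with the process umask and only narrowed by the trailing `chmod 600`, so run the `openssl` calls under `umask 077` in a subshell instead (the `chmod` suffixes then become redundant), and consider removing `/ssl/ca.key` once `registry.cert` is signed, since it is not needed at runtime and any holder of it can issue certificates trusted by every daemon that received this CA. `${REGISTRY_ADDR}` is interpolated unquoted into `mkdir -p /certs.d/${REGISTRY_ADDR}` and the `cp` target, which the README binds to the host daemon's `/etc/docker/certs.d`; quote it and reject values containing `/` or `..` so the copy cannot land outside that directory. `--ssl-version` is pinned to `ssl.PROTOCOL_TLSv1` (TLS 1.0 only); if the image's Python exposes `ssl.PROTOCOL_TLSv1_2` prefer that, otherwise state the limitation in a comment. As rendered here the heredoc line reads `cat < /ssl/ssl.conf`, presumably `cat <<EOF > /ssl/ssl.conf` with the redirection lost in rendering, which the sketch below assumes.

```shell
if [ -n "${REGISTRY_TLS_VERIFY}" ] && [ -z "${GUNICORN_OPTS}" ]; then
  : ${REGISTRY_ADDR:="localhost:5000"}
  case "${REGISTRY_ADDR}" in
    */*|*..*) echo "REGISTRY_ADDR must be host[:port]" >&2; exit 1 ;;
  esac
  # … unchanged: REGISTRY_ALT_NAMES_* defaults …
  # Reuse existing material so a restart does not replace a CA that clients already trust.
  if [ ! -s /ssl/registry.cert ] || [ ! -s /ssl/registry.key ]; then
    (
      umask 077
      # … unchanged: ssl.conf heredoc, ca.srl, the three openssl calls without the chmod suffixes …
      chmod 644 /ssl/ca.crt /ssl/registry.cert
      rm -f /ssl/registry.csr
      # optional: rm -f /ssl/ca.key   # only needed to sign the one server cert above
    )
  fi
  mkdir -p "/certs.d/${REGISTRY_ADDR}"
  cp /ssl/ca.crt "/certs.d/${REGISTRY_ADDR}/"
  # … unchanged: SSL_VERSION and the GUNICORN_OPTS default …
fi
```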