Skip to content
This repository has been archived by the owner on Sep 15, 2022. It is now read-only.

generate certs if REGISTRY_TLS_VERIFY #31

Merged
merged 18 commits into from
Nov 12, 2014
Merged
Show file tree
Hide file tree
Changes from 14 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
FROM google/debian:wheezy

RUN apt-get update && apt-get install --no-install-recommends -yq python-pip build-essential python-dev liblzma-dev libffi-dev curl
RUN pip install docker-registry==0.8.1
RUN apt-get update && apt-get install --no-install-recommends -yq python-pip build-essential python-dev liblzma-dev libffi-dev curl openssl
RUN pip install docker-registry==0.9

ADD requirements.txt /docker-registry-gcs-plugin/requirements.txt
RUN pip install -r /docker-registry-gcs-plugin/requirements.txt
Expand All @@ -16,6 +16,10 @@ ADD run.sh /docker-registry/
# Credentials. Use --volumes-from gcloud-config (google/cloud-sdk).
VOLUME ["/.config"]

# ssl certs
VOLUME ["/ssl"]
VOLUME ["/certs.d"]

# These should be set if credentials are obtained with google/cloud-sdk.
ENV OAUTH2_CLIENT_ID 32555940559.apps.googleusercontent.com
ENV OAUTH2_CLIENT_SECRET ZmssLNjJy2998hD4CTg2ejr2
Expand All @@ -25,4 +29,5 @@ EXPOSE 5000

ENV SETTINGS_FLAVOR prod
WORKDIR /docker-registry
CMD ["docker-registry"]
ENTRYPOINT ["./run.sh"]
22 changes: 22 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,28 @@ There are three ways to specify the credentials:
$ gcutil ssh my-docker-vm
$ sudo docker run -d -e GCS_BUCKET=your-bucket -p 5000:5000 google/docker-registry

### SSL
# generate credentials
# run on localhost:5000
# and copy CA to /etc/docker/certs.d/localhost:5000/ca.crt
docker run -e REGISTRY_TLS_VERIFY=1 \
-v /etc/docker/certs.d:/certs.d \
-p 127.0.0.1:5000:5000 ... google/docker-registry
# generate credentials
# run on localhost:9000
# copy CA to /etc/docker/certs.d/localhost:9000/ca.crt
docker run -e REGISTRY_TLS_VERIFY=1 \
-e REGISTRY_ADDR=localhost:9000
-v /etc/docker/certs.d:/certs.d \
-p 127.0.0.1:9000:5000 ... google/docker-registry
# use custom credentials from /mycerts
# assuming CA is already in /etc/docker/certs.d
docker run -e REGISTRY_TLS_VERIFY=1 \
-v /mycerts:/ssl \
-e GUNICORN_OPTS="['--certfile','/ssl/myserver.cert','--keyfile','/ssl/myserver.key','--ca-certs','/ssl/myca.crt','--ssl-version',3]" \
-p 127.0.0.1:5000:5000 ... google/docker-registry


### Using the registry

docker tag myawesomeimage localhost:5000/myawesomeimage
Expand Down
2 changes: 1 addition & 1 deletion requirements.txt
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
docker-registry-core==2.0.2
docker-registry-core==2.0.3
gcs-oauth2-boto-plugin==1.8
39 changes: 37 additions & 2 deletions run.sh
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
#!/bin/bash
set -e

USAGE="docker run -e GCS_BUCKET=<YOUR_GCS_BUCKET_NAME> \
[-e GCP_ACCOUNT='<YOUR_EMAIL>' ] \
Expand Down Expand Up @@ -53,5 +54,39 @@ else
fi
fi

export GCS_BUCKET BOTO_PATH
exec docker-registry $*
if [ -n "${REGISTRY_TLS_VERIFY}" ] && [ -z "${GUNICORN_OPTS}" ]; then
: ${REGISTRY_ADDR:="localhost:5000"}
: ${BOOT2DOCKER_HOST:="boot2docker.local"}
: ${BOOT2DOCKER_IP:="192.168.59.103"}
cat <<EOF > /ssl/ssl.conf
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_ca]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign
subjectAltName = @alt_names
[v3_req]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, serverAuth
nsCertType = server
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@proppy this is hardcoded isnt it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, because when we generate cert we really only care about localhost/boot2docker.

If you want to support arbitrary hostname you should bring your own cert for now.

See also #33 for later

DNS.2 = ${BOOT2DOCKER_HOST}
IP.1 = 127.0.0.1

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same here

IP.2 = ${BOOT2DOCKER_IP}
EOF
echo 01 > /ssl/ca.srl
openssl req -subj "/CN=Local CA" -config /ssl/ssl.conf -extensions v3_ca -new -x509 -days 365 -newkey rsa:2048 -nodes -keyout /ssl/ca.key -out /ssl/ca.crt && chmod 600 /ssl/ca.key
openssl req -subj "/CN=Local Docker registry" -config /ssl/ssl.conf -reqexts v3_req -new -newkey rsa:2048 -nodes -keyout /ssl/registry.key -out /ssl/registry.csr && chmod 600 /ssl/registry.key
openssl x509 -req -extfile /ssl/ssl.conf -extensions v3_req -days 365 -in /ssl/registry.csr -CA /ssl/ca.crt -CAkey /ssl/ca.key -out /ssl/registry.cert

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

chmod 600 both of the .key files

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

mkdir -p /certs.d/${REGISTRY_ADDR}
cp /ssl/ca.crt /certs.d/${REGISTRY_ADDR}/
SSL_VERSION=$(python -c 'import ssl; print ssl.PROTOCOL_TLSv1')
: ${GUNICORN_OPTS:="['--certfile','/ssl/registry.cert','--keyfile','/ssl/registry.key','--ca-certs','/ssl/ca.crt','--ssl-version','$SSL_VERSION','--log-level','debug']"}
fi

export GCS_BUCKET BOTO_PATH GUNICORN_OPTS
exec "$@"