This repository has been archived by the owner on Sep 12, 2018. It is now read-only.

Commit
Enable TLS by default if /ssl directory is present.
Generates needed keys and certs.
If only one element in the key/cert pair is present, nothing is
overridden; instead, the user is asked to either remove the existing
element, or put the missing one back.

Uses TLSv1, since neither TLSv1.1 nor TLSv1.2 is available in the current
version of python 2.7.

Usage: docker run -d -p 5000:5000 -v /etc/docker/certs.d:/ssl registry

There are no breaking changes, since the /ssl directory is not present
by default.

Signed-off-by: Tibor Vass <teabee89@gmail.com>
tiborvass committed Nov 7, 2014
1 parent 14796be commit 5890418
Showing 2 changed files with 42 additions and 0 deletions.
6 changes: 6 additions & 0 deletions Dockerfile
Expand Up @@ -12,13 +12,18 @@ FROM ubuntu:14.04
RUN apt-get update \
# Install pip
&& apt-get install -y \
curl \
python-pip \
# Install deps for backports.lmza (python2 requires it)
python-dev \
liblzma-dev \
libevent1-dev \
&& rm -rf /var/lib/apt/lists/*

# get generate_cert
RUN curl -L -o /usr/local/bin/generate_cert https://github.com/SvenDowideit/generate_cert/releases/download/0.1/generate_cert-0.1-linux-amd64/ && \
chmod +x /usr/local/bin/generate_cert

COPY . /docker-registry
COPY ./config/boto.cfg /etc/boto.cfg

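Review bot: the `RUN curl -L -o /usr/local/bin/generate_cert https://github.com/SvenDowideit/generate_cert/releases/download/0.1/generate_cert-0.1-linux-amd64/` line pulls an unverified third-party binary into the image, and the trailing slash on the release asset URL looks unintended; without `-f`, curl saves whatever error body GitHub returns, the following `chmod +x` succeeds on it, and the breakage only surfaces when wrap.sh calls generate_cert at container start. Suggest `curl -fL` so the build fails on an HTTP error, plus a pinned checksum check such as `echo '<sha256 of the 0.1 release asset>  /usr/local/bin/generate_cert' | sha256sum -c` so the image cannot silently pick up a different binary. Also, the `# Install deps for backports.lmza` comment should read `backports.lzma`.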
Expand All @@ -37,4 +42,5 @@ ENV SETTINGS_FLAVOR dev

EXPOSE 5000

ENTRYPOINT ["/docker-registry/wrap.sh"]
CMD ["docker-registry"]
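Review bot: nothing in the Dockerfile documents that the new `ENTRYPOINT ["/docker-registry/wrap.sh"]` bootstraps TLS when a /ssl volume is mounted or that it reads REGISTRY_HOST; the only usage note lives in the commit message. Suggest a comment above the ENTRYPOINT naming the /ssl mount point, the REGISTRY_HOST default, and the fact that every command run through the image (not just `docker-registry`) now passes through wrap.sh. Since wrap.sh arrives via `COPY . /docker-registry`, the image also relies on the executable bit being committed in the repository; a `RUN chmod +x /docker-registry/wrap.sh` would make the build independent of the checkout's file modes.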
36 changes: 36 additions & 0 deletions wrap.sh
@@ -0,0 +1,36 @@
#!/bin/bash

set -e

export ${REGISTRY_HOST:=localhost}

x=0
for f in /ssl/ca.{key,cert}; do
[[ -f $f ]] && x=$((x + 1)) || break
done
case "$x" in
0)
generate_cert -cert=/ssl/ca.cert -key=/ssl/ca.key
;;
1)
echo "Only one of /ssl/ca.key and /ssl/ca.cert was found. Make sure both are either present or absent." && exit 1
;;
esac

x=0
for f in /ssl/registry.{key,crt}; do
[[ -f $f ]] && x=$((x + 1)) || break
done
case "$x" in
0)
generate_cert -cert=/ssl/ca.cert -key=/ssl/ca.key && generate_cert -host="$REGISTRY_HOST" -ca=/ssl/ca.cert -ca-key=/ssl/ca.key -cert=/ssl/registry.crt -key=/ssl/registry.key
;;
1)
echo "Only one of /ssl/registry.key and /ssl/registry.crt was found. Make sure both are either present or absent." && exit 1
;;
esac

# --ssl-version 3 == ssl.PROTOCOL_TLSv1
[[ -d /ssl ]] && export ${GUNICORN_OPTS:="['--certfile','/ssl/registry.crt','--keyfile','/ssl/registry.key','--ca-certs','/ssl/ca.cert','--ssl-version',3]"}

exec "$@"
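Review bot: `export ${REGISTRY_HOST:=localhost}` exports the expanded value rather than the variable: it runs `export localhost`, so REGISTRY_HOST is set for this script but never reaches the exec'd process, and with a user-supplied hostname containing dots `export` rejects the name and `set -e` aborts the script. The same idiom on the `[[ -d /ssl ]] && export ${GUNICORN_OPTS:=...}` line is worse, because the expanded word `['--certfile',...]` is never a valid identifier, so whenever /ssl exists `export` returns non-zero and the script dies before `exec "$@"`. Use `export REGISTRY_HOST="${REGISTRY_HOST:-localhost}"` and `export GUNICORN_OPTS="${GUNICORN_OPTS:-[...]}"` instead. Three further points: the `[[ -f $f ]] && x=$((x + 1)) || break` loops stop at the first missing file, so a present ca.cert with a missing ca.key yields x=0 and the `0)` branch silently regenerates and overwrites ca.cert, which is exactly the case the commit message says is refused (drop `|| break` so both files are counted); the `0)` branch of the registry block runs `generate_cert -cert=/ssl/ca.cert -key=/ssl/ca.key` a second time, overwriting a CA that already existed or was just created and breaking any client that trusted the old one, so it should only issue the server cert from the existing CA; and passing `--ca-certs` to gunicorn without `--cert-reqs` leaves client certificate verification at its default of none, so if client authentication is intended, `--cert-reqs` needs to be set as well.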

0 comments on commit 5890418