Skip to content
This repository has been archived by the owner on Sep 12, 2018. It is now read-only.

Serve a TLS endpoint if REGISTRY_TLS_VERIFY is set and GUNICORN_OPTS is not #693

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

tiborvass
Copy link

If REGISTRY_TLS_VERIFY is set, but GUNICORN_OPTS is not, then serve via a TLS endpoint instead of plain HTTP.

This is done by setting GUNICORN_OPTS to some default value, expecting the following files to be present:

  • /ssl/ca.crt
  • /ssl/registry.cert
  • /ssl/registry.key

Signed-off-by: Tibor Vass teabee89@gmail.com

@tiborvass
Copy link
Author

Ping @dmp42 @dmcgowan @proppy

@tiborvass tiborvass force-pushed the tls-registry branch 3 times, most recently from 5215470 to ce54641 Compare November 7, 2014 01:10
@@ -12,6 +12,7 @@ FROM ubuntu:14.04
RUN apt-get update \
# Install pip
&& apt-get install -y \
curl \
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lol indentation

@proppy
Copy link
Contributor

proppy commented Nov 7, 2014

wondering if @dmp42 would have preferred a python impl and keep the ENTRYPOINT intact.

@@ -19,6 +20,10 @@ RUN apt-get update \
libevent1-dev \
&& rm -rf /var/lib/apt/lists/*

# get generate_cert
RUN curl -L -o $ROOTFS/usr/local/bin/generate_cert https://github.com/SvenDowideit/generate_cert/releases/download/0.1/generate_cert-0.1-linux-amd64/ && \
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$ROOTFS? Someone copy-pasta'd too much. 😉

@tiborvass tiborvass force-pushed the tls-registry branch 2 times, most recently from 3848eb9 to a7a1a04 Compare November 7, 2014 01:15
@@ -37,4 +42,4 @@ ENV SETTINGS_FLAVOR dev

EXPOSE 5000

CMD ["docker-registry"]
CMD ["/docker-registry/run.sh"]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You mean:

ENTRYPOINT ["/docker-registry/run.sh"]
CMD ["docker-registry"]

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So it might be good to rename run.sh now to be less misleading. 😉

@tiborvass tiborvass force-pushed the tls-registry branch 2 times, most recently from 8e1f742 to 5890418 Compare November 7, 2014 01:26
@@ -19,6 +20,10 @@ RUN apt-get update \
libevent1-dev \
&& rm -rf /var/lib/apt/lists/*

# get generate_cert
RUN curl -L -o /usr/local/bin/generate_cert https://github.com/SvenDowideit/generate_cert/releases/download/0.1/generate_cert-0.1-linux-amd64/ && \
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not a script; it's a compiled Go binary.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dmp42 we can rewrite it in bash if you want with openssl, will take some time though.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wonder if we should keep the ENTRYPOINT in python and push the extra logic about in-place cert generation to generate_certs

esac

x=0
for f in /ssl/registry.{key,crt}; do
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should assume that it's named registry.* or just assumed they get passed as their own bind mount?

@tiborvass tiborvass changed the title Enable TLS by default if /ssl directory is present Serve a TLS endpoint if REGISTRY_TLS_VERIFY is set and GUNICORN_OPTS is not Nov 7, 2014
@tiborvass
Copy link
Author

@dmp42 @proppy @ewindisch
Generation of certs are done outside the registry and should be provided under /ssl via --volumes-from or a bind mount. The actual process for users will be documented (in a separate PR + PR to docker/docker/docs ?) from cert generation to including it in the registry container. An additional quick hack could be suggested with something like $(docker run tiborvass/registry:autotls) that would work for the basic needs.

@tiborvass tiborvass force-pushed the tls-registry branch 2 times, most recently from 8aa5c8d to eef7d1c Compare November 10, 2014 20:40
This is done by setting GUNICORN_OPTS to some default value, expecting
the following files to be present:

* /ssl/ca.crt
* /ssl/registry.cert
* /ssl/registry.key

Signed-off-by: Tibor Vass <teabee89@gmail.com>
@dmp42
Copy link
Contributor

dmp42 commented Nov 11, 2014

@wking @stevvooe @bacongobbler what do you think?

@dmp42 dmp42 added this to the 1.0 milestone Nov 11, 2014
@dmp42 dmp42 added the security label Nov 11, 2014
@wking
Copy link
Contributor

wking commented Nov 11, 2014

On Mon, Nov 10, 2014 at 04:01:55PM -0800, Olivier Gambier wrote:

@wking @stevvooe @bacongobbler what do you think?

I'd just add this to the docs for:

GUNICORN_OPTS='[--ssl-version, 3, --certfile, /ssl/registry.cert, --keyfile, /ssl/registry.keys, --ca-certs, /ssl/ca.crt]'

but if folks want a shortcut environment variable for that, I'll go
along with it ;).

@bacongobbler
Copy link
Contributor

LGTM and +1 on separation of concerns, though users would probably like to have /ssl configurable in case their certs are in another container or are located somewhere else on the local filesystem (--volumes-from doesn't allow you to choose the src and dest directories IIRC). Maybe $REGISTRY_KEYFILE, $REGISTRY_CERTFILE AND $REGISTRY_CA_CERTFILE?

e.g. I usually like to have my certs located at /etc/ssl/certs/..., keys in /etc/ssl/private/... and the CA cert chain at /etc/ssl/root.ca

@wking
Copy link
Contributor

wking commented Nov 11, 2014

On Mon, Nov 10, 2014 at 04:32:28PM -0800, Matthew Fisher wrote:

… though users would probably like to have /ssl configurable…

In this case I'd really rather they just used GUNICORN_OPTS directly.
You don't save much by replacing --certfile with REGISTRY_CERTFILE ;).

@tiborvass
Copy link
Author

@bacongobbler @wking thanks for chiming in!

This is a PR to facilitate TLS for registry users. I agree that we should document GUNICORN_OPTS, but mounting certs to /ssl seems to me a more user-friendly API. If people want to customize anything, they can do so with GUNICORN_OPTS.

We could debate having REGISTRY_TLS_VERIFY. It's explicit, but can also be redundant with just checking the existence of an /ssl directory.

Usage: docker run -d -p 5000:5000 -v /my/ssl:/ssl registry

@wking
Copy link
Contributor

wking commented Nov 11, 2014

On Mon, Nov 10, 2014 at 05:33:17PM -0800, Tibor Vass wrote:

We could debate having REGISTRY_TLS_VERIFY. It's explicit, but can
also be redundant with just checking the existence of an /ssl
directory.

That works for me too, as does encouraging folks to terminate their
SSL/TLS in a reverse-proxy in front of the registry. I think that all
of these options (or whichever ones get implemented or are external)
should get documented in the SSL/TLS section of ADVANCED.md, or in a
document linked from there. I think the main problem is informing the
sysadmin, not saving them keystrokes while they write up their
configuration ;).

@tiborvass
Copy link
Author

@wking The goal is to have simple TLS instructions on README.md. We could add a link saying for production configuration, the recommended way is to use a reverse-proxy as described in ADVANCED.md. What do you think?

@wking
Copy link
Contributor

wking commented Nov 11, 2014

On Mon, Nov 10, 2014 at 06:48:44PM -0800, Tibor Vass wrote:

The goal is to have simple TLS instructions on README.md.

I'd just say:

The registry uses Gunicorn to manage workers. If you want to setup
SSL/TLS, you can use any of the usual Gunicorn
options
via GUNICORN_OPTS. For example:

GUNICORN_OPTS='[--ssl-version, 3, --certfile, /ssl/registry.cert, --keyfile, /ssl/registry.keys, --ca-certs, /ssl/ca.crt]' 

That should be enough of a sketch for folks who are already familiar
with SSL/TLS, and it offloads the detailed docs to Gunicorn (which is
appropriate, since it's a Gunicorn feature).

for production configuration, the recommended way is to use a reverse-proxy as described in ADVANCED.md

I'm not sure its the recommended way, but it's certainly one way you
could do this. It sounds like we also want a mini-tutorial in
maintaining client-side root CAs 1, so I'd just stick a more
in-depth SSL/TLS dive somewhere outside the README where we could go
over this in a bit more detail.

if not gunicorn_opts and env.source('REGISTRY_TLS_VERIFY'):
gunicorn_opts = ['--ssl-version', ssl.PROTOCOL_TLSv1]
for k, v in {
'--certfile': '/ssl/registry.cert',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see the benefit of enforcing these non-standard, default directory paths when simply adding them to GUNICORN_OPTS would suffice and actually provides more flexibility. Otherwise, I'd say make an environment variable for each path.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the same discussion was posted above: #693 (comment)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies for the repetition. Let's figure out whether or not we want to break these out so this PR can get merged.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants