Additional fixes

Couples of nits that where not addressed.

Signed-off-by: Olivier Gambier <olivier@docker.com>
This commit is contained in:
Olivier Gambier 2015-06-12 01:10:03 -07:00
parent 1d5b311fc4
commit c198f8f279
4 changed files with 41 additions and 39 deletions

View File

@ -49,7 +49,7 @@ Typically, create a new configuration file from scratch, and call it `config.yml
-v `pwd`/config.yml:/etc/docker/registry/config.yml \ -v `pwd`/config.yml:/etc/docker/registry/config.yml \
registry:2 registry:2
You can (and probably should) use [this a starting point](https://github.com/docker/distribution/blob/master/cmd/registry/config-example.yml). You can (and probably should) use [this as a starting point](https://github.com/docker/distribution/blob/master/cmd/registry/config-example.yml).
## List of configuration options ## List of configuration options

View File

@ -78,6 +78,12 @@ You should now be able to access your registry from another docker host:
docker push myregistrydomain.com:5000/ubuntu docker push myregistrydomain.com:5000/ubuntu
docker pull myregistrydomain.com:5000/ubuntu docker pull myregistrydomain.com:5000/ubuntu
#### Gotcha
A certificate issuer may supply you with an *intermediate* certificate. In this case, you must combine your certificate with the intermediate's to form a *certificate bundle*. You can do this using the `cat` command:
cat server.crt intermediate-certificates.pem > certs/domain.crt
### Alternatives ### Alternatives
While rarely advisable, you may want to use self-signed certificates instead, or use your registry in an insecure fashion. You will find instructions [here](insecure.md). While rarely advisable, you may want to use self-signed certificates instead, or use your registry in an insecure fashion. You will find instructions [here](insecure.md).
@ -90,7 +96,7 @@ Except for registries running on secure local networks, registries should always
The simplest way to achieve access restriction is through basic authentication (this is very similar to other web servers' basic authentication mechanism). The simplest way to achieve access restriction is through basic authentication (this is very similar to other web servers' basic authentication mechanism).
> :warning: You **cannot** use authentication with an insecure registry. You have to [configure TLS first](#running-a-domain-registry) for this to work. :warning: You **cannot** use authentication with an insecure registry. You have to [configure TLS first](#running-a-domain-registry) for this to work.
First create a password file with one entry for the user "testuser", with password "testpassword": First create a password file with one entry for the user "testuser", with password "testpassword":
@ -120,9 +126,9 @@ And then push and pull images as an authenticated user.
2. Alternatively, the Registry also supports delegated authentication, redirecting users to a specific, trusted token server. That approach requires significantly more investment, and only make sense if you want to fully configure ACLs and more control over the Registry integration into your global authorization and authentication systems. 2. Alternatively, the Registry also supports delegated authentication, redirecting users to a specific, trusted token server. That approach requires significantly more investment, and only make sense if you want to fully configure ACLs and more control over the Registry integration into your global authorization and authentication systems.
You will find [background information here](spec/auth/token.md), and [configuration information here](configuration.md#auth). You will find [background information here](spec/auth/token.md), and [configuration information here](configuration.md#auth).
Beware that you will have to implement your own authentication service for this to work. Beware that you will have to implement your own authentication service for this to work.
## Managing with Compose ## Managing with Compose

View File

@ -38,11 +38,9 @@ This basically tells Docker to entirely disregard security for your registry.
Generate your own certificate: Generate your own certificate:
``` mkdir -p certs && openssl req \
mkdir -p certs && openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \ -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt -x509 -days 365 -out certs/domain.crt
```
Be sure to use the name `myregistrydomain.com` as a CN. Be sure to use the name `myregistrydomain.com` as a CN.

View File

@ -130,16 +130,14 @@ That's certainly because you are using a self-signed certificate, despite the wa
If you really insist on using these, you have to trust it at the OS level. If you really insist on using these, you have to trust it at the OS level.
Usually, on Ubuntu this is done with: Usually, on Ubuntu this is done with:
```
cp auth/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt cp auth/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
update-ca-certificates update-ca-certificates
```
... and on RedHat with: ... and on RedHat with:
```
cp auth/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt cp auth/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
update-ca-trust update-ca-trust
```
Now: Now: