58e5c619ac
Intermediate certificates are issued by TLS providers who themselves are an intermediate of a certificate in the trust store. Therefore, to prove the chain of trust is valid, you need to include their certificate as well as yours when you send your certificate to the client. Contrary to what I said in issue #683, distribution can handle these certificate bundles like nginx. As discussed in #docker-distribution, I have updated the deployment documentation (which recommends the use of a TLS certificate from a provider) to include instructions on how to handle the intermediate certificate when a user is configuring distribution. Signed-off-by: Luke Carpenter <x@rubynerd.net>
172 lines
5.8 KiB
Markdown
172 lines
5.8 KiB
Markdown
<!--[metadata]>
|
|
+++
|
|
title = "Deploying a registry server"
|
|
description = "Explains how to deploy a registry server"
|
|
keywords = ["registry, service, images, repository"]
|
|
[menu.main]
|
|
parent="smn_registry"
|
|
weight=3
|
|
+++
|
|
<![end-metadata]-->
|
|
|
|
|
|
# Deploying a registry server
|
|
|
|
You obviously need to [install Docker](https://docs.docker.com/installation/) (remember you need **Docker version 1.6.0 or newer**).
|
|
|
|
## Getting started
|
|
|
|
Start your registry:
|
|
|
|
$ docker run -d -p 5000:5000 \
|
|
--restart=always --name registry registry:2
|
|
|
|
That's it.
|
|
|
|
You can now tag an image and push it:
|
|
|
|
$ docker pull ubuntu && docker tag ubuntu localhost:5000/batman/ubuntu
|
|
$ docker push localhost:5000/batman/ubuntu
|
|
|
|
Then pull it back:
|
|
|
|
$ docker pull localhost:5000/batman/ubuntu
|
|
|
|
## Where is my data?
|
|
|
|
By default, your registry stores its data on the local filesystem, inside the container.
|
|
|
|
In a production environment, it's highly recommended to use [another storage backend](storagedrivers.md), by [configuring it](configuration.md).
|
|
|
|
If you want to stick with the local posix filesystem, you should store your data outside of the container.
|
|
|
|
This is achieved by mounting a volume into the container:
|
|
|
|
$ docker run -d -p 5000:5000 \
|
|
-e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry \
|
|
-v /myregistrydata:/var/lib/registry \
|
|
--restart=always --name registry registry:2
|
|
|
|
## Making your Registry available
|
|
|
|
Now that your registry works on `localhost`, you probably want to make it available as well to other hosts.
|
|
|
|
Let assume your registry is accessible via the domain name `myregistrydomain.com` (still on port `5000`).
|
|
|
|
If you try to `docker pull myregistrydomain.com:5000/batman/ubuntu`, you will see the following error message:
|
|
|
|
```
|
|
FATA[0000] Error response from daemon: v1 ping attempt failed with error:
|
|
Get https://myregistrydomain.com:5000/v1/_ping: tls: oversized record received with length 20527.
|
|
If this private registry supports only HTTP or HTTPS with an unknown CA certificate,please add
|
|
`--insecure-registry myregistrydomain.com:5000` to the daemon's arguments.
|
|
In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag;
|
|
simply place the CA certificate at /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
|
|
```
|
|
|
|
If trying to reach a non `localhost` registry, Docker requires that you secure it using https, or make it explicit that you want to run an insecure registry.
|
|
|
|
You basically have three different options to comply with that security requirement here.
|
|
|
|
### 1. buy a SSL certificate for your domain
|
|
|
|
This is the (highly) recommended solution.
|
|
|
|
You can buy a certificate for as cheap as 10$ a year (some registrars even offer certificates for free), and this will save you a lot of trouble.
|
|
|
|
Assuming you now have a `domain.crt` and `domain.key` inside a directory named `certs`:
|
|
|
|
```
|
|
# Stop your registry
|
|
docker stop registry && docker rm registry
|
|
|
|
# Start your registry with TLS enabled
|
|
docker run -d -p 5000:5000 \
|
|
-v `pwd`/certs:/certs \
|
|
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
|
|
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
|
|
--restart=always --name registry \
|
|
registry:2
|
|
```
|
|
|
|
If the certificate issuer supplies you with an 'intermediate' certificate, such as Gandi, you need to combine your certificate with the intermediates to form a 'certificate bundle'. You can do this using the cat command: ```cat server.crt GandiStandardSSLCA2.pem > server.with-intermediate.crt```. You can then configure the registry to use your certificate bundle with the ```REGISTRY_HTTP_TLS_CERTIFICATE``` environment variable.
|
|
|
|
**Pros:**
|
|
|
|
- best solution
|
|
- work without further ado (assuming you bought your certificate from a CA that is trusted by your operating system)
|
|
|
|
**Cons:**
|
|
|
|
- ?
|
|
|
|
### 2. instruct docker to trust your registry as insecure
|
|
|
|
This basically tells Docker to entirely disregard security for your registry.
|
|
|
|
1. edit the file `/etc/default/docker` so that there is a line that reads: `DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000"` (or add that to existing `DOCKER_OPTS`). Restart docker.
|
|
2. restart your Docker daemon: on ubuntu, this is usually `service docker stop && service docker start`
|
|
|
|
**Pros:**
|
|
|
|
- easy to configure
|
|
|
|
**Cons:**
|
|
|
|
- very insecure
|
|
- you have to configure every docker daemon that wants to access your registry
|
|
|
|
### 3. use a self-signed certificate and configure docker to trust it
|
|
|
|
Alternatively, you can generate your own certificate:
|
|
|
|
```
|
|
mkdir -p certs && openssl req \
|
|
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
|
|
-x509 -days 365 -out certs/domain.crt
|
|
```
|
|
|
|
Be sure to use the name `myregistrydomain.com` as a CN.
|
|
|
|
Now go to solution 1 above and stop and restart your registry.
|
|
|
|
Then you have to instruct every docker daemon to trust that certificate. This is done by copying the `domain.crt` file to `/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt` (don't forget to restart docker after doing so).
|
|
|
|
**Pros:**
|
|
|
|
- more secure than solution 2
|
|
|
|
**Cons:**
|
|
|
|
- you have to configure every docker daemon that wants to access your registry
|
|
|
|
## Using Compose
|
|
|
|
It's highly recommended to use [Docker Compose](https://docs.docker.com/compose/) to facilitate managing your Registry configuration.
|
|
|
|
Here is a simple `docker-compose.yml` that does setup your registry exactly as above, with TLS enabled.
|
|
|
|
```
|
|
registry:
|
|
restart: always
|
|
image: registry:2
|
|
ports:
|
|
- 5000:5000
|
|
environment:
|
|
REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
|
|
REGISTRY_HTTP_TLS_KEY: /certs/domain.key
|
|
REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
|
|
volumes:
|
|
- /path/registry-data:/var/lib/registry
|
|
- /path/certs:/certs
|
|
```
|
|
|
|
You can then start your registry with a simple
|
|
|
|
$ docker-compose up -d
|
|
|
|
|
|
## Next
|
|
|
|
You are now ready to explore [the registry configuration](configuration.md)
|