Create a Secure and Private Docker Registry

  • June 3, 2015

    Create a Secure and Private Docker Registry

    June 3, 2015

    Now that we’ve discussed and shown you how to do a few things with containers, we are ready to show you how to create your own docker registry to securely store your container images. This is especially important in light of recent news about Docker Hub images being insecure.

    Below are a few examples of why having a private docker registry is a good idea:

    • Hand-off between Developers and Operation Engineers
    • Updating Source code to an application
    • Moving an application from one server to another
    • Free for private Docker Hub repositories
    • And Much More!

    This tutorial will explain how to install and configure a docker registry server, as well as generate and sign SSL keys for secure authentication when issuing a ‘docker pull’, or ‘docker push’ command.

    NOTE: If you are going to be using your private docker registry in production, you may want to consider getting your SSL certificate signed by a Certificate Authority (VeriSign). Also, we are using AWS for the purposes of this blog, but these can be executed on any public cloud.

    Things You’ll Need:

    • Amazon EC2 Instance with an EIP and the following packages installed.
    • Docker
    • OpenSSL
    • Git
    • Amazon S3 Bucket
    • Amazon Security Group Configuration
    • Basic knowledge of DNS (Route 53 or another Public DNS Provider)

    Setup and Configure Your Private Docker Registry Server

    Step 1: Login to your EC2 instance and clone the docker-registry repository.

    Step 2: To make things easier, we created a script that will generate and sign the keys / certs for us. It is located in the GitHub repository we have cloned in step 1.

    NOTE: Before we run the generate-ca.sh script, it is important to know a few things if you are self signing your certificate.

    When generating the keys and certs it is necessary to enter a password. However, we will have the script remove it after it has been entered. Also note, when prompted with the questions below, fill them out accordingly:

    “Please enter the following ‘extra’ attributesto be sent with your certificate requestA challenge password []:”

    Press Enter Here to bypass this prompt

    “Common Name (e.g. server FQDN or YOUR name):”

    This will need to be whatever you are going to call your DNS Name.Example: registry.redapt.com

    Now let’s go ahead and run the script to generate our keys and certificates.

    Great! We have our certificates and keys generated, let’s go and configure our deploy-registry.sh script to point to our S3 Bucket.

    Fill out your script with the IAM Access Key, Secret Key, etc. If you are familiar with Amazon S3, it should be self-explanatory. Once you have filled out the necessary information, run the script to start your docker container.

    If successful, you should see your docker registry container running on your EC2 instance by running the following command.

    We are now ready to build and deploy the nginx registry container which will handle our SSL encryption. Build and run your nginx-registry container.

    And that’s it! You have successfully deployed a private docker registry server, with SSL authentication. Now when we run a “˜docker ps’ command, we should see the following:

    Setup and Configure Your Client (your computer)

    Now that we have our registry server up and running, we will need to authenticate to it. To do so, we will need to retrieve the following files from our docker registry server.

    • client.key
    • client.crt
    • ca.crt

    Once we have copied those 3 files to our client, we will need to create and place them in the following directory:

    IMPORTANT!

    1. You MUST rename the client.crt file to client.cert – This is what docker’s API tools look for when running a ‘docker push’ or ‘docker pull’ command.
    2. You MUST make sure you name the directory accordingly with whatever your FQDN is. (Example: registry.redapt.com)
    3. Login to your Public DNS provider, and create a DNS record that points to the EIP of your EC2 Instance. (Example: registry.redapt.com)

    Testing Authentication to Your Docker Registry

    Now that we have our client configured and authenticating to our Docker Registry. It is time to test it all out. For testing purposes, we will pull down a docker hub image from our public docker hub, re-tagging it, and pushing it to our new Private Docker Registry Server. To do this, run the following commands:

    NOTE: Be sure to replace “registry.yourdomain.com” with the actual URL you used when generating your certificates and setting up your DNS.

    Success! Your new docker image should start to push to your new Private Docker Registry Server. Stay tuned for our next post and don’t forget to comment below!

    Note: This is currently a way of setting up a private docker registry. This might change at a later date as software vendors continue to develop things for docker. But for now, this is a way of getting up and running with a private docker registry on AWS.

    Comments(0)

    Leave a comment

    Required fields are marked *