forked from TrueCloudLab/distribution
Additional fixes
Couple of nits that were not addressed. Signed-off-by: Olivier Gambier <olivier@docker.com>
This commit is contained in:
parent
1d5b311fc4
commit
c198f8f279
4 changed files with 41 additions and 39 deletions
|
@ -49,7 +49,7 @@ Typically, create a new configuration file from scratch, and call it `config.yml
|
||||||
-v `pwd`/config.yml:/etc/docker/registry/config.yml \
|
-v `pwd`/config.yml:/etc/docker/registry/config.yml \
|
||||||
registry:2
|
registry:2
|
||||||
|
|
||||||
You can (and probably should) use [this a starting point](https://github.com/docker/distribution/blob/master/cmd/registry/config-example.yml).
|
You can (and probably should) use [this as a starting point](https://github.com/docker/distribution/blob/master/cmd/registry/config-example.yml).
|
||||||
|
|
||||||
## List of configuration options
|
## List of configuration options
|
||||||
|
|
||||||
|
|
|
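Review bot: the link on the corrected line still points at `master` (`.../blob/master/cmd/registry/config-example.yml`) while the `docker run` a few lines above pins the image to `registry:2`; the example config on `master` can gain or rename options that the tagged image does not understand, so consider linking the example at the matching release tag, or adding a sentence that the file should be taken from the same version of the registry that is being run.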
@ -78,6 +78,12 @@ You should now be able to access your registry from another docker host:
|
||||||
docker push myregistrydomain.com:5000/ubuntu
|
docker push myregistrydomain.com:5000/ubuntu
|
||||||
docker pull myregistrydomain.com:5000/ubuntu
|
docker pull myregistrydomain.com:5000/ubuntu
|
||||||
|
|
||||||
|
#### Gotcha
|
||||||
|
|
||||||
|
A certificate issuer may supply you with an *intermediate* certificate. In this case, you must combine your certificate with the intermediate's to form a *certificate bundle*. You can do this using the `cat` command:
|
||||||
|
|
||||||
|
cat server.crt intermediate-certificates.pem > certs/domain.crt
|
||||||
|
|
||||||
### Alternatives
|
### Alternatives
|
||||||
|
|
||||||
While rarely advisable, you may want to use self-signed certificates instead, or use your registry in an insecure fashion. You will find instructions [here](insecure.md).
|
While rarely advisable, you may want to use self-signed certificates instead, or use your registry in an insecure fashion. You will find instructions [here](insecure.md).
|
||||||
|
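Review bot: the `cat server.crt intermediate-certificates.pem > certs/domain.crt` line in the new Gotcha is missing the two things a reader gets wrong most often: the order is significant (the server's own certificate must be first, then the intermediate(s), and the root CA should not be appended), and there is no way to check the result before restarting the registry. Suggest stating the order explicitly and adding `openssl verify -untrusted intermediate-certificates.pem server.crt` as a check; it is also worth saying that `intermediate-certificates.pem` stands for whatever file the issuer supplied, since the name appears here for the first time.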
@ -90,7 +96,7 @@ Except for registries running on secure local networks, registries should always
|
||||||
|
|
||||||
The simplest way to achieve access restriction is through basic authentication (this is very similar to other web servers' basic authentication mechanism).
|
The simplest way to achieve access restriction is through basic authentication (this is very similar to other web servers' basic authentication mechanism).
|
||||||
|
|
||||||
> :warning: You **cannot** use authentication with an insecure registry. You have to [configure TLS first](#running-a-domain-registry) for this to work.
|
:warning: You **cannot** use authentication with an insecure registry. You have to [configure TLS first](#running-a-domain-registry) for this to work.
|
||||||
|
|
||||||
First create a password file with one entry for the user "testuser", with password "testpassword":
|
First create a password file with one entry for the user "testuser", with password "testpassword":
|
||||||
|
|
||||||
|
|
|
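Review bot: dropping the leading `>` turns the only warning in this section into ordinary body text. The sentence it carries (authentication cannot be used with an insecure registry, TLS must be configured first) is the one security-critical statement here, because basic-auth credentials over plain HTTP are sent in the clear; if the blockquote rendering was the objection, keep the line visually distinct some other way (for example a bold lead) rather than demoting it to a paragraph.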
@ -38,11 +38,9 @@ This basically tells Docker to entirely disregard security for your registry.
|
||||||
|
|
||||||
Generate your own certificate:
|
Generate your own certificate:
|
||||||
|
|
||||||
```
|
|
||||||
mkdir -p certs && openssl req \
|
mkdir -p certs && openssl req \
|
||||||
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
|
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
|
||||||
-x509 -days 365 -out certs/domain.crt
|
-x509 -days 365 -out certs/domain.crt
|
||||||
```
|
|
||||||
|
|
||||||
Be sure to use the name `myregistrydomain.com` as a CN.
|
Be sure to use the name `myregistrydomain.com` as a CN.
|
||||||
|
|
||||||
|
|
|
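Review bot: with the two fence lines removed, please check that the three `openssl req` lines (`mkdir -p certs && openssl req \`, `-newkey rsa:4096 ...`, `-x509 -days 365 ...`) are still indented as a code block; otherwise the trailing `\` continuations render as prose and the command is unusable. On the content itself, "use the name `myregistrydomain.com` as a CN" is no longer enough for current clients, which match the host name against the subjectAltName and ignore the CN; adding `-subj "/CN=myregistrydomain.com" -addext "subjectAltName=DNS:myregistrydomain.com"` (OpenSSL 1.1.1+) to the command avoids a verification failure that looks exactly like the self-signed-certificate error described further down. Note also that `-nodes` leaves `certs/domain.key` unencrypted on disk, which is fine for a demo but worth one line of caution.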
@ -130,16 +130,14 @@ That's certainly because you are using a self-signed certificate, despite the wa
|
||||||
If you really insist on using these, you have to trust it at the OS level.
|
If you really insist on using these, you have to trust it at the OS level.
|
||||||
|
|
||||||
Usually, on Ubuntu this is done with:
|
Usually, on Ubuntu this is done with:
|
||||||
```
|
|
||||||
cp auth/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
|
cp auth/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
|
||||||
update-ca-certificates
|
update-ca-certificates
|
||||||
```
|
|
||||||
|
|
||||||
... and on RedHat with:
|
... and on RedHat with:
|
||||||
```
|
|
||||||
cp auth/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
|
cp auth/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
|
||||||
update-ca-trust
|
update-ca-trust
|
||||||
```
|
|
||||||
|
|
||||||
Now:
|
Now:
|
||||||
|
|
||||||
|
|
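Review bot: both `cp` lines copy `auth/domain.crt`, but the `openssl req` command in the hunk above writes the certificate to `certs/domain.crt`; unless something in between moves it, the path here should be `certs/domain.crt`, or the reader copies a file that does not exist. As with the previous hunk, confirm the `cp`/`update-ca-certificates` and `cp`/`update-ca-trust` pairs remain indented as code now that the fences are gone. Finally, the Docker daemon loads the system trust store when it starts, so whatever follows the `Now:` line will still fail until the daemon is restarted; a sentence saying so would save a round of confusion.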