In this post let's see how to set up a Docker private registry (ver 2.x) with TLS and HTTP authentication on an OpenPower server running the RHEL 7.1 LE Linux distribution. Apart from the RHEL-specific step for installing the registry package, the instructions will work for most other Linux distributions (Ubuntu, Fedora etc.) running on either Intel or OpenPower servers.
Install Docker Private Registry Package on RHEL LE
Pre-compiled packages for docker and docker-registry (ver 2.1) for RHEL 7.1 LE are available from the Unicamp repository. Please note that these packages are provided on an as-is basis; the repository definition below also sets gpgcheck=0, so yum will not verify package signatures.
# cat > /etc/yum.repos.d/unicamp-docker.repo <<EOF
[unicamp-docker]
name=Unicamp Repo for Docker Packages
baseurl=http://ftp.unicamp.br/pub/ppc64el/rhel/7_1/docker-ppc64el/
enabled=1
gpgcheck=0
EOF
# yum install -y docker-distribution
Install Docker Private Registry on other Linux Distributions
On RHEL for Intel servers and Fedora for Intel and OpenPower servers, the registry ver 2.x package is named docker-distribution.
On Ubuntu for Intel and OpenPower the registry ver 2.x package is named docker-registry. Please install the respective package for your distribution.
The remaining set of instructions is the same across distributions and servers.
First, create a directory to store the images. This could be created on any mount point on the designated server, backed by either local disk or external disk.
In this example, /data/ is a separate partition on the disk which will be used for storing docker images.
# mkdir /data/registry_data
Create an HTTP access control file using the 'htpasswd' command. The following commands install the httpd-tools package, which contains the htpasswd tool, and create a file registry_passwd with an entry for the user 'regimguser'. Replace the file name and user name as per your requirements. The option '-B' selects bcrypt hashing of passwords (the other htpasswd schemes, MD5, SHA1 and crypt, are considerably weaker).
# yum install -y httpd-tools
# mkdir -p /etc/registry/
# htpasswd -Bc /etc/registry/registry_passwd regimguser
Note that htpasswd is available as part of httpd-tools package on RHEL based systems and apache2-utils on Ubuntu based systems.
Create Registry Configuration File
Following is the config file used in this example setup on RHEL.
# cat /etc/registry/config.yml
version: 0.1
storage:
  filesystem:
    rootdirectory: /data/registry_data
  delete:
    enabled: true
http:
  addr: registry.kube.com:5000
auth:
  htpasswd:
    realm: basic-realm
    path: /etc/registry/registry_passwd
Secure Registry using TLS
Create a certificate for securing the registry using TLS and copy it to all docker hosts. Ensure you use the registry FQDN as the CN when generating the certificate; newer Docker clients (Go 1.15 and later no longer fall back to the CN) also require the FQDN in a subjectAltName extension.
# mkdir /certs/
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /certs/domain.key -x509 -days 365 -out /certs/domain.crt
Generating a 4096 bit RSA private key
..........................................................................................++
[snip]
Copy the certificate to all the docker hosts, place it under the specific path as shown below:
# mkdir -p /etc/docker/certs.d/registry.kube.com:5000/
# cp domain.crt /etc/docker/certs.d/registry.kube.com:5000/ca.crt
Trust the certificate at OS level and update the CA list. The instructions vary between Linux distributions.
On RHEL and Fedora perform the following steps:
# cp domain.crt /etc/pki/ca-trust/source/anchors/registry.kube.com.crt
# update-ca-trust
On Ubuntu perform the following steps:
# cp domain.crt /usr/local/share/ca-certificates/registry.kube.com.crt
# update-ca-certificates
Restart the docker daemon.
# service docker restart
Start the Registry Server
On RHEL, start the registry server using the following command line:
# REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt REGISTRY_HTTP_TLS_KEY=/certs/domain.key screen -dmS registry registry /etc/registry/config.yml
The REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY can also be specified as part of the registry configuration file. Given below is a sample configuration:
# cat /etc/registry/config.yml
version: 0.1
storage:
  filesystem:
    rootdirectory: /data/registry_data
  delete:
    enabled: true
http:
  addr: registry.kube.com:5000
  host: https://registry.kube.com:5000
  tls:
    certificate: /certs/domain.crt
    key: /certs/domain.key
auth:
  htpasswd:
    realm: basic-realm
    path: /etc/registry/registry_passwd
Start the registry server using the following command line:
# screen -dmS registry registry /etc/registry/config.yml
On Ubuntu systems, the registry binary is named docker-registry. Further, Ubuntu also ships a service definition file. So, you can make the configuration changes to the default registry configuration file found in /etc/docker/registry/config.yml and restart the docker-registry service.
# service docker-registry restart
Alternatively, you can run it in a screen session as shown above for RHEL, but using docker-registry as the binary name instead of registry.
# screen -dmS registry docker-registry /etc/registry/config.yml
From any docker host, verify that you can log in. Use the user ID and password that were created with the htpasswd tool.
# docker login https://registry.kube.com:5000
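Beyond a manual docker login, the following script (an added example, not part of the original post) audits the htpasswd file for entries that were not created with -B and probes the registry over TLS to confirm that anonymous access to /v2/ is refused with the configured realm while the htpasswd credentials are accepted. The registry URL, the path to ca.crt and the credentials passed to probe_registry are assumptions for your environment.

```python
import base64
import re
import ssl
import urllib.error
import urllib.request

SCHEMES = [  # order matters: first match wins
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),  # htpasswd -B
    ("md5", re.compile(r"^\$apr1\$")),                                 # htpasswd -m
    ("sha1", re.compile(r"^\{SHA\}")),                                 # htpasswd -s
    ("crypt", re.compile(r"^[./A-Za-z0-9]{13}$")),                     # htpasswd -d (DES)
]

def audit_htpasswd(text):
    """Map each user in an htpasswd file to the hash scheme of its entry;
    anything other than bcrypt was not created with -B and should be reset."""
    schemes = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, digest = line.partition(":")
            schemes[user] = next((n for n, rx in SCHEMES if rx.match(digest)), "plain")
    return schemes

def is_basic_challenge(status, www_authenticate, realm="basic-realm"):
    """True when an anonymous GET /v2/ was refused with a Basic challenge for our realm."""
    return (status == 401 and www_authenticate is not None
            and www_authenticate.lower().startswith("basic ")
            and 'realm="%s"' % realm in www_authenticate)

def probe_registry(base_url, ca_file, user, password):
    """Fetch /v2/ over TLS twice: anonymously (expect a 401 challenge) and with
    the htpasswd credentials (expect 200). Returns (challenge_ok, login_ok)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only ca.crt; hostname is verified
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    url = base_url.rstrip("/") + "/v2/"
    try:
        opener.open(url)
        challenge_ok = False  # anonymous request succeeded: authentication is not enforced
    except urllib.error.HTTPError as err:
        challenge_ok = is_basic_challenge(err.code, err.headers.get("WWW-Authenticate"))
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        login_ok = opener.open(req).status == 200
    except urllib.error.HTTPError:
        login_ok = False
    return challenge_ok, login_ok
```

A typical call is probe_registry("https://registry.kube.com:5000", "/etc/docker/certs.d/registry.kube.com:5000/ca.crt", "regimguser", password), which should return (True, True) on the setup above.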
You are now all set to use docker private registry in your environment.