LXD/LXC
Fire up an Debian 10 in a LXC Container and name it “docker-registry
lxc launch images:debian/10 docker-registry
Adjust the behavior of the LXC Container, otherwise docker wont’t be able to work
lxc config set docker-registry security.nesting true
lxc config set docker-registry security.privileged true
cat «EOT | lxc config set docker-registry raw.lxc -
lxc.cgroup.devices.allow = a
lxc.cap.drop =
EOT
Enter the LXC Container
lxc exec docker-registry -- /bin/bash
Install Software prerequisites
apt install apt-transport-https ca-certificates curl software-properties-common gnupg2
Add the Repository
URL: https://download.docker.com/linux/debian/dists/buster/stable/
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
Read new Repository
apt-get update
Verfiy that only this Repository is used for Docker Updates and install
apt-cache policy docker-ce
Install docker-ce
apt install docker-ce -y
Check that the Docker Service is up and running
systemctl status docker
Install the latest Docker Compose from docker git
URL: https://github.com/docker/compose/releases
curl -L https://github.com/docker/compose/releases/download/1.25.1-rc1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
Make it executable
chmod +x /usr/local/bin/docker-compose
setup environment
mkdir -p /opt/{registry_certs,docker_reg_auth,datafiles}
cd /optcreate the htpasswd user and password file
docker run -it --entrypoint htpasswd -v $PWD/docker_reg_auth:/auth -w /auth registry:2 -Bbc /auth/htpasswd admin admin
adjust the openssl.cnf
copy the original one
cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.backup
-----edits------ at the beginning #################################################################### . . [ req ] default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extensions to add to the self signed cert <---------comment out . . . . . [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] # IP: Addresses or DNS: for each host needed subjectAltName = IP:192.168.1.2,IP:192.168.1.4 # Extensions for a typical CA -----edits-end-------
create the ssl certificates
######on the host, that is running the docker registry
still in the /opt directory
openssl req -newkey rsa:4096 -nodes -sha256 -keyout registry_certs/domain.key -x509 -days 3560 -out registry_certs/domain.cert
on the remote host (notebook, workstation, client)
sudo mkdir -p /etc/docker/certs.d/192.168.1.2:5000 sudo scp -i /home/tux/.ssh/id_rsa [email protected]:/opt/registry_certs/domain.cert /etc/docker/certs.d/192.168.1.2:5000/ca.crt
run the docker in foreground registry
docker run -p 5000:5000 -v $(pwd)/registry_certs:/certs -v $(pwd)/docker_reg_auth:/auth -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.cert -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_AUTH=htpasswd --restart=always --name registry registry:2
Docker Compose File
version: '3'
services:
registry:
restart: always
image: registry:2
ports:
- "5000:5000"
environment:
REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /datafiles
REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.cert
REGISTRY_HTTP_TLS_KEY: /certs/domain.key
REGISTRY_AUTH_HTPASSWD_REALM: "Registry Realm"
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
REGISTRY_AUTH: htpasswd
volumes:
- ./docker_reg_auth:/auth
- ./datafiles:/datafiles
- ./registry_certs:/certs
You can start your registry as a background process, which will allow you to exit the ssh session and persist the process
docker-compose up -d
login
docker login https://192.168.1.2:5000