kizbitz · February 21, 2024 14:46 · daddydrac · Jun 6, 2022
diff --git a/self-signed-private-registry.sh b/self-signed-private-registry.sh
 #!/usr/bin/env bash

 # Installs/Configures:
 #  - Docker
 #  - Docker Registy Container with self-signed cert
 #
 # Tested on Ubuntu 14.04.1

 # Must be executed with elevated privilages
 if [ "$(id -u)" != "0" ]; then
  printf "This script must be ran as root or sudo!\n"
  exit 1
 fi

 # prompt helper function
 function prompt () {
  if [ -z ${!1} ]; then
    local response=""
    while [[ ${response} = "" ]]; do
      read -p "$2: " response
    done
    eval $1=${response}
  fi
 }

 # collect required information
 # - C   Country
 # - ST  State
 # - L    Location
 # - O    Organization
 # - OU   Organizational Unit
 # - CN   Common Name
 echo -e "\nRequired information:"
 prompt BITS "Enter bit size for certs (Ex. 2048)"
 prompt DAYS "Enter number of days to sign the certs with (Ex. 365)"
 prompt COUNTRY "Enter the 'Country' for the cert (Ex. US)"
 prompt STATE "Enter the 'State' for the cert (Ex. IN)"
 prompt LOCATION "Enter the 'Location' for the cert (Ex. Indianapolis)"
 prompt ORGANIZATION "Enter the 'Organization' for the cert (Ex. Docker)"
 prompt OUNIT "Enter the 'Organizational Unit' for the cert (Ex. Support)"
 prompt COMMON "Enter the 'Common Name' for the cert (Must be a FQDN (at least one period character) E.g. myregistry.com)"

 # ... Docker ...
 # ~~~~~~~~~~~~~~

 # for aufs
 echo -e "\nInstalling linux-image-extra ..."
 apt-get update && apt-get -y install linux-image-extra-$(uname -r)
 sleep 10

 # Install Docker
 echo -e "\nInstalling Docker ..."
 curl -sSL https://get.docker.com/ubuntu/ | sudo sh


 # ... Certs ...
 # ~~~~~~~~~~~~~

 # ... prep certs ...

 echo -e "\nGenerating certs ..."
 mkdir certs
 cd certs
 # Generate a root key
 openssl genrsa -out rootCA.key ${BITS}

 # Generate a root certificate
 openssl req -x509 -new -nodes -key rootCA.key -days ${DAYS}\
    -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/CN=${COMMON}" \
    -out rootCA.crt

 # Generate key for host
 openssl genrsa -out ${COMMON}.key ${BITS}

 # Generate CSR
 openssl req -new -key ${COMMON}.key \
    -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/CN=${COMMON}" \
    -out ${COMMON}.csr

 # Sign certificate request
 openssl x509 -req -in ${COMMON}.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -days ${DAYS} \
    -out ${COMMON}.crt

 sudo mkdir /usr/local/share/ca-certificates/${COMMON}
 sudo cp rootCA.crt /usr/local/share/ca-certificates/${COMMON}
 sudo update-ca-certificates

 mkdir -p /etc/docker/certs.d/${COMMON}
 cp rootCA.crt /etc/docker/certs.d/${COMMON}/ca.crt

 # add ${COMMON} to /etc/hosts
 echo -e "\nAdding ${COMMON} to /etc/hosts ..."
 if [ ! `cat /etc/hosts | grep -o "${COMMON}"` ]; then
    sudo echo "127.0.0.1 ${COMMON}" >> /etc/hosts
 fi


 # ... launch registry ...
 # ~~~~~~~~~~~~~~~~~~~~~~~

 # Restart Docker to pick up our certs
 echo -e "\nRestarting Docker daemon ..."
 sudo service docker restart
 sleep 10

 echo -e "\nLaunching our private registry ..."
 cd ..
 docker run -d -p 5000:5000 --restart=always --name registry -v `pwd`/certs:/certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/${COMMON}.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/${COMMON}.key \
    registry:2


 # Instructions
 echo -e "\nInstallation finished ...

 Notes
 =====

 - /etc/hosts should have an entry for '${COMMON}'
  ~> cat /etc /hosts

 - All generated certificates have been saved in the certs directory (see lines 64-65 above).
 - You'll need the 'rootCA.crt' to access the private repository from client machines (Instructions below)

 Using the private registry
 ==========================
 docker pull busybox
 docker tag busybox ${COMMON}:5000/busybox
 docker push ${COMMON}:5000/busybox
 docker pull ${COMMON}:5000/busybox

 Accessing the private registry from a client machine
 ====================================================

 On the client machine:

 - Add ${COMMON} entry to /etc/hosts with correct IP of server (if needed)

 - Create cert directory
  ~> sudo mkdir -p /etc/docker/certs.d/${COMMON}:5000
  
 - Copy and rename the 'rootCA.crt' file (on the server in the certs directory) into the directory you just created on the client:
  - Full path on client: /etc/docker/certs.d/${COMMON}:5000/ca.crt

 - Restart the Docker daemon to pick up the cert - REQUIRED!!!
 sudo service docker restart

 - Pull our ${COMMON}/busybox image
  ~> docker pull ${COMMON}:5000/busybox

 "
	#!/usr/bin/env bash

	# Installs/Configures:
	# - Docker
	# - Docker Registy Container with self-signed cert
	#
	# Tested on Ubuntu 14.04.1

	# Must be executed with elevated privilages
	if [ "$(id -u)" != "0" ]; then
	printf "This script must be ran as root or sudo!\n"
	exit 1
	fi

	# prompt helper function
	function prompt () {
	if [ -z ${!1} ]; then
	local response=""
	while [[ ${response} = "" ]]; do
	read -p "$2: " response
	done
	eval $1=${response}
	fi
	}

	# collect required information
	# - C Country
	# - ST State
	# - L Location
	# - O Organization
	# - OU Organizational Unit
	# - CN Common Name
	echo -e "\nRequired information:"
	prompt BITS "Enter bit size for certs (Ex. 2048)"
	prompt DAYS "Enter number of days to sign the certs with (Ex. 365)"
	prompt COUNTRY "Enter the 'Country' for the cert (Ex. US)"
	prompt STATE "Enter the 'State' for the cert (Ex. IN)"
	prompt LOCATION "Enter the 'Location' for the cert (Ex. Indianapolis)"
	prompt ORGANIZATION "Enter the 'Organization' for the cert (Ex. Docker)"
	prompt OUNIT "Enter the 'Organizational Unit' for the cert (Ex. Support)"
	prompt COMMON "Enter the 'Common Name' for the cert (Must be a FQDN (at least one period character) E.g. myregistry.com)"

	# ... Docker ...
	# ~~~~~~~~~~~~~~

	# for aufs
	echo -e "\nInstalling linux-image-extra ..."
	apt-get update && apt-get -y install linux-image-extra-$(uname -r)
	sleep 10

	# Install Docker
	echo -e "\nInstalling Docker ..."
	curl -sSL https://get.docker.com/ubuntu/ \| sudo sh


	# ... Certs ...
	# ~~~~~~~~~~~~~

	# ... prep certs ...

	echo -e "\nGenerating certs ..."
	mkdir certs
	cd certs
	# Generate a root key
	openssl genrsa -out rootCA.key ${BITS}

	# Generate a root certificate
	openssl req -x509 -new -nodes -key rootCA.key -days ${DAYS}\
	-subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/CN=${COMMON}" \
	-out rootCA.crt

	# Generate key for host
	openssl genrsa -out ${COMMON}.key ${BITS}

	# Generate CSR
	openssl req -new -key ${COMMON}.key \
	-subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/CN=${COMMON}" \
	-out ${COMMON}.csr

	# Sign certificate request
	openssl x509 -req -in ${COMMON}.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -days ${DAYS} \
	-out ${COMMON}.crt

	sudo mkdir /usr/local/share/ca-certificates/${COMMON}
	sudo cp rootCA.crt /usr/local/share/ca-certificates/${COMMON}
	sudo update-ca-certificates

	mkdir -p /etc/docker/certs.d/${COMMON}
	cp rootCA.crt /etc/docker/certs.d/${COMMON}/ca.crt

	# add ${COMMON} to /etc/hosts
	echo -e "\nAdding ${COMMON} to /etc/hosts ..."
	if [ ! `cat /etc/hosts \| grep -o "${COMMON}"` ]; then
	sudo echo "127.0.0.1 ${COMMON}" >> /etc/hosts
	fi


	# ... launch registry ...
	# ~~~~~~~~~~~~~~~~~~~~~~~

	# Restart Docker to pick up our certs
	echo -e "\nRestarting Docker daemon ..."
	sudo service docker restart
	sleep 10

	echo -e "\nLaunching our private registry ..."
	cd ..
	docker run -d -p 5000:5000 --restart=always --name registry -v `pwd`/certs:/certs \
	-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/${COMMON}.crt \
	-e REGISTRY_HTTP_TLS_KEY=/certs/${COMMON}.key \
	registry:2


	# Instructions
	echo -e "\nInstallation finished ...

	Notes
	=====

	- /etc/hosts should have an entry for '${COMMON}'
	~> cat /etc /hosts

	- All generated certificates have been saved in the certs directory (see lines 64-65 above).
	- You'll need the 'rootCA.crt' to access the private repository from client machines (Instructions below)

	Using the private registry
	==========================
	docker pull busybox
	docker tag busybox ${COMMON}:5000/busybox
	docker push ${COMMON}:5000/busybox
	docker pull ${COMMON}:5000/busybox

	Accessing the private registry from a client machine
	====================================================

	On the client machine:

	- Add ${COMMON} entry to /etc/hosts with correct IP of server (if needed)

	- Create cert directory
	~> sudo mkdir -p /etc/docker/certs.d/${COMMON}:5000

	- Copy and rename the 'rootCA.crt' file (on the server in the certs directory) into the directory you just created on the client:
	- Full path on client: /etc/docker/certs.d/${COMMON}:5000/ca.crt

	- Restart the Docker daemon to pick up the cert - REQUIRED!!!
	sudo service docker restart

	- Pull our ${COMMON}/busybox image
	~> docker pull ${COMMON}:5000/busybox

	"