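#!/usr/bin/env bash
# Installs/Configures:
# - Docker
# - Docker Registry Container with self-signed cert
#
# Tested on Ubuntu 14.04.1
# Must be executed with elevated privileges
#
# Everything below installs packages and writes under /etc, so refuse to run
# unprivileged. EUID is bash's own view of the effective uid (no fork of `id`),
# and the diagnostic goes to stderr like any other error message.
if (( EUID != 0 )); then
  printf 'This script must be ran as root or sudo!\n' >&2
  exit 1
fi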
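# prompt helper function
#######################################
# Ask the user for a value unless the named variable already holds one.
# Arguments: $1 - name of the variable to fill (e.g. BITS)
#            $2 - prompt text shown to the user
# Outputs:   prompt text via `read -p` (only when stdin is a terminal)
# Returns:   0 when the variable holds a non-empty value afterwards,
#            1 when stdin hits EOF before a non-empty answer was given
#######################################
prompt() {
  local var_name=$1
  local prompt_text=$2
  local response=""
  # ${!var_name:-} reads the variable named by $1; :- keeps it safe under set -u
  if [ -n "${!var_name:-}" ]; then
    return 0
  fi
  while [ -z "${response}" ]; do
    # -r keeps backslashes literal. On EOF (non-interactive run) `read` fails
    # and leaves response empty, which would otherwise spin here forever.
    if ! read -r -p "${prompt_text}: " response; then
      printf 'No input for %s (stdin closed)\n' "${var_name}" >&2
      return 1
    fi
  done
  # Assign by name with printf -v instead of eval, so the typed answer is
  # stored verbatim and never re-parsed as shell code.
  printf -v "${var_name}" '%s' "${response}"
}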
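# collect required information
# - C Country
# - ST State
# - L Location
# - O Organization
# - OU Organizational Unit
# - CN Common Name
printf '\nRequired information:\n'
# Each prompt leaves its answer in the named variable; stop if input runs dry.
prompt BITS "Enter bit size for certs (Ex. 2048)" || exit 1
prompt DAYS "Enter number of days to sign the certs with (Ex. 365)" || exit 1
prompt COUNTRY "Enter the 'Country' for the cert (Ex. US)" || exit 1
prompt STATE "Enter the 'State' for the cert (Ex. IN)" || exit 1
prompt LOCATION "Enter the 'Location' for the cert (Ex. Indianapolis)" || exit 1
prompt ORGANIZATION "Enter the 'Organization' for the cert (Ex. Docker)" || exit 1
prompt OUNIT "Enter the 'Organizational Unit' for the cert (Ex. Support)" || exit 1
prompt COMMON "Enter the 'Common Name' for the cert (Must be a FQDN (at least one period character) E.g. myregistry.com)" || exit 1

# Validate the answers before they reach openssl, file names and /etc paths.
# BITS/DAYS are numeric openssl arguments.
for numeric_var in BITS DAYS; do
  if ! [[ "${!numeric_var}" =~ ^[0-9]+$ ]]; then
    printf '%s must be a positive integer, got: %s\n' "${numeric_var}" "${!numeric_var}" >&2
    exit 1
  fi
done
# The subject fields are joined with '/' below, so a '/' inside one of them
# would be read as a new RDN.
for subj_var in COUNTRY STATE LOCATION ORGANIZATION OUNIT; do
  if [[ "${!subj_var}" == */* ]]; then
    printf "%s must not contain '/', got: %s\\n" "${subj_var}" "${!subj_var}" >&2
    exit 1
  fi
done
# COMMON becomes a file name, a path component under /etc, an /etc/hosts entry
# and the CN/SAN: restrict it to hostname characters, which also rules out
# '/', '..' and option-like values.
if ! [[ "${COMMON}" =~ ^[A-Za-z0-9.-]+$ && "${COMMON}" == *.* ]]; then
  printf 'Common Name must be a FQDN made of letters, digits, dots and dashes, got: %s\n' "${COMMON}" >&2
  exit 1
fi

# ... Docker ...
# ~~~~~~~~~~~~~~
# for aufs
printf '\nInstalling linux-image-extra ...\n'
apt-get update && apt-get -y install "linux-image-extra-$(uname -r)"
sleep 10
# Install Docker
printf '\nInstalling Docker ...\n'
# NOTE(review): piping a remote script straight into sh runs whatever the
# server (or anyone able to tamper with the download) sends. Downloading to a
# file and inspecting/verifying it before running it is the safer shape.
# The script already runs as root (checked at the top), so `sudo` is not needed.
curl -sSL https://get.docker.com/ubuntu/ | sh

# ... Certs ...
# ~~~~~~~~~~~~~
# ... prep certs ...
printf '\nGenerating certs ...\n'
# -p lets the script be re-run; a failed cd must not leave keys in $PWD.
mkdir -p certs
cd certs || { printf 'cannot cd to certs\n' >&2; exit 1; }
# Generate a root key. umask 077 in a subshell keeps the private key from
# ever being world-readable without affecting the rest of the script.
(umask 077; openssl genrsa -out rootCA.key "${BITS}")
# Generate a root certificate (OU was prompted for, so it goes into the subject too)
openssl req -x509 -new -nodes -key rootCA.key -days "${DAYS}" \
  -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${OUNIT}/CN=${COMMON}" \
  -out rootCA.crt
# Generate key for host
(umask 077; openssl genrsa -out "${COMMON}.key" "${BITS}")
# Generate CSR
openssl req -new -key "${COMMON}.key" \
  -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${OUNIT}/CN=${COMMON}" \
  -out "${COMMON}.csr"
# Sign certificate request. TLS clients that match the host name against
# subjectAltName (not the legacy CN) reject a CN-only certificate, so add the
# SAN through -extfile; the unnamed section of the file is used by default.
openssl x509 -req -in "${COMMON}.csr" -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -days "${DAYS}" \
  -extfile <(printf 'subjectAltName=DNS:%s\n' "${COMMON}") \
  -out "${COMMON}.crt"
# Trust the root CA system-wide and for the Docker daemon on this host.
mkdir -p "/usr/local/share/ca-certificates/${COMMON}"
cp rootCA.crt "/usr/local/share/ca-certificates/${COMMON}"
update-ca-certificates
# Docker looks up a registry's CA under certs.d/<host>:<port>; this matches
# the client instructions printed at the end (the registry listens on 5000).
mkdir -p "/etc/docker/certs.d/${COMMON}:5000"
cp rootCA.crt "/etc/docker/certs.d/${COMMON}:5000/ca.crt"

# add ${COMMON} to /etc/hosts
printf '\nAdding %s to /etc/hosts ...\n' "${COMMON}"
# -F: COMMON is a literal, not a regex. The redirection runs in this (root)
# shell, so no sudo is needed around it.
if ! grep -qF -- "${COMMON}" /etc/hosts; then
  printf '127.0.0.1 %s\n' "${COMMON}" >> /etc/hosts
fi

# ... launch registry ...
# ~~~~~~~~~~~~~~~~~~~~~~~
# Restart Docker to pick up our certs
printf '\nRestarting Docker daemon ...\n'
service docker restart
sleep 10
printf '\nLaunching our private registry ...\n'
# NOTE: the launch itself is commented out; the message above is printed
# regardless. Uncomment the block below to start the registry container.
# cd ..
# docker run -d -p 5000:5000 --restart=always --name registry -v "$(pwd)/certs:/certs" \
# -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/${COMMON}.crt \
# -e REGISTRY_HTTP_TLS_KEY=/certs/${COMMON}.key \
# registry:2

# Instructions (unquoted heredoc: ${COMMON} is expanded, nothing else is special)
cat <<EOF

Installation finished ...
Notes
=====
- /etc/hosts should have an entry for '${COMMON}'
~> cat /etc/hosts
- All generated certificates have been saved in the certs directory (see lines 64-65 above).
- You'll need the 'rootCA.crt' to access the private repository from client machines (Instructions below)
Using the private registry
==========================
docker pull busybox
docker tag busybox ${COMMON}:5000/busybox
docker push ${COMMON}:5000/busybox
docker pull ${COMMON}:5000/busybox
Accessing the private registry from a client machine
====================================================
On the client machine:
- Add ${COMMON} entry to /etc/hosts with correct IP of server (if needed)
- Create cert directory
~> sudo mkdir -p /etc/docker/certs.d/${COMMON}:5000
- Copy and rename the 'rootCA.crt' file (on the server in the certs directory) into the directory you just created on the client:
- Full path on client: /etc/docker/certs.d/${COMMON}:5000/ca.crt
- Restart the Docker daemon to pick up the cert - REQUIRED!!!
sudo service docker restart
- Pull our ${COMMON}/busybox image
~> docker pull ${COMMON}:5000/busybox

EOF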