-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
6861263
commit 04998c0
Showing
1 changed file
with
139 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4361,10 +4361,6 @@ These two headers contain the same information, identifying the client | |
| cert id to the backend server. Either of these may be used for | ||
| secondary authorization in your app. | ||
|
|
||
| *** Next steps | ||
|
|
||
| * Install apps. | ||
|
|
||
| ** Docker Registry | ||
| :PROPERTIES: | ||
| :EXPORT_FILE_NAME: 000660-docker-registry | ||
|
|
@@ -4381,6 +4377,145 @@ more control and security. By using a registry, you can version | |
| images, enforce access policies, and simplify deployment, making it a | ||
| key part of your infrastructure. | ||
|
|
||
| If you only have one Docker server, running a registry might be kind | ||
| of pointless. But you may want to run it for any of these reasons: | ||
|
|
||
| * You have multiple Docker servers and you want an image cache that they can all share. | ||
| * You have built your own custom images that you want to distribute. | ||
| * You want to run faasd and need a place to store your function container images. | ||
| * You want to store images for any reason. | ||
|
|
||
|
|
||
| *** Configure registry | ||
|
|
||
| #+attr_shortcode: :style secondary :title Run this on your Raspberry Pi | ||
| #+begin_run | ||
| pi make registry config | ||
| #+end_run | ||
|
|
||
| Configure the registry hostname: | ||
|
|
||
| #+begin_stdout | ||
| REGISTRY_TRAEFIK_HOST: Enter the registry domain name (eg. registry.example.com) | ||
| : registry.pi.example.com | ||
| #+end_stdout | ||
|
|
||
| It is *highly* recommended to turn on HTTP Basic Authentication or | ||
| Mutual TLS, in order to protect the registry from unauthorized use: | ||
|
|
||
| #+begin_stdout | ||
| ? Do you want to enable sentry authorization in front of this app (effectively making the entire site private)? | ||
| No | ||
| > Yes, with HTTP Basic Authentication | ||
| Yes, with Oauth2 | ||
| Yes, with Mutual TLS (mTLS) | ||
|
|
||
| Enter the username for HTTP Basic Authentication | ||
| : ryan | ||
|
|
||
| Enter the passphrase for ryan (leave blank to generate a random passphrase) | ||
| : hunter2 | ||
|
|
||
| Hashed password: ryan:$apr1$Rav9J1xZ$oKMnqMzcEequ6H2VBha6N0 | ||
| Url encoded: https://ryan:[email protected]/... | ||
|
|
||
| > Would you like to create additional usernames (for the same access privilege)? No | ||
|
|
||
| > Would you like to export the usernames and cleartext passwords to the file passwords.js | ||
| n? No | ||
| #+end_stdout | ||
|
|
||
| *** Install registry | ||
|
|
||
| #+attr_shortcode: :style secondary :title Run this on your Raspberry Pi | ||
| #+begin_run | ||
| pi make registry install | ||
| #+end_run | ||
|
|
||
| *** Configure Docker client | ||
|
|
||
| To use the registry, configure the docker client on the pi: | ||
|
|
||
| #+attr_shortcode: :style secondary :title Run this on your Raspberry Pi | ||
| #+begin_run | ||
| docker login registry.pi.example.com | ||
| #+end_run | ||
|
|
||
| #+begin_stdout | ||
| Username: ryan | ||
| Password: | ||
| WARNING! Your password will be stored unencrypted in /home/ryan/.docker/config.json. | ||
| Configure a credential helper to remove this warning. See | ||
| https://docs.docker.com/engine/reference/commandline/login/#credential-stores | ||
|
|
||
| Login Succeeded | ||
| #+end_stdout | ||
|
|
||
| *** Test pushing an image: | ||
|
|
||
| Pull an image from the normal Docker registry for testing purposes: | ||
|
|
||
| #+attr_shortcode: :style secondary :title Run this on your Raspberry Pi | ||
| #+begin_run | ||
| docker pull docker.io/traefik/whoami:latest | ||
| #+end_run | ||
|
|
||
| Retag the image so that it belongs to your registry now: | ||
|
|
||
| #+attr_shortcode: :style secondary :title Run this on your Raspberry Pi | ||
| #+begin_run | ||
| docker tag docker.io/traefik/whoami:latest registry.pi.example.com/traefik/whoami:latest | ||
| #+end_run | ||
|
|
||
|
|
||
| #+attr_shortcode: :style secondary :title Run this on your Raspberry Pi | ||
| #+begin_run | ||
| docker push registry.example.com/traefik/whoami:latest | ||
| #+end_run | ||
|
|
||
| #+begin_stdout | ||
| The push refers to repository [registry.example.com/traefik/whoami] | ||
| 298b6a4a6489: Pushed | ||
| a1b937ed548c: Pushed | ||
| 01d1702a867e: Pushed | ||
| latest: digest: sha256:c899811bc4a1f63a1273c612e15f1bea6514a19c7b08143dbbdef3e8f882c38d size: 948 | ||
| #+end_stdout | ||
|
|
||
| *** Configure Docker client for Mutual TLS | ||
|
|
||
| If you choose the mTLS sentry authorization with step-ca, you can | ||
| configure your docker client to use your client certificate and key: | ||
|
|
||
| On the client computer: | ||
|
|
||
| * Create a directory under =/etc/docker/certs.d= matching the registry | ||
| hostname (e.g., =/etc/docker/certs.d/registry.pi.example.com/=). | ||
|
|
||
| * Copy three files into the new directory: | ||
|
|
||
| =ca.crt= - the Step-CA public CA cert. | ||
| =client.cert= - the client's public cert. | ||
| =client.key= - the client's private key. | ||
|
|
||
| *** Restrict access by IP address | ||
|
|
||
| In addition to (or in lieu of) sentry authorization, you can restrict | ||
| access by source IP address. By default the access is allowed to | ||
| 0.0.0.0/0 which allows all traffic. For example, you may restrict | ||
| access to only a specific list of subnets: | ||
|
|
||
| #+attr_shortcode: :style secondary :title Run this on your Raspberry Pi | ||
| #+begin_run | ||
| pi make registry reconfigure var=REGISTRY_IP_SOURCERANGE=192.168.1.10/24,10.13.13.10/32 | ||
| #+end_run | ||
|
|
||
| Make to re-install after all config changes: | ||
|
|
||
| #+attr_shortcode: :style secondary :title Run this on your Raspberry Pi | ||
| #+begin_run | ||
| pi make registry install | ||
| #+end_run | ||
|
|
||
| * Install apps | ||
| :PROPERTIES: | ||
| :EXPORT_HUGO_SECTION_FRAG: install-web-services | ||
|
|
||