diff --git a/books/portable-docker.org b/books/portable-docker.org index baa23312..d77d87e5 100644 --- a/books/portable-docker.org +++ b/books/portable-docker.org @@ -4361,10 +4361,6 @@ These two headers contain the same information, identifying the client cert id to the backend server. Either of these may be used for secondary authorization in your app. -*** Next steps - - * Install apps. - ** Docker Registry :PROPERTIES: :EXPORT_FILE_NAME: 000660-docker-registry 
@@ -4381,6 +4377,145 @@ more control and security. By using a registry, you can version images, enforce access policies, and simplify deployment, making it a key part of your infrastructure. +If you only have one Docker server, running a registry might be kind +of pointless. But you may want to run it for any of these reasons: + + * You have multiple Docker servers and you want an image cache that they can all share. + * You have built your own custom images that you want to distribute. + * You want to run faasd and need a place to store your function container images. + * You want to store images for any reason. + + +*** Configure registry + +#+attr_shortcode: :style secondary :title Run this on your Raspberry Pi +#+begin_run +pi make registry config +#+end_run + +Configure the registry hostname: + +#+begin_stdout +REGISTRY_TRAEFIK_HOST: Enter the registry domain name (eg. registry.example.com) +: registry.pi.example.com +#+end_stdout + +It is *highly* recommended to turn on HTTP Basic Authentication or +Mutual TLS, in order to protect the registry from unauthorized use: + +#+begin_stdout +? Do you want to enable sentry authorization in front of this app (effectively making the entire site private)? + No +> Yes, with HTTP Basic Authentication + Yes, with Oauth2 + Yes, with Mutual TLS (mTLS) + +Enter the username for HTTP Basic Authentication +: ryan + +Enter the passphrase for ryan (leave blank to generate a random passphrase) +: hunter2 + +Hashed password: ryan:$apr1$Rav9J1xZ$oKMnqMzcEequ6H2VBha6N0 +Url encoded: https://ryan:hunter2@example.com/... + +> Would you like to create additional usernames (for the same access privilege)? No + +> Would you like to export the usernames and cleartext passwords to the file passwords.js +n? 
No +#+end_stdout + +*** Install registry + +#+attr_shortcode: :style secondary :title Run this on your Raspberry Pi +#+begin_run +pi make registry install +#+end_run + +*** Configure Docker client + +To use the registry, configure the docker client on the pi: + +#+attr_shortcode: :style secondary :title Run this on your Raspberry Pi +#+begin_run +docker login registry.pi.example.com +#+end_run + +#+begin_stdout +Username: ryan +Password: +WARNING! Your password will be stored unencrypted in /home/ryan/.docker/config.json. +Configure a credential helper to remove this warning. See +https://docs.docker.com/engine/reference/commandline/login/#credential-stores + +Login Succeeded +#+end_stdout + +*** Test pushing an image: + +Pull an image from the normal Docker registry for testing purposes: + +#+attr_shortcode: :style secondary :title Run this on your Raspberry Pi +#+begin_run +docker pull docker.io/traefik/whoami:latest +#+end_run + +Retag the image so that it belongs to your registry now: + +#+attr_shortcode: :style secondary :title Run this on your Raspberry Pi +#+begin_run +docker tag docker.io/traefik/whoami:latest registry.pi.example.com/traefik/whoami:latest +#+end_run + + +#+attr_shortcode: :style secondary :title Run this on your Raspberry Pi +#+begin_run +docker push registry.example.com/traefik/whoami:latest +#+end_run + +#+begin_stdout +The push refers to repository [registry.example.com/traefik/whoami] +298b6a4a6489: Pushed +a1b937ed548c: Pushed +01d1702a867e: Pushed +latest: digest: sha256:c899811bc4a1f63a1273c612e15f1bea6514a19c7b08143dbbdef3e8f882c38d size: 948 +#+end_stdout + +*** Configure Docker client for Mutual TLS + +If you choose the mTLS sentry authorization with step-ca, you can +configure your docker client to use your client certificate and key: + +On the client computer: + + * Create a directory under =/etc/docker/certs.d= matching the registry + hostname (e.g., =/etc/docker/certs.d/registry.pi.example.com/=). 
+ + * Copy three files into the new directory: + + =ca.crt= - the Step-CA public CA cert. + =client.cert= - the client's public cert. + =client.key= - the client's private key. + +*** Restrict access by IP address + +In addition to (or in lieu of) sentry authorization, you can restrict +access by source IP address. By default the access is allowed to +0.0.0.0/0 which allows all traffic. For example, you may restrict +access to only a specific list of subnets: + +#+attr_shortcode: :style secondary :title Run this on your Raspberry Pi +#+begin_run +pi make registry reconfigure var=REGISTRY_IP_SOURCERANGE=192.168.1.10/24,10.13.13.10/32 +#+end_run + +Make to re-install after all config changes: + +#+attr_shortcode: :style secondary :title Run this on your Raspberry Pi +#+begin_run +pi make registry install +#+end_run + * Install apps :PROPERTIES: :EXPORT_HUGO_SECTION_FRAG: install-web-services
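Review bot: In the first hunk, the "*** Next steps" subsection with its "Install apps." pointer is dropped from the end of the client-certificate section without an equivalent pointer being added at the end of the new Docker Registry section that now sits between it and "* Install apps"; if the other chapters of the book end with a "Next steps" subsection, consider keeping the convention by adding one after the "Restrict access by IP address" subsection so readers are still directed to the next step.

Review bot: The registry hostname is inconsistent in the push example in the second hunk: the configuration prompt and the `docker tag` command use `registry.pi.example.com`, but the push command and the quoted output use `registry.example.com` (`docker push registry.example.com/traefik/whoami:latest` and `The push refers to repository [registry.example.com/traefik/whoami]`), so following the steps as written would push to a different host than the one just tagged and logged into; change both to `registry.pi.example.com`. Two smaller points in the same hunk: "Make to re-install after all config changes" is missing a word ("Make sure to re-install"), and the IP allow-list example `192.168.1.10/24` mixes a host address with a /24 prefix, which is misleading next to the `/32` entry; `192.168.1.0/24` would make the subnet example unambiguous. The heading "*** Test pushing an image:" also carries a trailing colon that the sibling headings do not.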