Securing A Private Docker Registry By Using SSL, Tokens, LDAP – Part 3


Securing Your Private Docker Registry by Tokens and LDAP

In recent articles (part 1 and part 2), I discussed how to build a high availability private Docker registry.
Below I am going to show you how to add Docker Auth/tokens, TLS/SSL and LDAP to your private Docker registry.

Figure: Docker token authentication/authorization (over SSL) flow diagram.

Generating Certificates to be used by the Registry

Before we start modifying the configuration, we first need to generate, request and sign the SSL certificates; we will be using them throughout the configurations below.
Note: Below I am generating and using my own CA. Feel free to get a certificate from Let's Encrypt, which provides free SSL certificates for personal use, or pay one of the providers of public SSL certificates; the configuration process would be similar.

First, let's create a file called cert.conf. This file contains additional certificate settings, in our case primarily the DNS alt names.

Note: As you can see from the cert.conf above, I added additional DNS (FQDN) names in the alt_names section.

Next, let's generate the CA key pair (private key and public certificate).

Next, let's generate the server/client certificate: create the request, then have it signed by the CA.

Verify the certificate information such as the FQDN, alt names, etc.

Tip: As an extra bonus, convert the certificate to PKCS#12 (.p12) format (optional).

Now that we have the certificates, we are ready to use them.
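The certificate steps above, carried through as an added shell example (not the article's own cert.conf or commands): it writes a cert.conf with an alt_names section, creates a private CA, signs a registry certificate so the SANs survive signing, and verifies that a given FQDN is really covered. The host names coreos.domain.com, coreos1.domain.com and coreos2.domain.com are placeholders.

```shell
#!/bin/sh
# Added example, not the article's own files: write cert.conf with alt_names,
# create a private CA, then sign a registry certificate that keeps the SANs.
# Host names (coreos.domain.com, coreos1/coreos2) are placeholders.
set -eu

# cert.conf: openssl req config whose alt_names section lists every FQDN the
# registry will answer on.  $1 = path, $2 = CN, rest = extra DNS alt names.
write_cert_conf() {
  out=$1; cn=$2; shift 2
  {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
    printf '[dn]\nCN = %s\n' "$cn"
    printf '[v3_req]\nsubjectAltName = @alt_names\n'
    printf 'extendedKeyUsage = serverAuth, clientAuth\n'
    printf '[alt_names]\nDNS.1 = %s\n' "$cn"
    i=2; for name in "$@"; do printf 'DNS.%s = %s\n' "$i" "$name"; i=$((i + 1)); done
  } > "$out"
}

# Self-signed CA (the article uses its own CA as well).  $1 = output dir.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=Private Registry CA" -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
}

# Server key + CSR, then the CA signature.  -extfile/-extensions copy v3_req
# into the signed cert; without them the alt names are silently dropped.
make_server_cert() {   # $1 = output dir, $2 = cert.conf
  openssl req -newkey rsa:2048 -nodes -config "$2" \
    -keyout "$1/coreos-key.pem" -out "$1/coreos.csr" 2>/dev/null
  openssl x509 -req -days 825 -sha256 -in "$1/coreos.csr" -CA "$1/ca.pem" \
    -CAkey "$1/ca-key.pem" -CAcreateserial -extfile "$2" -extensions v3_req \
    -out "$1/coreos-cert.pem" 2>/dev/null
}

# Chain check plus "is this FQDN actually in the SAN list".  $1 = dir, $2 = FQDN.
verify_cert() {
  openssl verify -CAfile "$1/ca.pem" "$1/coreos-cert.pem" >/dev/null &&
    openssl x509 -in "$1/coreos-cert.pem" -noout -text | grep -Eq "DNS:$2(,|$)"
}

if [ "${1:-}" = demo ] && command -v openssl >/dev/null 2>&1; then
  d=$(mktemp -d)
  write_cert_conf "$d/cert.conf" coreos.domain.com coreos1.domain.com coreos2.domain.com
  make_ca "$d"; make_server_cert "$d" "$d/cert.conf"
  verify_cert "$d" coreos2.domain.com && echo "certificates written to $d"
fi
```

Run it with the argument demo to produce ca.pem, coreos-cert.pem and coreos-key.pem in a temporary directory; the verify step fails for any name that is not in alt_names, which is exactly what Docker will complain about later.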

Create required SSL files and directories

In the next step we create an SSL directory; it will be used by both Docker Auth and the Docker registry.

Create the SSL directory and copy the appropriate certificates into it.

Add certificates to the system trust store

Tip: The steps below work on CoreOS; your Linux distro may require a different process, so make sure to check your distro's documentation.

Configuration changes to make Docker work with SSL

Modify the file below and remove the --insecure-registry option; make sure to restart the Docker daemon for the changes to take effect.
/etc/systemd/system/docker.service.d/50-insecure-registry.conf

Also modify DOCKER_OPTS in /var/lib/coreos-install/user_data so that it no longer includes --insecure-registry, something like this: Environment="DOCKER_OPTS="

Adding Docker Auth/tokens to the mix

In the next step, I am going to create a Docker Auth configuration file.
The configuration uses TLS/SSL for communication and LDAP for authentication/authorization.
Tip: You can use the Docker Auth/token process with static users, which works great in a small environment. However, if your setup is a bit more complex, especially if you are already using LDAP for authentication, you might find the setup below useful.

First, let's create the appropriate directories.

Next, let's create a token configuration file.
The file name used is config/auth_config.yml.

Note: To use the proxy user you will need to create a password file containing your LDAP proxy password (I used a file called pass in the ssl directory, i.e. ssl/pass).

As you can see from the above configuration, it uses /ssl/coreos-cert.pem and /ssl/coreos-key.pem for SSL communication.
Finally, to start the Docker Auth container, run the command below.
Note: Replace with --v=2 --alsologtostderr for debugging.

If things work properly and debugging is turned on, you will see something like the below when looking at the logs.

Now that Docker Auth, LDAP and SSL are working, let's move on to modifying the Docker registry configuration.

Note: After modifying the Docker registry configuration, you will be able to test and troubleshoot the configuration, including using curl for API calls and authentication; more about that below.

Adding SSL to the Docker registry configuration

Below is an updated docker-registry-config.yml with SSL/HTTPS; the original configuration is available in part 2.
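The Docker Auth configuration (config/auth_config.yml, with LDAP and the /ssl/coreos-cert.pem and /ssl/coreos-key.pem files) and the registry configuration above have to agree on a few values, or every docker login fails. The following added example, which is not the article's own configuration, writes a minimal version of each file (LDAP host, base DNs, issuer string and realm URL are placeholders) and checks the two values that must match: the token issuer, and the certificate the registry uses to validate token signatures, which for docker_auth defaults to its TLS certificate.

```shell
# Added example, not the article's files: a docker_auth config (TLS + LDAP)
# and a registry config that accepts its tokens, plus a check for the values
# that must agree.  LDAP host and DNs are placeholders.
set -eu
write_auth_config() {   # $1 = path, e.g. config/auth_config.yml
cat > "$1" <<'EOF'
server:
  addr: ":5001"
  certificate: "/ssl/coreos-cert.pem"   # by default also signs issued tokens
  key: "/ssl/coreos-key.pem"
token:
  issuer: "Acme auth server"   # must equal auth.token.issuer in the registry
  expiration: 900
ldap_auth:
  addr: "ldap.domain.com:636"
  tls: always
  base: "ou=users,dc=domain,dc=com"
  filter: "(&(uid=${account})(objectClass=person))"
  bind_dn: "cn=proxy,ou=services,dc=domain,dc=com"
  bind_password_file: "/ssl/pass"   # proxy password stays out of the config
acl:
  - match: {account: "/.+/"}
    actions: ["*"]
EOF
}
write_registry_config() {   # $1 = path, e.g. docker-registry-config.yml
cat > "$1" <<'EOF'
version: 0.1
storage: {filesystem: {rootdirectory: /var/lib/registry}}
http:
  addr: ":5000"
  tls: {certificate: /ssl/coreos-cert.pem, key: /ssl/coreos-key.pem}
auth:
  token:
    realm: "https://coreos.domain.com:5001/auth"
    service: "Docker registry"
    issuer: "Acme auth server"
    rootcertbundle: /ssl/coreos-cert.pem   # cert the auth server signs with
EOF
}
# Read one scalar from these flat YAML files (strips quotes and comments).
yaml_value() { awk -F': ' -v k="$2" '$1 ~ ("^ *" k "$") { v = $2; sub(/ *#.*$/, "", v); gsub(/"/, "", v); print v; exit }' "$1"; }
# Two mismatches that make every docker login fail: the issuer string and
# the certificate the registry uses to validate token signatures.
check_token_trust() {   # $1 = auth config, $2 = registry config
  [ "$(yaml_value "$1" issuer)" = "$(yaml_value "$2" issuer)" ] &&
    [ "$(yaml_value "$1" certificate)" = "$(yaml_value "$2" rootcertbundle)" ]
}
```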

Finally, start your registry container by just running the below.

Note: One of the things to check if you run into any issues is your proxy settings (if you have any). In some of my tests docker login did not honor the no_proxy keyword, causing traffic to try to pass through my proxy and breaking the docker login.

  1. Use tcpdump to verify that traffic is coming in
  2. Try removing http_proxy and https_proxy from /etc/environment

Always remember to restart the Docker daemon with systemctl restart docker for changes to take effect.

To make this configuration highly available, you now have two options.

  1. Replace coreos1 on each server with that server's name, e.g. coreos2.
  2. Use something like Consul, Nginx or Traefik to load balance requests using the name coreos.domain.com; this will not be an issue since the certificate was generated with the alt-names option.

Using/testing the Docker registry with Auth and LDAP

We are now ready to test docker login using SSL, Auth + token and LDAP.
The first way to see if things work as expected is by simply using docker login, something like the below.

And the registry logs would look something like the below.

Now, let's try a simple push and then a pull; something like the below should work.

Using the API with curl to manipulate the registry

To simply test your configuration using curl, something like the commands below will work.

And the output would look something like the below.
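The same exchange that docker login performs against this setup (the registry answers with a 401 and a WWW-Authenticate Bearer challenge, the client fetches a token from the realm with its LDAP credentials, then retries with the token), done by hand with curl as an added example that is not part of the article. REGISTRY, CA_FILE and the user:pass argument are placeholders for your own values; the CA file name /ssl/ca.pem is an assumption.

```shell
# Added example, not the article's commands: the challenge/token exchange that
# docker login performs, done by hand with curl.  REGISTRY, CA_FILE and the
# user:pass argument are placeholders for your own values.
set -eu
REGISTRY=${REGISTRY:-coreos.domain.com:5000}
CA_FILE=${CA_FILE:-/ssl/ca.pem}   # the CA that signed the registry certificate

# Pull one parameter out of a "WWW-Authenticate: Bearer realm=...,service=...,
# scope=..." challenge.  Values are quoted, so a comma inside scope is safe.
challenge_param() {   # $1 = header line, $2 = realm | service | scope
  printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# Extract the token from the auth server's JSON reply.
json_token() { printf '%s\n' "$1" | sed -n 's/.*"token": *"\([^"]*\)".*/\1/p'; }

# Ask the auth server (realm) for a token, authenticating with LDAP credentials.
get_token() {   # $1 = realm, $2 = service, $3 = scope, $4 = user:pass
  json_token "$(curl -sS --cacert "$CA_FILE" -u "$4" -G "$1" \
      --data-urlencode "service=$2" --data-urlencode "scope=$3")"
}

# GET a registry path: read the 401 challenge, fetch a token, retry with it.
registry_get() {   # $1 = path such as /v2/_catalog, $2 = user:pass
  path=$1; creds=$2; set --
  hdr=$(curl -sS --cacert "$CA_FILE" -o /dev/null -D - "https://$REGISTRY$path" |
        tr -d '\r' | grep -i '^www-authenticate:' || true)
  if [ -n "$hdr" ]; then
    token=$(get_token "$(challenge_param "$hdr" realm)" \
      "$(challenge_param "$hdr" service)" "$(challenge_param "$hdr" scope)" "$creds")
    set -- -H "Authorization: Bearer $token"
  fi
  curl -sS --cacert "$CA_FILE" "$@" "https://$REGISTRY$path"
}

# Usage (needs the live registry): registry_get /v2/_catalog "alice:secret"
```

If the first curl returns no WWW-Authenticate header at all, token auth is not active in the registry config; if the token request returns 401, the problem is on the Docker Auth/LDAP side rather than the registry.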

I hope you enjoyed reading Securing Your Docker Registry; give it a thumbs up by rating the article or just by providing feedback.
