Setting up a Private Registry for HPSB
- To create a CA / signed certificate, provide the container IP as the subjectAltName (create the certs directory first):
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -addext "subjectAltName = IP:150.240.76.1" -x509 -days 365 -out certs/domain.crt
The following message appears:
"You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN."
"There are quite a few fields but you can leave some blank. For some fields, there will be a default value, however, if you enter '.', the field will be left blank."
- Enter the required details to incorporate in your certificate:
"Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name (for example, server FQDN or your name), and Email Address"
- Convert the certificate to a single-line base64 string:
base64 -i certs/domain.crt | tr -d '\n'
- To create an auth token, use the htpasswd tool from the httpd image (create the auth directory first; -B stores the password as a bcrypt hash):
docker run --entrypoint htpasswd httpd:2 -Bbn testuser testpassword > auth/htpasswd
- Create a registry that uses the token and the certificate:
docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry \
  -v "$(pwd)"/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
Note: Once the registry is up and running, you can push the image.
docker ps
CONTAINER ID   IMAGE        COMMAND                  CREATED         STATUS         PORTS                    NAMES
8cdf3075bd9f   registry:2   "/entrypoint.sh /etc…"   7 seconds ago   Up 6 seconds   0.0.0.0:5000->5000/tcp   registry
- Push the SBS image into the registry.
a. Log in to the registry using the username and password:
docker login -u testuser http://localhost:5000
docker push localhost:5000/sbs12:1.3.0.16
b. Tag the image with the registry host and port:
docker tag secure-docker-build:1.3.0.16 localhost:5000/secure-docker-build:1.3.0.16
c. Push the tagged image:
docker push localhost:5000/secure-docker-build:1.3.0.16
- View the pushed docker images:
docker images
REPOSITORY                            TAG        IMAGE ID       CREATED       SIZE
httpd                                 2          8c47575322dd   7 days ago    162MB
localhost:5000/secure-docker-build    1.3.0.16   c628c5f2f96a   13 days ago   2.66GB
registry                              2          4082b3ffee44   2 weeks ago   26.1MB
Here is a sample workload file (secret values are masked with asterisks):
workload: hyper-protect-basic.boTK7KMH3mGmcoKoCNwBV8moGoOD82r58lL**************ITmFvmO1uBGX0=
env: |
  type: env
  logging:
    logDNA:
      hostname: syslog-a.us-south.logging.cloud.ibm.com
      ingestionKey: ab00e3********a83413
      port: 6514
  cacerts:
    - certificate: "Provide the key generated from Step 7"
  volumes:
    hpsb:
      seed: "testing"
  auths:
    # Either enter docker.io with the username and password, or, if you are providing a container IP, enter the IP with the port value
    "150.238.70.28:5000":
      password: testpassword
      username: testuser
  env:
    CLIENT_CRT: "LS0tLS1C0FUR*********S0tLS0tCg=="
    CLIENT_CA: "LS0tLS1CRNFUlR***********JRklDQVRFLS0tLS0K"
    SERVER_CRT: "LS0tLS1Ca0Z5Ylh*************EREFLQmdOVkJBb0FURS0tLS0tCg=="
    SERVER_KEY: "LS0tLS1CRUdJTiBQR***********1AgR1AgTUVTU0FHRS0tLS0tCg=="
  # Enter either docker.io/name/imagename or the IP of the container and the image name
  registry: "150.238.70.28:5000/secure-docker-build"
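The registry-related fields of the env section are easy to mis-assemble by hand, so here is an added example (not part of the IBM documentation and not HPSB's own tooling) that produces them from the PEM certificate and the registry reference and checks their consistency: the cacerts value must be the same single-line base64 that the `base64 -i certs/domain.crt | tr -d '\n'` step produces, and the auths key must be exactly the host:port prefix of `registry` (or `docker.io` for a Docker Hub reference). The sample PEM is constructed and the helper names (`pem_to_single_line_base64`, `valid_cacert`, `registry_host`, `build_env_section`, `auths_match_registry`) are this example's own.

```python
import base64
import re

# Constructed stand-in for certs/domain.crt (not a real certificate);
# only the PEM framing matters to the checks below.
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBc29tZSBjb25zdHJ1Y3RlZCBib2R5IG5vdCBhIHJlYWwgY2VydA==\n"
    "-----END CERTIFICATE-----\n"
)

# host[:port] only: no scheme, no path, optional numeric port.
_HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+(?::\d{1,5})?$")


def pem_to_single_line_base64(pem_text: str) -> str:
    """Same transformation as `base64 -i certs/domain.crt | tr -d '\\n'`."""
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")


def valid_cacert(value: str) -> bool:
    """True if value is one line of base64 that decodes to a PEM certificate."""
    if any(ch.isspace() for ch in value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    return decoded.startswith("-----BEGIN CERTIFICATE-----")


def registry_host(ref: str) -> str:
    """host[:port] prefix of a reference such as
    '150.238.70.28:5000/secure-docker-build' or 'docker.io/name/image'."""
    host, sep, rest = ref.partition("/")
    if not sep or not rest or not _HOST_PORT.match(host):
        raise ValueError(f"registry reference must be host[:port]/name: {ref!r}")
    return host


def build_env_section(cert_pem: str, registry: str, username: str, password: str,
                      seed: str = "testing") -> str:
    """Render the cacerts/volumes/auths/registry part of the env block,
    with the auths key derived from the registry reference so the two
    cannot drift apart."""
    host = registry_host(registry)
    cert_b64 = pem_to_single_line_base64(cert_pem)
    if not valid_cacert(cert_b64):
        raise ValueError("certificate did not encode to single-line base64 PEM")
    return (
        "env: |\n"
        "  type: env\n"
        "  cacerts:\n"
        f'    - certificate: "{cert_b64}"\n'
        "  volumes:\n"
        "    hpsb:\n"
        f'      seed: "{seed}"\n'
        "  auths:\n"
        f'    "{host}":\n'
        f"      username: {username}\n"
        f"      password: {password}\n"
        f'  registry: "{registry}"\n'
    )


def auths_match_registry(env_text: str) -> bool:
    """Re-read an emitted env block and confirm one auths key equals the
    host[:port] of the registry reference (the check a hand-edited file needs)."""
    auth_keys = re.findall(r'^    "([^"]+)":$', env_text, re.MULTILINE)
    reg = re.search(r'^  registry: "([^"]+)"$', env_text, re.MULTILINE)
    if reg is None:
        return False
    try:
        return registry_host(reg.group(1)) in auth_keys
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_env_section(SAMPLE_CERT_PEM,
                            "150.238.70.28:5000/secure-docker-build",
                            "testuser", "testpassword"))
```

The check does not parse the certificate itself, so it cannot confirm that the IP given as subjectAltName in the openssl step is the same address used as the auths key and registry host; confirm that separately, for example with `openssl x509 -in certs/domain.crt -noout -ext subjectAltName`, since a mismatch only surfaces as a TLS failure when the build container pulls from the registry.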