Deploying own Docker Registry: Registry restarting - permissions

I know Docker Hub, and I know you can create your own repositories on it.
But you have to pay when you want to create multiple private repo's.
So I want my own Docker Registry Server using self signed certificates.
I'm following the official documentation
So these are the steps:
Create certificates in certs/
mkdir -p certs && openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt
So this creates a domain.key and domain.crt in my certs/.
Now it's time to start my docker registry (using the keys):
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=certs/domain.key \
registry:2
After the deploy I see this:
$ docker ps
"/bin/registry /etc/d" 12 seconds ago Restarting (1) 1 seconds ago 0.0.0.0:5000->5000/tcp
My docker logs are telling me:
time="2015-12-11T10:18:19Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.5.2 instance.id=ee1b0d64-89eb-4be7-bc3e-e0e249bf117d version=v2.2.1
time="2015-12-11T10:18:19Z" level=info msg="redis not configured" go.version=go1.5.2 instance.id=ee1b0d64-89eb-4be7-bc3e-e0e249bf117d version=v2.2.1
time="2015-12-11T10:18:19Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.5.2 instance.id=ee1b0d64-89eb-4be7-bc3e-e0e249bf117d version=v2.2.1
time="2015-12-11T10:18:19Z" level=fatal msg="open certs/domain.crt: permission denied"
Can someone tell me what I'm doing wrong? Thanks

It's an issue with SELinux and Docker:
chcon -Rt svirt_sandbox_file_t ~/certs/

Related

SEC_ERROR_UNKNOWN_PKCS11_ERROR when trying to run curl command in rhel7

I am trying to run curl command from Red Hat Enterprise Linux 7 server with curl below:-
curl -0 -v --cert-type p12 --cert /mycert.p12:<password> --cacert /my_sec_cert.cer -X GET "https://<url>"
and ended up with the error :-
unable to load client cert: -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR)
NSS error -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR)
When I am using a PEM certificate with a private key for the same curl command, it's working fine for me.
Can anyone suggest how to use p12 with RHEL7 here? Thanks

gitlab CI: x509: certificate signed by unknown authority while accessing private docker registry

Can't login to my private docker registry from the gitlab-ci.
Scenario:
gitlab CE omnibus installation, the registry is inside the gitlab.
gitlab-runner with docker executor running as container in a docker swarm cluster
gitlab-runner has a ca.crt in /etc/gitlab-runner/certs/
The ca.crt contain the server, the intermediate and the root certificate in the correct order.
It's not a self-signed certificate, it's a wildcard certificate (*.domain.com)
Inside the gitlab-runner container I can run curl https://registry.domain.com without error
What I have tried:
Add the registry as insecure (daemon.json and in the .gitlab-ci.yaml)
Add the certificate in the runner as registry.domain.com.crt
.gitlab-ci.yml
build_image:
  image: docker:19.03.8
  services:
    - name: docker:19.03.12-dind
      command: ["--insecure-registry=registry.domain.com:443"]
      alias: docker
  stage: build
  ...
  script:
    - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.domain.com
obs: I already saw this without success.
I still don't know what caused this issue but the solution was mount docker socket in the gitlab-runner
gitlab-runner register <other_options> --docker-volumes /var/run/docker.sock:/var/run/docker.sock

How to renew kubernetes ssl certs

I'm using kubeadm to build a k8s cluster, and the default SSL certs can be used for 1 year.
I plan to use cfssl or openssl to generate new certs with 10 years of use.
Could anyone please help me.
Thanks all
You can generate certs using cfssl or openssl, store them in a directory and specify that directory in kubeadm init; kubeadm will then not generate certs and will use the provided certs.
kubeadm init --cert-dir
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#custom-certificates
Kubeadm also provides cert renew mechanism for renewing certs for 1 year.
kubeadm alpha certs renew
Since you have a running cluster which signs certs with 1 year of validity, you can change this flag of the kube-controller-manager (the default duration of signed certs) to sign certs for 10 years.
--experimental-cluster-signing-duration duration Default: 8760h0m0s
Once this is done you can use below guide to sign cert valid for 10 years.
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#renew-certificates-with-the-kubernetes-certificates-api
To renew Kubernetes certs for 10 years (not recommended).
Check certs expiration
kubeadm alpha certs check-expiration --config="/etc/kubernetes/kubeadm-config.yaml"
Back up the existing Kubernetes certificates
mkdir -p $HOME/fcik8s-old-certs/pki
/bin/cp -p /etc/kubernetes/pki/*.* $HOME/fcik8s-old-certs/pki
Back up the existing configuration files
/bin/cp -p /etc/kubernetes/*.conf $HOME/fcik8s-old-certs
Back up your home configuration
mkdir -p $HOME/fcik8s-old-certs/.kube
/bin/cp -p ~/.kube/config $HOME/fcik8s-old-certs/.kube/.
Add --cluster-signing-duration flag (--experimental-cluster-signing-duration prior to 1.19) for kube-controller-manager
Edit /etc/kubernetes/manifests/kube-controller-manager.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    ...
    - --experimental-cluster-signing-duration=87600h
    ...
...
87600h ~ 10 years
Renew all certs
kubeadm alpha certs renew all --config /etc/kubernetes/kubeadm-config.yaml --use-api
Approve the cert request
kubectl get csr
kubectl certificate approve <cert_request>
Update the kubeconfig file
kubeadm init phase kubeconfig all --config /etc/kubernetes/kubeadm-config.yaml
Overwrite the original admin file with the newly generated admin configuration file
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
Restart components
docker restart $(docker ps | grep etcd | awk '{ print $1 }')
docker restart $(docker ps | grep kube-apiserver | awk '{ print $1 }')
docker restart $(docker ps | grep kube-scheduler | awk '{ print $1 }')
docker restart $(docker ps | grep kube-controller | awk '{ print $1 }')
systemctl daemon-reload && systemctl restart kubelet
Check api-server cert expiration
echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate
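The "edit the kube-controller-manager manifest" step above is easy to get wrong by hand (a duplicated flag, a second copy of the list entry, lost indentation). Below is an added example, not part of the answer and not a kubeadm tool, that sets the flag idempotently on a manifest file: it rewrites the value if the flag is already in the command list and otherwise inserts it directly under the `- kube-controller-manager` entry with matching indentation. It assumes bash, awk and sed; the sample manifest it writes is constructed for the demonstration and the function names (`ensure_flag`, `flag_value`, `sample_manifest`) are mine.

```shell
#!/usr/bin/env bash
# Added example, not code from the page's answer or from kubeadm: idempotently set a
# kube-controller-manager flag in a static pod manifest. Works on any file you pass
# in; the sample manifest below is constructed for the demonstration.
set -eu

# Write a minimal constructed manifest shaped like
# /etc/kubernetes/manifests/kube-controller-manager.yaml (not a real one).
sample_manifest() {  # sample_manifest PATH
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    - --bind-address=127.0.0.1
    - --leader-elect=true
EOF
}

# Print the current value of FLAG in MANIFEST (prints nothing if it is absent).
flag_value() {  # flag_value MANIFEST FLAG
  sed -n "s|^[[:space:]]*- ${2}=||p" "$1"
}

# Set FLAG=VALUE exactly once: rewrite the value if the flag is already in the
# command list, otherwise insert it directly under "- kube-controller-manager"
# with the same indentation. A .bak copy is kept, in the spirit of the backup steps.
ensure_flag() {  # ensure_flag MANIFEST FLAG VALUE
  local manifest="$1" flag="$2" value="$3" tmp
  tmp=$(mktemp)
  cp -p "$manifest" "$manifest.bak"
  if grep -q -- "- ${flag}=" "$manifest"; then
    # flag present: replace only its value, leave every other line alone
    sed "s|\(- ${flag}=\).*|\1${value}|" "$manifest" > "$tmp"
  else
    # flag absent: echo each line, and after the command name add the new entry
    awk -v flag="$flag" -v value="$value" '
      { print }
      /^[ \t]*- kube-controller-manager[ \t]*$/ {
        match($0, /^[ \t]*/)
        printf "%s- %s=%s\n", substr($0, 1, RLENGTH), flag, value
      }' "$manifest" > "$tmp"
  fi
  cat "$tmp" > "$manifest"   # write through so the manifest keeps its own mode/owner
  rm -f "$tmp"
}

# Demonstration: 87600h is the "~10 years" from the answer; clusters before 1.19
# would pass --experimental-cluster-signing-duration as the flag name instead.
main() {
  local m; m=$(mktemp)
  sample_manifest "$m"
  ensure_flag "$m" --cluster-signing-duration 87600h
  ensure_flag "$m" --cluster-signing-duration 87600h   # second run changes nothing
  echo "cluster-signing-duration is now: $(flag_value "$m" --cluster-signing-duration)"
  cat "$m"
}
main
```

Run it against a copy of the real manifest first (`ensure_flag ./kube-controller-manager.yaml --cluster-signing-duration 87600h`) and diff against the `.bak`; the kubelet picks up the change in `/etc/kubernetes/manifests` on its own, which is why the answer's restart list follows the edit.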

Accessing Kubelet API Microk8s

I want to ask how to access Kubelet API from microk8s cluster.
I looked to this url and it says that Kubelet API requires client certificate.
So I called this (from /var/snap/microk8s/current/certs)
curl -v https://127.0.0.1:10250 --cert ca.crt --cert-type PEM --cacert ca.crt --key ca.key
But I got error saying:
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
How do I fix this issue? Also, what is the difference between kubelet.crt, server.crt, and ca.crt in microk8s?
Thank you!
Try this:
curl --verbose \
--cert ./server.crt \
--key ./server.key \
--insecure \
https://127.0.0.1:10250/healthz
The CA cert in the certs directory is not the signer of the cert :10250 presents to the user. I don't know where the CA cert being presented comes from; it looks like it's rotated, as the issuer is CN=<servername>-ca@1567568834 (hence the --insecure).
The kube-apiserver command line will include the exact path to the kubelet client certs (or could also be stored in a config file in the new k8s world)
--kubelet-client-certificate
--kubelet-client-key
$ pgrep -a kube-apiserver | perl -pe 's/ --/\n --/g'
22071 /snap/microk8s/1247/kube-apiserver
--cert-dir=/var/snap/microk8s/1247/certs
--service-cluster-ip-range=10.22.189.0/24
--authorization-mode=RBAC,Node
--basic-auth-file=/var/snap/microk8s/1247/credentials/basic_auth.csv
--service-account-key-file=/var/snap/microk8s/1247/certs/serviceaccount.key
--client-ca-file=/var/snap/microk8s/1247/certs/ca.crt
--tls-cert-file=/var/snap/microk8s/1247/certs/server.crt
--tls-private-key-file=/var/snap/microk8s/1247/certs/server.key
--kubelet-client-certificate=/var/snap/microk8s/1247/certs/server.crt
--kubelet-client-key=/var/snap/microk8s/1247/certs/server.key
--secure-port=16443
--token-auth-file=/var/snap/microk8s/1247/credentials/known_tokens.csv
--token-auth-file=/var/snap/microk8s/1247/credentials/known_tokens.csv
--etcd-servers=https://127.0.0.1:12379
--etcd-cafile=/var/snap/microk8s/1247/certs/ca.crt
--etcd-certfile=/var/snap/microk8s/1247/certs/server.crt
--etcd-keyfile=/var/snap/microk8s/1247/certs/server.key
--requestheader-client-ca-file=/var/snap/microk8s/1247/certs/front-proxy-ca.crt
--requestheader-allowed-names=front-proxy-client
--requestheader-extra-headers-prefix=X-Remote-Extra-
--requestheader-group-headers=X-Remote-Group
--requestheader-username-headers=X-Remote-User
--proxy-client-cert-file=/var/snap/microk8s/1247/certs/front-proxy-client.crt
--proxy-client-key-file=/var/snap/microk8s/1247/certs/front-proxy-client.key

Docker Registry incorrectly claims an expired CA cert

I followed the Docker Registry installation docs precisely, and have a registry running on a remote Ubuntu VM. On that VM, the Docker container is running with the following command:
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
registry:2
On the remote VM, I have the following directory structure:
/home/myuser/
certs/
registry.crt
registry.key
/etc/docker/certs.d/myregistry.example.com:5000/
ca.crt
ca.key
The ca.crt is the same exact cert as ~/certs/registry.crt (just renamed); same goes for ca.key and registry.key being the same/just renamed. I created the ca* files per a suggestion from the error output you'll see below.
I am almost 100% sure the CA cert is still valid, although any help ruling that out (e.g. how can I actually tell?) would be appreciated. When I start the container and look at the Docker logs, I don't see any errors.
I then attempt to login from my local laptop (Mac):
docker login myregistry.example.com:5000
It queries me for my username, password and email (although I don't recall ever specifying an email when setting up Basic Auth). After entering these correctly (I have checked and double checked...) I get the following error:
myuser@mymachine:~/tmp$ docker login myregistry.example.com:5000
Username: my_ciuser
Password:
Email: myuser@example.com
Error response from daemon: invalid registry endpoint https://myregistry.example.com:5000/v0/:
unable to ping registry endpoint https://myregistry.example.com:5000/v0/ v2 ping attempt failed with error:
Get https://myregistry.example.com:5000/v2/: x509: certificate has expired or is not yet valid
v1 ping attempt failed with error: Get https://myregistry.example.com:5000/v1/_ping: x509:
certificate has expired or is not yet valid. If this private registry supports only HTTP or
HTTPS with an unknown CA certificate, please add
`--insecure-registry myregistry.example.com:5000` to the daemon's
arguments. In the case of HTTPS, if you have access to the registry's CA
certificate, no need for the flag; simply place the CA certificate
at /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
So from my perspective, I guess the following are possible:
The CA cert is invalid (if so, why?!?)
The CA cert is an intermediary cert (if so, how can I tell?)
The CA cert is expired (if so, how do I tell?)
This is a bad error message, and some other facet of the registry is not configured properly (if so, how do I troubleshoot further?)
Perhaps my cert is not located in the correct place on the server, or doesn't have the right permissions set (if so, where does the cert need to be?)
Something else that I would never expect in a million years
Any ideas/thoughts?
As said in the error message:
... In the case of HTTPS, if you have access to the registry's CA
certificate, no need for the flag; simply place the CA certificate
at /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
where myregistry.example.com:5000 is your CN with port.
You should copy your ca.crt into each Docker Daemon that will connect to your Docker Registry and put it in this folder: /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
After this action you need to restart Docker daemon, for example, via sudo service docker stop && service docker start on CentOS (or call similar procedure on your OS).
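Three of the threads on this page come down to questions a quick local check answers: the first (registry restarting with "permission denied" on a cert path given relative to the container's working directory), the kubelet one (the ca.crt on disk is not the signer of what the listener presents, which is what pushed the answer toward `--insecure`), and this one ("how can I actually tell whether the CA cert is expired?"). The script below is an added example, not code from any of the answers or from the Docker registry project. It assumes only the `openssl` CLI; it builds a constructed throw-away PKI in a directory you pass in (a CA, a registry cert signed by it, and an unrelated self-signed cert), and the function names `make_test_pki`, `cert_signed_by`, `cert_key_match`, `cert_expires_within` and `registry_preflight` are mine.

```shell
#!/usr/bin/env bash
# Added example, not code from the page or from the Docker registry project.
# Assumes only the openssl CLI; every certificate below is generated locally into
# the directory given, so nothing here touches a real registry or kubelet.
set -eu

# Constructed test PKI: a CA, a registry cert it signs (30 days), and an unrelated
# self-signed cert, so each check below has a pass and a fail case.
make_test_pki() {  # make_test_pki DIR
  local dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Constructed Registry CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=myregistry.example.com" \
    -keyout "$dir/registry.key" -out "$dir/registry.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$dir/registry.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/registry.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=unrelated" \
    -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
}

# Is LEAF actually signed by CA? This is the question behind "the CA cert in the
# certs directory is not the signer of the cert :10250 presents".
cert_signed_by() {  # cert_signed_by CA LEAF
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Do CERT and KEY belong together? Compare the public key each one carries.
cert_key_match() {  # cert_key_match CERT KEY
  local from_cert from_key
  from_cert=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
  from_key=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
  [ "$from_cert" = "$from_key" ]
}

# Will CERT expire within SECONDS? Prints notAfter. openssl's -checkend exits 0
# when the cert will NOT expire in that window, so the status is negated here.
cert_expires_within() {  # cert_expires_within CERT SECONDS
  [ -r "$1" ] || return 2
  openssl x509 -noout -enddate -in "$1"
  ! openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Pre-flight before "docker run ... registry:2": files readable, the path handed to
# REGISTRY_HTTP_TLS_CERTIFICATE absolute (a relative path is opened relative to the
# process working directory, which is how "open certs/domain.crt" errors arise),
# key matches cert, and at least a week of validity left. Returns the failure count.
registry_preflight() {  # registry_preflight CERT KEY CONTAINER_CERT_PATH
  local cert="$1" key="$2" cpath="$3" fails=0
  [ -r "$cert" ] && [ -r "$key" ] || { echo "cert or key not readable"; fails=$((fails+1)); }
  case "$cpath" in
    /*) ;;
    *) echo "container path '$cpath' is not absolute"; fails=$((fails+1)) ;;
  esac
  cert_key_match "$cert" "$key" || { echo "key does not match cert"; fails=$((fails+1)); }
  if cert_expires_within "$cert" $((7*86400)); then
    echo "cert expires within 7 days"; fails=$((fails+1))
  fi
  return "$fails"
}

main() {
  local d; d=$(mktemp -d)
  make_test_pki "$d"
  cert_signed_by "$d/ca.crt" "$d/registry.crt" && echo "registry.crt is signed by ca.crt"
  cert_signed_by "$d/ca.crt" "$d/other.crt" || echo "other.crt is NOT signed by ca.crt"
  registry_preflight "$d/registry.crt" "$d/registry.key" /certs/registry.crt && echo "preflight OK"
}
main
```

Against a live registry the same `cert_signed_by` check applies to what the listener actually serves: capture it with `openssl s_client -showcerts -connect host:5000` (as the Kubernetes answer does for port 6443), save the PEM, and verify it against the ca.crt you intend to drop into /etc/docker/certs.d/. If that fails, the client-side error here ("expired or not yet valid", "unknown authority") is reporting the truth and the fix is the right CA file, not `--insecure-registry`. On an SELinux host the readable-file check passes on the host yet the container still gets "permission denied"; that is the case the first answer's `chcon` relabel addresses.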
I had a similar error:
Then I added my private registry to the insecure-registries list.
See below image for docker-desktop