devteam/sharenet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Improve security further #2
Some checks are pending
CI/CD Pipeline (Fully Isolated DinD) / Run Tests (DinD) (push) Waiting to run
Details
CI/CD Pipeline (Fully Isolated DinD) / Build and Push Docker Images (DinD) (push) Blocked by required conditions
Details
CI/CD Pipeline (Fully Isolated DinD) / Deploy to Production (push) Blocked by required conditions
Details

Browse source
This commit is contained in:
continuist 2025-08-24 14:27:24 -04:00
parent d7258dbd95
commit 195e82c8e4
1 changed files with 30 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
Docker_Registry_Install_Guide.md
View file

@ -42,7 +42,7 @@ This guide covers setting up a rootless Docker Registry v2 with host TLS reverse
```bash ```bash
# Install Podman and related tools # Install Podman and related tools
sudo apt install -y podman sudo apt install -y podman slirp4netns fuse-overlayfs
# Verify installation # Verify installation
podman --version podman --version
@ -178,6 +178,7 @@ MemoryDenyWriteExecute=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
IPAddressDeny=any IPAddressDeny=any
IPAddressAllow=127.0.0.1/8 ::1 IPAddressAllow=127.0.0.1/8 ::1
LimitNOFILE=65536
ExecStart=/usr/sbin/nginx -g 'daemon off;' -c /etc/registry/nginx.conf ExecStart=/usr/sbin/nginx -g 'daemon off;' -c /etc/registry/nginx.conf
Restart=on-failure Restart=on-failure
@ -204,10 +205,18 @@ http {
client_max_body_size 2g; client_max_body_size 2g;
ssl_ciphers HIGH:!aNULL:!MD5; ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_verify_depth 2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Connection ""; proxy_set_header Connection "";
proxy_request_buffering off; proxy_request_buffering off;
proxy_read_timeout 300s; proxy_read_timeout 300s;
proxy_temp_path /run/registry-proxy/proxy_temp;
client_body_temp_path /run/registry-proxy/client_temp;
fastcgi_temp_path /run/registry-proxy/fastcgi_temp;
uwsgi_temp_path /run/registry-proxy/uwsgi_temp;
scgi_temp_path /run/registry-proxy/scgi_temp;
upstream reg { server 127.0.0.1:5000; } upstream reg { server 127.0.0.1:5000; }
# 443: unauthenticated pulls only # 443: unauthenticated pulls only
@ -360,6 +369,26 @@ sudo ufw allow from 192.168.0.0/16 to any port 4443 proto tcp
# sudo ufw allow 4443/tcp # sudo ufw allow 4443/tcp
# Note: Port 5000 is NOT opened - registry runs loopback-only # Note: Port 5000 is NOT opened - registry runs loopback-only
## Client Trust Configuration
For clients to trust your registry certificates, they should install the server CA certificate:
**For pulls (port 443):**
```bash
# On client systems
sudo mkdir -p /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS
sudo cp /path/to/registry-ca.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS/ca.crt
```
**For pushes (port 4443, mTLS):**
```bash
# On client systems
sudo mkdir -p /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443
sudo cp /path/to/registry-ca.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/ca.crt
sudo cp /path/to/client.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/client.cert
sudo cp /path/to/client.key /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/client.key
```
``` ```
### 4.2 Enable and Start Services ### 4.2 Enable and Start Services