Improve security further #4

This commit is contained in:
continuist 2025-08-24 14:37:38 -04:00
parent 68fcf80217
commit 4508b746cb


@ -127,7 +127,6 @@ Environment=PODMAN_RUNROOT=/run/user/%U/podman-run
Environment=PODMAN_TMPDIR=/var/tmp/podman-%U/tmp Environment=PODMAN_TMPDIR=/var/tmp/podman-%U/tmp
Environment=XDG_DATA_HOME=/var/tmp/podman-%U/xdg-data Environment=XDG_DATA_HOME=/var/tmp/podman-%U/xdg-data
Environment=XDG_CONFIG_HOME=/var/tmp/podman-%U/xdg-config Environment=XDG_CONFIG_HOME=/var/tmp/podman-%U/xdg-config
StateDirectory=registry
ExecStart=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} --events-backend=file \ ExecStart=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} --events-backend=file \
run --rm --name registry \ run --rm --name registry \
-p 127.0.0.1:5000:5000 \ -p 127.0.0.1:5000:5000 \
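Review bot: `StateDirectory=registry` is removed from the registry unit with nothing taking its place, so systemd will no longer create `/var/lib/registry` owned by the service's user or add it to the unit's writable paths if the unit uses sandboxing such as `ProtectSystem=strict`; please confirm the storage directory the `podman run` command mounts still exists with the intended owner and mode after this change, and say in the commit message why the directive was dropped, since the removal is otherwise unexplained in this hunk.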
@ -368,6 +367,10 @@ sudo ufw allow from 192.168.0.0/16 to any port 4443 proto tcp
# For public access to 4443 (less secure), use: # For public access to 4443 (less secure), use:
# sudo ufw allow 4443/tcp # sudo ufw allow 4443/tcp
# Optional: Consider SystemCallFilter for additional hardening
# (validate exact syscall set for your distro's nginx build)
# SystemCallFilter=@system-service
# Note: Port 5000 is NOT opened - registry runs loopback-only # Note: Port 5000 is NOT opened - registry runs loopback-only
## Client Trust Configuration ## Client Trust Configuration
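Review bot: the `SystemCallFilter=@system-service` suggestion lands in the middle of the ufw firewall block, between the `# sudo ufw allow 4443/tcp` line and the port 5000 note, where a reader will take it for a shell or ufw command; it is a systemd unit directive and belongs with the nginx service unit (for example a drop-in under `/etc/systemd/system/nginx.service.d/`), together with the caveat about validating the syscall set. Since the comment asks readers to validate that set, point them at `systemd-analyze syscall-filter @system-service`, which prints the calls the group contains on their distro.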
@ -376,19 +379,21 @@ For clients to trust your registry certificates, they should install the server
**For pulls (port 443):** **For pulls (port 443):**
```bash ```bash
# On client systems # On client systems - use the actual FQDN/IP from your certificates
sudo mkdir -p /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS sudo mkdir -p /etc/containers/certs.d/REGISTRY_HOST
sudo cp /path/to/registry-ca.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS/ca.crt sudo cp /path/to/registry-ca.crt /etc/containers/certs.d/REGISTRY_HOST/ca.crt
``` ```
**For pushes (port 4443, mTLS):** **For pushes (port 4443, mTLS):**
```bash ```bash
# On client systems # On client systems - use the actual FQDN/IP from your certificates
sudo mkdir -p /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443 sudo mkdir -p /etc/containers/certs.d/REGISTRY_HOST:4443
sudo cp /path/to/registry-ca.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/ca.crt sudo cp /path/to/registry-ca.crt /etc/containers/certs.d/REGISTRY_HOST:4443/ca.crt
sudo cp /path/to/client.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/client.cert sudo cp /path/to/client.crt /etc/containers/certs.d/REGISTRY_HOST:4443/client.cert
sudo cp /path/to/client.key /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/client.key sudo cp /path/to/client.key /etc/containers/certs.d/REGISTRY_HOST:4443/client.key
``` ```
**Note:** Replace `REGISTRY_HOST` with the actual FQDN or IP address that matches your certificate's Subject Alternative Name (SAN). For pushes, both the server CA certificate and client certificate/key are required for mTLS authentication.
``` ```
### 4.2 Enable and Start Services ### 4.2 Enable and Start Services
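Review bot: `client.key` is copied into `certs.d` with a plain `sudo cp`, which preserves whatever mode the source file had (often world-readable if it was generated in a home directory); use `sudo install -m 0600 /path/to/client.key /etc/containers/certs.d/REGISTRY_HOST:4443/client.key` (and `-m 0644` for `ca.crt` and `client.cert`) so the mTLS private key is not readable by other local users. Separately, the stray ``` line that follows the new **Note:** paragraph closes nothing, because the bash block already ended two lines above it, and will open an unterminated code block in the rendered document; it is unchanged context here, but since the note was just inserted ahead of it this PR is the natural place to remove it.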