From 6c9431767aec7419faa72fc1c1e953918fd242b7 Mon Sep 17 00:00:00 2001
From: continuist
Date: Sun, 24 Aug 2025 13:31:34 -0400
Subject: [PATCH] Further security improvements for docker registry install

---
 Docker_Registry_Install_Guide.md | 68 +++++++++++++------------------
 1 file changed, 28 insertions(+), 40 deletions(-)

diff --git a/Docker_Registry_Install_Guide.md b/Docker_Registry_Install_Guide.md
index 1076361..f1e4b9e 100644
--- a/Docker_Registry_Install_Guide.md
+++ b/Docker_Registry_Install_Guide.md
@@ -83,11 +83,6 @@ sudo mkdir -p /var/tmp/podman-$(id -u CI_SERVICE_USER)/{root,run,tmp,xdg-data,xd
 sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /var/tmp/podman-$(id -u CI_SERVICE_USER)
 sudo chmod 755 /var/tmp/podman-$(id -u CI_SERVICE_USER)
 
-# Create runtime directory for user
-sudo mkdir -p /run/user/$(id -u CI_SERVICE_USER)/podman-run
-sudo chown CI_SERVICE_USER:CI_SERVICE_USER /run/user/$(id -u CI_SERVICE_USER)/podman-run
-sudo chmod 755 /run/user/$(id -u CI_SERVICE_USER)/podman-run
-
 # Initialize Podman with rootless configuration (no home directory access)
 sudo su - CI_SERVICE_USER -c "env PODMAN_ROOT=/var/tmp/podman-\$(id -u)/root PODMAN_RUNROOT=/run/user/\$(id -u)/podman-run PODMAN_TMPDIR=/var/tmp/podman-\$(id -u)/tmp XDG_DATA_HOME=/var/tmp/podman-\$(id -u)/xdg-data XDG_CONFIG_HOME=/var/tmp/podman-\$(id -u)/xdg-config podman system migrate"
 sudo su - CI_SERVICE_USER -c "env PODMAN_ROOT=/var/tmp/podman-\$(id -u)/root PODMAN_RUNROOT=/run/user/\$(id -u)/podman-run PODMAN_TMPDIR=/var/tmp/podman-\$(id -u)/tmp XDG_DATA_HOME=/var/tmp/podman-\$(id -u)/xdg-data XDG_CONFIG_HOME=/var/tmp/podman-\$(id -u)/xdg-config podman info"
@@ -100,15 +95,18 @@ sudo su - CI_SERVICE_USER -c "env PODMAN_ROOT=/var/tmp/podman-\$(id -u)/root POD
 sudo useradd -r -s /bin/false registry-proxy
 
 # Create registry configuration directories
-sudo mkdir -p /etc/registry/certs/private /etc/registry/certs/clients
-sudo chown root:root /etc/registry/certs/private /etc/registry/certs/clients
+sudo mkdir -p /etc/registry/certs/{private,clients,ca,requests}
+sudo chown -R root:root /etc/registry/certs
 sudo chmod 750 /etc/registry/certs/private
-sudo chmod 755 /etc/registry/certs/clients
+sudo chmod 755 /etc/registry/certs/{clients,ca,requests}
 
 # Create registry data directory
 sudo mkdir -p /var/lib/registry/data
-sudo chown CI_SERVICE_USER:CI_SERVICE_USER /var/lib/registry/data
-sudo chmod 755 /var/lib/registry/data
+sudo chown CI_SERVICE_USER:CI_SERVICE_USER /var/lib/registry
+sudo chmod 750 /var/lib/registry /var/lib/registry/data
+
+# Create log directory for nginx proxy
+sudo install -d -o registry-proxy -g registry-proxy /var/log/registry-proxy
 ```
 
 ### 2.4 Install Systemd Services
@@ -136,7 +134,7 @@ ExecStart=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tm
 -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
 -e REGISTRY_STORAGE_DELETE_ENABLED=false \
 -v /var/lib/registry/data:/var/lib/registry:z \
- registry:2
+ docker.io/library/registry@sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
 ExecStop=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} stop -t 10 registry
 Restart=on-failure
@@ -224,7 +222,7 @@ http {
 location /v2/ {
 limit_req zone=reg_write burst=10;
 proxy_pass http://reg;
-proxy_set_header Host $host:4443;
+proxy_set_header Host $host;
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }
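Review bot: Dropping the port from the upstream Host header with `proxy_set_header Host $host;` forwards the bare hostname, so a registry that derives its redirect and Location URLs from Host will emit them without the :4443 the client connected on (the firewall rule later in this patch opens 4443/tcp for the proxy), which is likely to break blob upload redirects on a non-default port. The conventional form is `proxy_set_header Host $http_host;`, which passes host and port exactly as the client sent them without hard-coding 4443 the way the removed line did. If the proxy is only ever reached on 443 this is harmless, but nothing in the hunk establishes that. The enclosing server block starts and ends outside the hunk.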
@@ -255,28 +253,28 @@ sudo chmod 644 /etc/containers/policy.json
 cd /etc/registry/certs
 
 # Generate server CA private key in private subdirectory
-sudo -u CI_SERVICE_USER openssl genrsa -out private/ca.key 4096
+sudo openssl genrsa -out private/ca.key 4096
 
 # Generate server CA certificate in ca subdirectory
-sudo -u CI_SERVICE_USER openssl req -new -x509 -key private/ca.key \
+sudo openssl req -new -x509 -key private/ca.key \
 -out ca/ca.crt \
 -days 365 \
 -subj "/O=YOUR_ORGANIZATION/CN=APP_NAME-Registry-CA"
 
 # Generate server private key in private subdirectory
-sudo -u CI_SERVICE_USER openssl genrsa -out private/registry.key 4096
+sudo openssl genrsa -out private/registry.key 4096
 
 # Copy and use the project's OpenSSL configuration file
 sudo cp /opt/APP_NAME/registry/openssl.conf /etc/registry/certs/requests/
-sudo chown CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/certs/requests/openssl.conf
+sudo chown root:root /etc/registry/certs/requests/openssl.conf
 
 # Generate server certificate signing request in requests subdirectory
-sudo -u CI_SERVICE_USER openssl req -new -key private/registry.key \
+sudo openssl req -new -key private/registry.key \
 -out requests/registry.csr \
 -config requests/openssl.conf
 
 # Sign server certificate with CA
-sudo -u CI_SERVICE_USER openssl x509 -req -in requests/registry.csr \
+sudo openssl x509 -req -in requests/registry.csr \
 -CA ca/ca.crt -CAkey private/ca.key -CAcreateserial \
 -out registry.crt \
 -days 365 \
@@ -285,45 +283,39 @@ sudo -u CI_SERVICE_USER openssl x509 -req -in requests/registry.csr \
 # 2. Generate client CA for mTLS authentication
 
 # Generate client CA private key
-sudo -u CI_SERVICE_USER openssl genrsa -out private/client-ca.key 4096
+sudo openssl genrsa -out private/client-ca.key 4096
 
 # Generate client CA certificate
-sudo -u CI_SERVICE_USER openssl req -new -x509 -key private/client-ca.key \
+sudo openssl req -new -x509 -key private/client-ca.key \
 -out clients/ca.crt \
 -days 365 \
 -subj "/O=YOUR_ORGANIZATION/CN=APP_NAME-Client-CA"
 
 # Generate client certificate for CI operations
-sudo -u CI_SERVICE_USER openssl genrsa -out private/client.key 4096
+sudo openssl genrsa -out private/client.key 4096
 
 # Generate client certificate signing request
-sudo -u CI_SERVICE_USER openssl req -new -key private/client.key \
+sudo openssl req -new -key private/client.key \
 -out requests/client.csr \
 -subj "/O=YOUR_ORGANIZATION/CN=APP_NAME-CI-Client"
 
 # Sign client certificate with client CA
-sudo -u CI_SERVICE_USER openssl x509 -req -in requests/client.csr \
+sudo openssl x509 -req -in requests/client.csr \
 -CA clients/ca.crt -CAkey private/client-ca.key -CAcreateserial \
 -out clients/client.crt \
 -days 365
 
 # Set proper FHS-compliant permissions
-sudo chmod 600 private/ca.key private/registry.key private/client-ca.key private/client.key # Private keys - owner read/write only
-sudo chmod 644 ca/ca.crt registry.crt clients/ca.crt clients/client.crt # Certificates - world readable
+sudo chmod 600 private/ca.key private/client-ca.key private/client.key # Private keys - owner read/write only
+sudo chmod 644 ca/ca.crt registry.crt clients/client.crt # Certificates - world readable
 sudo chmod 644 requests/registry.csr requests/client.csr requests/openssl.conf # Requests - world readable
 
-# Make client CA readable by registry-proxy user for nginx
-sudo chown root:registry-proxy /etc/registry/certs/clients/ca.crt
-sudo chmod 640 /etc/registry/certs/clients/ca.crt
+# Set registry key and client CA permissions for nginx proxy access
+sudo chgrp registry-proxy /etc/registry/certs/private/registry.key /etc/registry/certs/clients/ca.crt
+sudo chmod 640 /etc/registry/certs/private/registry.key /etc/registry/certs/clients/ca.crt
 
 # Verify certificate creation
-sudo -u CI_SERVICE_USER openssl x509 -in /etc/registry/certs/registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)"
-
-# Create required directories for containers
-sudo mkdir -p /var/log/nginx
-sudo mkdir -p /tmp/registry-tmp /tmp/nginx-tmp
-sudo chown CI_SERVICE_USER:CI_SERVICE_USER /var/log/nginx /tmp/registry-tmp /tmp/nginx-tmp
-sudo chmod 755 /var/log/nginx /tmp/registry-tmp /tmp/nginx-tmp
+sudo openssl x509 -in /etc/registry/certs/registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)"
 
 # 3. Install server CA certificate in system trust store (for curl, wget, etc.)
 sudo cp /etc/registry/certs/ca/ca.crt /usr/local/share/ca-certificates/registry-ca.crt
@@ -346,13 +338,9 @@ sudo ufw allow 4443/tcp # Docker Registry via nginx (authenticated pushes with m
 ### 4.2 Enable and Start Services
 
 ```bash
-# Enable and start services
-sudo systemctl --global enable registry.service
-sudo systemctl enable registry-proxy.service
-
 # Start as the service user
 sudo -u CI_SERVICE_USER sh -lc 'systemctl --user daemon-reload && systemctl --user enable --now registry.service'
-sudo systemctl start registry-proxy.service
+sudo systemctl enable --now registry-proxy.service
 ```
 
 ## Step 5: Verify Installation
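Review bot: The new `sudo chgrp registry-proxy .../private/registry.key` plus `chmod 640` does not by itself let registry-proxy read the key, because the enclosing `private/` directory is left at 750 root:root by the unchanged `sudo chmod 750 /etc/registry/certs/private` earlier in this patch, so an unprivileged registry-proxy process cannot traverse into it; the removed lines only group-shared `clients/ca.crt`, which sits in a 755 directory. This works only if the nginx master process opens the key as root before dropping privileges, which the proxy's unit definition outside this hunk would have to guarantee. If the proxy runs unprivileged, either give the group traversal with `sudo chgrp registry-proxy /etc/registry/certs/private` (the directory stays 750) or place registry.key in a directory dedicated to the proxy. The same question applies to `private/client.key`, now 600 root:root, which the CI client needs for mTLS pushes unless the guide copies it elsewhere later. Separately, the keys are now created by root under the default umask and only tightened after all the openssl invocations; running this block under `umask 077` closes that window, although the root-only 750 directory already limits exposure.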