Further security improvements for docker registry install

This commit is contained in:
continuist 2025-08-24 13:31:34 -04:00
parent 95331c2d11
commit 6c9431767a


@ -83,11 +83,6 @@ sudo mkdir -p /var/tmp/podman-$(id -u CI_SERVICE_USER)/{root,run,tmp,xdg-data,xd
sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /var/tmp/podman-$(id -u CI_SERVICE_USER) sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /var/tmp/podman-$(id -u CI_SERVICE_USER)
sudo chmod 755 /var/tmp/podman-$(id -u CI_SERVICE_USER) sudo chmod 755 /var/tmp/podman-$(id -u CI_SERVICE_USER)
# Create runtime directory for user
sudo mkdir -p /run/user/$(id -u CI_SERVICE_USER)/podman-run
sudo chown CI_SERVICE_USER:CI_SERVICE_USER /run/user/$(id -u CI_SERVICE_USER)/podman-run
sudo chmod 755 /run/user/$(id -u CI_SERVICE_USER)/podman-run
# Initialize Podman with rootless configuration (no home directory access) # Initialize Podman with rootless configuration (no home directory access)
sudo su - CI_SERVICE_USER -c "env PODMAN_ROOT=/var/tmp/podman-\$(id -u)/root PODMAN_RUNROOT=/run/user/\$(id -u)/podman-run PODMAN_TMPDIR=/var/tmp/podman-\$(id -u)/tmp XDG_DATA_HOME=/var/tmp/podman-\$(id -u)/xdg-data XDG_CONFIG_HOME=/var/tmp/podman-\$(id -u)/xdg-config podman system migrate" sudo su - CI_SERVICE_USER -c "env PODMAN_ROOT=/var/tmp/podman-\$(id -u)/root PODMAN_RUNROOT=/run/user/\$(id -u)/podman-run PODMAN_TMPDIR=/var/tmp/podman-\$(id -u)/tmp XDG_DATA_HOME=/var/tmp/podman-\$(id -u)/xdg-data XDG_CONFIG_HOME=/var/tmp/podman-\$(id -u)/xdg-config podman system migrate"
sudo su - CI_SERVICE_USER -c "env PODMAN_ROOT=/var/tmp/podman-\$(id -u)/root PODMAN_RUNROOT=/run/user/\$(id -u)/podman-run PODMAN_TMPDIR=/var/tmp/podman-\$(id -u)/tmp XDG_DATA_HOME=/var/tmp/podman-\$(id -u)/xdg-data XDG_CONFIG_HOME=/var/tmp/podman-\$(id -u)/xdg-config podman info" sudo su - CI_SERVICE_USER -c "env PODMAN_ROOT=/var/tmp/podman-\$(id -u)/root PODMAN_RUNROOT=/run/user/\$(id -u)/podman-run PODMAN_TMPDIR=/var/tmp/podman-\$(id -u)/tmp XDG_DATA_HOME=/var/tmp/podman-\$(id -u)/xdg-data XDG_CONFIG_HOME=/var/tmp/podman-\$(id -u)/xdg-config podman info"
@ -100,15 +95,18 @@ sudo su - CI_SERVICE_USER -c "env PODMAN_ROOT=/var/tmp/podman-\$(id -u)/root POD
sudo useradd -r -s /bin/false registry-proxy sudo useradd -r -s /bin/false registry-proxy
# Create registry configuration directories # Create registry configuration directories
sudo mkdir -p /etc/registry/certs/private /etc/registry/certs/clients sudo mkdir -p /etc/registry/certs/{private,clients,ca,requests}
sudo chown root:root /etc/registry/certs/private /etc/registry/certs/clients sudo chown -R root:root /etc/registry/certs
sudo chmod 750 /etc/registry/certs/private sudo chmod 750 /etc/registry/certs/private
sudo chmod 755 /etc/registry/certs/clients sudo chmod 755 /etc/registry/certs/{clients,ca,requests}
# Create registry data directory # Create registry data directory
sudo mkdir -p /var/lib/registry/data sudo mkdir -p /var/lib/registry/data
sudo chown CI_SERVICE_USER:CI_SERVICE_USER /var/lib/registry/data sudo chown CI_SERVICE_USER:CI_SERVICE_USER /var/lib/registry
sudo chmod 755 /var/lib/registry/data sudo chmod 750 /var/lib/registry /var/lib/registry/data
# Create log directory for nginx proxy
sudo install -d -o registry-proxy -g registry-proxy /var/log/registry-proxy
``` ```
### 2.4 Install Systemd Services ### 2.4 Install Systemd Services
@ -136,7 +134,7 @@ ExecStart=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tm
-e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \ -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
-e REGISTRY_STORAGE_DELETE_ENABLED=false \ -e REGISTRY_STORAGE_DELETE_ENABLED=false \
-v /var/lib/registry/data:/var/lib/registry:z \ -v /var/lib/registry/data:/var/lib/registry:z \
registry:2 docker.io/library/registry@sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
ExecStop=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} stop -t 10 registry ExecStop=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} stop -t 10 registry
Restart=on-failure Restart=on-failure
@ -224,7 +222,7 @@ http {
location /v2/ { location /v2/ {
limit_req zone=reg_write burst=10; limit_req zone=reg_write burst=10;
proxy_pass http://reg; proxy_pass http://reg;
proxy_set_header Host $host:4443; proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
} }
@ -255,28 +253,28 @@ sudo chmod 644 /etc/containers/policy.json
cd /etc/registry/certs cd /etc/registry/certs
# Generate server CA private key in private subdirectory # Generate server CA private key in private subdirectory
sudo -u CI_SERVICE_USER openssl genrsa -out private/ca.key 4096 sudo openssl genrsa -out private/ca.key 4096
# Generate server CA certificate in ca subdirectory # Generate server CA certificate in ca subdirectory
sudo -u CI_SERVICE_USER openssl req -new -x509 -key private/ca.key \ sudo openssl req -new -x509 -key private/ca.key \
-out ca/ca.crt \ -out ca/ca.crt \
-days 365 \ -days 365 \
-subj "/O=YOUR_ORGANIZATION/CN=APP_NAME-Registry-CA" -subj "/O=YOUR_ORGANIZATION/CN=APP_NAME-Registry-CA"
# Generate server private key in private subdirectory # Generate server private key in private subdirectory
sudo -u CI_SERVICE_USER openssl genrsa -out private/registry.key 4096 sudo openssl genrsa -out private/registry.key 4096
# Copy and use the project's OpenSSL configuration file # Copy and use the project's OpenSSL configuration file
sudo cp /opt/APP_NAME/registry/openssl.conf /etc/registry/certs/requests/ sudo cp /opt/APP_NAME/registry/openssl.conf /etc/registry/certs/requests/
sudo chown CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/certs/requests/openssl.conf sudo chown root:root /etc/registry/certs/requests/openssl.conf
# Generate server certificate signing request in requests subdirectory # Generate server certificate signing request in requests subdirectory
sudo -u CI_SERVICE_USER openssl req -new -key private/registry.key \ sudo openssl req -new -key private/registry.key \
-out requests/registry.csr \ -out requests/registry.csr \
-config requests/openssl.conf -config requests/openssl.conf
# Sign server certificate with CA # Sign server certificate with CA
sudo -u CI_SERVICE_USER openssl x509 -req -in requests/registry.csr \ sudo openssl x509 -req -in requests/registry.csr \
-CA ca/ca.crt -CAkey private/ca.key -CAcreateserial \ -CA ca/ca.crt -CAkey private/ca.key -CAcreateserial \
-out registry.crt \ -out registry.crt \
-days 365 \ -days 365 \
@ -285,45 +283,39 @@ sudo -u CI_SERVICE_USER openssl x509 -req -in requests/registry.csr \
# 2. Generate client CA for mTLS authentication # 2. Generate client CA for mTLS authentication
# Generate client CA private key # Generate client CA private key
sudo -u CI_SERVICE_USER openssl genrsa -out private/client-ca.key 4096 sudo openssl genrsa -out private/client-ca.key 4096
# Generate client CA certificate # Generate client CA certificate
sudo -u CI_SERVICE_USER openssl req -new -x509 -key private/client-ca.key \ sudo openssl req -new -x509 -key private/client-ca.key \
-out clients/ca.crt \ -out clients/ca.crt \
-days 365 \ -days 365 \
-subj "/O=YOUR_ORGANIZATION/CN=APP_NAME-Client-CA" -subj "/O=YOUR_ORGANIZATION/CN=APP_NAME-Client-CA"
# Generate client certificate for CI operations # Generate client certificate for CI operations
sudo -u CI_SERVICE_USER openssl genrsa -out private/client.key 4096 sudo openssl genrsa -out private/client.key 4096
# Generate client certificate signing request # Generate client certificate signing request
sudo -u CI_SERVICE_USER openssl req -new -key private/client.key \ sudo openssl req -new -key private/client.key \
-out requests/client.csr \ -out requests/client.csr \
-subj "/O=YOUR_ORGANIZATION/CN=APP_NAME-CI-Client" -subj "/O=YOUR_ORGANIZATION/CN=APP_NAME-CI-Client"
# Sign client certificate with client CA # Sign client certificate with client CA
sudo -u CI_SERVICE_USER openssl x509 -req -in requests/client.csr \ sudo openssl x509 -req -in requests/client.csr \
-CA clients/ca.crt -CAkey private/client-ca.key -CAcreateserial \ -CA clients/ca.crt -CAkey private/client-ca.key -CAcreateserial \
-out clients/client.crt \ -out clients/client.crt \
-days 365 -days 365
# Set proper FHS-compliant permissions # Set proper FHS-compliant permissions
sudo chmod 600 private/ca.key private/registry.key private/client-ca.key private/client.key # Private keys - owner read/write only sudo chmod 600 private/ca.key private/client-ca.key private/client.key # Private keys - owner read/write only
sudo chmod 644 ca/ca.crt registry.crt clients/ca.crt clients/client.crt # Certificates - world readable sudo chmod 644 ca/ca.crt registry.crt clients/client.crt # Certificates - world readable
sudo chmod 644 requests/registry.csr requests/client.csr requests/openssl.conf # Requests - world readable sudo chmod 644 requests/registry.csr requests/client.csr requests/openssl.conf # Requests - world readable
# Make client CA readable by registry-proxy user for nginx # Set registry key and client CA permissions for nginx proxy access
sudo chown root:registry-proxy /etc/registry/certs/clients/ca.crt sudo chgrp registry-proxy /etc/registry/certs/private/registry.key /etc/registry/certs/clients/ca.crt
sudo chmod 640 /etc/registry/certs/clients/ca.crt sudo chmod 640 /etc/registry/certs/private/registry.key /etc/registry/certs/clients/ca.crt
# Verify certificate creation # Verify certificate creation
sudo -u CI_SERVICE_USER openssl x509 -in /etc/registry/certs/registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)" sudo openssl x509 -in /etc/registry/certs/registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)"
# Create required directories for containers
sudo mkdir -p /var/log/nginx
sudo mkdir -p /tmp/registry-tmp /tmp/nginx-tmp
sudo chown CI_SERVICE_USER:CI_SERVICE_USER /var/log/nginx /tmp/registry-tmp /tmp/nginx-tmp
sudo chmod 755 /var/log/nginx /tmp/registry-tmp /tmp/nginx-tmp
# 3. Install server CA certificate in system trust store (for curl, wget, etc.) # 3. Install server CA certificate in system trust store (for curl, wget, etc.)
sudo cp /etc/registry/certs/ca/ca.crt /usr/local/share/ca-certificates/registry-ca.crt sudo cp /etc/registry/certs/ca/ca.crt /usr/local/share/ca-certificates/registry-ca.crt
@ -346,13 +338,9 @@ sudo ufw allow 4443/tcp # Docker Registry via nginx (authenticated pushes with m
### 4.2 Enable and Start Services ### 4.2 Enable and Start Services
```bash ```bash
# Enable and start services
sudo systemctl --global enable registry.service
sudo systemctl enable registry-proxy.service
# Start as the service user # Start as the service user
sudo -u CI_SERVICE_USER sh -lc 'systemctl --user daemon-reload && systemctl --user enable --now registry.service' sudo -u CI_SERVICE_USER sh -lc 'systemctl --user daemon-reload && systemctl --user enable --now registry.service'
sudo systemctl start registry-proxy.service sudo systemctl enable --now registry-proxy.service
``` ```
## Step 5: Verify Installation ## Step 5: Verify Installation
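Review bot: The `chgrp registry-proxy … private/registry.key` / `chmod 640` pair added in the certificate section cannot give the proxy access on its own, because the directory-setup hunk above leaves `/etc/registry/certs/private` at `chown -R root:root` and `chmod 750`, so a process running as `registry-proxy` has no traverse permission on `private/` and never reaches the key. If the nginx proxy really runs as that user (the new `install -d -o registry-proxy … /var/log/registry-proxy` suggests it, but the unit file is not in this diff), add `sudo chgrp registry-proxy /etc/registry/certs/private` beside the chgrp of the key, or put `registry.key` in its own `root:registry-proxy` 750 directory so the proxy cannot list the other key names; if nginx instead starts as root and drops privileges, the group grant is unnecessary and 600 is the tighter setting. A second thing to verify: `proxy_set_header Host $host;` drops the `:4443` the old line carried, and the registry builds its upload `Location` URLs from the forwarded host, so pushes through the proxy may get redirected to the default HTTPS port — if that happens, also send `proxy_set_header X-Forwarded-Host $http_host;` or set `REGISTRY_HTTP_HOST` on the container. The same section now leaves `private/client.key` root-only at 600, so whatever performs the mTLS push as CI_SERVICE_USER will need a copy or group access that this commit does not show.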