kizbitz/self-signed-private-registry.sh

## self-signed-private-registry.sh
#!/usr/bin/env bash

# Installs/Configures:
#  - Docker
#  - Docker Registy Container with self-signed cert
#
# Tested on Ubuntu 14.04.1

# Must be executed with elevated privilages
if [ "$(id -u)" != "0" ]; then
  printf "This script must be ran as root or sudo!\n"
  exit 1
fi

# prompt helper function
function prompt () {
  if [ -z ${!1} ]; then
    local response=""
    while [[ ${response} = "" ]]; do
      read -p "$2: " response
    done
    eval $1=${response}
  fi
}

# collect required information
# - C   Country
# - ST  State
# - L    Location
# - O    Organization
# - OU   Organizational Unit
# - CN   Common Name
echo -e "\nRequired information:"
prompt BITS "Enter bit size for certs (Ex. 2048)"
prompt DAYS "Enter number of days to sign the certs with (Ex. 365)"
prompt COUNTRY "Enter the 'Country' for the cert (Ex. US)"
prompt STATE "Enter the 'State' for the cert (Ex. IN)"
prompt LOCATION "Enter the 'Location' for the cert (Ex. Indianapolis)"
prompt ORGANIZATION "Enter the 'Organization' for the cert (Ex. Docker)"
prompt OUNIT "Enter the 'Organizational Unit' for the cert (Ex. Support)"
prompt COMMON "Enter the 'Common Name' for the cert (Must be a FQDN (at least one period character) E.g. myregistry.com)"

# ... Docker ...
# ~~~~~~~~~~~~~~

# for aufs
echo -e "\nInstalling linux-image-extra ..."
apt-get update && apt-get -y install linux-image-extra-$(uname -r)
sleep 10

# Install Docker
echo -e "\nInstalling Docker ..."
curl -sSL https://get.docker.com/ubuntu/ | sudo sh


# ... Certs ...
# ~~~~~~~~~~~~~

# ... prep certs ...

echo -e "\nGenerating certs ..."
mkdir certs
cd certs
# Generate a root key
openssl genrsa -out rootCA.key ${BITS}

# Generate a root certificate
openssl req -x509 -new -nodes -key rootCA.key -days ${DAYS}\
    -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/CN=${COMMON}" \
    -out rootCA.crt

# Generate key for host
openssl genrsa -out ${COMMON}.key ${BITS}

# Generate CSR
openssl req -new -key ${COMMON}.key \
    -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/CN=${COMMON}" \
    -out ${COMMON}.csr

# Sign certificate request
openssl x509 -req -in ${COMMON}.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -days ${DAYS} \
    -out ${COMMON}.crt

sudo mkdir /usr/local/share/ca-certificates/${COMMON}
sudo cp rootCA.crt /usr/local/share/ca-certificates/${COMMON}
sudo update-ca-certificates

mkdir -p /etc/docker/certs.d/${COMMON}
cp rootCA.crt /etc/docker/certs.d/${COMMON}/ca.crt

# add ${COMMON} to /etc/hosts
echo -e "\nAdding ${COMMON} to /etc/hosts ..."
if [ ! `cat /etc/hosts | grep -o "${COMMON}"` ]; then
    sudo echo "127.0.0.1 ${COMMON}" >> /etc/hosts
fi


# ... launch registry ...
# ~~~~~~~~~~~~~~~~~~~~~~~

# Restart Docker to pick up our certs
echo -e "\nRestarting Docker daemon ..."
sudo service docker restart
sleep 10

echo -e "\nLaunching our private registry ..."
cd ..
docker run -d -p 5000:5000 --restart=always --name registry -v `pwd`/certs:/certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/${COMMON}.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/${COMMON}.key \
    registry:2


# Instructions
echo -e "\nInstallation finished ...

Notes
=====

- /etc/hosts should have an entry for '${COMMON}'
  ~> cat /etc /hosts

- All generated certificates have been saved in the certs directory (see lines 64-65 above).
- You'll need the 'rootCA.crt' to access the private repository from client machines (Instructions below)

Using the private registry
==========================
docker pull busybox
docker tag busybox ${COMMON}:5000/busybox
docker push ${COMMON}:5000/busybox
docker pull ${COMMON}:5000/busybox

Accessing the private registry from a client machine
====================================================

On the client machine:

- Add ${COMMON} entry to /etc/hosts with correct IP of server (if needed)

- Create cert directory
  ~> sudo mkdir -p /etc/docker/certs.d/${COMMON}:5000

- Copy and rename the 'rootCA.crt' file (on the server in the certs directory) into the directory you just created on the client:
  - Full path on client: /etc/docker/certs.d/${COMMON}:5000/ca.crt

- Restart the Docker daemon to pick up the cert - REQUIRED!!!
sudo service docker restart

- Pull our ${COMMON}/busybox image
  ~> docker pull ${COMMON}:5000/busybox

"
	#!/usr/bin/env bash

	# Installs/Configures:
	# - Docker
	# - Docker Registy Container with self-signed cert
	#
	# Tested on Ubuntu 14.04.1

	# Must be executed with elevated privilages
	if [ "$(id -u)" != "0" ]; then
	printf "This script must be ran as root or sudo!\n"
	exit 1
	fi

	# prompt helper function
	function prompt () {
	if [ -z ${!1} ]; then
	local response=""
	while [[ ${response} = "" ]]; do
	read -p "$2: " response
	done
	eval $1=${response}
	fi
	}

	# collect required information
	# - C Country
	# - ST State
	# - L Location
	# - O Organization
	# - OU Organizational Unit
	# - CN Common Name
	echo -e "\nRequired information:"
	prompt BITS "Enter bit size for certs (Ex. 2048)"
	prompt DAYS "Enter number of days to sign the certs with (Ex. 365)"
	prompt COUNTRY "Enter the 'Country' for the cert (Ex. US)"
	prompt STATE "Enter the 'State' for the cert (Ex. IN)"
	prompt LOCATION "Enter the 'Location' for the cert (Ex. Indianapolis)"
	prompt ORGANIZATION "Enter the 'Organization' for the cert (Ex. Docker)"
	prompt OUNIT "Enter the 'Organizational Unit' for the cert (Ex. Support)"
	prompt COMMON "Enter the 'Common Name' for the cert (Must be a FQDN (at least one period character) E.g. myregistry.com)"

	# ... Docker ...
	# ~~~~~~~~~~~~~~

	# for aufs
	echo -e "\nInstalling linux-image-extra ..."
	apt-get update && apt-get -y install linux-image-extra-$(uname -r)
	sleep 10

	# Install Docker
	echo -e "\nInstalling Docker ..."
	curl -sSL https://get.docker.com/ubuntu/ \| sudo sh


	# ... Certs ...
	# ~~~~~~~~~~~~~

	# ... prep certs ...

	echo -e "\nGenerating certs ..."
	mkdir certs
	cd certs
	# Generate a root key
	openssl genrsa -out rootCA.key ${BITS}

	# Generate a root certificate
	openssl req -x509 -new -nodes -key rootCA.key -days ${DAYS}\
	-subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/CN=${COMMON}" \
	-out rootCA.crt

	# Generate key for host
	openssl genrsa -out ${COMMON}.key ${BITS}

	# Generate CSR
	openssl req -new -key ${COMMON}.key \
	-subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/CN=${COMMON}" \
	-out ${COMMON}.csr

	# Sign certificate request
	openssl x509 -req -in ${COMMON}.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -days ${DAYS} \
	-out ${COMMON}.crt

	sudo mkdir /usr/local/share/ca-certificates/${COMMON}
	sudo cp rootCA.crt /usr/local/share/ca-certificates/${COMMON}
	sudo update-ca-certificates

	mkdir -p /etc/docker/certs.d/${COMMON}
	cp rootCA.crt /etc/docker/certs.d/${COMMON}/ca.crt

	# add ${COMMON} to /etc/hosts
	echo -e "\nAdding ${COMMON} to /etc/hosts ..."
	if [ ! `cat /etc/hosts \| grep -o "${COMMON}"` ]; then
	sudo echo "127.0.0.1 ${COMMON}" >> /etc/hosts
	fi


	# ... launch registry ...
	# ~~~~~~~~~~~~~~~~~~~~~~~

	# Restart Docker to pick up our certs
	echo -e "\nRestarting Docker daemon ..."
	sudo service docker restart
	sleep 10

	echo -e "\nLaunching our private registry ..."
	cd ..
	docker run -d -p 5000:5000 --restart=always --name registry -v `pwd`/certs:/certs \
	-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/${COMMON}.crt \
	-e REGISTRY_HTTP_TLS_KEY=/certs/${COMMON}.key \
	registry:2


	# Instructions
	echo -e "\nInstallation finished ...

	Notes
	=====

	- /etc/hosts should have an entry for '${COMMON}'
	~> cat /etc /hosts

	- All generated certificates have been saved in the certs directory (see lines 64-65 above).
	- You'll need the 'rootCA.crt' to access the private repository from client machines (Instructions below)

	Using the private registry
	==========================
	docker pull busybox
	docker tag busybox ${COMMON}:5000/busybox
	docker push ${COMMON}:5000/busybox
	docker pull ${COMMON}:5000/busybox

	Accessing the private registry from a client machine
	====================================================

	On the client machine:

	- Add ${COMMON} entry to /etc/hosts with correct IP of server (if needed)

	- Create cert directory
	~> sudo mkdir -p /etc/docker/certs.d/${COMMON}:5000

	- Copy and rename the 'rootCA.crt' file (on the server in the certs directory) into the directory you just created on the client:
	- Full path on client: /etc/docker/certs.d/${COMMON}:5000/ca.crt

	- Restart the Docker daemon to pick up the cert - REQUIRED!!!
	sudo service docker restart

	- Pull our ${COMMON}/busybox image
	~> docker pull ${COMMON}:5000/busybox

	"