Docker registry setup on CentOS 7 including LetsEncrypt SSL
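#!/usr/bin/env bash
#
# Docker registry setup on CentOS 7 including LetsEncrypt SSL.
#
# Base taken from https://gist.github.com/gadelkareem/04d93219a81fe57a95433366407995d6
# Simplified and modified for CentOS 7
#
# Usage (constructed example):
#   DOMAIN=registry.example.com ./setup-registry.sh
#   ./setup-registry.sh registry.example.com
#
# Environment:
#   DOMAIN          domain name the registry is served on (or pass it as $1) -- required
#   CERTBOT_EMAIL   when set, certbot runs non-interactively with this contact address
#   REGISTRY_USER   htpasswd user to create   (default: testuser)
#   REGISTRY_PASS   password for that user    (default: testpass -- change it)
#
# Oh, and it's untested. :D
#
# -e: exit immediately when a command fails.
# -u: treat unset (undefined) variables as an error and exit.
# -x: print each command before executing it (helps in debugging).
# -o pipefail: take the exitcode from the rightmost command that failed, instead of the last
# command in the script.
set -euxo pipefail

# `sudo su` in a script does NOT elevate the lines after it: it opens an interactive root
# shell, and the rest of the script only continues (unprivileged) once that shell exits.
# Re-exec the whole script as root instead.
if (( EUID != 0 )); then
  exec sudo -- "$0" "$@"
fi

# Domain comes from $DOMAIN or $1; everything below derives from it, so fail early if missing.
DOMAIN=${DOMAIN:-${1:?"usage: $0 <domain.name>  (or set DOMAIN)"}}
readonly DOMAIN
readonly REGISTRY_USER=${REGISTRY_USER:-testuser}
readonly REGISTRY_PASS=${REGISTRY_PASS:-testpass}
readonly LIVE_DIR="/etc/letsencrypt/live/${DOMAIN}"
readonly DATA_DIR=/mnt/docker-registry

####
# 1. INSTALLING DOCKER ON CENTOS 7
#
# @see https://docs.docker.com/install/linux/docker-ce/centos/
# -y everywhere: yum prompts otherwise, which hangs an unattended run.
yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2
yum-config-manager \
  --add-repo \
  https://download.docker.com/linux/centos/docker-ce.repo
# To install the latest version of docker CE:
# (GPG: 060A 61C5 1B55 8A7F 742B 77AA C52F EB6B 621E 9F35)
yum install -y docker-ce docker-ce-cli containerd.io
# To install a specific version of docker CE:
#
#yum list docker-ce --showduplicates | sort -r
#yum install docker-ce-<VERSION_STRING> docker-ce-cli-<VERSION_STRING> containerd.io
#
# Start docker (and enable it so the --restart=always registry comes back after a reboot).
systemctl enable --now docker
# Optionally verify that docker runs:
#
#docker run hello-world
#
# This command downloads a test image and runs it in a container. When the container runs,
# it prints an informational message and exits.
#
# 2. INSTALL NGINX + CERTBOT
#
# I also need nginx as a proxy, so I'm installing that together with certbot.
yum install -y epel-release
yum install -y nginx
systemctl enable --now nginx
# Update the firewall to allow http and https traffic:
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
### add hostname to nginx vhost, see /etc/nginx/conf.d/<hostname>.conf
# Install certbot-nginx
yum install -y certbot-nginx
# Update iptables
# NOTE(review): firewalld already owns the iptables ruleset on CentOS 7; these direct inserts are
# redundant with the firewall-cmd lines above and may be dropped on the next firewalld reload.
iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Generate certificate for $DOMAIN. With CERTBOT_EMAIL set this runs unattended; otherwise
# certbot asks its usual questions interactively.
certbot_args=(--nginx -d "$DOMAIN")
if [[ -n "${CERTBOT_EMAIL:-}" ]]; then
  certbot_args+=(--non-interactive --agree-tos -m "$CERTBOT_EMAIL")
fi
certbot "${certbot_args[@]}"
# TODO: check this:
#certbot certonly --standalone --preferred-challenges http --non-interactive --staple-ocsp --agree-tos -m <mail@domain.name> -d <domain.name>
# Create key and crt files:
# privkey.pem/cert.pem/chain.pem in the live dir are symlinks into ../../archive, which would
# dangle inside the container; the copies below are plain files, so they survive the bind mount.
# NOTE(review): these copies go stale on renewal -- a certbot deploy hook should redo this step.
cp -- "${LIVE_DIR}/privkey.pem" "${LIVE_DIR}/domain.key"
cat "${LIVE_DIR}/cert.pem" "${LIVE_DIR}/chain.pem" > "${LIVE_DIR}/domain.crt"
# The private key must not be world-readable (was 777). The registry process reads it as root
# inside the container, so owner-only is enough -- TODO confirm for the registry image in use.
chmod 600 "${LIVE_DIR}/domain.key"
chmod 644 "${LIVE_DIR}/domain.crt"
# Create a test user:
mkdir -p "$DATA_DIR"
# Tracing is switched off around this command so the password does not land in the -x trace.
# (It is still briefly visible in the process list as a docker argument.)
# NOTE(review): newer registry images may not ship htpasswd; if this fails, generate the
# bcrypt entry with another htpasswd binary.
set +x
docker run --rm --entrypoint htpasswd registry:latest -Bbn "$REGISTRY_USER" "$REGISTRY_PASS" \
  > "${DATA_DIR}/passfile"
set -x
chmod 600 "${DATA_DIR}/passfile"
# Run!
# NOTE(review): `certbot --nginx` normally makes nginx listen on 443 for $DOMAIN as well; if it
# did, this port mapping will fail with "address already in use" -- either stop nginx or let
# nginx proxy to the registry instead of publishing 443 directly.
docker run -d -p 443:5000 --restart=always --name registry \
  -v "${LIVE_DIR}:/certs:ro" \
  -v "${DATA_DIR}:/var/lib/registry" \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -e REGISTRY_AUTH=htpasswd \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/var/lib/registry/passfile \
  registry:latest
# List images (smoke test). Credentials go in via a curl config on stdin instead of the URL,
# so they are not in argv, shell history or the -x trace.
set +x
curl -K - "https://${DOMAIN}/v2/_catalog" <<EOF
user = "${REGISTRY_USER}:${REGISTRY_PASS}"
EOF
set -x
# Thanks to Waleed Gadelkareem (https://gist.github.com/gadelkareem).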