#!/usr/bin/env bash
# Installs/Configures:
# - Docker
# - Docker Registry Container with self-signed cert
#
# Tested on Ubuntu 14.04.1
# Must be executed with elevated privileges
if [ "$(id -u)" != "0" ]; then
  printf "This script must be run as root or sudo!\n"
  exit 1
fi
# prompt helper function
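# $1 = name of the variable to fill, $2 = prompt text
# (the prompt is skipped when the variable is already set in the environment)
function prompt () {
  if [ -z "${!1}" ]; then
    local response=""
    while [[ -z ${response} ]]; do
      read -r -p "$2: " response
    done
    # assign without eval so the typed value is never executed as shell code
    printf -v "$1" '%s' "${response}"
  fi
}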
# collect required information
# - C Country
# - ST State
# - L Location
# - O Organization
# - OU Organizational Unit
# - CN Common Name
echo -e "\nRequired information:"
prompt BITS "Enter bit size for certs (Ex. 2048)"
prompt DAYS "Enter number of days to sign the certs with (Ex. 365)"
prompt COUNTRY "Enter the 'Country' for the cert (Ex. US)"
prompt STATE "Enter the 'State' for the cert (Ex. IN)"
prompt LOCATION "Enter the 'Location' for the cert (Ex. Indianapolis)"
prompt ORGANIZATION "Enter the 'Organization' for the cert (Ex. Docker)"
prompt OUNIT "Enter the 'Organizational Unit' for the cert (Ex. Support)"
prompt COMMON "Enter the 'Common Name' for the cert (Must be a FQDN (at least one period character) E.g. myregistry.com)"
# ... Docker ...
# ~~~~~~~~~~~~~~
# for aufs
echo -e "\nInstalling linux-image-extra ..."
apt-get update && apt-get -y install "linux-image-extra-$(uname -r)"
sleep 10
# Install Docker
echo -e "\nInstalling Docker ..."
curl -sSL https://get.docker.com/ubuntu/ | sudo sh
# ... Certs ...
# ~~~~~~~~~~~~~
# ... prep certs ...
echo -e "\nGenerating certs ..."
mkdir -p certs
cd certs || exit 1
# Generate a root key (written unencrypted; restrict access to this file)
openssl genrsa -out rootCA.key "${BITS}"
# Generate a root certificate
openssl req -x509 -new -nodes -key rootCA.key -days "${DAYS}" \
  -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/CN=${COMMON}" \
  -out rootCA.crt
# Generate key for host (also written unencrypted)
openssl genrsa -out "${COMMON}.key" "${BITS}"
# Generate CSR
openssl req -new -key "${COMMON}.key" \
  -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/CN=${COMMON}" \
  -out "${COMMON}.csr"
# Sign certificate request
openssl x509 -req -in "${COMMON}.csr" -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -days "${DAYS}" \
  -out "${COMMON}.crt"
# Trust the root CA system-wide
sudo mkdir -p "/usr/local/share/ca-certificates/${COMMON}"
sudo cp rootCA.crt "/usr/local/share/ca-certificates/${COMMON}"
sudo update-ca-certificates
# Trust the root CA for the Docker daemon
mkdir -p "/etc/docker/certs.d/${COMMON}"
cp rootCA.crt "/etc/docker/certs.d/${COMMON}/ca.crt"
# add ${COMMON} to /etc/hosts
echo -e "\nAdding ${COMMON} to /etc/hosts ..."
# grep -q avoids the "too many arguments" error when the name matches more than once
if ! grep -qF "${COMMON}" /etc/hosts; then
  echo "127.0.0.1 ${COMMON}" >> /etc/hosts
fi
# ... launch registry ...
# ~~~~~~~~~~~~~~~~~~~~~~~
# Restart Docker to pick up our certs
echo -e "\nRestarting Docker daemon ..."
sudo service docker restart
sleep 10
echo -e "\nLaunching our private registry ..."
# cd ..
# docker run -d -p 5000:5000 --restart=always --name registry -v `pwd`/certs:/certs \
# -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/${COMMON}.crt \
# -e REGISTRY_HTTP_TLS_KEY=/certs/${COMMON}.key \
# registry:2
# Instructions
echo -e "\nInstallation finished ...
Notes
=====
- /etc/hosts should have an entry for '${COMMON}'
~> cat /etc/hosts
- All generated certificates have been saved in the certs directory (see lines 64-65 above).
- You'll need the 'rootCA.crt' to access the private repository from client machines (Instructions below)
Using the private registry
==========================
docker pull busybox
docker tag busybox ${COMMON}:5000/busybox
docker push ${COMMON}:5000/busybox
docker pull ${COMMON}:5000/busybox
Accessing the private registry from a client machine
====================================================
On the client machine:
- Add ${COMMON} entry to /etc/hosts with correct IP of server (if needed)
- Create cert directory
~> sudo mkdir -p /etc/docker/certs.d/${COMMON}:5000
- Copy and rename the 'rootCA.crt' file (on the server in the certs directory) into the directory you just created on the client:
- Full path on client: /etc/docker/certs.d/${COMMON}:5000/ca.crt
- Restart the Docker daemon to pick up the cert - REQUIRED!!!
sudo service docker restart
- Pull our ${COMMON}/busybox image
~> docker pull ${COMMON}:5000/busybox
"
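
The script above puts the registry hostname only in the certificate CN. Go 1.15 and later, which current Docker builds use, match hostnames only against subjectAltName entries, so a CN-only certificate is rejected. The following is an added example, not part of the original gist; the function names, the `san.cnf` file and the `<fqdn> Root CA` subject are assumptions. It issues the host certificate with a SAN and checks that it is present:

```bash
# Added example, not part of the original script. The function names, the
# san.cnf file and the "<fqdn> Root CA" subject are illustrative assumptions.

# make_registry_certs DIR FQDN [DAYS] [BITS]
# Writes DIR/rootCA.{key,crt} and DIR/FQDN.{key,csr,crt}. The host cert gets
# a subjectAltName; everything is created under umask 077.
make_registry_certs() {
  local dir="$1" fqdn="$2" days="${3:-365}" bits="${4:-2048}"
  (
    umask 077
    mkdir -p "$dir" && cd "$dir" || exit 1
    # Own config, so the result does not depend on the system openssl.cnf.
    cat > san.cnf <<EOF || exit 1
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ${fqdn}
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_host]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:${fqdn}
EOF
    openssl genrsa -out rootCA.key "$bits" &&
    openssl req -x509 -new -key rootCA.key -sha256 -days "$days" \
      -config san.cnf -extensions v3_ca -subj "/CN=${fqdn} Root CA" \
      -out rootCA.crt &&
    openssl genrsa -out "${fqdn}.key" "$bits" &&
    openssl req -new -key "${fqdn}.key" -config san.cnf -out "${fqdn}.csr" &&
    openssl x509 -req -in "${fqdn}.csr" -CA rootCA.crt -CAkey rootCA.key \
      -CAcreateserial -sha256 -days "$days" \
      -extfile san.cnf -extensions v3_host -out "${fqdn}.crt" &&
    chmod 644 rootCA.crt "${fqdn}.crt"   # certificates are public
  )
}

# cert_has_san CERT FQDN: succeeds if CERT lists FQDN as a DNS subjectAltName.
cert_has_san() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | grep -Eq "DNS:$2(,|\$)"
}
```

Clients still only need `rootCA.crt`, copied to `/etc/docker/certs.d/<fqdn>:5000/ca.crt` as in the notes above; `rootCA.key` never needs to leave the signing host.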