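#!/usr/bin/env bash
#
# Installs/Configures:
#   - Docker
#   - Docker Registry container with a self-signed certificate
#
# Tested on Ubuntu 14.04.1.  Must be executed with elevated privileges.
#
# Every prompted value may be pre-set in the environment to run the script
# non-interactively, e.g.:
#   BITS=4096 DAYS=365 COUNTRY=US STATE=IN LOCATION=Indianapolis \
#   ORGANIZATION=Docker OUNIT=Support COMMON=myregistry.com sudo -E ./install.sh
#
# Outputs (relative to the directory the script is started in):
#   ./certs/rootCA.key, ./certs/rootCA.crt       - private CA (key is 0600, unencrypted)
#   ./certs/<CN>.key, ./certs/<CN>.csr, ./certs/<CN>.crt - registry server cert (key is 0600)
#   /usr/local/share/ca-certificates/<CN>/rootCA.crt     - system trust store copy
#   /etc/docker/certs.d/<CN>:5000/ca.crt                 - Docker daemon trust copy
#   an entry for <CN> in /etc/hosts (added only if missing)
#
# The CA private key is written unencrypted next to the server key; move it
# off this host once the server certificate has been signed.

set -euo pipefail

if [[ "$(id -u)" != "0" ]]; then
  printf 'This script must be ran as root or sudo!\n' >&2
  exit 1
fi

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# prompt VAR LABEL
#   Ask for VAR interactively unless it is already set (e.g. exported by the
#   caller).  Re-asks until a non-empty answer is given.  The answer is stored
#   with printf -v rather than eval so that shell metacharacters in the
#   response are never interpreted as code.
prompt() {
  local var=$1 label=$2 answer=""
  if [[ -z "${!var:-}" ]]; then
    while [[ -z "$answer" ]]; do
      read -r -p "${label}: " answer
    done
    printf -v "$var" '%s' "$answer"
  fi
}

# collect required information
# - C  Country
# - ST State
# - L  Location
# - O  Organization
# - OU Organizational Unit
# - CN Common Name
printf '\nRequired information:\n'
prompt BITS "Enter bit size for certs (Ex. 2048)"
prompt DAYS "Enter number of days to sign the certs with (Ex. 365)"
prompt COUNTRY "Enter the 'Country' for the cert (Ex. US)"
prompt STATE "Enter the 'State' for the cert (Ex. IN)"
prompt LOCATION "Enter the 'Location' for the cert (Ex. Indianapolis)"
prompt ORGANIZATION "Enter the 'Organization' for the cert (Ex. Docker)"
prompt OUNIT "Enter the 'Organizational Unit' for the cert (Ex. Support)"
prompt COMMON "Enter the 'Common Name' for the cert (Must be a FQDN (at least one period character) E.g. myregistry.com)"

# Refuse values that would be mis-parsed further down: BITS/DAYS are passed to
# openssl as numbers, COMMON is reused as a file name, a directory name and an
# /etc/hosts entry, and '/' is the field separator inside the -subj string.
[[ "$BITS" =~ ^[0-9]+$ ]] || die "BITS must be an integer (got '${BITS}')"
[[ "$DAYS" =~ ^[0-9]+$ ]] || die "DAYS must be an integer (got '${DAYS}')"
[[ "$COMMON" =~ ^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$ ]] \
  || die "COMMON must be a FQDN such as myregistry.com (got '${COMMON}')"
for field in COUNTRY STATE LOCATION ORGANIZATION OUNIT; do
  [[ "${!field}" != */* ]] || die "${field} must not contain '/' (got '${!field}')"
done
if (( BITS < 2048 )); then
  printf 'WARNING: %s-bit RSA keys are considered weak; 2048 or more is recommended.\n' "$BITS" >&2
fi

# ... Docker ...
# ~~~~~~~~~~~~~~

# for aufs
printf '\nInstalling linux-image-extra ...\n'
apt-get update
apt-get -y install "linux-image-extra-$(uname -r)"
# Kept from the original script; presumably lets apt/dpkg settle before the
# Docker installer runs its own apt operations.
sleep 10

# Install Docker
printf '\nInstalling Docker ...\n'
# SECURITY: this executes an installer fetched from the network, as root, with
# no signature or checksum verification (the classic "curl | sh").  Two
# mitigations only: -f makes curl fail on an HTTP error so an error page is
# never run, and staging the script in a temp file means a truncated download
# is not partially executed.  Prefer a pinned distribution package, or verify
# the script against a known checksum, anywhere other than a throwaway VM.
# The URL is kept from the original; confirm it is still served before relying on it.
installer=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$installer"' EXIT
curl -fsSL https://get.docker.com/ubuntu/ -o "$installer"
sh "$installer"

# ... Certs ...
# ~~~~~~~~~~~~~

# ... prep certs ...
printf '\nGenerating certs ...\n'
mkdir -p certs
cd certs || die "cannot cd into ./certs"

# One subject for both the CA and the server cert, as in the original.
# The OU field was prompted for but never used before; it is included now.
# NOTE(review): the CA and the server certificate share an identical subject
# DN.  Some OpenSSL versions treat a certificate whose subject equals its
# issuer as self-signed and fail to verify it; if that shows up, give the CA
# a distinct CN (e.g. "${COMMON} CA").
subject="/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${OUNIT}/CN=${COMMON}"

# Generate a root key (umask 077 in the subshell -> file is owner-readable only)
(umask 077 && openssl genrsa -out rootCA.key "$BITS")

# Generate a root certificate (explicit SHA-256; older openssl defaults to SHA-1,
# which current TLS clients reject)
openssl req -x509 -new -nodes -sha256 -key rootCA.key -days "$DAYS" \
  -subj "$subject" \
  -out rootCA.crt

# Generate key for host (owner-readable only)
(umask 077 && openssl genrsa -out "${COMMON}.key" "$BITS")

# Generate CSR
openssl req -new -sha256 -key "${COMMON}.key" \
  -subj "$subject" \
  -out "${COMMON}.csr"

# Sign certificate request.  A subjectAltName is attached because modern TLS
# clients (including recent Docker/Go releases) ignore the CN and require a
# SAN to match the host name.
openssl x509 -req -sha256 -in "${COMMON}.csr" -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
  -days "$DAYS" \
  -extfile <(printf 'subjectAltName=DNS:%s\n' "$COMMON") \
  -out "${COMMON}.crt"

# Trust the CA system-wide on this host (curl, openssl s_client, ...)
mkdir -p "/usr/local/share/ca-certificates/${COMMON}"
cp rootCA.crt "/usr/local/share/ca-certificates/${COMMON}/"
update-ca-certificates

# Trust the CA in the Docker daemon.  Docker looks the CA up under a
# <host>:<port> directory; the registry is published on port 5000 (see the
# docker run command and the notes below), so the directory must carry the
# port, exactly as the client instructions say.
mkdir -p "/etc/docker/certs.d/${COMMON}:5000"
cp rootCA.crt "/etc/docker/certs.d/${COMMON}:5000/ca.crt"

# add ${COMMON} to /etc/hosts
printf '\nAdding %s to /etc/hosts ...\n' "$COMMON"
# -F: the host name is a literal, not a regex ('.' would otherwise match any char);
# -w: do not treat "myregistry.com" as present because "notmyregistry.com" is.
if ! grep -qwF -- "$COMMON" /etc/hosts; then
  printf '127.0.0.1 %s\n' "$COMMON" >> /etc/hosts
fi

# ... launch registry ...
# ~~~~~~~~~~~~~~~~~~~~~~~

# Restart Docker to pick up our certs
printf '\nRestarting Docker daemon ...\n'
service docker restart
sleep 10

printf '\nLaunching our private registry ...\n'
# Left disabled, as in the original.  When enabling it, mount only the server
# certificate and key -- not the whole certs/ directory, which also contains
# rootCA.key and would hand the CA private key to the container.
# cd ..
# docker run -d -p 5000:5000 --restart=always --name registry \
#   -v "$(pwd)/certs/${COMMON}.crt:/certs/${COMMON}.crt:ro" \
#   -v "$(pwd)/certs/${COMMON}.key:/certs/${COMMON}.key:ro" \
#   -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/${COMMON}.crt" \
#   -e "REGISTRY_HTTP_TLS_KEY=/certs/${COMMON}.key" \
#   registry:2

# Instructions
cat <<EOF

Installation finished ...

Notes
=====
- /etc/hosts should have an entry for '${COMMON}'
  ~> cat /etc/hosts
- All generated certificates have been saved in the certs directory (./certs, created above).
  The private keys (rootCA.key, ${COMMON}.key) are readable by root only; keep rootCA.key off shared hosts.
- You'll need the 'rootCA.crt' to access the private repository from client machines (Instructions below)

Using the private registry
==========================
docker pull busybox
docker tag busybox ${COMMON}:5000/busybox
docker push ${COMMON}:5000/busybox
docker pull ${COMMON}:5000/busybox

Accessing the private registry from a client machine
====================================================
On the client machine:
- Add ${COMMON} entry to /etc/hosts with correct IP of server (if needed)
- Create cert directory
  ~> sudo mkdir -p /etc/docker/certs.d/${COMMON}:5000
- Copy and rename the 'rootCA.crt' file (on the server in the certs directory) into the directory you just created on the client:
  - Full path on client: /etc/docker/certs.d/${COMMON}:5000/ca.crt
- Restart the Docker daemon to pick up the cert - REQUIRED!!!
  sudo service docker restart
- Pull our ${COMMON}/busybox image
  ~> docker pull ${COMMON}:5000/busybox
EOF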