2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
.. vri1561486014514
|
|
|
|
|
.. _security-install-update-the-docker-registry-certificate:
|
|
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
==================================
|
|
|
|
|
Local Registry Server Certificates
|
|
|
|
|
==================================
|
|
|
|
|
|
2021-11-09 10:48:34 -05:00
|
|
|
.. note::
|
|
|
|
|
This procedure is deprecated. For up-to-date information, refer to:
|
|
|
|
|
:ref:`configure-docker-registry-certificate-after-installation-c519edbfe90a`.
|
|
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
For the Local Docker Registry, HTTPS is always enabled. By default, a
|
|
|
|
|
self-signed server certificate and key is generated and installed for this
|
|
|
|
|
endpoint. However, it is strongly recommended that you update the server
|
|
|
|
|
certificate used after installation with an Intermediate or Root |CA|-signed
|
|
|
|
|
server certificate and key. Refer to the documentation for the external
|
|
|
|
|
Intermediate or Root |CA| that you are using, on how to create public
|
|
|
|
|
certificate and private key pairs, signed by a Root |CA|, for HTTPS.
|
|
|
|
|
|
|
|
|
|
The local Docker registry provides Docker image service that can be accessed
|
|
|
|
|
using the registry API by secure HTTPS. Standalone system, central cloud and
|
|
|
|
|
every subcloud of |DC| system has their own Docker registry called
|
|
|
|
|
`registry.local`.
|
|
|
|
|
|
|
|
|
|
The Docker registry on the central cloud of |DC| system has an
|
|
|
|
|
alias of `registry.central`, which is used by subcloud to remotely login or
|
|
|
|
|
pull images from this central Docker registry.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
.. rubric:: |context|
|
|
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
By default a self-signed certificate is generated at installation time for the
|
2021-10-21 16:20:15 -03:00
|
|
|
registry API. For more secure access, an Intermediate or Root |CA|-signed
|
2021-03-15 16:56:04 -03:00
|
|
|
certificate is strongly recommended.
|
|
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
The Intermediate or Root |CA|-signed certificate for the registry must have at
|
|
|
|
|
least the following |SANs|: ``DNS:registry.local``, ``DNS:registry.central``, IP
|
2021-03-15 16:56:04 -03:00
|
|
|
Address:<oam-floating-ip-address>, IP Address:<mgmt-floating-ip-address>. Use
|
|
|
|
|
the :command:`system addrpool-list` command to get the |OAM| floating IP
|
2020-08-31 11:01:56 -04:00
|
|
|
Address and management floating IP Address for your system. You can add any
|
2023-02-28 14:02:05 +00:00
|
|
|
additional DNS entry\(s) that you have set up for your |OAM| floating IP
|
2020-08-31 11:01:56 -04:00
|
|
|
Address.
|
|
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
Use the following procedure to install an intermediate or Root |CA|-signed
|
|
|
|
|
certificate to either replace the default self-signed certificate or to replace
|
|
|
|
|
an expired or soon to expire certificate.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
.. rubric:: |prereq|
|
|
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
Obtain an intermediate or Root |CA|-signed certificate and key from a trusted
|
2021-10-21 16:20:15 -03:00
|
|
|
Intermediate or Root |CA|. Refer to the documentation for the external Root
|
2021-03-15 16:56:04 -03:00
|
|
|
|CA| that you are using, on how to create public certificate and private key
|
2021-10-21 16:20:15 -03:00
|
|
|
pairs, signed by an Intermediate or Root |CA|, for HTTPS.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2021-05-20 14:11:59 -03:00
|
|
|
For lab purposes, see :ref:`Create Certificates Locally using openssl
|
|
|
|
|
<create-certificates-locally-using-openssl>` for how to create a test
|
2021-10-21 16:20:15 -03:00
|
|
|
Intermediate or Root |CA| certificate and key, and use it to sign test
|
2021-05-20 14:11:59 -03:00
|
|
|
certificates.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
Put the |PEM| encoded versions of the certificate and key in a single file,
|
|
|
|
|
and copy the file to the controller host.
|
|
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
Also, obtain the certificate of the Intermediate or Root |CA| that signed the
|
2021-03-15 16:56:04 -03:00
|
|
|
above certificate.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
.. rubric:: |proc|
|
|
|
|
|
|
|
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
.. _security-install-update-the-docker-registry-certificate-d527e71:
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2021-05-20 14:11:59 -03:00
|
|
|
#. In order to enable internal use of the Docker registry certificate,
|
2020-08-31 11:01:56 -04:00
|
|
|
update the trusted |CA| list for this system with the Root |CA| associated
|
2021-05-20 14:11:59 -03:00
|
|
|
with the Docker registry certificate.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
~(keystone_admin)]$ system certificate-install --mode ssl_ca
|
2020-08-31 11:01:56 -04:00
|
|
|
<pathTocertificate>
|
|
|
|
|
|
|
|
|
|
where:
|
|
|
|
|
|
2021-05-20 14:11:59 -03:00
|
|
|
``<pathTocertificate>``
|
2021-03-15 16:56:04 -03:00
|
|
|
is the path to the intermediate or Root |CA| certificate associated
|
2021-10-21 16:20:15 -03:00
|
|
|
with the Docker registry's Intermediate or Root |CA|-signed
|
2021-03-15 16:56:04 -03:00
|
|
|
certificate.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2021-05-20 14:11:59 -03:00
|
|
|
#. Update the Docker registry certificate using the
|
2020-08-31 11:01:56 -04:00
|
|
|
:command:`certificate-install` command.
|
|
|
|
|
|
2021-05-20 14:11:59 -03:00
|
|
|
Set the ``mode (-m or --mode)`` parameter to ``docker_registry``.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
~(keystone_admin)]$ system certificate-install --mode docker_registry
|
2020-08-31 11:01:56 -04:00
|
|
|
<pathTocertificateAndKey>
|
|
|
|
|
|
|
|
|
|
where:
|
|
|
|
|
|
2021-05-20 14:11:59 -03:00
|
|
|
``<pathTocertificateAndKey>``
|
|
|
|
|
is the path to the file containing both the Docker registry's
|
2021-10-21 16:20:15 -03:00
|
|
|
Intermediate or Root CA-signed certificate and private key to install.
|
2023-06-19 20:14:20 +00:00
|
|
|
|
|
|
|
|
.. note::
|
|
|
|
|
|
|
|
|
|
Ensure the certificates have RSA key length >= 2048 bits. The
|
|
|
|
|
|prod-long| Release |this-ver| provides a new version of ``openssl``
|
|
|
|
|
which requires a minimum of 2048-bit keys for RSA for better
|
|
|
|
|
security / encryption strength.
|
|
|
|
|
|
|
|
|
|
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
|
|
|
|
and looking for the "Public-Key" in the output. For more information see
|
|
|
|
|
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
Refer to :ref:`Install/Update Local Registry Certificates
|
|
|
|
|
<installing-updating-the-docker-registry-certificate>` on how to install/update
|
|
|
|
|
and renew local registry certificates.
|
