Skip to content
This repository was archived by the owner on Sep 12, 2018. It is now read-only.

Serve a TLS endpoint if REGISTRY_TLS_VERIFY is set and GUNICORN_OPTS is not#693

Open
tiborvass wants to merge 1 commit intodocker-archive:masterfrom
tiborvass:tls-registry
Open

Serve a TLS endpoint if REGISTRY_TLS_VERIFY is set and GUNICORN_OPTS is not#693
tiborvass wants to merge 1 commit intodocker-archive:masterfrom
tiborvass:tls-registry

Conversation

@tiborvass
Copy link

@tiborvass tiborvass commented Nov 7, 2014

If REGISTRY_TLS_VERIFY is set, but GUNICORN_OPTS is not, then serve via a TLS endpoint instead of plain HTTP.

This is done by setting GUNICORN_OPTS to some default value, expecting the following files to be present:

  • /ssl/ca.crt
  • /ssl/registry.cert
  • /ssl/registry.key

Signed-off-by: Tibor Vass teabee89@gmail.com

@tiborvass
Copy link
Author

tiborvass commented Nov 7, 2014

Ping @dmp42 @dmcgowan @proppy

@tiborvass tiborvass force-pushed the tls-registry branch 3 times, most recently from 5215470 to ce54641 Compare November 7, 2014 01:10
tianon
tianon reviewed Nov 7, 2014
View reviewed changes
Dockerfile Outdated
Copy link

@tianon tianon Nov 7, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lol indentation

@proppy
Copy link
Contributor

proppy commented Nov 7, 2014

wondering if @dmp42 would have preferred a python impl and keep the ENTRYPOINT intact.

tianon
tianon reviewed Nov 7, 2014
View reviewed changes
Dockerfile Outdated
Copy link

@tianon tianon Nov 7, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$ROOTFS? Someone copy-pasta'd too much. 😉

@tiborvass tiborvass force-pushed the tls-registry branch 2 times, most recently from 3848eb9 to a7a1a04 Compare November 7, 2014 01:15
tianon
tianon reviewed Nov 7, 2014
View reviewed changes
Dockerfile Outdated
Copy link

@tianon tianon Nov 7, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You mean:

ENTRYPOINT ["/docker-registry/run.sh"]
CMD ["docker-registry"]

Copy link

@tianon tianon Nov 7, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So it might be good to rename run.sh now to be less misleading. 😉

@tiborvass tiborvass force-pushed the tls-registry branch 2 times, most recently from 8e1f742 to 5890418 Compare November 7, 2014 01:26
tianon
tianon reviewed Nov 7, 2014
View reviewed changes
Dockerfile Outdated
Copy link

@tianon tianon Nov 7, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not a script; it's a compiled Go binary.

Copy link
Author

@tiborvass tiborvass Nov 7, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dmp42 we can rewrite it in bash if you want with openssl, will take some time though.

Copy link
Contributor

@proppy proppy Nov 7, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wonder if we should keep the ENTRYPOINT in python and push the extra logic about in-place cert generation to generate_certs

@proppy proppy mentioned this pull request Nov 7, 2014
Merged
proppy
proppy reviewed Nov 7, 2014
View reviewed changes
wrap.sh Outdated
Copy link
Contributor

@proppy proppy Nov 7, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should assume that it's named registry.* or just assumed they get passed as their own bind mount?

@tiborvass tiborvass changed the title Enable TLS by default if /ssl directory is present Serve a TLS endpoint if REGISTRY_TLS_VERIFY is set and GUNICORN_OPTS is not Nov 7, 2014
@tiborvass
Copy link
Author

tiborvass commented Nov 7, 2014

@dmp42 @proppy @ewindisch
Generation of certs are done outside the registry and should be provided under /ssl via --volumes-from or a bind mount. The actual process for users will be documented (in a separate PR + PR to docker/docker/docs ?) from cert generation to including it in the registry container. An additional quick hack could be suggested with something like $(docker run tiborvass/registry:autotls) that would work for the basic needs.

@tiborvass tiborvass force-pushed the tls-registry branch 2 times, most recently from 8aa5c8d to eef7d1c Compare November 10, 2014 20:40
@tiborvass
If REGISTRY_TLS_VERIFY is set, but GUNICORN_OPTS is not, serve TLS.
eef7d1c 
This is done by setting GUNICORN_OPTS to some default value, expecting
the following files to be present:

* /ssl/ca.crt
* /ssl/registry.cert
* /ssl/registry.key

Signed-off-by: Tibor Vass <teabee89@gmail.com>
@dmp42
Copy link
Contributor

dmp42 commented Nov 11, 2014

@wking @stevvooe @bacongobbler what do you think?

@dmp42 dmp42 added this to the 1.0 milestone Nov 11, 2014
@dmp42 dmp42 added the security label Nov 11, 2014
@wking
Copy link
Contributor

wking commented Nov 11, 2014

On Mon, Nov 10, 2014 at 04:01:55PM -0800, Olivier Gambier wrote:

@wking @stevvooe @bacongobbler what do you think?

I'd just add this to the docs for:

GUNICORN_OPTS='[--ssl-version, 3, --certfile, /ssl/registry.cert, --keyfile, /ssl/registry.keys, --ca-certs, /ssl/ca.crt]'

but if folks want a shortcut environment variable for that, I'll go
along with it ;).

@bacongobbler
Copy link
Contributor

bacongobbler commented Nov 11, 2014

LGTM and +1 on separation of concerns, though users would probably like to have /ssl configurable in case their certs are in another container or are located somewhere else on the local filesystem (--volumes-from doesn't allow you to choose the src and dest directories IIRC). Maybe $REGISTRY_KEYFILE, $REGISTRY_CERTFILE AND $REGISTRY_CA_CERTFILE?

e.g. I usually like to have my certs located at /etc/ssl/certs/..., keys in /etc/ssl/private/... and the CA cert chain at /etc/ssl/root.ca

@wking
Copy link
Contributor

wking commented Nov 11, 2014

On Mon, Nov 10, 2014 at 04:32:28PM -0800, Matthew Fisher wrote:

… though users would probably like to have /ssl configurable…

In this case I'd really rather they just used GUNICORN_OPTS directly.
You don't save much by replacing --certfile with REGISTRY_CERTFILE ;).

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

enhancement security

Projects

None yet

Milestone

1.0

Development

Successfully merging this pull request may close these issues.

7 participants

@tiborvass @proppy @dmp42 @wking @bacongobbler @stevvooe @tianon