Friday, December 29, 2017

Setting up Artifactory as Docker Registry

I was setting up artifactory as a docker registry on-premises with a self-signed certificate. This was not as simple as some of the docs suggested. It took me a bit to put together the process for this as it wasn’t really laid out in any single place. Here is what I did to get it working.

Distro: Ubuntu 16.04

I decided to do the subdomain method for setup. My FQDN that I will be subdomaining off of is artifactory.contoso.com. Each subdomain will be a different registry within Artifactory. This assumes you already have an NGINX instance set up to do the reverse proxy with the configuration defined by the Artifactory Reverse Proxy Generator.

Create a self-signed certificate. I store mine in /mnt/data/ssl:

$ openssl req -newkey rsa:2048 -nodes -keyout /mnt/data/ssl/wildcard.artifactory.contoso.com.key -x509 -days 365 -out /mnt/data/ssl/wildcard.artifactory.contoso.com.cert

Next, make this certificate available to Docker:

# mkdir -p /etc/docker/certs.d/wildcard.artifactory.contoso.com;
# cp /mnt/data/ssl/wildcard.artifactory.contoso.com.key /etc/docker/certs.d/wildcard.artifactory.contoso.com/domain.key;
# cp /mnt/data/ssl/wildcard.artifactory.contoso.com.cert /etc/docker/certs.d/wildcard.artifactory.contoso.com/domain.cert;
# ln -s /etc/docker/certs.d/wildcard.artifactory.contoso.com /etc/docker/certs.d/docker.artifactory.contoso.com;
# ln -s /etc/docker/certs.d/wildcard.artifactory.contoso.com /etc/docker/certs.d/docker-local.artifactory.contoso.com;

Now we have a folder set up for each subdomain, one per Docker registry in Artifactory. Next we need to add the certificate so the CA is known by the system.

# cp /mnt/data/ssl/wildcard.artifactory.contoso.com.key /usr/local/share/ca-certificates/wildcard.artifactory.contoso.com.key;
# cp /mnt/data/ssl/wildcard.artifactory.contoso.com.cert /usr/local/share/ca-certificates/wildcard.artifactory.contoso.com.crt;
# update-ca-certificates;

Next we need to add the domains to the Docker options as insecure registries.

# nano /etc/init.d/docker
### EDIT ###
DOCKER_OPTS="$DOCKER_OPTS --insecure-registry docker.artifactory.contoso.com --insecure-registry docker-local.artifactory.contoso.com"

Finally, we just need to restart docker.

# systemctl restart docker
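The script below is an added example, not part of the original post, that does the certificate and Docker trust setup from the steps above in one pass and then checks the result. The check matters because --insecure-registry makes Docker skip certificate verification for the named hosts, so it hides any mistake in the trust setup; once the checks pass, the flag is no longer doing anything useful. Two details the steps above do not spell out: Docker reads any *.crt file in /etc/docker/certs.d/<registry-host>/ as an extra CA root for that host, while a *.cert/*.key pair there is treated as a client certificate; and update-ca-certificates only processes *.crt files under /usr/local/share/ca-certificates, so a .key file copied there is ignored and is better kept out of a directory that only needs public material. The script also puts a subjectAltName on the certificate, which the openssl command above does not. DOMAIN, SUBDOMAINS, SSL_DIR and CERTS_D are assumed variable names whose defaults follow the post; point the last two at a scratch directory to run it without root.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a self-signed wildcard
# certificate for the Artifactory subdomains, installs it the way Docker reads
# certs.d, and verifies the result. DOMAIN, SUBDOMAINS, SSL_DIR and CERTS_D are
# placeholders (defaults follow the post); point CERTS_D at a scratch directory
# to try it without touching /etc.
set -u

DOMAIN="${DOMAIN:-artifactory.contoso.com}"
SUBDOMAINS="${SUBDOMAINS:-docker docker-local}"
SSL_DIR="${SSL_DIR:-/mnt/data/ssl}"
CERTS_D="${CERTS_D:-/etc/docker/certs.d}"

# Self-signed wildcard cert with a subjectAltName (the post's command sets only
# the CN). Extensions go through a config file so this works on OpenSSL 1.0.2
# (Ubuntu 16.04) as well as on newer releases.
make_cert() {
    mkdir -p "$SSL_DIR"
    cat > "$SSL_DIR/wildcard.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = *.$DOMAIN
[v3]
subjectAltName = DNS:*.$DOMAIN,DNS:$DOMAIN
basicConstraints = CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$SSL_DIR/wildcard.cnf" \
        -keyout "$SSL_DIR/wildcard.$DOMAIN.key" \
        -out "$SSL_DIR/wildcard.$DOMAIN.cert" 2>/dev/null
    # The key is private: owner-only permissions, and it never leaves SSL_DIR.
    chmod 600 "$SSL_DIR/wildcard.$DOMAIN.key"
}

# Docker trusts <certs.d>/<registry-host>/*.crt as extra CA roots for that host;
# only the certificate is needed there, never the private key.
install_for_docker() {
    for sub in $SUBDOMAINS; do
        mkdir -p "$CERTS_D/$sub.$DOMAIN"
        cp "$SSL_DIR/wildcard.$DOMAIN.cert" "$CERTS_D/$sub.$DOMAIN/ca.crt"
    done
}

# Does the certificate cover this host name? A wildcard matches one label only,
# so a.b.<domain> is NOT covered by *.<domain>.
cert_matches_host() {
    openssl x509 -in "$SSL_DIR/wildcard.$DOMAIN.cert" -noout -checkhost "$1" \
        | grep -q 'does match'
}

# Succeed only if no file below the directory carries private key material.
no_private_keys_in() {
    ! grep -rq 'PRIVATE KEY' "$1"
}

# Full check for one registry: trust file present, it validates as a root,
# the name matches, and no key has been copied alongside it.
verify_registry() {
    dir="$CERTS_D/$1.$DOMAIN"
    [ -f "$dir/ca.crt" ] || return 1
    openssl verify -CAfile "$dir/ca.crt" "$dir/ca.crt" >/dev/null 2>&1 || return 1
    cert_matches_host "$1.$DOMAIN" || return 1
    no_private_keys_in "$dir"
}

# Run end to end only when invoked with "setup"; sourcing just defines the functions.
if [ "${1:-}" = "setup" ]; then
    make_cert
    install_for_docker
    for sub in $SUBDOMAINS; do
        verify_registry "$sub" && echo "ok: $sub.$DOMAIN"
    done
fi
```

Invoke it as `sh registry-certs.sh setup` (file name is hypothetical) after exporting the variables you want to override. If verify_registry reports ok for every subdomain, Docker can validate the registry's certificate on its own, and the --insecure-registry entries can be dropped from DOCKER_OPTS before the restart.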

YMMV, but these are the steps that I needed to do to get things working for me.

Wednesday, December 13, 2017

No Matching Cipher Found

Today I tried to pull latest from the develop branch in a git repository in TFS 2015. I use SSH for authentication to TFS git repositories, and when I ran the git pull command, I was presented with the following error:

no matching cipher found. their offer: aes256-cbc,aes192-cbc,aes128-cbc

There were some other lines about making sure the repository existed, and that I had permission, etc. But this line was the one that sort of stood out to me. It is not an error that I have come across before. It took me a little while to track down the issue, which is why I am writing this.

The error is not a TFS issue, nor is it a git issue. The error is coming from SSH. I think it started after I updated my version of OpenSSH on my Mac to version 7.6p1.

To fix the issue, I opened up /etc/ssh/ssh_config and added the lines:

Match Host my-tfs-server.company-domain.com
    Ciphers +aes128-cbc,aes192-cbc,aes256-cbc

You could make it less restrictive and omit the Match Host line altogether, but I would rather add the exception for the specific servers that require it. After adding those lines, I was able to pull latest again.
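As an added example, not from the original post, the functions below turn the diagnosis above into something repeatable: they pull the server's offer out of the error line, intersect it with the cipher list the client will actually use, and only when nothing is shared print a Match Host stanza that adds exactly the offered ciphers for that one host, which is the narrow exception the post prefers over a global change. The CBC modes in this offer are no longer part of OpenSSH's default cipher set, which is why a fresh client rejects a server that offers only those. CLIENT_CIPHERS here is a constructed sample; on a real machine, `ssh -Q cipher` lists the ciphers the client binary supports and `ssh -G <host> | grep '^ciphers'` shows what it would offer to a given host after config is applied. The host name is the placeholder the post uses.

```shell
#!/bin/sh
# Added example, not from the original post. Diagnoses "no matching cipher
# found" and prints the smallest ssh_config exception that would resolve it.

# Constructed sample of a modern client cipher list (no CBC modes). On a real
# host replace it with the output of: ssh -G <host> | grep '^ciphers'
CLIENT_CIPHERS="chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"

# Extract the comma-separated offer from an error line such as
# "no matching cipher found. their offer: aes256-cbc,aes192-cbc,aes128-cbc"
offer_from_error() {
    printf '%s\n' "$1" | sed -n 's/.*their offer: *//p' | tr -d ' '
}

# Print, one per line, the ciphers present in both comma-separated lists,
# in the order of the first list (the client's preference order).
common_ciphers() {
    for c in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in *",$c,"*) printf '%s\n' "$c" ;; esac
    done
}

# Emit an ssh_config stanza scoped to one host that appends the server's
# offered ciphers to the client's list without touching any other host.
match_block() {
    printf 'Match Host %s\n    Ciphers +%s\n' "$1" "$2"
}

# Given the host and the full error line: report that nothing is needed when a
# cipher is already shared, otherwise print the stanza to add.
plan_fix() {
    host="$1"
    offer=$(offer_from_error "$2")
    if [ -n "$(common_ciphers "$CLIENT_CIPHERS" "$offer")" ]; then
        echo "no cipher change needed for $host"
    else
        match_block "$host" "$offer"
    fi
}
```

Review the stanza before appending it to /etc/ssh/ssh_config or ~/.ssh/config, then confirm with `ssh -G my-tfs-server.company-domain.com | grep '^ciphers'` that the added ciphers appear for that host only and not for others.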
