Friday, December 29, 2017

Setting up Artifactory as Docker Registry

I was setting up artifactory as a docker registry on-premises with a self-signed certificate. This was not as simple as some of the docs suggested. It took me a bit to put together the process for this as it wasn’t really laid out in any single place. Here is what I did to get it working.

Distro: Ubuntu 16.04

I decided to do the subdomain method for setup. my FQDN that I will be subdomaining off of is artifactory.contoso.com. Each subdomain will be a different registry within artifactory. This will assume you already have an NGINX  instance setup to do the reverse proxy with the configuration defined by the Artifactory Reverse Proxy Generator.

Create self-signed certificate. I store mine in /mnt/data/ssl

$ openssl req -newkey rsa:2048 -nodes –keyout /mnt/data/ssl/wildcard.artifactory.contoso.com.key -x509 -days 365 –out /mnt/data/ssl/wildcard.artifactory.contoso.com.cert

Need to make this certificate available for docker

# mkdir –p /etc/docker/certs.d/wildcard.artifactory.contoso.com;
# cp /mnt/data/ssl/wildcard.artifactory.contoso.com.key /etc/docker/certs.d/wildcard.artifactory.contoso.com/domain.key;
# cp /mnt/data/ssl/wildcard.artifactory.contoso.com.cert /etc/docker/certs.d/wildcard.artifactory.contoso.com/domain.cert;
# ln –s /etc/docker/certs.d/wildcard.artifactory.contoso.com /etc/docker/certs.d/docker.artifactory.contoso.com;
# ln –s /etc/docker/certs.d/wildcard.artifactory.contoso.com /etc/docker/certs.d/docker-local.artifactory.contoso.com;

Now we have a folder setup for each subdomain for each docker registry in Artifactory. Next we need to add the certificates so the CA is known by the system.

# cp /mnt/data/ssl/wildcard.artifactory.contoso.com.key /usr/local/share/ca-certificates/wildcard.artifactory.contoso.com.key;
# cp /mnt/data/ssl/wildcard.artifactory.contoso.com.cert /usr/local/share/ca-certificates/wildcard.artifactory.contoso.com.crt;
# update-ca-certificates;

Next we need to add the domains to the docker options to allow them to be insecure.

# nano /etc/init.d/docker
### EDIT ###
DOCKER_OPTS="$DOCKER_OPTS --insecure-registry docker.artifactory.contoso.com --insecure-registry docker-local.artifactory.contoso.com

Finally, we just need to restart docker.

# systemctl restart docker

YMMV, but these are the steps that I needed to do to get things working for me.

Setting up Artifactory as Docker Registry

I was setting up artifactory as a docker registry on-premises with a self-signed certificate. This was not as simple as some of the docs suggested. It took me a bit to put together the process for this as it wasn’t really laid out in any single place. Here is what I did to get it working.

Distro: Ubuntu 16.04

I decided to do the subdomain method for setup. my FQDN that I will be subdomaining off of is artifactory.contoso.com. Each subdomain will be a different registry within artifactory. This will assume you already have an NGINX  instance setup to do the reverse proxy with the configuration defined by the Artifactory Reverse Proxy Generator.

Create self-signed certificate. I store mine in /mnt/data/ssl

$ openssl req -newkey rsa:2048 -nodes –keyout /mnt/data/ssl/wildcard.artifactory.contoso.com.key -x509 -days 365 –out /mnt/data/ssl/wildcard.artifactory.contoso.com.cert

Need to make this certificate available for docker

# mkdir –p /etc/docker/certs.d/wildcard.artifactory.contoso.com;
# cp /mnt/data/ssl/wildcard.artifactory.contoso.com.key /etc/docker/certs.d/wildcard.artifactory.contoso.com/domain.key;
# cp /mnt/data/ssl/wildcard.artifactory.contoso.com.cert /etc/docker/certs.d/wildcard.artifactory.contoso.com/domain.cert;
# ln –s /etc/docker/certs.d/wildcard.artifactory.contoso.com /etc/docker/certs.d/docker.artifactory.contoso.com;
# ln –s /etc/docker/certs.d/wildcard.artifactory.contoso.com /etc/docker/certs.d/docker-local.artifactory.contoso.com;

Now we have a folder setup for each subdomain for each docker registry in Artifactory. Next we need to add the certificates so the CA is known by the system.

# cp /mnt/data/ssl/wildcard.artifactory.contoso.com.key /usr/local/share/ca-certificates/wildcard.artifactory.contoso.com.key;
# cp /mnt/data/ssl/wildcard.artifactory.contoso.com.cert /usr/local/share/ca-certificates/wildcard.artifactory.contoso.com.crt;
# update-ca-certificates;

Next we need to add the domains to the docker options to allow them to be insecure.

# nano /etc/init.d/docker
### EDIT ###
DOCKER_OPTS="$DOCKER_OPTS --insecure-registry docker.artifactory.contoso.com --insecure-registry docker-local.artifactory.contoso.com

Finally, we just need to restart docker.

# systemctl restart docker

YMMV, but these are the steps that I needed to do to get things working for me.