Docker private repository journey

Docker Journey

Baby steps to greatness…

1. Install private Docker repository (Nexus 3)

2. Create self signed certificate because our signatures rock

3. Configure nexus for https connections (required by Docker)

4. Export self signed certificate

5. Import and Install certificate on Docker client

6. Setup nexus repository

7. Push images to nexus J

…Call JMP if you get stuck :)

Nexus Repository Manager

Download the nexus repository manager for preferred OS, for this killer tutorial I’ll be deploying to Ubuntu but deploying to Windows should be similar

· Ubuntu download: nexus-3.0.0-03-unix.tar.gz

· Windows download: nexus-3.0.0-03-win64.zip

Extract the tar file to desired location (in my case ~/alchemy/nexus/) using the command:

tar –xvzf nexus-3.0.0-03-unix.tar.gz

Setup the service:

Create a symbolic link to the nexus script in the init.d folder:

sudo ln -s $NEXUS_HOME/bin/nexus /etc/init.d/nexus

            cd /etc/init.d
                   sudo update-rc.d nexus defaults
                   sudo service nexus start (before running start we need to configure some https stuffs)

Create a self signed certificate (because our signatures rock)

We’re going to use the keytool application to generate some dodgy certificates, in order to use the keytool you will need to install java, this can be done by using the apt-get install openjdk-8-jdk command if your systems doesn’t already have java

To generate the certificate run the following command, the command will create a keystore.jks file in the same folder from where you ran the command:

keytool -genkeypair -keystore keystore.jks -storepass Password1 -keypass Password1 -alias jetty -keyalg RSA -keysize 2048 -validity 5000 -dname "CN=10.9.222.43, OU=Example, O=Sonatype, L=Unspecified, ST=Unspecified, C=US" -ext "SAN=DNS:scmbdirectory.com,IP:10.9.222.43" -ext "BC=ca:true"

Copy the certificate created to the folder /etc/ssl/keystore.jks

Configure Nexus

Two configuration changes need to happen to get nexus to support https (which is required by Docker and is better in general)

· Update $NEXUS_HOME/etc/org.sonatype.nexus.cfg

Add ${karaf.etc}/jetty-https.xml to the end of the nexus-args, don’t forget to separate with a comma ie.

nexus-args=${karaf.etc}/jetty.xml,${karaf.etc}/jetty-http.xml,${karaf.etc}/jetty-requestlog.xml,${karaf.etc}/jetty-https.xml

Add application-port-ssl=8443

· Update jetty-https.xml file

Update the certificate details under the sslContextFactory tag to look like the following

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<Set name="KeyStorePath">/etc/ssl/keystore.jks</Set>
<Set name="KeyStorePassword">Password1</Set>
<Set name="KeyManagerPassword">Password1</Set>
<Set name="TrustStorePath">/etc/ssl/keystore.jks</Set>
<Set name="TrustStorePassword">Password1</Set>
<Set name="EndpointIdentificationAlgorithm"></Set>
<Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
<Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
<Set name="ExcludeCipherSuites">
<Array type="String">
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
</Array>
</Set>
</New>

Export certificate

We need to export the certificate to be able to import it into the ubuntu certificate store, client (unsigned certificates) are saved as .cert while signed certificates are saved as .crt

Run the command below from the machine that will be pushing or pulling images from Nexus

sudo keytool -printcert -sslserver nexushost:port –rfc (change nexushost to the ip or host name of the server and port to the https port of nexus)

Save the output to the file ~/docker.cert

Import and Install certificate

Create the directory structure /etc/docker/certs.d/nexushost

Copy the certificate exported above into the folder you just created.

Run the following command to import the certificate:

sudo update-ca-certificates

You may now start the nexus service using:

Sudo service nexus start

Import and Install certificate

Go to the https://nexushome:8443/#admin/repository/repositories to configure a docker repository

There are thre types of docker repositories that can be created when clicking on the “create new” button:

· Docker (group) Used to link multiple repositories