Lab 2.0 - Container registries

Return to Workshop

During this module you will configure both nodes to host secure container registries. The registry software runs in a container and listens on port 5000. Configuring the registry consists of generating a self-signed SSL certificate and running the container. Two simple bash scripts are provided to do this. Once the registries are configured and running, the curl command can be used to test basic connectivity.

Configuring the registries

Node 1

Login to node1.0.example.redhatgov.io (from the bastion) and configure the registry. Do this as a regular (non-root) user.

ssh node1.0.example.redhatgov.io

You’ll be asked to confirm the key fingerprint, the first time that you login. Please answer yes.

The authenticity of host 'jajcs.node1.0.rhnaps.io (10.0.2.88)' can't be established.
ECDSA key fingerprint is SHA256:t019FDEhEgp1uhivEZy1gwqaNaXM75tOem4MHpmLRaw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'jajcs.node1.0.rhnaps.io,10.0.2.88' (ECDSA) to the list of known hosts.
Last login: Tue Jan 12 02:10:26 2021 from 10.0.2.245
[ec2-user@ip-10-0-2-88 ~]$

Confirm that the FQDN variable is set to node1.0.example.redhatgov.io in the myserver.cnf file.

cd $HOME/files/nodes/registry-files/gen-certs
grep ^FQDN myserver.cnf
FQDN=node1.0.example.redhatgov.io
Run the gen-cert.sh script to generate an SSL certificate.
sh ./gen-cert.sh
Generating a RSA private key
........................................................++++
.......................................++++
writing new private key to 'myserver.key'
-----
Signature ok
subject=C = CH, O = Summit, CN = node1.0.example.redhatgov.io
Getting Private key
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            66:eb:dd:c8:21:f5:38:ef:22:16:79:d0:ba:34:2c:f9:4b:1b:7d:6f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = Summit, CN = node1.0.example.redhatgov.io
        Validity
            Not Before: Apr  7 19:12:30 2020 GMT
            Not After : Sep 28 19:12:30 2025 GMT

Now move up one directory and run the run-registry.sh script to start the registry container.

cd ..
sh ./run-registry.sh
Adding password for user redhat
750ef695e4b66b00919e725bc2559db6ec2f9407e1f31358686b4339017c2ed5


Give the registry a minute or so to start then ...
curl  --user user:password -k https://localhost:5000/v2/_catalog

Testing the registries

Use curl to test that the registry service is running:

curl --user redhat:redhat https://node1.0.example.redhatgov.io:5000/v2/_catalog
{"repositories":[]}

Logout from node1:

exit

Node 2

Login to node2.0.example.redhatgov.io (from the bastion) and configure the registry. Do this as a regular (non-root) user.

ssh node2.0.example.redhatgov.io

You’ll be asked to confirm the key fingerprint, the first time that you login. Please answer yes.

The authenticity of host 'jajcs.node2.0.rhnaps.io (10.0.2.88)' can't be established.
ECDSA key fingerprint is SHA256:t019FDEhEgp1uhivEZy1gwqaNaXM75tOem4MHpmLRaw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'jajcs.node2.0.rhnaps.io,10.0.2.88' (ECDSA) to the list of known hosts.
Last login: Tue Jan 12 02:10:26 2021 from 10.0.2.245
[ec2-user@ip-10-0-2-88 ~]$

Confirm that the FQDN variable is set to node2.0.example.redhatgov.io in the myserver.cnf file.

cd $HOME/files/nodes/registry-files/gen-certs
grep ^FQDN myserver.cnf
FQDN=node2.0.example.redhatgov.io
Run the gen-cert.sh script to generate an SSL certificate.
sh ./gen-cert.sh
Generating a RSA private key
........................................................++++
.......................................++++
writing new private key to 'myserver.key'
-----
Signature ok
subject=C = CH, O = Summit, CN = node2.0.example.redhatgov.io
Getting Private key
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            66:eb:dd:c8:21:f5:38:ef:22:16:79:d0:ba:34:2c:f9:4b:1b:7d:6f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = Summit, CN = node2.0.example.redhatgov.io
        Validity
            Not Before: Apr  7 19:12:30 2020 GMT
            Not After : Sep 28 19:12:30 2025 GMT

Now move up one directory and run the run-registry.sh script to start the registry container.

cd ..
sh ./run-registry.sh
Adding password for user redhat
750ef695e4b66b00919e725bc2559db6ec2f9407e1f31358686b4339017c2ed5


Give the registry a minute or so to start then ...
curl  --user user:password -k https://localhost:5000/v2/_catalog

Testing the registries

Use curl to test that the registry service is running:

curl --user redhat:redhat https://node2.0.example.redhatgov.io:5000/v2/_catalog
{"repositories":[]}

Logout from node2:

exit

Configuring and testing the bastion

Copy the SSL certificates from the registry servers and update the trust store.

sudo scp ec2-user@node1.0.example.redhatgov.io:/etc/pki/ca-trust/source/anchors/myserver.cert /etc/pki/ca-trust/source/anchors/node1.cert
sudo scp ec2-user@node2.0.example.redhatgov.io:/etc/pki/ca-trust/source/anchors/myserver.cert /etc/pki/ca-trust/source/anchors/node2.cert
sudo update-ca-trust

Now try to curl the registries from the bastion using the FQDN:

curl --user redhat:redhat https://node1.0.example.redhatgov.io:5000/v2/_catalog
{"repositories":[]}
curl --user redhat:redhat https://node2.0.example.redhatgov.io:5000/v2/_catalog
{"repositories":[]}

Now that the registries have been configured, the remainder of the commands will be run on the bastion.


Workshop Details

Domain Red Hat Logo
Workshop
Student ID

Return to Workshop