#author("2020-01-17T11:08:53+00:00","","")
#mynavi()
#setlinebreak(on);
* Table of contents [#k9c1266c]
#contents
- Related
-- [[gitコマンド]]
-- [[dockerメモ]]
-- [[Apache+openSSLでクライアント認証]]
-- [[Javaでhttps通信時の証明書検証について]]
-- [[サーバ名がIPアドレスの場合のSSL証明書作成]]
* Overview [#wcf1173b]
#html(<div class="pl10">)
Build a private Docker registry with the GitLab Container Registry.
Note: "GitLab" here does not mean the hosted service but the open-source GitLab CE.
#html(</div>)
* Create a working directory [#qe9dac67]
#html(<div class="pl10">)
#myterm2(){{
mkdir work_gitlab_container
cd work_gitlab_container
}}
#html(</div>)
* Create the server certificate [#cb249828]
#html(<div class="pl10">)
#myterm2(){{
mkdir certs
openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/サーバ名.key \
> -x509 -days 365 -out certs/サーバ名.crt
Generating a 4096 bit RSA private key
..............................................................................................++
.............................................................................................................++
writing new private key to 'certs/サーバ名.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:JP
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:サーバ名
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:サーバ名
Email Address []:
}}
#html(</div>)
* Create docker-compose.yml [#g2b1de37]
#html(<div class="pl10">)
.env
#mycode2(){{
SERVER_NAME=サーバ名
}}
docker-compose.yml
#mycode2(){{
web:
  image: gitlab/gitlab-ce:latest
  restart: always
  hostname: localhost
  container_name: mygitlab
  environment:
    GITLAB_OMNIBUS_CONFIG: |
      external_url "https://${SERVER_NAME}"
      registry_external_url "https://${SERVER_NAME}:4567"
      registry_nginx['ssl_certificate'] = "/var/certs/${SERVER_NAME}.crt"
      registry_nginx['ssl_certificate_key'] = "/var/certs/${SERVER_NAME}.key"
  ports:
    - '80:80'
    - '443:443'
    - '8022:22'
    - '4567:4567'
  volumes:
    - './certs:/var/certs'
}}
#html(</div>)
* Build / start [#gdb545fb]
#html(<div class="pl10">)
#myterm2(){{
docker-compose up -d
}}
After a while, logs like the following are emitted and the container restarts.
Note: it appears to be trying to set up the certificate via Let's Encrypt (unnecessary here, since the certificate was created by hand).
#myterm2(){{
docker logs -g mygitlab
================================================================================
Error executing action `create` on resource 'letsencrypt_certificate[XXX.XXX.XXX.XXX]'
================================================================================
:
Recipe: gitlab::gitlab-rails
* execute[clear the gitlab-rails cache] action run
- execute /opt/gitlab/bin/gitlab-rake cache:clear
Recipe: <Dynamically Defined Resource>
* service[gitaly] action restart
- restart service service[gitaly]
Recipe: gitaly::enable
* runit_service[gitaly] action hup
- send hup to runit_service[gitaly]
Recipe: <Dynamically Defined Resource>
* service[gitlab-workhorse] action restart
- restart service service[gitlab-workhorse]
* service[registry] action restart
- restart service service[registry]
* service[gitlab-exporter] action restart
- restart service service[gitlab-exporter]
* service[redis-exporter] action restart
- restart service service[redis-exporter]
* service[prometheus] action restart
- restart service service[prometheus]
Recipe: monitoring::prometheus
* execute[reload prometheus] action run
- execute /opt/gitlab/bin/gitlab-ctl hup prometheus
Recipe: <Dynamically Defined Resource>
* service[alertmanager] action restart
- restart service service[alertmanager]
* service[postgres-exporter] action restart
- restart service service[postgres-exporter]
* service[grafana] action restart
- restart service service[grafana]
Running handlers:
There was an error running gitlab-ctl reconfigure:
letsencrypt_certificate[XXX.XXX.XXX.XXX] (letsencrypt::http_authorization line 5) had an error: Acme::Client::Error::RejectedIdentifier:\
acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error:\
Acme::Client::Error::RejectedIdentifier: Error creating new order :: Cannot issue for "XXX.XXX.XXX.XXX": The ACME server can not issue a certificate for an IP address
Running handlers complete
Chef Client failed. 539 resources updated in 03 minutes 09 seconds
}}
#html(</div>)
* Try pushing an image [#q0917c6b]
#html(<div class="pl10">)
#myterm2(){{
docker login サーバ名:4567
# Pull an arbitrary image
docker pull ubuntu
# Tag / push
docker image tag ubuntu サーバ名:4567/group1/myproject1
docker push サーバ名:4567/group1/myproject1
# Tag / push as ver2
docker image tag ubuntu サーバ名:4567/group1/myproject1:ver2
docker push サーバ名:4567/group1/myproject1:ver2
}}
State after the push
#html(<div style="display: inline-block; border: 1px solid #333">)
#ref(gitlab_container_registry.png)
#html(</div>)
#html(</div>)
* Notes [#a68ade77]
#html(<div class="pl10">)
When the server name is an IP address, the certificate's Subject Alternative Name is checked as well, so the certificate must contain an IP SAN for that address.
Otherwise docker login fails with the following error.
#myterm2(){{
Error response from daemon: Get https://192.168.0.12:4567/v2/: x509: cannot validate certificate for 192.168.0.12 because it doesn't contain any IP SANs
}}
Note: see also [[サーバ名がIPアドレスの場合のSSL証明書作成]]
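The following script is an added example (not from the original page) covering both the certificate step above and this note: it generates the registry certificate non-interactively with DNS and IP Subject Alternative Names, and includes the check Docker effectively performs when you log in by IP. The host name `gitlab.example.test` and the address `192.168.0.12` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page: build the registry certificate with
# Subject Alternative Names so that it validates whether the registry is reached by
# host name or by IP. The host name and IP used in the demo are constructed placeholders.
set -eu

# make_registry_cert NAME IP OUTDIR
# Writes OUTDIR/NAME.key and OUTDIR/NAME.crt, self-signed, with DNS and IP SANs.
make_registry_cert() {
  name="$1"; ip="$2"; dir="$3"
  mkdir -p "$dir"
  # Non-interactive request config: the DN fields the page typed in by hand,
  # plus the v3 extensions that a plain "openssl req -x509" call does not add.
  cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
C  = JP
O  = $name
CN = $name
[v3_req]
subjectAltName   = DNS:$name, IP:$ip
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
    -config "$dir/$name.cnf" -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# cert_sans CERT: print the SAN list of a certificate (empty if it has none).
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_has_ip_san CERT IP: succeed only if CERT lists IP in its SANs. This is the
# condition behind Docker's "doesn't contain any IP SANs" error when logging in by IP.
cert_has_ip_san() {
  cert_sans "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qx "IP Address:$2"
}

# Stand-alone demo into a temporary directory; prints the SAN line of the new cert.
demo_dir=$(mktemp -d)
make_registry_cert gitlab.example.test 192.168.0.12 "$demo_dir"
cert_sans "$demo_dir/gitlab.example.test.crt"
```

The Docker client still has to trust this self-signed certificate, for example by copying the .crt to /etc/docker/certs.d/<server>:4567/ca.crt on the Docker host before running docker login.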
#html(</div>)