#mynavi()
#setlinebreak(on);

* Contents [#k9c1266c]
#contents

- Related
-- [[dockerメモ]]
-- [[Apache+openSSLでクライアント認証]]
-- [[Javaでhttps通信時の証明書検証について]]
-- [[サーバ名がIPアドレスの場合のSSL証明書作成]]

* Overview [#wcf1173b]
#html(<div class="pl10">)
Build a private Docker registry using the Container Registry bundled with GitLab.
Note that "GitLab" here means GitLab CE, the open-source distribution (run below from the gitlab/gitlab-ce Docker image), not the hosted GitLab.com service.
Throughout this page, サーバ名 is a placeholder for the host name (or IP address) under which the registry will be reached. It appears in the certificate file names, in .env and in every docker command, and must be the same string in all of them.
#html(</div>)

* Create a working directory [#qe9dac67]
#html(<div class="pl10">)
#myterm2(){{
mkdir work_gitlab_container
cd work_gitlab_container
}}
#html(</div>)

* Create the server certificate [#cb249828]
#html(<div class="pl10">)
Generate a self-signed certificate and an unencrypted (-nodes) 4096-bit RSA key, valid for one year. Only the Common Name matters among the prompted fields; the others may be left blank.
#myterm2(){{
mkdir certs
openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/サーバ名.key \
> -x509 -days 365 -out certs/サーバ名.crt
Generating a 4096 bit RSA private key
..............................................................................................++
.............................................................................................................++
writing new private key to 'certs/サーバ名.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:JP
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:サーバ名
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:サーバ名
Email Address []:
}}
Caveat: this certificate carries the server name only in the Common Name and has no Subject Alternative Name extension. Docker is written in Go, and Go 1.15 and later ignore the Common Name when matching the host, so current Docker releases reject such a certificate for a host name as well ("x509: certificate relies on legacy Common Name field, use SANs instead"), not only for an IP address (see the notes at the end of this page). With OpenSSL 1.1.1 or later the SAN can be added on the same command line with -addext "subjectAltName=DNS:サーバ名" (use IP:... for an address), and the result checked with openssl x509 -in certs/サーバ名.crt -noout -text.
#html(</div>)

* Create docker-compose.yml [#g2b1de37]
#html(<div class="pl10">)
.env
#mycode2(){{
SERVER_NAME=サーバ名
}}
docker-compose.yml
#mycode2(){{
web:
  image: gitlab/gitlab-ce:latest
  restart: always
  hostname: localhost
  container_name: mygitlab
  environment:
    GITLAB_OMNIBUS_CONFIG: |
      external_url "https://${SERVER_NAME}"
      registry_external_url "https://${SERVER_NAME}:4567"
      registry_nginx['ssl_certificate'] = "/var/certs/${SERVER_NAME}.crt"
      registry_nginx['ssl_certificate_key'] = "/var/certs/${SERVER_NAME}.key"
  ports:
    - '80:80'
    - '443:443'
    - '8022:22'
    - '4567:4567'
  volumes:
    - './certs:/var/certs'
}}
${SERVER_NAME} is substituted by docker-compose from .env before the file is used, so the certificate file names under ./certs must match the value set there. Note that the certificate is only configured for the registry's nginx (port 4567); the GitLab web interface on port 443 gets an https external_url with no certificate, which is what triggers the Let's Encrypt attempt seen in the next step.
#html(</div>)

* Build / start [#gdb545fb]
#html(<div class="pl10">)
#myterm2(){{
docker-compose up -d
}}
After a while the following log appears and the container restarts.
GitLab Omnibus is trying to obtain a certificate through Let's Encrypt: when external_url is https and no certificate is configured for the main nginx, the Let's Encrypt integration is enabled by default. It fails here because the ACME server will not issue a certificate for a bare IP address, and it is unnecessary anyway since the certificate was created by hand above. Adding letsencrypt['enable'] = false to GITLAB_OMNIBUS_CONFIG disables the attempt; alternatively, point nginx['ssl_certificate'] and nginx['ssl_certificate_key'] at the self-made certificate as was done for registry_nginx.
#myterm2(){{
docker logs -f mygitlab
================================================================================
Error executing action `create` on resource 'letsencrypt_certificate[XXX.XXX.XXX.XXX]'
================================================================================
Recipe: gitlab::gitlab-rails
  * execute[clear the gitlab-rails cache] action run
    - execute /opt/gitlab/bin/gitlab-rake cache:clear
Recipe: <Dynamically Defined Resource>
  * service[gitaly] action restart
    - restart service service[gitaly]
Recipe: gitaly::enable
  * runit_service[gitaly] action hup
    - send hup to runit_service[gitaly]
Recipe: <Dynamically Defined Resource>
  * service[gitlab-workhorse] action restart
    - restart service service[gitlab-workhorse]
  * service[registry] action restart
    - restart service service[registry]
  * service[gitlab-exporter] action restart
    - restart service service[gitlab-exporter]
  * service[redis-exporter] action restart
    - restart service service[redis-exporter]
  * service[prometheus] action restart
    - restart service service[prometheus]
Recipe: monitoring::prometheus
  * execute[reload prometheus] action run
    - execute /opt/gitlab/bin/gitlab-ctl hup prometheus
Recipe: <Dynamically Defined Resource>
  * service[alertmanager] action restart
    - restart service service[alertmanager]
  * service[postgres-exporter] action restart
    - restart service service[postgres-exporter]
  * service[grafana] action restart
    - restart service service[grafana]

Running handlers:
There was an error running gitlab-ctl reconfigure:

letsencrypt_certificate[XXX.XXX.XXX.XXX] (letsencrypt::http_authorization line 5) had an error: Acme::Client::Error::RejectedIdentifier: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error: Acme::Client::Error::RejectedIdentifier: Error creating new order :: Cannot issue for "XXX.XXX.XXX.XXX": The ACME server can not issue a certificate for an IP address

Running handlers complete
Chef Client failed. 539 resources updated in 03 minutes 09 seconds
}}
#html(</div>)

* Push an image [#q0917c6b]
#html(<div class="pl10">)
#myterm2(){{
docker login サーバ名:4567

# pull some image to work with
docker pull ubuntu

# tag and push
docker image tag ubuntu サーバ名:4567/group1/myproject1
docker push サーバ名:4567/group1/myproject1

# tag and push as ver2
docker image tag ubuntu サーバ名:4567/group1/myproject1:ver2
docker push サーバ名:4567/group1/myproject1:ver2
}}
Log in with a GitLab account that can write to the project (or a personal access token with the write_registry scope); the path below the host, group1/myproject1, must be an existing GitLab project, since the registry namespace is the project path. The Docker daemon on the client must also trust the self-signed certificate: copy certs/サーバ名.crt to /etc/docker/certs.d/サーバ名:4567/ca.crt on the client, otherwise docker login fails with "x509: certificate signed by unknown authority".

State after the push
#html(<div style="display: inline-block; border: 1px solid #333">)
#ref(gitlab_container_registry.png)
#html(</div>)
#html(</div>)

* Notes [#a68ade77]
#html(<div class="pl10">)
When the server name is an IP address, the Subject Alternative Name of the certificate is checked as well, so the certificate must carry that address as an IP SAN.
Otherwise docker login fails as follows:
#myterm2(){{
Error response from daemon: Get https://192.168.0.12:4567/v2/: x509: cannot validate certificate for 192.168.0.12 because it doesn't contain any IP SANs
}}
The check is performed by the Go crypto/x509 package Docker is built with: for an IP target the Common Name is never consulted, only the IP-address entries of the SAN extension. A certificate whose SAN contains IP:192.168.0.12 passes; one that has the address only in the Common Name, as the openssl command above produces, does not.
Reference: [[サーバ名がIPアドレスの場合のSSL証明書作成]]

Related articles
- [[Apache+openSSLでクライアント認証]]
- [[Javaでhttps通信時の証明書検証について]]
#html(</div>)
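The SAN requirement from the certificate section and from the notes above, shown end to end in Go, the language Docker and its certificate verification (crypto/x509) are written in. This is an added example, not code from this page, from GitLab or from Docker. It issues two self-signed certificates in memory, one with only a Common Name (what the openssl command on this page produces) and one with DNS and IP SANs, then runs the same chain-plus-hostname verification that docker login runs, with the certificate itself as the trust anchor. The host name registry.example.test and the addresses 192.168.0.12 and 10.0.0.1 are sample values chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SelfSigned issues a self-signed server certificate, as "openssl req -x509"
// does, but lets the caller put host names and IP addresses into the
// Subject Alternative Name extension. With empty dnsNames and ipStrs the
// certificate has a Common Name only, like the one made on this page.
func SelfSigned(cn string, dnsNames []string, ipStrs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var ips []net.IP
	for _, s := range ipStrs {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("not an IP address: %q", s)
		}
		ips = append(ips, ip)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{cn}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              dnsNames, // DNS SANs
		IPAddresses:           ips,      // IP SANs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckRegistryHost performs the validation docker login performs for
// https://host:4567/v2/: the certificate must chain to a trusted root (here
// itself, as after copying it to /etc/docker/certs.d/host:4567/ca.crt) and
// its SANs must match the host part of the registry address.
func CheckRegistryHost(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IsHostnameMismatch reports whether err is the name-mismatch class of error
// ("doesn't contain any IP SANs", "relies on legacy Common Name field", ...),
// as opposed to an untrusted-chain or expiry error.
func IsHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	// Common Name only: the form the openssl command on this page produces.
	cnOnly, _ := SelfSigned("192.168.0.12", nil, nil)
	fmt.Println("CN only  :", CheckRegistryHost(cnOnly, "192.168.0.12"))

	// Same subject, but with DNS and IP SANs (sample values).
	withSAN, _ := SelfSigned("192.168.0.12", []string{"registry.example.test"}, []string{"192.168.0.12"})
	fmt.Println("IP SAN   :", CheckRegistryHost(withSAN, "192.168.0.12"))
	fmt.Println("DNS SAN  :", CheckRegistryHost(withSAN, "registry.example.test"))
	fmt.Println("other IP :", CheckRegistryHost(withSAN, "10.0.0.1"))
}
```

Running it prints the exact message from the notes above for the CN-only certificate ("cannot validate certificate for 192.168.0.12 because it doesn't contain any IP SANs"), nil for the two SAN matches, and a mismatch again for an address not listed in the SAN. The same function is a quick offline check for any certificate you are about to hand to Docker: parse it with x509.ParseCertificate and call CheckRegistryHost with the host string you will use in docker login.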