github.com/jogo/docker@v1.7.0-rc1/docs/sources/docker-hub-enterprise/configuration.md

page_title: Docker Hub Enterprise: Configuration options
page_description: Configuration instructions for Docker Hub Enterprise
page_keywords: docker, documentation, about, technology, understanding, enterprise, hub, registry

# Configuring DHE

## Overview

This page will help you configure Docker Hub Enterprise (DHE) so that it can
run in your environment.

Start with DHE loaded in your browser and click the "Settings" tab to view the
configuration options. You'll see options for configuring:

* Domains and ports
* Security settings
* Storage settings
* Authentication settings
* Your DHE license

## Domains and Ports

![Domain and Ports page</admin/settings#http>](../assets/admin-settings-http.png)

* *Domain Name*: **required**, defaults to an empty string. The fully qualified
  domain name assigned to the DHE host. This is the name clients use to reach
  the registry, so the server certificate (see [Security](#security)) must be
  issued for it and it must be resolvable by every client Docker daemon.
* *Load Balancer HTTP Port*: defaults to 80; the entry point for the image
  storage service. To see load balancer status, you can query
  `http://<dhe-host>/load_balancer_status`.
* *Load Balancer HTTPS Port*: defaults to 443; the secure entry point for the
  image storage service.
* *HTTP_PROXY*: defaults to an empty string; proxy server for HTTP requests.
* *HTTPS_PROXY*: defaults to an empty string; proxy server for HTTPS requests.
* *NO_PROXY*: defaults to an empty string; comma-separated list of hosts that
  bypass the proxy for HTTP and HTTPS requests.

> **Note**: If you need DHE to re-generate its self-signed certificate at some
> point, first delete `/usr/local/etc/dhe/ssl/server.pem`, then restart the DHE
> containers, either by changing and saving the "Domain Name" or by running
> `bash -c "$(docker run dockerhubenterprise/manager restart)"`.
## Security

![Security settings page</admin/settings#security>](../assets/admin-settings-security.png)

* *SSL Certificate*: the PEM-encoded text of the server certificate, followed
  by any intermediate certificates. It must be accompanied by its private key,
  entered below.
* *Private Key*: the PEM-encoded private key belonging to the SSL Certificate
  above (the two form a standard X.509 key pair). After saving, both fields
  display `#` characters in place of the text you pasted. Keep the key out of
  version control and limit who can administer this page, since whoever can
  edit it can replace the registry's identity.

In order to run, DHE requires encrypted communications via HTTPS/SSL between
(a) the DHE registry and your Docker Engine(s), and (b) your web browser and
the DHE admin server. There are a few options for setting this up:

1. You can use the self-signed certificate DHE generates by default.
2. You can generate your own certificates using a public service or your
   enterprise's infrastructure. See the
   [Generating SSL certificates](#generating-ssl-certificates) section for the
   options available.

If you are generating your own certificates, you can install them by following
the instructions for
[Adding your own registry certificates to DHE](#adding-your-own-registry-certificates-to-dhe).

On the other hand, if you choose to use the DHE-generated certificate, or the
certificates you generate yourself are not trusted by your client Docker hosts,
you will need to do one of the following:

* [Install the registry certificate on all of your client Docker daemons](#installing-registry-certificates-on-client-docker-daemons), or
* Set your [client Docker daemons to run with an unverified connection to the registry](#if-you-cant-install-the-certificates).

The first option is the safe one; the second disables certificate verification
for that registry.

### Generating SSL certificates

There are three basic approaches to generating certificates:

1. Most enterprises will have a public key infrastructure (PKI) in place to
   issue certificates. Consult with your security team or whoever manages your
   PKI. If you have this resource available, Docker recommends you use it.

2.
   If your enterprise can't provide certificates, you can use a public
   Certificate Authority (CA) such as "InstantSSL.com" or "RapidSSL.com" to
   obtain one. If your certificate is issued by a globally trusted CA, you
   won't need to install it on all of your client Docker daemons.

3. Use the self-signed registry certificate generated by DHE, and install it
   onto the client Docker daemon hosts as shown below.

### Adding your own Registry certificates to DHE

Whichever method you use to generate certificates, once you have them you can
set up your DHE server to use them by navigating to the "Settings" page, going
to "Security", and pasting the SSL certificate text (including all
intermediate certificates, starting with the host certificate and ending with
the certificate closest to the root) into the "SSL Certificate" edit box, and
the previously generated private key into the "SSL Private Key" edit box.

Click the "Save" button, and then wait for the DHE Admin site to restart and
reload. It should now be using the new certificate.

Once the "Security" page has reloaded, it will show `#` hashes instead of the
certificate text you pasted in.

If your certificate is signed by a chain of Certificate Authorities that is
already trusted by your Docker daemon hosts, you can skip the "Installing
registry certificates" step below.

### Installing Registry certificates on client Docker daemons

If your certificate is not issued by a Certificate Authority that your hosts
already trust, you will need to install it on each client Docker daemon host.

The procedure for installing the DHE certificate on each Linux distribution has
slightly different steps, as shown below.
You can test this certificate using `curl`:

```
$ curl https://dhe.yourdomain.com/v2/
curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

$ curl --cacert /usr/local/etc/dhe/ssl/server.pem https://dhe.yourdomain.com/v2/
{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]}
```

The first call fails because the self-signed certificate is not in curl's CA
bundle. The second succeeds at the TLS layer: the `UNAUTHORIZED` body is the
registry's normal reply to an unauthenticated request to `/v2/`, so seeing it
confirms that the certificate was accepted.

Continue by following the steps corresponding to your chosen OS. The
`openssl s_client` one-liners below download the certificate over a connection
that is not yet verified, so a machine-in-the-middle could hand you its own
certificate; before trusting the downloaded file, compare its fingerprint
(`openssl x509 -in <file> -noout -fingerprint -sha256`) with the fingerprint of
`/usr/local/etc/dhe/ssl/server.pem` taken on the DHE host. Note also that
`openssl x509` keeps only the first certificate it reads, which is the leaf;
that is exactly what you want for the self-signed DHE certificate.

#### Ubuntu/Debian

```
$ export DOMAIN_NAME=dhe.yourdomain.com
$ openssl s_client -connect $DOMAIN_NAME:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee /usr/local/share/ca-certificates/$DOMAIN_NAME.crt
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
$ sudo service docker restart
docker stop/waiting
docker start/running, process 29291
```

#### RHEL

```
$ export DOMAIN_NAME=dhe.yourdomain.com
$ openssl s_client -connect $DOMAIN_NAME:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee /etc/pki/ca-trust/source/anchors/$DOMAIN_NAME.crt
$ sudo update-ca-trust
$ sudo /bin/systemctl restart docker.service
```

#### Boot2Docker 1.6.0

Install the CA cert (or the auto-generated cert) by adding the following to
your `/var/lib/boot2docker/bootsync.sh`:

```
#!/bin/sh

cat /var/lib/boot2docker/server.pem >> /etc/ssl/certs/ca-certificates.crt
```

Then get the certificate from the new DHE server using:

```
$ openssl s_client -connect dhe.yourdomain.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee -a /var/lib/boot2docker/server.pem
```

If your certificate chain is complicated, you may want to use the changes in
[Pull request 807](https://github.com/boot2docker/boot2docker/pull/807/files).

Now you can either reboot your Boot2Docker virtual machine, or run the following
to install the server certificate, and then restart the Docker daemon:

```
$ sudo chmod 755 /var/lib/boot2docker/bootsync.sh
$ sudo /var/lib/boot2docker/bootsync.sh
$ sudo /etc/init.d/docker restart
```

### If you can't install the certificates

If for some reason you can't install the certificate chain on a client Docker
host, or your certificate is not issued by a CA that the host trusts, you can
configure your Docker daemon to treat the registry as "insecure". This is done
by adding an extra flag, `--insecure-registry host-ip|domain-name`, to your
client Docker daemon startup flags. You'll need to restart the Docker daemon
for the change to take effect.
This flag means that the client Docker daemon no longer verifies the
registry's certificate, so it cannot tell whether the connection is being
hijacked or diverted. For a registry listed as insecure the daemon first tries
HTTPS while ignoring certificate errors, and if HTTPS is unavailable it falls
back to plain HTTP, so the traffic is not even guaranteed to be encrypted.
Treat this as a stop-gap for test hosts; installing the certificate as
described above is the supported fix.

> **Note**: the "Domain Name" entered in the "Domains and Ports" settings
> needs to be DNS resolvable on any client Docker daemons that are running in
> "insecure-registry" mode.

To set the flag, follow the directions below for your operating system.

#### Ubuntu

On Ubuntu 14.04 LTS, you customize the Docker daemon configuration with the
`/etc/default/docker` file.

Open or create the `/etc/default/docker` file, and add the
`--insecure-registry` flag to the `DOCKER_OPTS` setting (which may need to be
added or uncommented) as follows:

```
DOCKER_OPTS="--insecure-registry dhe.yourdomain.com"
```

Then restart the Docker daemon with `sudo service docker restart`.

#### RHEL

On RHEL, you customize the Docker daemon configuration with the
`/etc/sysconfig/docker` file.

Open or create the `/etc/sysconfig/docker` file, and add the
`--insecure-registry` flag to the `OPTIONS` setting (which may need to be
added or uncommented) as follows:

```
OPTIONS="--insecure-registry dhe.yourdomain.com"
```

Then restart the Docker daemon with `sudo service docker restart`.

#### Boot2Docker

On Boot2Docker, you customize the Docker daemon configuration with the
`/var/lib/boot2docker/profile` file.

Open or create the `/var/lib/boot2docker/profile` file, and add an `EXTRA_ARGS`
setting as follows:

```
EXTRA_ARGS="--insecure-registry dhe.yourdomain.com"
```

Then restart the Docker daemon with `sudo /etc/init.d/docker restart`.
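The following shell script is an added example written for this page; it is not part of DHE or the Docker project. It bundles the certificate-installation route above into one checked procedure so that `--insecure-registry` is never needed: it fetches the chain the registry presents, refuses to continue unless the leaf certificate's SHA-256 fingerprint matches a value you obtained out of band on the DHE host (`openssl x509 -in /usr/local/etc/dhe/ssl/server.pem -noout -fingerprint -sha256`), installs the topmost certificate served into the Debian/Ubuntu or RHEL trust store, restarts the daemon, and confirms TLS with `curl` against `/v2/`. The `debian`/`rhel` family names, the host `dhe.example.com` in the usage line, and the fingerprint argument are assumptions of this example; Boot2Docker's `bootsync.sh` mechanism is not covered.

```shell
#!/bin/sh
# Added example: pin-and-install a DHE registry certificate on a client
# Docker host. Not part of the DHE documentation or product.
# Usage (as root):
#   sh install-dhe-cert.sh install dhe.example.com <sha256-fingerprint> debian|rhel
# The fingerprint must come from the DHE host itself, not from this script's
# own download, otherwise the pin protects nothing.
set -eu

# Number of certificates in a PEM bundle ($1 = file).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the Nth certificate (1-based) of a PEM bundle: $1 = file, $2 = N.
# `openssl s_client -showcerts` emits the leaf first and the CA last.
pem_nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# SHA-256 fingerprint of the certificate in $1 as AB:CD:... (needs openssl).
cert_sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Compare two fingerprints ignoring case and colon separators.
normalize_fp() { printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'; }
fingerprint_matches() { [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]; }

# Trust-anchor file for a distro family: $1 = debian|rhel, $2 = host name.
ca_store_path() {
    case "$1" in
        debian) printf '%s\n' "/usr/local/share/ca-certificates/$2.crt" ;;
        rhel)   printf '%s\n' "/etc/pki/ca-trust/source/anchors/$2.crt" ;;
        *)      echo "unsupported distro family: $1" >&2; return 1 ;;
    esac
}

# Command that rebuilds the system trust store for a distro family.
ca_update_cmd() {
    case "$1" in
        debian) echo update-ca-certificates ;;
        rhel)   echo update-ca-trust ;;
        *)      echo "unsupported distro family: $1" >&2; return 1 ;;
    esac
}

restart_docker() {
    case "$1" in
        debian) service docker restart ;;
        rhel)   systemctl restart docker.service ;;
    esac
}

# Fetch, pin, install, restart, verify.
# $1 = registry host, $2 = expected leaf fingerprint, $3 = distro family.
install_registry_cert() {
    host=$1; expected=$2; distro=$3
    store=$(ca_store_path "$distro" "$host")   # fails early on a bad family
    bundle=$(mktemp); leaf=$(mktemp)
    # -servername sends SNI so a name-based virtual host returns the right cert.
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null >"$bundle"
    n=$(pem_cert_count "$bundle")
    [ "$n" -ge 1 ] || { echo "no certificate received from $host" >&2; return 1; }
    pem_nth_cert "$bundle" 1 >"$leaf"
    actual=$(cert_sha256_fingerprint "$leaf")
    if ! fingerprint_matches "$expected" "$actual"; then
        echo "REFUSING: leaf fingerprint $actual does not match expected $expected" >&2
        rm -f "$bundle" "$leaf"; return 1
    fi
    # Trust the topmost certificate served: the self-signed DHE certificate
    # when n is 1, otherwise the issuing CA that signed the pinned leaf.
    pem_nth_cert "$bundle" "$n" >"$store"
    "$(ca_update_cmd "$distro")"
    restart_docker "$distro"
    rm -f "$bundle" "$leaf"
    # Once TLS is trusted the registry answers 401 to an unauthenticated /v2/
    # request; a TLS failure makes curl exit non-zero before any HTTP status.
    code=$(curl -sS -o /dev/null -w '%{http_code}' "https://$host/v2/")
    echo "TLS to $host verified (HTTP $code from /v2/)"
}

if [ "${1:-}" = "install" ]; then
    install_registry_cert "$2" "$3" "$4"
fi
```

Only the `install_registry_cert` step touches the network and the trust store; the helpers that split the PEM bundle, pick the store path and compare fingerprints are plain POSIX shell and can be reused in your own provisioning tooling.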
## Image Storage Configuration

DHE offers multiple methods for image storage, which are defined using
specific storage drivers. Image storage can be local, remote, or on a cloud
service such as S3. Storage drivers can be added or customized via the DHE
storage driver API.

![Storage settings page</admin/settings#storage>](../assets/admin-settings-storage.png)

* *Yaml configuration file*: This file (`/usr/local/etc/dhe/storage.yml`) is
  used to configure the image storage services. The editable text of the file
  is displayed in the dialog box. The schema of this file is identical to that
  used by the [Registry 2.0](http://docs.docker.com/registry/configuration/).
  Cloud driver credentials (for example S3 access keys) live in this file, so
  restrict read access to it and keep it out of version control.
* If you are using the file system driver to provide local image storage, you
  will need to specify a root directory, which is mounted as a sub-path of
  `/var/local/dhe/image-storage`. The default value of this root directory is
  `/local`, so the full path to it is `/var/local/dhe/image-storage/local`.

> **Note:**
> Saving changes you've made to settings will restart the Docker Hub
> Enterprise instance. The restart may cause a brief interruption for users of
> the image storage system.

## Authentication

The "Authentication" settings tab lets DHE administrators control access to
the DHE web admin tool and to the DHE Registry.

The current authentication methods are `None`, `Basic` and `LDAP`.

> **Note**: if you have issues logging into the DHE admin web interface after
> changing the authentication settings, you may need to use the
> [emergency access to the DHE admin web interface](./adminguide.md#Emergency-access-to-the-dhe-admin-web-interface).

### No authentication

No authentication means that anyone who can reach your DHE web administration
site or registry can use them without logging in. This is not recommended for
any use other than testing.
### Basic authentication

The `Basic` authentication setting allows the admin to provide
username/password pairs local to DHE. Any user who can successfully
authenticate can use DHE to push and pull Docker images. You can optionally
restrict access to the DHE admin web interface to a subset of those users.

![Basic authentication settings page</admin/settings#auth>](../assets/admin-settings-authentication-basic.png)

* A button to add one user, or to upload a CSV file containing username,
  password pairs
* A DHE website Administrator Filter, allowing you to either
  * *Allow all authenticated users*: to log into the DHE admin web interface, or
  * *Whitelist usernames*: which allows you to restrict access to the web
    interface to a listed set of users.

### LDAP authentication

Using LDAP authentication allows you to integrate your DHE registry into your
organization's existing user and authentication database.

As this involves existing infrastructure external to DHE and Docker, you will
need to gather the details required to configure DHE for your organization's
particular LDAP implementation.

You can test that you have the necessary LDAP server information by using it
from inside a Docker container running on the same server as your DHE:

> **Note**: if the LDAP server is configured to use *StartTLS*, then you need
> to add `-Z` to the `ldapsearch` command examples below. `-ZZ` makes
> `ldapsearch` fail instead of silently continuing in clear text when StartTLS
> cannot be negotiated, which is what you want when verifying a TLS-only setup.
```
docker run --rm -it svendowideit/ldapsearch -h <LDAP Server hostname> -b <User Base DN> -D <Search User DN> -w <Search User Password>
```

or if the LDAP server is set up to allow anonymous access (which means your
*Search User DN* and *Search User Password* settings can remain empty):

```
docker run --rm -it svendowideit/ldapsearch -h <LDAP Server hostname> -b <User Base DN> -x
```

The result of these queries should be a (very) long list; if you get an
authentication error, then the details you have been given are not sufficient.

The *User Login Attribute* setting must match the attribute the LDAP server
uses for the user's login name. On OpenLDAP it's generally `uid`, and on
Microsoft Active Directory servers it's `sAMAccountName`. The `ldapsearch`
output above should allow you to confirm which setting you need: the attribute
must be present on every user entry and its value must be unique across
entries, otherwise two directory users could map to one DHE login.

![LDAP authentication settings page</admin/settings#auth>](../assets/admin-settings-authentication-ldap.png)

* *Use StartTLS*: defaults to unchecked; check to enable StartTLS. Without it,
  and with a plain `ldap://` URL, the search user's password and every user's
  login credentials cross the network in clear text.
* *LDAP Server URL*: **required**, defaults to null; LDAP server URL (e.g. `ldap://example.com`).
* *User Base DN*: **required**, defaults to null; user base DN (e.g. `dc=example,dc=com`).
* *User Login Attribute*: **required**, defaults to null; user login attribute (e.g. `uid` or `sAMAccountName`).
* *Search User DN*: **required**, defaults to null; search user DN (e.g. `domain\username`). Use a read-only directory account created for this purpose.
* *Search User Password*: **required**, defaults to null; search user password.
* A *DHE Registry User filter*, allowing you to either
  * *Allow all authenticated users* to push or pull any images, or
  * *Filter LDAP search results*: which allows you to restrict DHE registry pull and push to users matching the LDAP filter, or
  * *Whitelist usernames*: which allows you to restrict DHE registry pull and push to the listed set of users.
* A *DHE website Administrator filter*, allowing you to either
  * *Allow all authenticated users*: to log into the DHE admin web interface, or
  * *Filter LDAP search results*: which allows you to restrict DHE admin web access to users matching the LDAP filter, or
  * *Whitelist usernames*: which allows you to restrict access to the web interface to the listed set of users.

## Next Steps

For information on getting support for DHE, take a look at the
[Support information](./support.md).
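As an added check for the LDAP authentication section above (example code written for this page, not part of DHE or the Docker project), the script below turns the "confirm which login attribute you need" step into something you can run against an LDIF dump: it counts user entries, counts how many carry the candidate *User Login Attribute*, and lists any value shared by more than one entry, treating values case-insensitively since LDAP login names usually are. The embedded LDIF is a constructed sample in which a second entry reuses `uid: bob`; the `dump_users` helper assumes the OpenLDAP client tools (`ldap-utils` on Debian/Ubuntu, `openldap-clients` on RHEL) and reads the search user's password from a file so it does not appear in the process list. The `ldapsearch -o ldif-wrap=no` option keeps long values on one line; folded continuation lines are not otherwise joined.

```shell
#!/bin/sh
# Added example: check that an LDAP attribute is fit to be the DHE
# "User Login Attribute". Not part of the DHE documentation or product.
# Usage: sh check-login-attr.sh [ldif-file] [attribute]
#   With no arguments it runs against the constructed sample below.
set -eu

# Dump the user base as LDIF for offline checking. Assumes OpenLDAP's
# ldapsearch: -x simple bind, -LLL plain LDIF, -y password file.
# $1 = ldap URL, $2 = user base DN, $3 = search user DN,
# $4 = file holding the search user's password, $5 = output file.
# Add -ZZ when the server uses StartTLS so a failed negotiation aborts.
dump_users() {
    ldapsearch -x -H "$1" -b "$2" -D "$3" -y "$4" -LLL -o ldif-wrap=no \
        '(objectClass=*)' >"$5"
}

# Number of entries in an LDIF file (one "dn:" line per entry).
ldif_entry_count() { grep -c '^dn:' "$1" || true; }

# Number of entries carrying attribute $2 (attribute names are case-insensitive).
ldif_attr_present_count() {
    awk -v attr="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^dn:/ { have = 0 }
        tolower($0) ~ "^" attr ":" && !have { have = 1; with++ }
        END { print with + 0 }
    ' "$1"
}

# Values of attribute $2 shared by more than one entry, lower-cased, sorted.
# An empty result means the attribute is unique across the dump.
ldif_attr_duplicates() {
    awk -v attr="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($0) ~ "^" attr ":" {
            v = substr($0, length(attr) + 2)   # everything after "attr:"
            sub(/^[ \t]+/, "", v)              # drop the separating space
            # "attr:: <base64>" values are not decoded; uniqueness is still
            # exact because identical values encode identically.
            seen[tolower(v)]++
        }
        END { for (v in seen) if (seen[v] > 1) print v }
    ' "$1" | sort
}

# Print a one-line summary; return 0 only if $2 is present on every entry
# of $1 and no value is shared.
ldif_check_login_attr() {
    entries=$(ldif_entry_count "$1")
    with=$(ldif_attr_present_count "$1" "$2")
    dups=$(ldif_attr_duplicates "$1" "$2")
    echo "attribute=$2 entries=$entries with_attribute=$with duplicates=[$(printf '%s' "$dups" | tr '\n' ' ')]"
    if [ "$with" -ne "$entries" ] || [ -n "$dups" ]; then
        return 1
    fi
    return 0
}

# Constructed sample (not real directory data): Carol's entry reuses Bob's uid.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example

dn: cn=Carol Example,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Carol Example
EOF
}

if [ "${1:-}" = "" ]; then
    f=$(mktemp); sample_ldif >"$f"
    ldif_check_login_attr "$f" uid || echo "uid is NOT usable as the login attribute"
    ldif_check_login_attr "$f" sAMAccountName || echo "sAMAccountName is NOT usable as the login attribute"
    rm -f "$f"
else
    ldif_check_login_attr "$1" "${2:-uid}"
fi
```

Run `dump_users` once against your real server (for example `dump_users ldap://ldap.example.com 'dc=example,dc=com' 'cn=dhe-search,dc=example,dc=com' /root/dhe-search.pw users.ldif`, all assumed names), then `sh check-login-attr.sh users.ldif uid` or `... sAMAccountName`; a non-zero exit means that attribute is either missing on some users or ambiguous and should not be used as the DHE login attribute.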