Credential Helper Configuration Documentation

Article ID: 336289


Products

VMware vCenter Server

Environment

VMware vCenter Server 7.0.x

Resolution

Introduction

The plain Docker login command, 'docker login', stores the user's login credential on the Docker client, where the vSphere user credential can be exposed. The vRegistry / Harbor Docker credential helper addresses this security risk and gives vSphere users a secure way to log in through the Docker CLI.

This document mainly covers the certificate and proxy configuration for Linux, Windows and Mac OS.

Certificate configuration

Linux
  1. Log in to the vSphere UI, navigate to the Image Registry option under the Configure tab for the cluster, and click Download SSL Root Certificate. Save the registry CA certificate locally as ca.crt.
  2. Get the Harbor certificate and save it to the following location (192.168.123.2 is the Harbor IP address in this example):
/etc/docker/certs.d/192.168.123.2/ca.crt
  3. Restart Docker.

Windows 10
  1. Log in to the vSphere UI, navigate to the Image Registry option under the Configure tab for the cluster, and click Download SSL Root Certificate. Save the registry CA certificate locally as ca.crt.
  2. Install the certificate on Windows:
    1. Open Windows Explorer, right-click the file you’ve downloaded, and choose Install certificate.
    2. Then, select the following options:
    3. Store location: local machine
    4. Check "Place all certificates in the following store"
    5. Click Browse, and select Trusted Root Certification Authorities
    6. Click Finish
  3. Copy the certificate obtained in step 1 to the following location on your local machine:
C:\ProgramData\Docker\certs.d\<harbor_ip>\ca.crt
  4. Restart Docker.

Windows 7
  1. Log in to the vSphere UI, navigate to the Image Registry option under the Configure tab for the cluster, and click Download SSL Root Certificate. Save the registry CA certificate locally as ca.crt.
  2. Install the certificate on Windows by following the steps below:
    1. Open Windows Explorer, right-click the file you’ve downloaded, and choose Install certificate.
    2. Then, select the following options:
    3. Store location: local machine
    4. Check "Place all certificates in the following store"
    5. Click Browse, and select Trusted Root Certification Authorities
    6. Click Finish
  3. Copy the certificate obtained in step 1 to the following location on your local machine:
C:\ProgramData\Docker\certs.d\<harbor_ip>\ca.crt
  4. To copy the certificate obtained in step 1 into Docker's certificate store, run these commands:
  • docker-machine ssh default
  • sudo -s
  • mkdir /var/lib/boot2docker/certs
  • Copy ca.crt to the folders /var/lib/boot2docker/certs/ and /etc/docker/certs.d/
  5. Restart Docker:
docker-machine restart default

Mac OS
  1. Log in to the vSphere UI, navigate to the Image Registry option under the Configure tab for the cluster, and click Download SSL Root Certificate. Save the registry CA certificate locally as ca.crt.
  2. Get the Harbor certificate and save it to the following locations:
  • /etc/docker/certs.d/<harbor_ip>/ca.crt
  • ~/.docker/certs.d/<harbor_ip>/ca.crt

Proxy configuration

Linux
  1. Add the proxy IP and port to the proxy config file at /etc/systemd/system/docker.service.d/proxy.conf as follows:
[Service]
Environment="HTTP_PROXY=http://<proxy_ip>:<proxy_port>"
Environment="HTTPS_PROXY=http://<proxy_ip>:<proxy_port>"
  2. Export the proxy variables in the terminal where you need proxy access:
export HTTP_PROXY=http://<proxy_ip>:<proxy_port>
export HTTPS_PROXY=http://<proxy_ip>:<proxy_port>
  3. Restart Docker:
sudo systemctl daemon-reload
sudo systemctl restart docker
  4. If docker login fails with a permission denied error, you may need to run the following command. Mode 666 makes the Docker socket writable by every local user, which is equivalent to granting them root on the host:
sudo chmod 666 /var/run/docker.sock

Windows 10
  1. Add the proxy IP address and port to the proxies in the docker config file at location ~/.docker/config.json as follows:
{
    "auths": {},
    "credsStore": "desktop",
    "proxies": {
        "default": {
            "httpProxy": "http://<proxy_ip>:<proxy_port>",
            "httpsProxy": "http://<proxy_ip>:<proxy_port>"
        }
    },
    "experimental": "enabled",
    "stackOrchestrator": "swarm"
}
  2. Add the following values to the system environment variables as well:
HTTP_PROXY = "http://<proxy_ip>:<proxy_port>"
HTTPS_PROXY = "http://<proxy_ip>:<proxy_port>"
  3. Add the gateway VM IP to the manual proxy configuration for Docker as well.
  4. Restart Docker.

Windows 7
  1. Add the proxy IP address and port to the proxies in the docker config file at location ~/.docker/config.json as follows:
{
    "auths": {},
    "credsStore": "desktop",
    "proxies": {
        "default": {
            "httpProxy": "http://<proxy_ip>:<proxy_port>",
            "httpsProxy": "http://<proxy_ip>:<proxy_port>"
        }
    },
    "experimental": "enabled",
    "stackOrchestrator": "swarm"
}
  2. Add the gateway VM IP to the manual proxy configuration for Docker as well:
docker-machine ssh default
sudo -s

  3. Add the following to the file /var/lib/boot2docker/profile:
export HTTP_PROXY=http://<proxy_ip>:<proxy_port>
export HTTPS_PROXY=http://<proxy_ip>:<proxy_port>
  4. Restart Docker:
docker-machine restart default

Mac OS
  1. Add the proxy IP and port to the list of proxies in the docker config file at location ~/.docker/config.json as follows:
{
  "proxies" : {
    "default" : {
      "httpsProxy" : "http://<proxy_ip>:<proxy_port>",
      "httpProxy" : "http://<proxy_ip>:<proxy_port>"
    }
  },
  "credsStore" : "osxkeychain",
  "stackOrchestrator" : "swarm"
}
  2. Add the proxy IP and port to the manual proxy configuration for Docker as well.
  3. Restart Docker.
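
The check below is an added example, not part of the original article or of VMware's tooling: it audits the text of a ~/.docker/config.json for the risk described in the introduction (a credential written into the file because no credential store is configured) and for proxy entries that are malformed or carry a password. The function name, the sample account and the 10.0.0.5 proxy address are constructed for illustration; "auths", "credsStore", "credHelpers" and "proxies" are the standard Docker client config keys.

```python
import base64
import json
from urllib.parse import urlsplit


def audit_docker_config(text):
    """Return findings for the text of a Docker client config.json."""
    cfg = json.loads(text)
    findings = []
    # Without a credential store, `docker login` writes the secret into "auths".
    if not cfg.get("credsStore") and not cfg.get("credHelpers"):
        findings.append("no credsStore/credHelpers configured")
    for registry, entry in cfg.get("auths", {}).items():
        blob = entry.get("auth")
        if not blob:
            continue  # empty entry: the secret is held by the helper
        try:
            user = base64.b64decode(blob).decode("utf-8", "replace").split(":", 1)[0]
        except ValueError:
            user = "<undecodable>"
        findings.append(f"{registry}: inline credential for user {user!r}")
    for scope, proxy in cfg.get("proxies", {}).items():
        for key in ("httpProxy", "httpsProxy"):
            url = proxy.get(key)
            if not url:
                continue
            try:
                parts = urlsplit(url)
                parts.port  # raises ValueError for an unfilled <proxy_port>
                valid = parts.scheme in ("http", "https") and bool(parts.hostname)
            except ValueError:
                valid = False
            if not valid:
                findings.append(f"proxies.{scope}.{key}: malformed URL")
            elif parts.password:
                findings.append(f"proxies.{scope}.{key}: password stored in clear text")
    return findings


# Constructed sample: an inline login plus a hand-edited proxy section.
RISKY = json.dumps({
    "auths": {"192.168.123.2": {"auth": base64.b64encode(b"devuser:constructed-pw").decode()}},
    "proxies": {"default": {"httpProxy": "http://svc:constructed-pw@10.0.0.5:3128",
                            "httpsProxy": "http://<proxy_ip>:<proxy_port>"}},
})

if __name__ == "__main__":
    for finding in audit_docker_config(RISKY):
        print(finding)
```

A config that names a credential store, has empty "auths" entries and uses filled-in proxy URLs without embedded passwords returns an empty list.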