In our previous blogs, we have discussed various possible docker architectures and its integration with e-commerce platforms like Magento. In today’s discussion, we will setup a secure private docker registry.
Docker being a very powerful deployment tool, allows flexibility, scalability and centralisation. A centralised storage hub is facilitated by Docker hub, a public registry for storing docker images. Using Docker hub for storing and accessing docker images is indeed a good idea for Devops personnel, however you might not want to share everything on a public docker registry, making it accessible to everyone.
Docker provides its own image to setup a private docker registry, deploying which we can store docker images within our internal server architecture. All images stored in private docker registry will be saved on the server.
Docker Registry Setup
In our project, we are using Ubuntu 16.04 as Operating System and docker-registry version 2. To deploy docker registry, please ensure that you have latest versions of docker engine and docker-compose tool installed on your server.
For docker CE Installation:
|
1 |
https://docs.docker.com/install/linux/docker-ce/ubuntu/#install-docker-ce |
To install docker-compose tool:
|
1 |
https://docs.docker.com/compose/install/ |
Now, create a project directory for docker registry,
|
1 |
mkdir docker-registry |
Create a docker-compose.yml file and a directory naming data in the docker-registry directory. Contents of docker-compose.yml are,
|
1 2 3 4 5 6 7 8 9 10 11 |
registry: image: registry container_name: registry ports: - 5000:5000 environment: - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data - REGISTRY_STORAGE_DELETE_ENABLED=true volumes: - ./data:/data |
This docker-compose.yml file will pull registry:latest image and will run it on port 5000. Also, we are storing Images on our docker host, so we will map data directory with the registry storage filesystem root directory inside registry container. Also, we have enabled image deletion parameter in docker registry.
So far we have added a block for registry setup in docker-compose.yml file. Still our private docker registry is running over plain HTTP and is accessible to everyone having docker registry URL.
Now we will proceed with deploying SSL and user authentication mechanism in the registry. Create a directory nginx inside docker-registry directory. Upload your SSL certificates for your registry domain or create private SSL certificates to be added in nginx configuration file.
To generate private certificates, run the following command,
|
1 2 3 |
cd docker-registry/nginx/ && \ echo -e "\n\n\n\n\n\n\n" | openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout myregistry.key -out myregistry.crt |
For user authentication management, create a user for basic HTTP authentication as,
|
1 2 |
cd docker-registry/nginx htpasswd -c registry.password my_user |
Now, setup nginx configuration file as registry.conf inside nginx docker directory and mention path to SSL certificates, basic authentication configuration and registry info as,
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 |
upstream docker-registry { server registry:5000; } server { listen 80 default_server; server_name myregistry.com; return 302 https://$server_name$request_uri; } server { listen 443; server_name myregistry.com; # SSL ssl on; ssl_certificate /etc/nginx/conf.d/myregistry.crt; ssl_certificate_key /etc/nginx/conf.d/myregistry.key; # disable any limits to avoid HTTP 413 for large image uploads client_max_body_size 0; # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding on; # Do not allow connections from docker 1.5 and earlier # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents location = / { rewrite ^ https://$server_name$request_uri/v2/_catalog redirect; } location /v2/ { if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { return 404; } # To add basic authentication to v2 use auth_basic setting plus add_header auth_basic "registry.localhost"; auth_basic_user_file /etc/nginx/conf.d/registry.password; add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always; proxy_pass http://docker-registry; proxy_set_header Host $http_host; # required for docker client's sake proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 900; } } |
Here nginx will act as a SSL terminator for private docker registry. Now add Nginx block in docker-compose.yml.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
nginx: image: "nginx:1.9" container_name: nginx ports: - 443:443 - 80:80 links: - registry:registry volumes: - ./nginx/:/etc/nginx/conf.d/ registry: image: registry container_name: registry ports: - 5000:5000 environment: - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data - REGISTRY_STORAGE_DELETE_ENABLED=true volumes: - ./data:/data |
Now docker environment is ready to be created. We will build the images and deploy containers to run a secure private docker registry.
|
1 |
docker-compose up -d |
To check created docker images,
|
1 |
docker images |
To check running docker containers.
|
1 |
docker-compose ps |
Pushing an Image to Secured Private Docker Registry
Your secured private docker registry is ready to be used. We will now push a docker image to docker-registry. Lets pull docker image hello-world
|
1 |
docker pull hello-world |
Login to private docker registry and enter your registry auth user and password. As in this case,
|
1 |
docker login myregistry.com |
Now tag docker image hello-world with the registry,
|
1 |
docker tag hello-world myregistry.com/hello-world |
Push the tagged docker image as,
|
1 |
docker push myregitsry/hello-world |
Now check the uploaded image on docker registry from terminal using curl,
|
1 |
curl -u my_user:my_user_password https://myregistry.com/v2/_catalog |
Above command will list images in json format. We can also check list of docker images stored on registry by inspecting data directory on docker host,
|
1 |
ls docker-registry/data/docker/registry/v2/repositories/ |
In order to delete any particular image, first check image availability along with its tag as,
|
1 |
curl -u my_user:my_user_password https://registry.com/v2/mention_image_name/tags/list |
Now, delete image repositories and blobs, and restart registry container as,
|
1 2 3 4 |
cd docker-registry/data/docker/registry/v2/repositories/ rm -rf mention_image_name docker exec -ti registry bin/registry garbage-collect /etc/docker/registry/config.yml docker-compose restart registry |
Finally, list all the images of docker registry to check available images,
|
1 |
curl -u my_user:my_user_password https://myregistry.com/v2/_catalog |
At last, you are all set to launch your own private docker registry over ssl. Explore more and more with docker containers and docker registry applications. A well managed container architecture lays strong foundation of distributed architecture.
You can discuss your doubts and queries with us at [email protected].
Be the first to comment.