In our previous blogs, we have discussed various possible docker architectures and its integration with e-commerce platforms like Magento. In today’s discussion, we will setup a secure private docker registry.<\/p>\n
Docker being a very powerful deployment tool, allows flexibility, scalability and centralisation. A centralised storage hub is facilitated by\u00a0Docker hub<\/a>, a public registry for storing docker images. Using Docker hub for storing and accessing docker images is indeed a good idea for Devops personnel, however you might not want to share everything on a public docker registry, making it accessible to everyone.<\/p>\n Docker provides its own image to setup a private docker registry, deploying which we can store docker images within our internal server architecture. All images stored in private docker registry will be saved on the server.<\/p>\n <\/p>\n <\/p>\n In our project, we are using Ubuntu 16.04 as Operating System and docker-registry version 2. To deploy docker registry, please ensure that you have latest versions of docker engine and docker-compose tool installed on your server.<\/p>\n For docker CE Installation:<\/p>\n <\/p>\n <\/p>\n To install docker-compose tool:<\/p>\n <\/p>\n <\/p>\n Now, create a project directory for docker registry,<\/p>\n <\/p>\n <\/p>\n Create a docker-compose.yml<\/strong><\/em> file and a directory naming data<\/strong><\/em> in the docker-registry directory. Contents of docker-compose.yml are,<\/p>\n <\/p>\n <\/p>\n This docker-compose.yml file will pull registry:latest<\/em> image and will run it on port 5000. Also, we are storing Images on our docker host, so we will map data directory with the\u00a0registry storage filesystem root directory inside registry container.\u00a0Also, we have enabled image deletion parameter in docker registry.<\/p>\n So far we have added a block for registry setup in docker-compose.yml file. Still our private docker registry is running over plain HTTP and is accessible to everyone having docker registry URL.<\/p>\n Now we will proceed with deploying SSL and user authentication mechanism in the registry. Create a directory nginx<\/strong><\/em> inside docker-registry<\/strong><\/em> directory. Upload your SSL certificates for your registry domain or create private SSL certificates to be added in nginx configuration file.<\/p>\n To generate private certificates, run the following command,<\/p>\n <\/p>\n <\/p>\n For user authentication management, create a user for basic HTTP authentication as,<\/p>\n <\/p>\n <\/p>\n Now, setup nginx configuration file as registry.conf inside nginx docker directory and mention path to SSL certificates, basic authentication configuration and registry info as,<\/p>\n <\/p>\n <\/p>\n Here nginx will act as a SSL terminator for private docker registry. Now add Nginx block in docker-compose.yml.<\/p>\n <\/p>\n <\/p>\n Now docker environment is ready to be created. We will build the images and deploy containers to run a secure private docker registry.<\/p>\n <\/p>\n <\/p>\n To check created docker images,<\/p>\n <\/p>\n <\/p>\n To check running docker containers.<\/p>\n <\/p>\n <\/p>\n <\/p>\n Your secured private docker registry is ready to be used. We\u00a0will now push a docker image to docker-registry. Lets pull docker image hello-world<\/p>\n <\/p>\n <\/p>\n Login to private docker registry and enter your registry auth user and password. As in this case,<\/p>\n <\/p>\n <\/p>\n Now tag docker image hello-world with the registry,<\/p>\n <\/p>\n <\/p>\n Push the tagged docker image as,<\/p>\n <\/p>\n <\/p>\n Now check the uploaded image on docker registry from terminal using curl,<\/p>\n <\/p>\n <\/p>\n Above command will list images in json format. We can also check list of docker images stored on registry by inspecting data directory on docker host,<\/p>\n <\/p>\n <\/p>\n In order to delete any particular image, first check image availability along with its tag as,<\/p>\n <\/p>\n <\/p>\n Now, delete image repositories and blobs, and restart registry container as,<\/p>\n <\/p>\n <\/p>\n Finally, list all the images of docker registry to check available images,<\/p>\n <\/p>\n <\/p>\n At last, you are all set to launch your own private docker registry over ssl. Explore more and more with docker containers and docker registry applications. A well managed container architecture lays strong foundation of distributed architecture.<\/p>\n You can discuss your doubts and queries with us at support@webkul.com<\/a>.<\/p>\n <\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":"Docker Registry Setup<\/h2>\n
https:\/\/docs.docker.com\/install\/linux\/docker-ce\/ubuntu\/#install-docker-ce<\/pre>\n
https:\/\/docs.docker.com\/compose\/install\/<\/pre>\n
mkdir docker-registry<\/pre>\n
registry:\r\n image: registry\r\n container_name: registry\r\n ports:\r\n - 5000:5000\r\n environment:\r\n - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=\/data\r\n - REGISTRY_STORAGE_DELETE_ENABLED=true\r\n\r\n volumes:\r\n - .\/data:\/data<\/pre>\n
cd docker-registry\/nginx\/ && \\ \r\necho -e \"\\n\\n\\n\\n\\n\\n\\n\" | openssl req -x509 -nodes -days 365 -newkey rsa:2048 \\ \r\n-keyout myregistry.key -out myregistry.crt<\/pre>\n
cd docker-registry\/nginx\r\nhtpasswd -c registry.password my_user<\/pre>\n
upstream docker-registry {\r\nserver registry:5000;\r\n}\r\n\r\nserver {\r\n listen 80 default_server;\r\n server_name myregistry.com;\r\n return 302 https:\/\/$server_name$request_uri;\r\n }\r\n\r\nserver {\r\n\r\n listen 443;\r\n server_name myregistry.com;\r\n # SSL\r\n ssl on;\r\n ssl_certificate \/etc\/nginx\/conf.d\/myregistry.crt;\r\n ssl_certificate_key \/etc\/nginx\/conf.d\/myregistry.key;\r\n\r\n # disable any limits to avoid HTTP 413 for large image uploads\r\n client_max_body_size 0;\r\n\r\n # required to avoid HTTP 411: see Issue #1486 (https:\/\/github.com\/docker\/docker\/issues\/1486)\r\n chunked_transfer_encoding on;\r\n\r\n # Do not allow connections from docker 1.5 and earlier\r\n # docker pre-1.6.0 did not properly set the user agent on ping, catch \"Go *\" user agents\r\n location = \/ {\r\n rewrite ^ https:\/\/$server_name$request_uri\/v2\/_catalog redirect;\r\n}\r\n location \/v2\/ {\r\n if ($http_user_agent ~ \"^(docker\\\/1\\.(3|4|5(?!\\.[0-9]-dev))|Go ).*$\" ) {\r\n return 404;\r\n }\r\n # To add basic authentication to v2 use auth_basic setting plus add_header\r\n auth_basic \"registry.localhost\";\r\n auth_basic_user_file \/etc\/nginx\/conf.d\/registry.password;\r\n add_header 'Docker-Distribution-Api-Version' 'registry\/2.0' always;\r\n\r\n proxy_pass http:\/\/docker-registry;\r\n proxy_set_header Host $http_host; # required for docker client's sake\r\n proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP\r\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\r\n proxy_set_header X-Forwarded-Proto $scheme;\r\n proxy_read_timeout 900;\r\n }\r\n}\r\n<\/pre>\nnginx:\r\n image: \"nginx:1.9\"\r\n container_name: nginx\r\n ports:\r\n - 443:443\r\n - 80:80\r\n links:\r\n - registry:registry\r\n volumes:\r\n - .\/nginx\/:\/etc\/nginx\/conf.d\/\r\n\r\nregistry:\r\n image: registry\r\n container_name: registry\r\n ports:\r\n - 5000:5000\r\n environment:\r\n - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=\/data\r\n - REGISTRY_STORAGE_DELETE_ENABLED=true\r\n\r\n volumes:\r\n - .\/data:\/data\r\n<\/pre>\n
docker-compose up -d<\/pre>\n
docker images<\/pre>\n
docker-compose ps<\/pre>\n
Pushing an Image to Secured Private Docker Registry<\/h2>\n
docker pull hello-world<\/pre>\n
docker login myregistry.com<\/pre>\n
docker tag hello-world myregistry.com\/hello-world<\/pre>\n
docker push myregitsry\/hello-world<\/pre>\n
curl -u my_user:my_user_password https:\/\/myregistry.com\/v2\/_catalog<\/pre>\n
ls docker-registry\/data\/docker\/registry\/v2\/repositories\/<\/pre>\n
curl -u my_user:my_user_password https:\/\/registry.com\/v2\/mention_image_name\/tags\/list<\/pre>\n
cd docker-registry\/data\/docker\/registry\/v2\/repositories\/\r\nrm -rf mention_image_name\r\ndocker exec -ti registry bin\/registry garbage-collect \/etc\/docker\/registry\/config.yml\r\ndocker-compose restart registry<\/pre>\n
curl -u my_user:my_user_password https:\/\/myregistry.com\/v2\/_catalog<\/pre>\n