In this tutorial we are going to learn about the Docker registry and how to set up your own private registry with self-signed certificates.
I hope you have read the previous posts on Docker basics and its concepts.
What is Docker Registry?
A registry is a storage and content delivery system that holds named Docker images, available in different tagged versions.
There are two types of registry:
- Public registry: the default registry for all images. Docker Hub provides a free-to-use, hosted registry plus additional features (organization accounts, automated builds, and more).
- Private registry: if you don't want to publish your own images to the outside world, or want to improve download speed instead of pulling images from Docker Hub every time, you can run a private registry. It is also a great solution to integrate with and complement your CI/CD system. Examples are Nexus, Docker Registry or Portus.
How does it work?
When you run docker run -it centos bash or docker pull centos, Docker first checks whether the image exists locally; if not, it pulls it from Docker Hub. Imagine you are pulling an image on multiple servers: each of them downloads the image from Docker Hub, so the same image is fetched many times, and this takes a long time if your internet connection is slow. To avoid this we can build our own private repository where we store our private images. That is one use case; others are that you tightly control where your images are stored and fully own your image distribution pipeline.
Setup Private Registry
There are two ways of setting up your private registry:
- Using self-signed certificates: the quick and dirty way
- Registering certificates for your domain: for a production setup
Let's try with self-signed certificates.
- Create directories for hosting the registry and its storage.
mkdir /opt/docker-registry
cd /opt/docker-registry/
mkdir data
mkdir certs
- Generate self-signed certificates
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
- Start your registry
docker run -d -p 5000:5000 --restart=always \
  --name registry \
  -v $PWD/data:/var/lib/registry \
  -v $PWD/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
We can test from the same host, but since we are using self-signed certificates we need to install the certificate in the Docker client; for that you copy the certificate file under /etc/docker/certs.d/.
Let's assume that your FQDN is registry.linuxian.com.
Installing Linux client certificates
mkdir /etc/docker/certs.d/registry.linuxian.com:5000
cp certs/domain.crt /etc/docker/certs.d/registry.linuxian.com\:5000/ca.crt
Now try to push any local image to your registry server.
Copy any image ID from the output of the docker images command, then tag and push it:
docker tag <IMAGE_ID> registry.linuxian.com:5000/testimage
docker push registry.linuxian.com:5000/testimage
Congratulations, you have just set up your private registry.
Installing macOS client certificates
mkdir /etc/docker/certs.d/registry.linuxian.com:5000
cp domain.crt /etc/docker/certs.d/registry.linuxian.com\:5000/ca.crt
sudo security add-trusted-cert -d \
  -r trustRoot -k /Library/Keychains/System.keychain \
  /etc/docker/certs.d/registry.linuxian.com\:5000/ca.crt
Now you can push/pull from your registry server.
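The certificate steps above, as an added example script that is not part of the original post: it generates the self-signed certificate with the registry FQDN as a Subject Alternative Name (Docker's Go TLS client matches the host name against the SAN, so a certificate without one is rejected), checks the key and certificate before trusting them, and copies the certificate into the certs.d path. REGISTRY_HOST, CERT_DIR and the function names are assumptions; openssl must be installed.

```shell
#!/bin/sh
# Added example, not from the original post: generate the registry's self-signed
# certificate with a Subject Alternative Name, sanity-check it, and install it
# for the Docker client. REGISTRY_HOST and CERT_DIR are assumed names.
set -eu

REGISTRY_HOST="${REGISTRY_HOST:-registry.linuxian.com}"
CERT_DIR="${CERT_DIR:-./certs}"

# Like the post's openssl command, but with CN and SAN set: Docker's Go TLS
# client matches the host name against the SAN, so a cert without one is rejected.
gen_registry_cert() {
  mkdir -p "$CERT_DIR"
  cat > "$CERT_DIR/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = $REGISTRY_HOST
[v3_req]
subjectAltName = DNS:$REGISTRY_HOST
extendedKeyUsage = serverAuth
EOF
  openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 365 \
    -config "$CERT_DIR/openssl.cnf" \
    -keyout "$CERT_DIR/domain.key" -out "$CERT_DIR/domain.crt" 2>/dev/null
}

# Checks to run before copying the cert into /etc/docker/certs.d: key and cert
# belong together, the FQDN is a SAN, and the cert is within its validity period.
check_registry_cert() {
  crt="$CERT_DIR/domain.crt" key="$CERT_DIR/domain.key"
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
  openssl x509 -in "$crt" -noout -text | grep -q "DNS:$REGISTRY_HOST" || return 1
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 1
}

# Install as ca.crt under <certs.d>/<host>:5000, the path Docker looks in;
# the first argument overrides /etc/docker/certs.d (handy for testing).
install_client_cert() {
  dest="${1:-/etc/docker/certs.d}/$REGISTRY_HOST:5000"
  mkdir -p "$dest"
  cp "$CERT_DIR/domain.crt" "$dest/ca.crt"
  printf '%s/ca.crt\n' "$dest"
}

# Run all three steps with: sh registry-cert.sh run
if [ "${1:-}" = "run" ]; then
  gen_registry_cert && check_registry_cert && install_client_cert
fi
```

On macOS the resulting ca.crt still has to be added to the System keychain with the security command shown above.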
The following things are required to run in production:
- A registered domain
- SSL certificates
As you can see in the picture above, you can use a load balancer like HAProxy, Nginx or ELB (in AWS) which terminates SSL and proxies requests to your registry server.