Yogesh-R | March 7th, 2022
How to set-up a Private Docker Registry?

Robotics Workshop

When you dealing with production grade Docker and containers you need to secure and maintain your images so to do that we need to  configure own private registry for our organization .

Key Benefits for Private Docker registry:

  1.  Private image artifactory  kind of
  2.  Bandwidth saving during image push 
  3.  Distributed storage for 
  4.  No need for internet connection all the time

Docker Private Registry can be setup in two modes:

1.  Non-secure mode (http based requests)

2.  Secure mode (https based requests)

SET-UP ARCHITECTURE:
1. Docker registry server   

  1.  IP:  192.168.10.254     
  2.  Server :  RHEL  7.5 
  3.  Firewalld  off  or   5000 port allowed 

2.   Docker client (push client)

  1.  IP  :   192.168.10.101
  2. Client :   RHEL 7.5 

3.  Docker client (Pull client)

  1.  IP :    192.168.10.127
  2.  Client :   Ubuntu 16.04  

Use case 1:   NON-SECURE MODE REGISTRY MODE

Docker  Registry  setup :

Step 1 :  Checking Docker version 

[[email protected] ~]# docker version
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-68.gitdded712.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      dded712/1.13.1
 Built:           Tue Jul 17 18:34:48 2018
 OS/Arch:         linux/amd64

Server:
 Version:         1.13.1
 API version:     1.26 (minimum version 1.12)
 Package version: docker-1.13.1-68.gitdded712.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      dded712/1.13.1
 Built:           Tue Jul 17 18:34:48 2018
 OS/Arch:         linux/amd64
 Experimental:    false


Step  2 :     Pulling  Docker registry image from  Docker hub

[[email protected] ~]# docker pull registry

Step 3:   running  registry server on 5000 with restart policy

[[email protected] ~]# docker run -itd --name privatereg  -p 5000:5000 --restart=always  docker.io/registry

[[email protected] ~]# docker ps
CONTAINER ID        IMAGE                COMMAND                  CREATED             STATUS              PORTS                    NAMES
4d79520b89c4        docker.io/registry   "/entrypoint.sh /e..."   3 days ago          Up 3 days           0.0.0.0:5000->5000/tcp   registry


Setup Docker  pull client  (RHEL 7.5)

Step 1 :    Installing Docker

[[email protected] ~]# yum  install docker -y

Step  2:   Changing in configuration file 

Add these lines in the last of  /etc/sysconfig/docker  file

ADD_REGISTRY='--add-registry 192.168.10.254:5000'
INSECURE_REGISTRY='--insecure-registry 192.168.10.254:5000'

Step  3:    Restart  and  daemon-reload  

[[email protected] ~]# systemctl daemon-reload

[[email protected] ~]# systemctl restart  docker

Step 4:   Pushing  images to Docker private registry  
Note:  first we need to tag then push it

[[email protected] ~]# docker tag  docker.io/registry  192.168.10.254:5000/registry
[[email protected] ~]# docker push 192.168.10.254:5000/registryThe push refers to a repository [192.168.10.254:5000/registry]
6b263b6e9ced: Pushed
dead8a13b621: Pushed
00a8ff67f927: Pushed
2b7bd2eefde2: Pushed
a120b7c9a693: Pushed
latest: digest: sha256:a25e4660ed5226bdb59a5e555083e08ded157b1218282840e55d25add0223390 size: 1364

Setup Docker client for  Pulling  images (Ubuntu 16.04)

Step 1:    Install Docker

[___] sudo apt  install docker

Step 2 :  Make changes in configuration search

-->> cat  /etc/docker/daemon.json
 
{ "insecure-registries" : ["192.168.10.254:5000"] }

Step  3 :    Pulling  image from private registry  

-->> docker  pull   192.168.10.254:5000/nginx

[[email protected] ~]# systemctl daemon-reload
[[email protected] ~]# systemctl restart  docker
Important  :  setting  up secure  private  registry with authentication
 

Create directory : 
[email protected]:   mkdir  /certs
Step 1:   Creating  self-signed  SSL  Certificate
 [email protected]:  openssl req \ -newkey rsa:4096 -nodes -sha256 -keyout /certs/ca.key \
  -x509 -days 365 -out /certs/ca.crt
[email protected]:  docker run --entrypoint htpasswd registry:2 -Bbn ashu redhat >/certs/htpasswd
Step 2:   Running  Docker registry  with only SSL

[[email protected] ~]# docker run -d -p 5000:5000 --restart=always --name registry -v /certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ca.crt -e REGISTRY_HTTP_TLS_KEY=/certs/ca.key registry

OR :   Docker registry with SSL and authentication 
docker run -d   -p 5000:5000   --restart=always   --name registry   -v /certs:/auth   -e "REGISTRY_AUTH=htpasswd"   -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"   -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd     -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ca.crt   -e REGISTRY_HTTP_TLS_KEY=/certs/ca.key   registry:2

Setting  Docker  secure client  :  
Note:     setting  registry  as same above but here we need to download  ca.crt  key to secure connection :
Step 1:  Create directory  
[[email protected] ~]# mkdir -p  /etc/docker/certs.d/192.168.10.254:5000/
Step  2:   Download ca.crt  
[[email protected] ~]# scp  192.168.10.254:/certs/ca.crt  /etc/docker/certs.d/192.168.10.254
Now: you can login 

 [[email protected] ~]#  docker login  192.168.10.254:5000 -u ashu
Advanced  tips and tricks:-
Important:   Right now we need to tag  the image on  Docker  client for pushing and also need to mention  IP address :port  while pulling  the image .
Tip 1:      pulling  and pushing  Docker image without  IP and port  
[[email protected] ~]# systemctl status Docker
 ● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-11-30 06:25:17 GMT; 24h ago
   Docs: http://docs.docker.com
 Main PID: 1187 (dockerd-current)
    Tasks: 26
  [[email protected] ~]# cat  /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target rhel-push-plugin.socket registries.service
Wants=docker-storage-setup.service
Requires=docker-cleanup.timer
[Service]
Type=notify
NotifyAccess=all
EnvironmentFile=-/run/containers/registries.conf
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
ExecStart=/usr/bin/dockerd-current \
          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
          --default-runtime=docker-runc \
          --exec-opt native.cgroupdriver=systemd \
          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
          --init-path=/usr/libexec/docker/docker-init-current \
          --seccomp-profile=/etc/docker/seccomp.json \
          --registry-mirror=http://192.168.10.254:5000 \       # add this
$OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY \

 $REGISTRIES
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal
KillMode=process
[Install]
WantedBy=multi-user.target
Restart and reload 
[[email protected] ~]# systemctl daemon-reload
[[email protected] ~]# systemctl restart  docker
Tip  2:      To  search  image in Docker private registry
Search  all  present  images 
[___] curl -k -X GET https://192.168.10.254:5000/v2/_catalog
{"repositories":["busybox","centos","centos6","nginx","registry","simpleapp"]}
Search tag of a particular  image:
[___] curl -k -X GET https://192.168.10.254:5000/v2/busybox/tags/list
{"name":"busybox","tags":["latest"]}


Enjoy the learning ....!!

www.techienest.in      

email: [email protected]

www.lnbcore.com