Ubuntu 20.04
Sponsored Link

Docker : Use Registry
2020/08/06
 
Install Docker-Registry to build Private Registry for Docker images.
[1] Install Registry.
root@dlp:~#
apt -y install docker-registry
[2] Configure Registry.
This is the settings to use HTTP connection and no-authentication.
root@dlp:~#
vi /etc/docker/registry/config.yml
# comment out [auth] section like follows

version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/docker-registry
  delete:
    enabled: true
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
#auth:
#  htpasswd:
#    realm: basic-realm
#    path: /etc/docker/registry
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
root@dlp:~#
systemctl restart docker-registry
# verify possible to access from any clients

# for HTTP connection, it needs to add [insecure-registries] setting

root@dlp:~#
vi /etc/docker/daemon.json
# create new

# add hosts to allow HTTP connection

{
  "insecure-registries":
    [
      "docker.internal:5000",
      "dlp.srv.world:5000"
    ]
}
root@dlp:~#
systemctl restart docker
# [push] from localhost

root@dlp:~#
docker tag nginx localhost:5000/nginx:my-registry

root@dlp:~#
docker push localhost:5000/nginx:my-registry

root@dlp:~#
docker images 

REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
nginx                  latest              08393e824c32        29 hours ago        132MB
localhost:5000/nginx   my-registry         08393e824c32        29 hours ago        132MB
# [pull] from another node

root@node01:~#
docker pull dlp.srv.world:5000/nginx:my-registry

root@node01:~#
docker images 

REPOSITORY                 TAG                 IMAGE ID            CREATED             SIZE
dlp.srv.world:5000/nginx   my-registry         08393e824c32        29 hours ago        132MB
[3] To enable Basic authentication, Configure like follows.
root@dlp:~#
apt -y install apache2-utils
root@dlp:~#
vi /etc/docker/registry/config.yml
# uncomment [auth] section and specify passwd file

.....
.....
auth:
  htpasswd:
    realm: basic-realm
    path: /etc/docker/registry/.htpasswd
.....
.....
root@dlp:~#
systemctl restart docker-registry
# add users

# add [-c] at initial file creation

root@dlp:~#
htpasswd -Bc /etc/docker/registry/.htpasswd ubuntu 

New password:
Re-type new password:
Adding password for user ubuntu
# verify possible to access

# an error is shown if access with no-authentication

root@node01:~#
docker pull dlp.srv.world:5000/nginx:my-registry

Error response from daemon: Get http://dlp.srv.world:5000/v2/nginx/manifests/my-registry: no basic auth credentials
# authenticate by a user added with [htpasswd]

root@node01:~#
docker login dlp.srv.world:5000 

Username: ubuntu
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@node01:~#
docker pull dlp.srv.world:5000/nginx:my-registry

root@node01:~#
docker images 

REPOSITORY                 TAG                 IMAGE ID            CREATED             SIZE
dlp.srv.world:5000/nginx   my-registry         08393e824c32        30 hours ago        132MB
[4] To access via HTTPS and use valid certificates like from Let's Encrypt and so on, Configure like follows.
This example is based on the environment that certificates have been gotten under the [/etc/letsencrypt/live/dlp.srv.world].
root@dlp:~#
mkdir /etc/docker/certs.d

root@dlp:~#
cp -p /etc/letsencrypt/live/dlp.srv.world/{fullchain,privkey}.pem /etc/docker/certs.d/

root@dlp:~#
chown docker-registry /etc/docker/certs.d/{fullchain,privkey}.pem

root@dlp:~#
vi /etc/docker/registry/config.yml
# add [tls] section under the [http] section like follows

.....
.....
http:
  addr: :5000
  tls:
    certificate: /etc/docker/certs.d/fullchain.pem
    key: /etc/docker/certs.d/privkey.pem
  headers:
    X-Content-Type-Options: [nosniff]
.....
.....
root@dlp:~#
systemctl restart docker-registry
# verify possible to access

# on HTTPS connection, it does not need to add [insecure-registries] on Docker

root@node01:~#
docker pull dlp.srv.world:5000/nginx:my-registry

root@node01:~#
docker images 

REPOSITORY                 TAG                 IMAGE ID            CREATED             SIZE
dlp.srv.world:5000/nginx   my-registry         08393e824c32        31 hours ago        132MB
[5] To access via HTTPS and use self signed certificates, Configure like follows.
This example is based on the environment that certificates have been created under the [/etc/ssl/private].
root@dlp:~#
mkdir -p /etc/docker/certs.d/dlp.srv.world:5000

root@dlp:~#
cp -p /etc/ssl/private/server.{crt,key} /etc/docker/certs.d/dlp.srv.world:5000/

root@dlp:~#
chown docker-registry /etc/docker/certs.d/dlp.srv.world:5000/server.{crt,key}

root@dlp:~#
vi /etc/docker/registry/config.yml
# add [tls] section under the [http] section like follows

.....
.....
http:
  addr: :5000
  tls:
    certificate: /etc/docker/certs.d/dlp.srv.world:5000/server.crt
    key: /etc/docker/certs.d/dlp.srv.world:5000/server.key
  headers:
    X-Content-Type-Options: [nosniff]
.....
.....
root@dlp:~#
systemctl restart docker-registry
# verify possible to access

# an error is shown because of self signed certificate

root@node01:~#
docker pull dlp.srv.world:5000/nginx:my-registry

Error response from daemon: Get https://dlp.srv.world:5000/v2/: x509: certificate signed by unknown authority
# copy certtificate on registry server to client

root@node01:~#
mkdir -p /etc/docker/certs.d/dlp.srv.world:5000

root@node01:~#
scp root@dlp.srv.world:"/etc/docker/certs.d/dlp.srv.world:5000/server.crt" /etc/docker/certs.d/dlp.srv.world:5000/ca.crt

root@node01:~#
docker pull dlp.srv.world:5000/nginx:my-registry

root@node01:~#
docker images 

REPOSITORY                 TAG                 IMAGE ID            CREATED             SIZE
dlp.srv.world:5000/nginx   my-registry         08393e824c32        32 hours ago        132MB
Matched Content