Docker : Use Registry
2020/08/06 |
Install Docker-Registry to build Private Registry for Docker images.
|
|
[1] | Install Registry. |
root@dlp:~# apt -y install docker-registry
|
[2] | Configure Registry. This is the settings to use HTTP connection and no-authentication. |
root@dlp:~#
vi /etc/docker/registry/config.yml # comment out [auth] section like follows version: 0.1 log: fields: service: registry storage: cache: blobdescriptor: inmemory filesystem: rootdirectory: /var/lib/docker-registry delete: enabled: true http: addr: :5000 headers: X-Content-Type-Options: [nosniff] #auth: # htpasswd: # realm: basic-realm # path: /etc/docker/registry health: storagedriver: enabled: true interval: 10s threshold: 3
root@dlp:~#
systemctl restart docker-registry
# verify possible to access from any clients # for HTTP connection, it needs to add [insecure-registries] setting
root@dlp:~#
vi /etc/docker/daemon.json # create new # add hosts to allow HTTP connection { "insecure-registries": [ "docker.internal:5000", "dlp.srv.world:5000" ] }
root@dlp:~#
systemctl restart docker
# [push] from localhost root@dlp:~# docker tag nginx localhost:5000/nginx:my-registry root@dlp:~# docker push localhost:5000/nginx:my-registry root@dlp:~# docker images REPOSITORY TAG IMAGE ID CREATED SIZE nginx latest 08393e824c32 29 hours ago 132MB localhost:5000/nginx my-registry 08393e824c32 29 hours ago 132MB # [pull] from another node root@node01:~# docker pull dlp.srv.world:5000/nginx:my-registry root@node01:~# docker images REPOSITORY TAG IMAGE ID CREATED SIZE dlp.srv.world:5000/nginx my-registry 08393e824c32 29 hours ago 132MB |
[3] | To enable Basic authentication, Configure like follows. |
root@dlp:~#
apt -y install apache2-utils
root@dlp:~#
vi /etc/docker/registry/config.yml # uncomment [auth] section and specify passwd file
.....
.....
auth:
htpasswd:
realm: basic-realm
path: /etc/docker/registry/.htpasswd
.....
.....
root@dlp:~#
systemctl restart docker-registry
# add users # add [-c] at initial file creation root@dlp:~# htpasswd -Bc /etc/docker/registry/.htpasswd ubuntu New password: Re-type new password: Adding password for user ubuntu # verify possible to access # an error is shown if access with no-authentication root@node01:~# docker pull dlp.srv.world:5000/nginx:my-registry Error response from daemon: Get http://dlp.srv.world:5000/v2/nginx/manifests/my-registry: no basic auth credentials # authenticate by a user added with [htpasswd] root@node01:~# docker login dlp.srv.world:5000
Username: ubuntu
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
root@node01:~# docker pull dlp.srv.world:5000/nginx:my-registry root@node01:~# docker images REPOSITORY TAG IMAGE ID CREATED SIZE dlp.srv.world:5000/nginx my-registry 08393e824c32 30 hours ago 132MB |
[4] | To access via HTTPS and use valid certificates like from Let's Encrypt and so on,
Configure like follows. This example is based on the environment that certificates have been gotten under the [/etc/letsencrypt/live/dlp.srv.world]. |
root@dlp:~# mkdir /etc/docker/certs.d root@dlp:~# cp -p /etc/letsencrypt/live/dlp.srv.world/{fullchain,privkey}.pem /etc/docker/certs.d/ root@dlp:~# chown docker-registry /etc/docker/certs.d/{fullchain,privkey}.pem
root@dlp:~#
vi /etc/docker/registry/config.yml # add [tls] section under the [http] section like follows
.....
.....
http:
addr: :5000
tls:
certificate: /etc/docker/certs.d/fullchain.pem
key: /etc/docker/certs.d/privkey.pem
headers:
X-Content-Type-Options: [nosniff]
.....
.....
root@dlp:~#
systemctl restart docker-registry
# verify possible to access # on HTTPS connection, it does not need to add [insecure-registries] on Docker root@node01:~# docker pull dlp.srv.world:5000/nginx:my-registry root@node01:~# docker images REPOSITORY TAG IMAGE ID CREATED SIZE dlp.srv.world:5000/nginx my-registry 08393e824c32 31 hours ago 132MB |
[5] | To access via HTTPS and use self signed certificates, Configure like follows. This example is based on the environment that certificates have been created under the [/etc/ssl/private]. |
root@dlp:~# mkdir -p /etc/docker/certs.d/dlp.srv.world:5000 root@dlp:~# cp -p /etc/ssl/private/server.{crt,key} /etc/docker/certs.d/dlp.srv.world:5000/ root@dlp:~# chown docker-registry /etc/docker/certs.d/dlp.srv.world:5000/server.{crt,key}
root@dlp:~#
vi /etc/docker/registry/config.yml # add [tls] section under the [http] section like follows
.....
.....
http:
addr: :5000
tls:
certificate: /etc/docker/certs.d/dlp.srv.world:5000/server.crt
key: /etc/docker/certs.d/dlp.srv.world:5000/server.key
headers:
X-Content-Type-Options: [nosniff]
.....
.....
root@dlp:~#
systemctl restart docker-registry
# verify possible to access # an error is shown because of self signed certificate root@node01:~# docker pull dlp.srv.world:5000/nginx:my-registry Error response from daemon: Get https://dlp.srv.world:5000/v2/: x509: certificate signed by unknown authority # copy certtificate on registry server to client root@node01:~# mkdir -p /etc/docker/certs.d/dlp.srv.world:5000 root@node01:~# scp root@dlp.srv.world:"/etc/docker/certs.d/dlp.srv.world:5000/server.crt" /etc/docker/certs.d/dlp.srv.world:5000/ca.crt docker pull dlp.srv.world:5000/nginx:my-registry root@node01:~# docker images REPOSITORY TAG IMAGE ID CREATED SIZE dlp.srv.world:5000/nginx my-registry 08393e824c32 32 hours ago 132MB |