The public Docker repository is fine for initial testing, but if you’re setting up a production environment, it’s essential to use your own operating system images and your own registry server. This way, you’ll have your own private SO/Apps repo.

To generate our Gentoo base image, it’s as simple as downloading the stage3 from the Gentoo website and importing it as a Docker image:

If we want to have our own Docker image repository on Github, we must install the registry.

This can be configured in two ways:

• TLS: Ideal for production environments
• TCP: Testing

If we want to use TCP, we must modify the Docker config, indicating on the computing server that it can connect to the registry server without TLS:

DOCKER_OPTS="--insecure-registry=registry.alfaexploit.com:5000"

On the other hand, if we’re setting up a server that will go into production, we have two options:

• Buy a TLS certificate: We only need to configure the server part.
• Self-generate a certificate: We need to configure the server and clients.

I’m going to choose to self-generate it:

Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:AAAAAAA
Locality Name (eg, city) []:BBBBBB
Organization Name (eg, company) [Internet Widgits Pty Ltd]:alfaexploit.com
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:registry.alfaexploit.com
Email Address []:kr0m@alfaexploit.com

In each of the computing nodes (including the server itself), we add the self-signed certificate as trusted:

NOTE: Of course, registry.alfaexploit.com must resolve to the computing server where the container with the registry is located.

We filter access to our registry server with iptables on both testing and production servers:

If configured with plain TCP:

If configured with TLS:

By default, images are stored inside the container. If we want to store them in an external directory, we can do so using volumes:

We can view the local images. To upload them to the repository, we need to tag them indicating the registry server and port:

CONTAINER ID        IMAGE                      COMMAND                CREATED              STATUS              PORTS                                                                         NAMES
e15dac3ce5a1        registry:2              "registry cmd/regist   23 seconds ago        Restarting (1) 7 seconds ago   0.0.0.0:5000->5000/tcp   registry            

REPOSITORY                 TAG                 IMAGE ID            CREATED    VIRTUAL SIZE
gentoo/mysql               latest              fd8d51641254        3 days ago    1.542 GB
gentoo/updated_sinpasswd   latest              c3b9f653bf61        3 days ago    1.175 GB
gentoo_imported            latest              b1c4c04c1d2b        3 days ago    1.345 GB
gentoo/updated             latest              4eedf047deb9        3 days ago    1.175 GB
gentoo                     latest              264d2b032543        3 days ago    773.1 MB
registry                   2                   b4ad0b763f11        2 weeks ago    548.6 MB

Indeed, we now have a new image that would be downloaded from the server registry:

REPOSITORY                        TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry.alfaexploit.com:5000/kr0m/gentoo_apache   latest              5e8bc79dc6de 3 days ago          1.187 GB

To deploy our container on another computing node:

If we have configured TLS, we must accept our CA as trusted on each computing node: