This page looks best with JavaScript enabled

Docker Registry

 ·  🎃 kr0m

The public Docker repository is fine for initial testing, but if you’re setting up a production environment, it’s essential to use your own operating system images and your own registry server. This way, you’ll have your own private SO/Apps repo.

To generate our Gentoo base image, it’s as simple as downloading the stage3 from the Gentoo website and importing it as a Docker image:

curl | bzcat | docker import - ‘gentoo’
docker run -ti gentoo /bin/bash

If we want to have our own Docker image repository on Github, we must install the registry.

This can be configured in two ways:

  • TLS: Ideal for production environments
  • TCP: Testing

If we want to use TCP, we must modify the Docker config, indicating on the computing server that it can connect to the registry server without TLS:

vi /etc/conf.d/docker

/etc/init.d/docker stop
/etc/init.d/docker start

On the other hand, if we’re setting up a server that will go into production, we have two options:

  • Buy a TLS certificate: We only need to configure the server part.
  • Self-generate a certificate: We need to configure the server and clients.

I’m going to choose to self-generate it:

mkdir -p /var/lib/docker/certs
cd /var/lib/docker/certs
openssl req -newkey rsa:4096 -nodes -sha256 -keyout -x509 -days 365 -out

Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:AAAAAAA
Locality Name (eg, city) []:BBBBBB
Organization Name (eg, company) [Internet Widgits Pty Ltd]
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []
Email Address []

In each of the computing nodes (including the server itself), we add the self-signed certificate as trusted:

mkdir -p /etc/docker/certs.d/
cp /var/lib/docker/certs/ /etc/docker/certs.d/
/etc/init.d/docker stop
/etc/init.d/docker start

NOTE: Of course, must resolve to the computing server where the container with the registry is located.

We filter access to our registry server with iptables on both testing and production servers:

iptables -I INPUT 1 -s TRUSTED_HOST -p tcp –dport 5000 -j ACCEPT
iptables -I INPUT 2 -p tcp –dport 5000 -j DROP

If configured with plain TCP:

docker run -d -p 5000:5000 –restart=always –name registry registry:2

If configured with TLS:

docker run -d -p 5000:5000 -v /var/lib/docker/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ -e REGISTRY_HTTP_TLS_KEY=/certs/ –restart=always –name registry registry:2

By default, images are stored inside the container. If we want to store them in an external directory, we can do so using volumes:

docker run -d -p 5000:5000 -v /var/lib/docker/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ -e REGISTRY_HTTP_TLS_KEY=/certs/ -v /myregistrydata:/var/lib/registry -e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry –restart=always –name registry registry:2

We can view the local images. To upload them to the repository, we need to tag them indicating the registry server and port:

docker ps

CONTAINER ID        IMAGE                      COMMAND                CREATED              STATUS              PORTS                                                                         NAMES
e15dac3ce5a1        registry:2              "registry cmd/regist   23 seconds ago        Restarting (1) 7 seconds ago>5000/tcp   registry            
docker images
REPOSITORY                 TAG                 IMAGE ID            CREATED    VIRTUAL SIZE
gentoo/mysql               latest              fd8d51641254        3 days ago    1.542 GB
gentoo/updated_sinpasswd   latest              c3b9f653bf61        3 days ago    1.175 GB
gentoo_imported            latest              b1c4c04c1d2b        3 days ago    1.345 GB
gentoo/updated             latest              4eedf047deb9        3 days ago    1.175 GB
gentoo                     latest              264d2b032543        3 days ago    773.1 MB
registry                   2                   b4ad0b763f11        2 weeks ago    548.6 MB
docker tag gentoo/mysql
docker push

Indeed, we now have a new image that would be downloaded from the server registry:

docker images

REPOSITORY                        TAG                 IMAGE ID            CREATED             VIRTUAL SIZE   latest              5e8bc79dc6de 3 days ago          1.187 GB

To deploy our container on another computing node:

docker run -i -t /bin/bash

If we have configured TLS, we must accept our CA as trusted on each computing node:

mkdir -p /etc/docker/certs.d/
scp :/etc/docker/certs.d/ /etc/docker/certs.d/

/etc/init.d/docker stop
/etc/init.d/docker start

If you liked the article, you can treat me to a RedBull here