The public Docker repository is fine for initial testing, but if you’re setting up a production environment, it’s essential to use your own operating system images and your own registry server. This way, you’ll have your own private SO/Apps repo.
To generate our Gentoo base image, it’s as simple as downloading the stage3 from the Gentoo website and importing it as a Docker image:
docker run -ti gentoo /bin/bash
If we want to have our own Docker image repository on Github, we must install the registry.
This can be configured in two ways:
- TLS: Ideal for production environments
- TCP: Testing
If we want to use TCP, we must modify the Docker config, indicating on the computing server that it can connect to the registry server without TLS:
On the other hand, if we’re setting up a server that will go into production, we have two options:
- Buy a TLS certificate: We only need to configure the server part.
- Self-generate a certificate: We need to configure the server and clients.
I’m going to choose to self-generate it:
openssl req -newkey rsa:4096 -nodes -sha256 -keyout registry.alfaexploit.com.key -x509 -days 365 -out registry.alfaexploit.com.crt
Country Name (2 letter code) [AU]:ES State or Province Name (full name) [Some-State]:AAAAAAA Locality Name (eg, city) :BBBBBB Organization Name (eg, company) [Internet Widgits Pty Ltd]:alfaexploit.com Organizational Unit Name (eg, section) :IT Common Name (e.g. server FQDN or YOUR name) :registry.alfaexploit.com Email Address :email@example.com
In each of the computing nodes (including the server itself), we add the self-signed certificate as trusted:
cp /var/lib/docker/certs/registry.alfaexploit.com.crt /etc/docker/certs.d/registry.alfaexploit.com:5000/ca.crt
NOTE: Of course, registry.alfaexploit.com must resolve to the computing server where the container with the registry is located.
We filter access to our registry server with iptables on both testing and production servers:
iptables -I INPUT 2 -p tcp –dport 5000 -j DROP
If configured with plain TCP:
If configured with TLS:
By default, images are stored inside the container. If we want to store them in an external directory, we can do so using volumes:
We can view the local images. To upload them to the repository, we need to tag them indicating the registry server and port:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES e15dac3ce5a1 registry:2 "registry cmd/regist 23 seconds ago Restarting (1) 7 seconds ago 0.0.0.0:5000->5000/tcp registry
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE gentoo/mysql latest fd8d51641254 3 days ago 1.542 GB gentoo/updated_sinpasswd latest c3b9f653bf61 3 days ago 1.175 GB gentoo_imported latest b1c4c04c1d2b 3 days ago 1.345 GB gentoo/updated latest 4eedf047deb9 3 days ago 1.175 GB gentoo latest 264d2b032543 3 days ago 773.1 MB registry 2 b4ad0b763f11 2 weeks ago 548.6 MB
docker push registry.alfaexploit.com:5000/kr0m/gentoo_mysql
Indeed, we now have a new image that would be downloaded from the server registry:
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE registry.alfaexploit.com:5000/kr0m/gentoo_apache latest 5e8bc79dc6de 3 days ago 1.187 GB
To deploy our container on another computing node:
If we have configured TLS, we must accept our CA as trusted on each computing node:
mkdir -p /etc/docker/certs.d/registry.alfaexploit.com:5000/
scp firstname.lastname@example.org :/etc/docker/certs.d/registry.alfaexploit.com:5000/ca.crt /etc/docker/certs.d/registry.alfaexploit.com:5000/