Setting up a Private Docker Registry

Kailash Verma
Apr 18, 2017

On this page we will see how to set up a new private Docker registry.

Private registry :

A private registry serves as your own repository for Docker images. We can use it just like the public registries that are available: Docker Hub, AWS ECR (EC2 Container Registry), etc.

We need a private registry if we want to keep our Docker images private and don't want to push them to public repositories. We can also use it to move our Docker images from one stage to the next, for example from Development to QA and further on to Stage and Production. We can make our registry secure by using an SSL certificate.

Now let's see how we can set up a new private Docker registry:

Environment : Ubuntu 14.4

  • Pull the docker image of Registry :

$ docker pull registry:2

This will pull the registry image from Docker Hub.

Now we have the Docker registry image available on our machine.

Deploying plain HTTP registry :

  • Open the /etc/default/docker file for editing
  • We assume our registry name is myregistrydomain.com. Please replace this name with your registry name.
  • Edit the DOCKER_OPTS line as shown below:

DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000"

  • Restart the Docker daemon:

$ service docker restart

Deploying Registry using self signed certificates :

  • Generate your own certificate by running the below mentioned command :

$ mkdir -p certs && openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
    -x509 -days 365 -out certs/domain.crt

When we execute this command it will ask for a few parameters that we need to enter. When it asks for the CN, i.e. Common Name, make sure to use the name myregistrydomain.com.

  • Restart the docker daemon :

$ service docker restart

Now that we are done with our CA certificates and have the registry image on our machine, run the command below to start the Docker registry:

$ docker run -d -p 5000:5000 --restart=always --name registry registry:2

This will start the docker registry container on your machine.

How to use your private docker registry :

  • Tag any existing image to point it to your registry.

$ docker pull ubuntu && docker tag ubuntu myregistrydomain.com:5000/ubuntu

  • Then push it to your private registry :

$ docker push myregistrydomain.com:5000/ubuntu

  • Then pull your image from private registry :

$ docker pull myregistrydomain.com:5000/ubuntu

Few important points to remember :

  • The CN (common name) used while generating the CA certificates should be the FQDN (hostname.domainname.com), i.e. the fully qualified domain name of the machine on which the Docker registry container is running.
  • This can be seen with the following command:

$ cat /etc/hostname

Here it will be your machine's host name, e.g. myregistrydomain.

  • Then check the /etc/hosts file, where we have to list the FQDN against the IP address of the local machine, e.g. "192.168.x.x myregistrydomain.com myregistrydomain". Here the domain registered by the company is *.domain.com, hence the FQDN is the host name followed by the domain name.
  • To let other hosts/machines access the private registry running on this machine, we have to do the registry setup on each of them. Docker looks up the CA certificate in a directory under /etc/docker/certs.d named after the registry's host and port, so the directory name includes :5000. Clients only need domain.crt to trust the registry; the private key domain.key belongs on the registry host only. The commands for the registry setup on a remote machine are listed below:

$ mkdir /certs
$ mkdir /etc/docker/certs.d
$ mkdir /etc/docker/certs.d/myregistrydomain.com:5000
$ cp certs/* /certs/
$ cp certs/domain.crt /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
$ echo 'DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000"' >> /etc/default/docker
$ echo '192.168.2.112 myregistrydomain.com myregistrydomain' >> /etc/hosts
$ service docker restart
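
A check for the client-side settings above, as an added example that is not part of the original post: it reports whether a Docker host actually verifies the registry's certificate. It relies on two Docker behaviours: for a registry listed under --insecure-registry, certificate errors are ignored and plain HTTP is allowed as a fallback, and for a registry addressed with a port the daemon reads ca.crt from certs.d/<host>:<port>. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: does this Docker host verify the registry's TLS certificate?
# Function names are hypothetical; paths default to those used on this page.

# Print the registries listed under --insecure-registry in a defaults file.
# The file is sourced as shell, so the last plain DOCKER_OPTS= assignment
# wins (relevant when lines are appended with >>). Commented lines are skipped.
insecure_registries() {
  grep -E '^[[:space:]]*DOCKER_OPTS=' "$1" 2>/dev/null \
    | tail -n 1 \
    | grep -oE -- "--insecure-registry[= ]+[^ \"']+" \
    | sed 's/^--insecure-registry[= ]*//'
}

# registry_trust DEFAULTS_FILE CERTS_DIR HOST:PORT  -> prints one of:
#   insecure   certificate errors are ignored, plain HTTP fallback allowed
#   pinned     CERTS_DIR/HOST:PORT/ca.crt is present and will be used
#   misnamed   ca.crt sits under CERTS_DIR/HOST, which is not consulted
#              for a registry addressed with an explicit port
#   untrusted  no CA installed for this registry
registry_trust() {
  rt_host=${3%%:*}
  if insecure_registries "$1" | grep -qxF -- "$3"; then
    echo insecure
  elif [ -s "$2/$3/ca.crt" ]; then
    echo pinned
  elif [ "$rt_host" != "$3" ] && [ -s "$2/$rt_host/ca.crt" ]; then
    echo misnamed
  else
    echo untrusted
  fi
}

# Report on the real host when run directly (arguments override the defaults).
registry_trust "${1:-/etc/default/docker}" "${2:-/etc/docker/certs.d}" \
  "${3:-myregistrydomain.com:5000}"
```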

To list repositories/images on your private registry:

{"repositories":["hello","image1","image2","image3","image4","image5"]}
