
We set up a private Docker repository

Docker is one of the hottest topics in development, and most new projects are built on it. At a minimum, it has proven itself for software distribution; for example, our Ambar document search system is installed using docker-compose.


At the beginning of work on Ambar we used a public Docker repository, but as the project grew and an enterprise version appeared, we started thinking about our own private repository. In this article we share our experience of deploying a self-hosted repository: we describe the whole process step by step and try to steer around the pitfalls.


Local docker repository


So, the simplest Docker repository can be started with a single command.


 docker run -d -p 5000:5000 --restart=always --name registry registry:2 

To check the repository, push the ubuntu image to it.


  1. First, download the image from the official repository and add the localhost:5000/ubuntu tag to it.
  2. Push the image to our new repository: docker push localhost:5000/ubuntu

Well, now we can work with a local docker repository. In order not to remember the repository launch command every time, let's create a docker-compose.yml file:


    registry:
      restart: always
      image: registry:2
      ports:
        - 5000:5000
      volumes:
        - /path/data:/var/lib/registry

To start the repository, run docker-compose up -d in the directory containing the docker-compose file. With the local repository sorted out, we move on to configuring SSL.


SSL setup


Why do we need SSL? A Docker repository that is accessible from the Internet should work only over a secure HTTPS connection. It is possible to work around this restriction or to use self-signed certificates, but practice shows that it is easier to configure everything correctly once. For those who do not have an SSL certificate, I will explain how to use Let's Encrypt. It is worth mentioning that SSL is a prerequisite for authentication in the repository.


If you have an SSL certificate, specify the path to it in the docker-compose file, as in the listing below.


    registry:
      restart: always
      image: registry:2
      ports:
        - 5000:5000
      environment:
        REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
        REGISTRY_HTTP_TLS_KEY: /certs/domain.key
      volumes:
        - /path/data:/var/lib/registry
        - /path/certs:/certs

If there is no SSL certificate, the best option is Let's Encrypt. In the latest Docker versions it works out of the box without creating certificates in advance, although I haven't found a working example anywhere, so I'll give one here.


    registry:
      restart: always
      image: registry:2
      ports:
        - 443:5000    # port 443, for Let's Encrypt
      environment:
        REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE: /cache.letsencrypt    # Let's Encrypt cache
        REGISTRY_HTTP_TLS_LETSENCRYPT_EMAIL: hello@rdseventeen.com    # email for Let's Encrypt
      volumes:
        - /path/data:/var/lib/registry

Note that for Let's Encrypt to work correctly, the port must be changed from 5000 to 443. The Let's Encrypt cache can be located anywhere.

To test our repository, run the following commands:


    docker pull ubuntu
    docker tag ubuntu myregistrydomain.com:443/ubuntu
    docker push myregistrydomain.com:443/ubuntu
    docker pull myregistrydomain.com:443/ubuntu

Configuring Authentication


Let's protect our repository with a password. To do this, create a password file and point the Docker repository at it. The following command creates a user testuser with the password testpassword and saves the entry in path/auth/htpasswd.


  docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > path/auth/htpasswd 

In docker-compose, specify the path to the file with passwords and use basic authentication.


    registry:
      restart: always
      image: registry:2
      ports:
        - 443:5000
      environment:
        REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE: /cache.letsencrypt
        REGISTRY_HTTP_TLS_LETSENCRYPT_EMAIL: hello@rdseventeen.com
        REGISTRY_AUTH: htpasswd
        REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
        REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
      volumes:
        - /path/data:/var/lib/registry
        - /path/auth:/auth

For the changes to take effect, restart the Docker repository with docker-compose restart. Log in to the new repository with docker login myregistrydomain.com:443. After that, the images stored in our repository will be available for download.
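
A configuration check for the setup built up in this article, as an added example that is not part of the original post: it audits a registry service's environment block and htpasswd contents for missing TLS, missing authentication and htpasswd entries that are not bcrypt (the registry's htpasswd backend accepts only bcrypt, hence -B in the command above). The function name audit_registry, the min_cost threshold and the sample hashes are assumptions constructed for illustration.

```python
import re

# Shape of a bcrypt entry as written by `htpasswd -B`: $2y$<cost>$<53 chars>.
BCRYPT = re.compile(r"^\$2[aby]\$(\d\d)\$[./A-Za-z0-9]{53}$")
TLS_SOURCES = ("REGISTRY_HTTP_TLS_CERTIFICATE", "REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE")


def audit_registry(env, htpasswd_text="", min_cost=10):
    """Return findings for a registry environment block; min_cost is this example's own threshold."""
    findings = []
    if not any(env.get(key) for key in TLS_SOURCES):
        findings.append("no TLS certificate or Let's Encrypt cache configured")
    if env.get("REGISTRY_HTTP_TLS_CERTIFICATE") and not env.get("REGISTRY_HTTP_TLS_KEY"):
        findings.append("REGISTRY_HTTP_TLS_CERTIFICATE set without REGISTRY_HTTP_TLS_KEY")
    auth = env.get("REGISTRY_AUTH")
    if not auth:
        findings.append("REGISTRY_AUTH unset: anyone who can reach the port can push and pull")
    if auth != "htpasswd":
        return findings  # other auth schemes are outside this example
    for key in ("REGISTRY_AUTH_HTPASSWD_PATH", "REGISTRY_AUTH_HTPASSWD_REALM"):
        if not env.get(key):
            findings.append(f"{key} is missing")
    users = 0
    for line in filter(str.strip, htpasswd_text.splitlines()):
        user, _, secret = line.strip().partition(":")
        users += 1
        match = BCRYPT.match(secret)
        if not match:
            findings.append(f"{user}: not a bcrypt hash (recreate with htpasswd -B)")
        elif int(match.group(1)) < min_cost:
            findings.append(f"{user}: bcrypt cost {match.group(1)} below {min_cost}")
    if not users:
        findings.append("htpasswd file has no users")
    return findings


# Constructed samples: the article's final environment block and fake (non-real) hashes.
FINAL = {
    "REGISTRY_HTTP_TLS_LETSENCRYPT_CACHEFILE": "/cache.letsencrypt",
    "REGISTRY_HTTP_TLS_LETSENCRYPT_EMAIL": "hello@rdseventeen.com",
    "REGISTRY_AUTH": "htpasswd",
    "REGISTRY_AUTH_HTPASSWD_PATH": "/auth/htpasswd",
    "REGISTRY_AUTH_HTPASSWD_REALM": "Registry Realm",
}
HTPASSWD = "testuser:$2y$05$" + "a" * 53 + "\nolduser:$apr1$constructed$notarealhash\n"

if __name__ == "__main__":
    for finding in audit_registry({}) + audit_registry(FINAL, HTPASSWD):
        print(finding)
```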


Summary


In this article we looked at creating a private Docker repository. For a deeper study of the topic, I recommend the official manual and the list of repository settings.


Thanks for your attention!



Source: https://habr.com/ru/post/320884/

