docker private registry setup

When you dealing with production grade docker and containers you need to secure and maintain your images so to do that we need to  configure own private registry for our organisation .




Key Benefits for private docker registry :


  1.  Private image artifactory  kind of
  2.  Bandwidth saving during image push 
  3.  distributed storage for 
  4.  no need for internet connection all the time

Dokcer Private registry can be setup in two modes:

1.  Non-secure mode (http based requests)
2.  Secure mode  (https based requests)


Setup architecture :-

1.  Docker  registry   server 
  
  1.  IP:  192.168.10.254     
  2.  Server :  Rhel 7.5 
  3.  firewalld  off  or   5000 port allowed 
2.   Docker client (push client)

  1.  IP  :   192.168.10.101
  2.   Client :   rhel 7.5 
3.  Docker client  (pull client)

  1.  IP :    192.168.10.127
  2.  Client :   ubuntu 16.04  
 



Use case 1:

We are going to take  Non-secure mode  registry setup

Docker  Registry  setup :

Step 1 :  checking docker version 

[root@adhoc ~]# docker version
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-68.gitdded712.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      dded712/1.13.1
 Built:           Tue Jul 17 18:34:48 2018
 OS/Arch:         linux/amd64

Server:
 Version:         1.13.1
 API version:     1.26 (minimum version 1.12)
 Package version: docker-1.13.1-68.gitdded712.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      dded712/1.13.1
 Built:           Tue Jul 17 18:34:48 2018
 OS/Arch:         linux/amd64
 Experimental:    false



Step  2 :     pulling  docker registry image from  docker hub

[root@adhoc ~]# docker pull registry

Step 3:   running  registry server on 5000 with restart policy

[root@adhoc ~]# docker run -itd --name privatereg  -p 5000:5000 --restart=always  docker.io/registry


[root@adhoc ~]# docker ps
CONTAINER ID        IMAGE                COMMAND                  CREATED             STATUS              PORTS                    NAMES
4d79520b89c4        docker.io/registry   "/entrypoint.sh /e..."   3 days ago          Up 3 days           0.0.0.0:5000->5000/tcp   registry



setup Docker  pull client  (rhel 7.5)

 Step 1 :    Installing docker

[root@station101 ~]# yum  install docker -y

step  2:   changing in configuration file 

Add these lines in the last of  /etc/sysconfig/docker  file

ADD_REGISTRY='--add-registry 192.168.10.254:5000'
INSECURE_REGISTRY='--insecure-registry 192.168.10.254:5000'



step  3:    restart  and  daemon-reload  

[root@station101 ~]# systemctl daemon-reload

[root@station101 ~]# systemctl restart  docker



step 4:   Pushing  images to docker private registry  

 Note:  first we need to tag then push it

[root@station101 ~]# docker tag  docker.io/registry  192.168.10.254:5000/registry
[root@station101 ~]# docker push 192.168.10.254:5000/registryThe push refers to a repository [192.168.10.254:5000/registry]
6b263b6e9ced: Pushed
dead8a13b621: Pushed
00a8ff67f927: Pushed
2b7bd2eefde2: Pushed
a120b7c9a693: Pushed
latest: digest: sha256:a25e4660ed5226bdb59a5e555083e08ded157b1218282840e55d25add0223390 size: 1364


Setup docker client for  Pulling  images (Ubuntu 16.04)

step 1:    install docker

[___] sudo apt  install docker

step 2 :  make changes in configuration search

-->> cat  /etc/docker/daemon.json
 
{ "insecure-registries" : ["192.168.10.254:5000"] }

Step  3 :    pulling  image from private registry  

-->> docker  pull   192.168.10.254:5000/nginx

[root@station101 ~]# systemctl daemon-reload

[root@station101 ~]# systemctl restart  docker


Important  :  setting  up secure  private private registry with authentication

Create directory : 

root@adhoc:   mkdir  /certs
step 1:   creating  self  signed  SSL  Certificate
 root@adhoc:  openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout /certs/ca.key \
  -x509 -days 365 -out /certs/ca.crt


root@adhoc:  docker run --entrypoint htpasswd registry:2 -Bbn ashu redhat >/certs/htpasswd
 



 Step 2:   running  docker registry  with only SSL


[root@adhoc ~]# docker run -d -p 5000:5000 --restart=always --name registry -v /certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ca.crt -e REGISTRY_HTTP_TLS_KEY=/certs/ca.key registry

OR :   docker registry with SSL and authentication 

docker run -d   -p 5000:5000   --restart=always   --name registry   -v /certs:/auth   -e "REGISTRY_AUTH=htpasswd"   -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"   -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd     -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ca.crt   -e REGISTRY_HTTP_TLS_KEY=/certs/ca.key   registry:2

 Setting  docker  secure client  :  

Note:     setting  registry  as same above but here we need to download  ca.crt  key to secure connection :

Step 1:  create directory  

[root@station101 ~]# mkdir -p  /etc/docker/certs.d/192.168.10.254:5000/

step  2:   Download ca.crt  

[root@station101 ~]# scp  192.168.10.254:/certs/ca.crt  /etc/docker/certs.d/192.168.10.254

Now: you can login 
 
[root@station101 ~]#  docker login  192.168.10.254:5000 -u ashu


Advanced  tips and tricks:-

Important:   Right now we need to tag  the image on  docker  client for pushing and also need to mention  ip address :port  while pulling  the image .

Tip 1:      pulling  and pushing  docker image without  ip and port  

[root@station101 ~]# systemctl status docker
 ● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-11-30 06:25:17 GMT; 24h ago
     Docs: http://docs.docker.com
 Main PID: 1187 (dockerd-current)
    Tasks: 26
 
 
[root@station101 ~]# cat  /usr/lib/systemd/system/docker.service

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target rhel-push-plugin.socket registries.service
Wants=docker-storage-setup.service
Requires=docker-cleanup.timer

[Service]
Type=notify
NotifyAccess=all
EnvironmentFile=-/run/containers/registries.conf
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
ExecStart=/usr/bin/dockerd-current \
          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
          --default-runtime=docker-runc \
          --exec-opt native.cgroupdriver=systemd \
          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
          --init-path=/usr/libexec/docker/docker-init-current \
          --seccomp-profile=/etc/docker/seccomp.json \
          --registry-mirror=http://192.168.10.254:5000 \       # add this
$OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY \
      $REGISTRIES
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal
KillMode=process

[Install]
WantedBy=multi-user.target

Restart and reload 

[root@station101 ~]# systemctl daemon-reload

[root@station101 ~]# systemctl restart  docker


Tip  2:      To  search  image in docker private registry

Search  all  present  images 

[___] curl -k -X GET https://192.168.10.254:5000/v2/_catalog
{"repositories":["busybox","centos","centos6","nginx","registry","simpleapp"]}

search tag of a particular  image:

[___] curl -k -X GET https://192.168.10.254:5000/v2/busybox/tags/list
{"name":"busybox","tags":["latest"]}

Thanks for staying
Enjoy the learning ....!!

 

Comments

  1. Thanks for posting such a Useful information .You done a great job.
    and also we are providing E-Learning Portal Videos for students and working Professionals
    Hurry Up! Bag All Courses in Rs - 10000 /- + taxes
    41 Career building courses.
    Designed by 33 industrial experts
    600+ hours of video Content
    DevOps and Cloud E-Learning Portal

    ReplyDelete
  2. Thank you for sharing valuable devops

    ReplyDelete
  3. Awesome post. You Post is very informative. Thanks for Sharing.
    DevOps Training Institute in Noida

    ReplyDelete
  4. It's essential that you love where you live. Staying in your home should make you happy. For people who work from home, it is even more important than their home is one they enjoy. A great way to increase how you feel inside is by completing home projects that need to be done.If you are going to sell your home and it does not suit the buyer, they can always fix it to satisfy themselves.Make Premium Look By Using Home improvement tools .

    ReplyDelete
  5. great https://docs.google.com/spreadsheets/d/1ov9ixS19JOjE2HPNJ_u6mU9AMFx13muG14d_L2pTYkU/edit?usp=sharing

    ReplyDelete
  6. Your post contains a lot of useful information for me. Thank you very much for that.


    Devops Training in pune

    ReplyDelete
  7. Hey thanks for this amazing post! Thank you so much for sharing the good post, I appreciate your hard work.Keep blogging.
    DevOps Training in Electronic City


    ReplyDelete
  8. You’d outstanding guidelines there. I did a search about the field and identified that very likely the majority will agree with your web page.
    Berhampur University BCOM 1st Year Result 2020
    Berhampur University Odisha BCOM 2nd Year Result 2020
    Berhampur University Odisha BCOM 3rd Year Result 2020

    ReplyDelete
  9. Thanks for the informative article. This is one of the best resources I have found in quite some time. Nicely written and great information. We are technology/news/smartphone company, If you want to read such useful news then Visit us: https://techmie.com/

    ReplyDelete
  10. Fantastic blog!!! Thanks for sharing with us, Waiting for your upcoming data.
    why is python so popular
    why is python popular

    ReplyDelete

Post a Comment