When you are dealing with production-grade Docker and containers you need to secure and maintain your images; to do that we configure our own private registry for the organisation.
Key benefits of a private docker registry :
- A private image artifactory of sorts for the organisation
- Bandwidth saving during image push and pull
- distributed storage for
- no need for an internet connection all the time
Docker private registry can be set up in two modes:
1. Non-secure mode (http based requests)
2. Secure mode (https based requests)
Setup architecture :-
1. Docker registry server
- IP: 192.168.10.254
- Server : RHEL 7.5
- firewalld off or port 5000 allowed
2. Docker client
- IP : 192.168.10.101
- Client : RHEL 7.5
3. Docker client
- IP : 192.168.10.127
- Client : Ubuntu 16.04
Use case 1: non-secure mode
We start with the non-secure (http) mode registry setup.
Docker Registry setup :
Step 1 : checking docker version
[root@adhoc ~]# docker version
Client:
Version: 1.13.1
API version: 1.26
Package version: docker-1.13.1-68.gitdded712.el7.centos.x86_64
Go version: go1.9.4
Git commit: dded712/1.13.1
Built: Tue Jul 17 18:34:48 2018
OS/Arch: linux/amd64
Server:
Version: 1.13.1
API version: 1.26 (minimum version 1.12)
Package version: docker-1.13.1-68.gitdded712.el7.centos.x86_64
Go version: go1.9.4
Git commit: dded712/1.13.1
Built: Tue Jul 17 18:34:48 2018
OS/Arch: linux/amd64
Experimental: false
Step 2 : pulling docker registry image from docker hub
[root@adhoc ~]# docker pull registry
Step 3: running the registry server on port 5000 with a restart policy
[root@adhoc ~]# docker run -itd --name privatereg -p 5000:5000 --restart=always docker.io/registry
[root@adhoc ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4d79520b89c4 docker.io/registry "/entrypoint.sh /e..." 3 days ago Up 3 days 0.0.0.0:5000->5000/tcp registry
Setup Docker client for pushing images (RHEL 7.5)
Step 1 : Installing docker
[root@station101 ~]# yum install docker -y
step 2: change the daemon configuration file
Add these two lines at the end of /etc/sysconfig/docker (ADD_REGISTRY lets the daemon query the private registry for unqualified image names, INSECURE_REGISTRY allows plain http to it):
ADD_REGISTRY='--add-registry 192.168.10.254:5000'
INSECURE_REGISTRY='--insecure-registry 192.168.10.254:5000'
step 3: restart and daemon-reload
[root@station101 ~]# systemctl daemon-reload
[root@station101 ~]# systemctl restart docker
step 4: Pushing images to docker private registry
Note: the image must first be tagged with the registry address, then pushed
[root@station101 ~]# docker tag docker.io/registry 192.168.10.254:5000/registry
[root@station101 ~]# docker push 192.168.10.254:5000/registry
The push refers to a repository [192.168.10.254:5000/registry]
6b263b6e9ced: Pushed
dead8a13b621: Pushed
00a8ff67f927: Pushed
2b7bd2eefde2: Pushed
a120b7c9a693: Pushed
latest: digest: sha256:a25e4660ed5226bdb59a5e555083e08ded157b1218282840e55d25add0223390 size: 1364
Setup docker client for Pulling images (Ubuntu 16.04)
step 1: install docker (on Ubuntu 16.04 the engine package is docker.io; the package named docker is unrelated)
[___] sudo apt install docker.io
step 2 : add the registry to /etc/docker/daemon.json (the daemon reads this file when it starts)
-->> cat /etc/docker/daemon.json
{ "insecure-registries" : ["192.168.10.254:5000"] }
Step 3 : pulling image from private registry
-->> docker pull 192.168.10.254:5000/nginx
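The daemon.json step above is easy to get wrong on a host that already has a daemon.json: overwriting the file drops every other setting, and an entry without the port (or with an http:// prefix) never matches, so the pull still fails with a TLS error. The following is an added example (not code from the post) that merges the insecure-registries entry into an existing file idempotently, validates the host:port form, and can remove the entry again once the registry serves TLS. The sample daemon.json content inside it is constructed for the example.

```python
import json
import re
from typing import Optional

# Registry address used throughout the walkthrough.
REGISTRY = "192.168.10.254:5000"

# host:port only. The daemon matches insecure-registries entries literally,
# so a missing port or a scheme prefix silently fails to match.
_ADDR_RE = re.compile(r"^[A-Za-z0-9.-]+:(\d{1,5})$")


def is_valid_registry(addr: str) -> bool:
    """True for a bare host:port with a usable port number."""
    m = _ADDR_RE.match(addr)
    return bool(m) and 1 <= int(m.group(1)) <= 65535


def merge_insecure_registry(cfg: dict, addr: str) -> dict:
    """Return a copy of the daemon.json object with addr in insecure-registries.

    Every other key is preserved and an entry already present is not duplicated,
    so the function is safe to run repeatedly from configuration management.
    """
    if not is_valid_registry(addr):
        raise ValueError(f"registry must be host:port, got {addr!r}")
    entries = cfg.get("insecure-registries", [])
    if not isinstance(entries, list):
        raise ValueError("insecure-registries must be a JSON list")
    new_cfg = dict(cfg)
    new_cfg["insecure-registries"] = entries + ([addr] if addr not in entries else [])
    return new_cfg


def drop_insecure_registry(cfg: dict, addr: str) -> dict:
    """Remove addr once the registry serves TLS; the key disappears when empty."""
    new_cfg = dict(cfg)
    entries = [e for e in cfg.get("insecure-registries", []) if e != addr]
    if entries:
        new_cfg["insecure-registries"] = entries
    else:
        new_cfg.pop("insecure-registries", None)
    return new_cfg


def render_daemon_json(existing_text: Optional[str], addr: str, remove: bool = False) -> str:
    """Produce the new file content from the current content (None if the file is absent)."""
    cfg = json.loads(existing_text) if existing_text and existing_text.strip() else {}
    if not isinstance(cfg, dict):
        raise ValueError("daemon.json must contain a single JSON object")
    cfg = drop_insecure_registry(cfg, addr) if remove else merge_insecure_registry(cfg, addr)
    return json.dumps(cfg, indent=2, sort_keys=True) + "\n"


def update_daemon_json(path: str, addr: str, remove: bool = False) -> None:
    """Read-modify-write a real daemon.json in place (run as root, then restart
    the docker daemon so it picks the change up)."""
    try:
        with open(path, encoding="utf-8") as fh:
            current = fh.read()
    except FileNotFoundError:
        current = None
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(render_daemon_json(current, addr, remove))


if __name__ == "__main__":
    # Constructed sample of a daemon.json that already carries another setting.
    sample = '{"log-driver": "json-file", "insecure-registries": ["10.0.0.5:5000"]}'
    print(render_daemon_json(sample, REGISTRY))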
Docker Registry setup :
Step 1 : checking docker version
[root@adhoc ~]# docker version
Client:
Version: 1.13.1
API version: 1.26
Package version: docker-1.13.1-68.gitdded712.el7.centos.x86_64
Go version: go1.9.4
Git commit: dded712/1.13.1
Built: Tue Jul 17 18:34:48 2018
OS/Arch: linux/amd64
Server:
Version: 1.13.1
API version: 1.26 (minimum version 1.12)
Package version: docker-1.13.1-68.gitdded712.el7.centos.x86_64
Go version: go1.9.4
Git commit: dded712/1.13.1
Built: Tue Jul 17 18:34:48 2018
OS/Arch: linux/amd64
Experimental: false
Step 2 : pulling docker registry image from docker hub
[root@adhoc ~]# docker pull registry
Step 3: running registry server on 5000 with restart policy
[root@adhoc ~]# docker run -itd --name privatereg -p 5000:5000 --restart=always docker.io/registry
[root@adhoc ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4d79520b89c4 docker.io/registry "/entrypoint.sh /e..." 3 days ago Up 3 days 0.0.0.0:5000->5000/tcp registry
setup Docker pull client (rhel 7.5)
Step 1 : Installing docker
[root@station101 ~]# yum install docker -y
step 2: changing in configuration file
Add these lines in the last of /etc/sysconfig/docker file
ADD_REGISTRY='--add-registry 192.168.10.254:5000'
INSECURE_REGISTRY='--insecure-registry 192.168.10.254:5000'
step 3: restart and daemon-reload
[root@station101 ~]# systemctl daemon-reload
[root@station101 ~]# systemctl restart docker
step 4: Pushing images to docker private registry
Note: first we need to tag then push it
[root@station101 ~]# docker tag docker.io/registry 192.168.10.254:5000/registry
[root@station101 ~]# docker push 192.168.10.254:5000/registryThe push refers to a repository [192.168.10.254:5000/registry]
6b263b6e9ced: Pushed
dead8a13b621: Pushed
00a8ff67f927: Pushed
2b7bd2eefde2: Pushed
a120b7c9a693: Pushed
latest: digest: sha256:a25e4660ed5226bdb59a5e555083e08ded157b1218282840e55d25add0223390 size: 1364
Setup docker client for Pulling images (Ubuntu 16.04)
step 1: install docker
[___] sudo apt install docker
step 2 : make changes in configuration search
-->> cat /etc/docker/daemon.json
{ "insecure-registries" : ["192.168.10.254:5000"] }
Step 3 : pulling image from private registry
-->> docker pull 192.168.10.254:5000/nginx
[root@station101 ~]# systemctl daemon-reload
[root@station101 ~]# systemctl restart docker
Important : setting up secure private private registry with authentication
Create directory :
root@adhoc: mkdir /certs
step 1: creating self signed SSL Certificate
root@adhoc: openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout /certs/ca.key \
-x509 -days 365 -out /certs/ca.crt
root@adhoc: docker run --entrypoint htpasswd registry:2 -Bbn ashu redhat >/certs/htpasswd
Step 2: running docker registry with only SSL
OR : docker registry with SSL and authentication
docker run -d -p 5000:5000 --restart=always --name registry -v /certs:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ca.crt -e REGISTRY_HTTP_TLS_KEY=/certs/ca.key registry:2
Setting docker secure client :
Note: setting registry as same above but here we need to download ca.crt key to secure connection :
Step 1: create directory
[root@station101 ~]# mkdir -p /etc/docker/certs.d/192.168.10.254:5000/
step 2: Download ca.crt
[root@station101 ~]# scp 192.168.10.254:/certs/ca.crt /etc/docker/certs.d/192.168.10.254
Now: you can login
[root@station101 ~]# docker login 192.168.10.254:5000 -u ashu
Advanced tips and tricks:-
Important: Right now we need to tag the image on docker client for pushing and also need to mention ip address :port while pulling the image .
Tip 1: pulling and pushing docker image without ip and port
[root@station101 ~]# systemctl status docker
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2018-11-30 06:25:17 GMT; 24h ago
Docs: http://docs.docker.com
Main PID: 1187 (dockerd-current)
Tasks: 26
[root@station101 ~]# cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target rhel-push-plugin.socket registries.service
Wants=docker-storage-setup.service
Requires=docker-cleanup.timer
[Service]
Type=notify
NotifyAccess=all
EnvironmentFile=-/run/containers/registries.conf
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
ExecStart=/usr/bin/dockerd-current \
--add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
--default-runtime=docker-runc \
--exec-opt native.cgroupdriver=systemd \
--userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
--init-path=/usr/libexec/docker/docker-init-current \
--seccomp-profile=/etc/docker/seccomp.json \
--registry-mirror=http://192.168.10.254:5000 \ # add this
$OPTIONS \
$DOCKER_STORAGE_OPTIONS \
$DOCKER_NETWORK_OPTIONS \
$ADD_REGISTRY \
$BLOCK_REGISTRY \
$INSECURE_REGISTRY \
$REGISTRIES
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal
KillMode=process
[Install]
WantedBy=multi-user.target
Restart and reload
[root@station101 ~]# systemctl daemon-reload
[root@station101 ~]# systemctl restart docker
Tip 2: To search image in docker private registry
Search all present images
[___] curl -k -X GET https://192.168.10.254:5000/v2/_catalog
{"repositories":["busybox","centos","centos6","nginx","registry","simpleapp"]}
search tag of a particular image:
[___] curl -k -X GET https://192.168.10.254:5000/v2/busybox/tags/list
{"name":"busybox","tags":["latest"]}
Thanks for staying
Enjoy the learning ....!!
[root@station101 ~]# systemctl restart docker
Important : setting up secure private private registry with authentication
Create directory :
root@adhoc: mkdir /certs
step 1: creating self signed SSL Certificate
root@adhoc: openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout /certs/ca.key \
-x509 -days 365 -out /certs/ca.crt
root@adhoc: docker run --entrypoint htpasswd registry:2 -Bbn ashu redhat >/certs/htpasswd
Step 2: running docker registry with only SSL
[root@adhoc ~]# docker run -d -p 5000:5000 --restart=always --name registry -v /certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ca.crt -e REGISTRY_HTTP_TLS_KEY=/certs/ca.key registry
OR : docker registry with SSL and authentication
docker run -d -p 5000:5000 --restart=always --name registry -v /certs:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ca.crt -e REGISTRY_HTTP_TLS_KEY=/certs/ca.key registry:2
Setting docker secure client :
Note: setting registry as same above but here we need to download ca.crt key to secure connection :
Step 1: create directory
[root@station101 ~]# mkdir -p /etc/docker/certs.d/192.168.10.254:5000/
step 2: Download ca.crt
[root@station101 ~]# scp 192.168.10.254:/certs/ca.crt /etc/docker/certs.d/192.168.10.254
Now: you can login
[root@station101 ~]# docker login 192.168.10.254:5000 -u ashu
Advanced tips and tricks:-
Important: Right now we need to tag the image on docker client for pushing and also need to mention ip address :port while pulling the image .
Tip 1: pulling and pushing docker image without ip and port
[root@station101 ~]# systemctl status docker
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2018-11-30 06:25:17 GMT; 24h ago
Docs: http://docs.docker.com
Main PID: 1187 (dockerd-current)
Tasks: 26
[root@station101 ~]# cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target rhel-push-plugin.socket registries.service
Wants=docker-storage-setup.service
Requires=docker-cleanup.timer
[Service]
Type=notify
NotifyAccess=all
EnvironmentFile=-/run/containers/registries.conf
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
ExecStart=/usr/bin/dockerd-current \
--add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
--default-runtime=docker-runc \
--exec-opt native.cgroupdriver=systemd \
--userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
--init-path=/usr/libexec/docker/docker-init-current \
--seccomp-profile=/etc/docker/seccomp.json \
--registry-mirror=http://192.168.10.254:5000 \ # add this
$OPTIONS \
$DOCKER_STORAGE_OPTIONS \
$DOCKER_NETWORK_OPTIONS \
$ADD_REGISTRY \
$BLOCK_REGISTRY \
$INSECURE_REGISTRY \
$REGISTRIES
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal
KillMode=process
[Install]
WantedBy=multi-user.target
Restart and reload
[root@station101 ~]# systemctl daemon-reload
[root@station101 ~]# systemctl restart docker
Tip 2: To search image in docker private registry
Search all present images
[___] curl -k -X GET https://192.168.10.254:5000/v2/_catalog
{"repositories":["busybox","centos","centos6","nginx","registry","simpleapp"]}
search tag of a particular image:
[___] curl -k -X GET https://192.168.10.254:5000/v2/busybox/tags/list
{"name":"busybox","tags":["latest"]}
Thanks for staying
Enjoy the learning ....!!
Thanks for the post, here is a blog on Path to DevOps.
ReplyDeleteThankyou for sharing this information. Azure DevOps online training
ReplyDeleteThanks for posting such a Useful information .You done a great job.
ReplyDeleteand also we are providing E-Learning Portal Videos for students and working Professionals
Hurry Up! Bag All Courses in Rs - 10000 /- + taxes
41 Career building courses.
Designed by 33 industrial experts
600+ hours of video Content
DevOps and Cloud E-Learning Portal
Thank you for your post. This is excellent information. It is amazing and wonderful to visit your site.
ReplyDeleteDevOps Online Course in NewYork
Top DevOps Courses Online in NewYork
Best DevOps training online in USA
DevOps Online Course in NewYork
DevOps Advanced Certification course
devops practitioner certification
devops practitioner course in USA
Thank you for sharing valuable devops
ReplyDeleteThank you for sharing valuable Devops Training
ReplyDeleteDevops online Training
Devops Training in Hyderabad
Here is the information regarding best training center for DevOps
ReplyDeleteDevOps Online Course in NewYork
docker training course online
DevOps Advanced Certification course
git online certification course in NewYork
Awesome post. You Post is very informative. Thanks for Sharing.
ReplyDeleteDevOps Training Institute in Noida
Thank you for sharing.
ReplyDeleteDecOps & Cloud Course Videos
It's essential that you love where you live. Staying in your home should make you happy. For people who work from home, it is even more important than their home is one they enjoy. A great way to increase how you feel inside is by completing home projects that need to be done.If you are going to sell your home and it does not suit the buyer, they can always fix it to satisfy themselves.Make Premium Look By Using Home improvement tools .
ReplyDeletegreat https://docs.google.com/spreadsheets/d/1ov9ixS19JOjE2HPNJ_u6mU9AMFx13muG14d_L2pTYkU/edit?usp=sharing
ReplyDeleteThanks for providing a good stuff
ReplyDeleteMicrosoft Azure DevOps Training
Azure DevOps online training in hyderabad
Microsoft Azure DevOps Online Training
Microsoft Azure DevOps training hyderabad
Your post contains a lot of useful information for me. Thank you very much for that.
ReplyDeleteDevops Training in pune
Hey thanks for this amazing post! Thank you so much for sharing the good post, I appreciate your hard work.Keep blogging.
ReplyDeleteDevOps Training in Electronic City
Nice blog,keep posting.
ReplyDeleteDevops training in hyderabad
You’d outstanding guidelines there. I did a search about the field and identified that very likely the majority will agree with your web page.
ReplyDeleteBerhampur University BCOM 1st Year Result 2020
Berhampur University Odisha BCOM 2nd Year Result 2020
Berhampur University Odisha BCOM 3rd Year Result 2020
Excellent Post on AWS.
ReplyDeleteAWS Training in Chennai | AWS Training Institute in Chennai
Informative blog. Thanks for sharing.
ReplyDeleteDocker and Kubernetes Training
Docker and Kubernetes Online Training
Kubernetes Online Training
Docker Online Training
Thanks for sharing the valuable information. Keep on sharing.
ReplyDeleteDocker and Kubernetes Training
Kubernetes Online Training
Docker Online Training
Docker and Kubernetes Online Training
Very Informative! To know more on devops training online.
ReplyDeleteThanks for the informative article. This is one of the best resources I have found in quite some time. Nicely written and great information. We are technology/news/smartphone company, If you want to read such useful news then Visit us: https://techmie.com/
ReplyDeleteNice Post Product Engineering Company in UK
ReplyDeleteGood blog to read and share..!
ReplyDeleteCyber Security Certification In Chennai
Cyber Security Professional Basic Online Course
Cyber Security Institute In Bangalore
Fantastic blog!!! Thanks for sharing with us, Waiting for your upcoming data.
ReplyDeletewhy is python so popular
why is python popular
maraş evden eve nakliyat
ReplyDeletemaraş evden eve nakliyat
izmir evden eve nakliyat
konya evden eve nakliyat
erzurum evden eve nakliyat
VA5
FRYUFTURFYUIT7
ReplyDeleteتسليك مجاري بالقطيف