Launch Private Registry with SSL

Ref: https://katacoda.com/courses/cicd/launch-private-registry

Launch Private Registry with SSL
———————————–

In this scenario, we’ll cover how to launch a private Docker Registry with TLS via SSL.

A private Registry enables you to distribute Docker Images without being dependent on external providers or the public cloud. This allows you to increase security and confidence of your image sources and versioning.

Step 1 – Starting Registry
The Registry is deployed as a container and accessible via port 5000. Docker clients use the registry's domain name to reach it and push/pull images. Because the domain is part of the image name, a single client can work with multiple registries.

In this example our Docker registry is located at registry.test.training.katacoda.com.

docker run -d -p 5000:5000 \
-v /root/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.test.training.katacoda.com.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.test.training.katacoda.com.key \
-v /opt/registry/data:/var/lib/registry \
--name registry registry:2

Mounting the volume /var/lib/registry is important. This is where the Registry will store all of the pushed images. Mounting the directory will allow you to restart and upgrade the container in future.

Securing access to the Registry via TLS is important. If the Registry is insecure, then you'll need to configure every Docker daemon that accesses the Registry to explicitly allow access to it.

To secure the Registry, we’ll use SSL certificates combined with NGINX to manage the SSL termination. We’ve added the certificate and key to the certs directory on the client.

ls /root/certs/

When creating the Registry container, the certificates were mounted in, with the correct environment variables set so the Registry could pick them up.

-v /root/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.test.training.katacoda.com.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.test.training.katacoda.com.key \

Important: These certificates are only for test purposes and not production use. Visit letsencrypt.org to obtain a certificate for your domain.

We can test access to the registry using curl. The response should include headers such as Docker-Distribution-API-Version, indicating the request was processed by the Registry server.

curl -i https://registry.test.training.katacoda.com:5000/v2/

Pushing Images:
—————-

The Registry is now running.

We now need to push images to our new Registry. To push/pull images from non-default Registries we need to include the registry URL in the image name. Generally, an image follows a <name>:<tag> format because Docker defaults to the public registry. The full format is <registry-url>/<name>:<tag>.

We can use the docker tag command to add additional tags to an existing image, in this case the Redis image.

docker pull redis:alpine; docker tag redis:alpine registry.test.training.katacoda.com:5000/redis:alpine

Once tagged, we can push the image. Each layer of the image will be pushed.

docker push registry.test.training.katacoda.com:5000/redis:alpine
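The image-name format above and the curl check from the previous step, as an added example that is not part of the Katacoda scenario: a POSIX shell helper that splits a reference such as registry.test.training.katacoda.com:5000/redis:alpine into registry, name and tag (the registry port and the tag both use a colon, but the slash separates them), and a second helper that checks a `curl -i .../v2/` response for a 200 status and the Docker-Distribution-API-Version header. The sample response is constructed, and `check_live_registry` is an assumed wrapper name.

```shell
#!/bin/sh
# Added example, not part of the Katacoda scenario. Two pure-shell helpers:
#  - ref_split: splits <registry-host[:port]>/<name>:<tag> into its parts.
#  - registry_response_ok: checks a `curl -i .../v2/` response for a 200
#    status and the Docker-Distribution-API-Version header.

# Print "<registry> <name> <tag>". The first path component is the registry
# only when it looks like a host (has '.' or ':' or is 'localhost'); otherwise
# the default public registry applies. Digest (@sha256:...) refs are not handled.
ref_split() {
  ref="$1"
  first="${ref%%/*}"
  case "$ref" in
    */*) case "$first" in
           *.*|*:*|localhost) registry="$first"; rest="${ref#*/}" ;;
           *) registry="docker.io"; rest="$ref" ;;
         esac ;;
    *)   registry="docker.io"; rest="$ref" ;;
  esac
  # Any ':' left in $rest separates name and tag (the port went with $first).
  case "$rest" in
    *:*) name="${rest%:*}"; tag="${rest##*:}" ;;
    *)   name="$rest"; tag="latest" ;;
  esac
  printf '%s %s %s\n' "$registry" "$name" "$tag"
}

# Read a raw HTTP response on stdin; succeed only on status 200 plus the
# Docker-Distribution-API-Version header (case-insensitive, CRLF tolerant).
registry_response_ok() {
  awk 'NR == 1 && $2 == "200" { ok = 1 }
       tolower($1) == "docker-distribution-api-version:" { ver = 1 }
       END { exit !(ok && ver) }'
}

# Live check against a running registry (needs network; add --cacert if the
# certificate is not signed by a CA your system trusts). Assumed helper name.
check_live_registry() {
  curl -si "https://$1/v2/" | registry_response_ok
}

# Constructed sample, modelled on what registry:2 returns for GET /v2/.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0

{}'

ref_split registry.test.training.katacoda.com:5000/redis:alpine
printf '%s\n' "$SAMPLE_RESPONSE" | registry_response_ok && echo "registry response OK"
```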

Pulling Images
—————-
First, remove the local images so they need to be pulled again.

docker rmi redis:alpine && docker rmi registry.test.training.katacoda.com:5000/redis:alpine

As with push, pulling also includes the URL of our target Registry.

docker pull registry.test.training.katacoda.com:5000/redis:alpine

You've successfully deployed your Registry. In this example the registry was reachable at registry.test.training.katacoda.com:5000.

Steps for production:
———————
Define a domain for your registry. You need to own the domain and point the DNS to the host running your registry container.

Obtain an SSL certificate. Letsencrypt.org offers free HTTPS SSL certificates, which are ideal for use with Docker Registry and benhall/nginx-registry-proxy.

More details at https://docs.docker.com/registry/deploying/
