Docker registry:2 Setup with TLS, Basic Auth, and persistent data
I had to set up a Docker registry and found the usual documentation, but it seems to be missing a few steps here and there. This quick post walks through what I did so you don't have to hunt around for the information.
Starting off with this document: https://github.com/docker/distribution/blob/master/docs/deploying.md
Creating TLS Certs
Create the directory structures to put all of our files:
# mkdir -p /opt/docker-registry/cert
# cd /opt/docker-registry/cert
Create the certs in our new directory. It will ask you some questions but it does not really matter what you put in there.
# openssl req -newkey rsa:2048 -nodes -keyout registry_auth.key -x509 -days 365 -out registry_auth.crt
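Added example, not part of the original post: the same openssl step done non-interactively, with a Subject Alternative Name set to the host name or IP that clients will use in the registry URL (current Docker clients verify the SAN rather than the CN). The host name `registry.example.internal`, the output directory and the checking helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): generate the registry's TLS key
# and self-signed certificate non-interactively, with a SAN that matches the
# name or IP clients will put in the registry URL. The host and output
# directory are placeholders.
set -eu

# make_registry_cert <out_dir> <registry_host> [days]
# Writes registry_auth.key and registry_auth.crt into <out_dir>.
make_registry_cert() {
    out_dir=$1
    host=$2
    days=${3:-365}
    mkdir -p "$out_dir"
    # The SAN must be typed correctly: a bare IPv4 address is an IP SAN,
    # anything else is treated as a DNS name.
    case "$host" in
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host" ;;
    esac
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$host" \
        -addext "subjectAltName=$san" \
        -keyout "$out_dir/registry_auth.key" \
        -out "$out_dir/registry_auth.crt" >/dev/null 2>&1
    # The private key is what makes the TLS endpoint trustworthy: owner-only.
    chmod 600 "$out_dir/registry_auth.key"
}

# cert_has_san <crt> <registry_host>
# Exits 0 when the certificate's SAN list contains the host, so the
# mismatch can be caught before the registry is started.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "(DNS|IP Address):$2([, ]|$)"
}

# Usage: make_registry_cert /opt/docker-registry/cert registry.example.internal
#        cert_has_san /opt/docker-registry/cert/registry_auth.crt registry.example.internal
```

If you later point clients at the registry by IP address instead of by name, regenerate the certificate with that IP; a certificate issued for the name alone will not verify against the address.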
Create a user and password for authentication to our Docker registry
Create the directory structure
# mkdir -p /opt/docker-registry/auth
# cd /opt/docker-registry/auth
Create the user “admin” with the password “password”
# docker run --entrypoint htpasswd registry:2 -Bbn admin password >> /opt/docker-registry/auth/htpasswd
Start the Docker registry container
This will start the registry pointing to our cert and auth file. It will also output the data (items in the registry) to the local file system to “/opt/docker-registry/data” so it will persist after a reboot.
# docker run -d -p 5000:5000 --restart=always --name registry \
-v /opt/docker-registry/data:/var/lib/registry \
-v /opt/docker-registry/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /opt/docker-registry/cert:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry_auth.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry_auth.key \
registry:2
Update hosts to allow this Docker registry with the self-signed cert
Yeah, this part is a pain. You will need to update every external Docker host that will be connecting to this server so that it skips certificate verification for it.
Edit the file: /etc/default/docker
Add in this content:
DOCKER_OPTS="--insecure-registry <IP ADDRESS>:5000"
Replace <IP ADDRESS> with the IP address of the machine where the Docker registry is running. If you are using a DNS host name, put the DNS name there instead, or your Docker client will complain about the cert.
Restart Docker
# service docker stop
# service docker start
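Added example, not part of the original post: `--insecure-registry` makes the daemon skip certificate verification for that host (and allows a fall-back to plain HTTP), which discards the protection the certificate was created for. Docker also supports trusting a specific certificate per registry by placing it at `/etc/docker/certs.d/<host>:<port>/ca.crt` on each client; that needs no daemon restart and keeps verification on. The host name, the `certs_d_root` override and the `check_registry` smoke test are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): trust the registry's self-signed
# certificate on a client host instead of marking the registry insecure.
# Docker reads /etc/docker/certs.d/<host:port>/ca.crt for that registry only.
# The certs.d root is a parameter so the function can be exercised against a
# scratch directory.
set -eu

# install_registry_ca <registry_crt> <host:port> [certs_d_root]
# Prints the path of the installed ca.crt.
install_registry_ca() {
    crt=$1
    registry=$2
    root=${3:-/etc/docker/certs.d}
    # Refuse anything that does not parse as an X.509 certificate.
    openssl x509 -in "$crt" -noout >/dev/null 2>&1 || {
        echo "not a PEM certificate: $crt" >&2
        return 1
    }
    mkdir -p "$root/$registry"
    cp "$crt" "$root/$registry/ca.crt"
    chmod 644 "$root/$registry/ca.crt"
    echo "$root/$registry/ca.crt"
}

# registry_trusted <host:port> [certs_d_root]
# Exits 0 when a ca.crt is in place for that registry.
registry_trusted() {
    [ -f "${2:-/etc/docker/certs.d}/$1/ca.crt" ]
}

# check_registry <host:port> <ca.crt> <user> <password>
# Smoke test over the verified TLS channel: /v2/ must demand credentials
# (401 without them) and accept the htpasswd user (200 with them).
check_registry() {
    anon=$(curl -sS -o /dev/null -w '%{http_code}' --cacert "$2" "https://$1/v2/")
    auth=$(curl -sS -o /dev/null -w '%{http_code}' --cacert "$2" -u "$3:$4" "https://$1/v2/")
    [ "$anon" = 401 ] && [ "$auth" = 200 ]
}

# Usage on a client host (placeholder name):
#   install_registry_ca registry_auth.crt registry.example.internal:5000
#   check_registry registry.example.internal:5000 registry_auth.crt admin password
```

Because the trust is scoped to one `<host>:<port>` directory, a client that talks to several registries can hold a different certificate for each without weakening verification for any of them.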
Pushing/Pulling from this registry
On that external Docker host that you updated the “DOCKER_OPTS” on, you can now do stuff like:
Login:
# docker login -u admin -p password -e test@test.com <IP ADDRESS>:5000
The email seems to be ignored and you can use anything you want.
Tag and push an image to the registry:
# docker tag <SOME IMAGE ID FROM DOCKER PS> <IP ADDRESS>:5000/test:tag1
# docker push <IP ADDRESS>:5000/test:tag1