Docker registry:2 Setup with TLS, Basic Auth, and persistent data

ManagedKube
2 min read · Oct 8, 2015


I had to set up a Docker registry and found the usual documentation, but it seems to be missing a few steps here and there. This quick post walks through what I did so you don't have to hunt around for the information.

Starting off with this document: https://github.com/docker/distribution/blob/master/docs/deploying.md

Creating TLS Certs

Create the directory structures to put all of our files:

# mkdir -p /opt/docker-registry/cert
# cd /opt/docker-registry/cert

Create the certs in our new directory. It will ask you some questions but it does not really matter what you put in there.

# openssl req -newkey rsa:2048 -nodes -keyout registry_auth.key -x509 -days 365 -out registry_auth.crt

Create a user and password for authentication to our Docker registry

Create the directory structure

# mkdir -p /opt/docker-registry/auth
# cd /opt/docker-registry/auth

Create the user “admin” with the password “password”

# docker run --entrypoint htpasswd registry:2 -Bbn admin password >> /opt/docker-registry/auth/htpasswd

Start the Docker registry container

This will start the registry pointing at our cert directory and auth file. It also writes the registry data (the pushed images) to the local file system under “/opt/docker-registry/data”, so it persists after a reboot.

# docker run -d -p 5000:5000 --restart=always --name registry \
-v /opt/docker-registry/data:/var/lib/registry \
-v /opt/docker-registry/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /opt/docker-registry/cert:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry_auth.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry_auth.key \
registry:2

Update hosts to allow this Docker registry with the self-signed cert

Yeah, this part is a pain. You will need to update every external Docker host that will connect to this server so that it ignores the cert.

Edit the file: /etc/default/docker

Add in this content:

DOCKER_OPTS="--insecure-registry <IP ADDRESS>:5000"

Replace <IP ADDRESS> with the IP address of the host where the Docker registry is running. If you are using a DNS host name instead, put the DNS name there, or your Docker client will complain about the cert.

Restart Docker

# service docker stop
# service docker start
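Two checks for the setup above and the client-side alternative to --insecure-registry, as an added example rather than code from the original post: the registry's htpasswd backend accepts only bcrypt entries (hence the -B above), the cert and key should be a matching pair before the directory is mounted, and a client daemon will trust a self-signed registry cert dropped into /etc/docker/certs.d/<host>:<port>/ca.crt without turning off TLS verification. Paths follow the post; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# layout described above plus the client-side alternative to --insecure-registry.
set -eu

# registry:2 only accepts bcrypt hashes ($2a$/$2b$/$2y$) in its htpasswd file,
# which is why the post runs htpasswd with -B. Returns 0 when every entry is bcrypt.
htpasswd_is_bcrypt() {
  file="$1"
  [ -s "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    case "$line" in
      *:'$2a$'*|*:'$2b$'*|*:'$2y$'*) ;;
      *) return 1 ;;
    esac
  done < "$file"
  return 0
}

# Confirm registry_auth.crt and registry_auth.key in directory $1 belong
# together (same public key) before mounting the directory into the container.
cert_matches_key() {
  dir="$1"
  crt_pub=$(openssl x509 -in "$dir/registry_auth.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/registry_auth.key" -pubout)
  [ "$crt_pub" = "$key_pub" ]
}

# Instead of --insecure-registry (which disables TLS verification), a client
# daemon trusts a self-signed registry cert at /etc/docker/certs.d/<host>:<port>/ca.crt.
# $3 optionally prefixes the path so the function can be exercised in a scratch dir.
install_registry_ca() {
  registry="$1" cert="$2" root="${3:-}"
  dest="$root/etc/docker/certs.d/$registry"
  mkdir -p "$dest"
  cp "$cert" "$dest/ca.crt"
  chmod 0644 "$dest/ca.crt"
  printf '%s\n' "$dest/ca.crt"
}

# Run with the registry address to check the post's layout on the registry host
# and install the cert on this client, e.g.: sh preflight.sh <IP ADDRESS>:5000
if [ "$#" -eq 1 ]; then
  htpasswd_is_bcrypt /opt/docker-registry/auth/htpasswd || echo "htpasswd: non-bcrypt entry found"
  cert_matches_key /opt/docker-registry/cert || echo "cert/key mismatch"
  install_registry_ca "$1" /opt/docker-registry/cert/registry_auth.crt
fi
```

After installing the cert this way, the DOCKER_OPTS line above is no longer needed and the daemon verifies the registry's certificate normally.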

Pushing/Pulling from this registry

On that external Docker host that you updated the “DOCKER_OPTS” on, you can now do stuff like:

Login:

# docker login -u admin -p password -e test@test.com <IP ADDRESS>:5000

The email seems to be ignored and you can use anything you want.

Tag and push an image to the registry:

# docker tag <SOME IMAGE ID FROM DOCKER PS> <IP ADDRESS>:5000/test:tag1
# docker push <IP ADDRESS>:5000/test:tag1
