Docker Registry
Docker Trusted Registry (DTR) is a commercial product that enables a complete image
management workflow, featuring LDAP integration, image signing, security scanning, and
integration with Universal Control Plane. DTR is offered as an add-on to Docker Enterprise
subscriptions of Standard or higher.
What it is
The Registry is a stateless, highly scalable server-side application that stores and lets you
distribute Docker images. The Registry is open-source, under the permissive Apache license.
Why use it
You should use the Registry if you want to:
1. tightly control where your images are being stored
2. fully own your images distribution pipeline
3. integrate image storage and distribution tightly into your in-house development
workflow
Alternatives
Users looking for a zero-maintenance, ready-to-go solution are encouraged to head over to the
Docker Hub, which provides a free-to-use, hosted Registry, plus additional features
(organization accounts, automated builds, and more).
Users looking for a commercially supported version of the Registry should look into Docker
Trusted Registry.
Requirements
The Registry is compatible with Docker engine version 1.6.0 or higher.
Basic commands
Start your registry
$ docker run -d -p 5000:5000 --restart=always \
    -v /reg:/var/lib/registry --name registry registry:2
-d = runs the container in the background
-p = maps port 5000 of the container to port 5000 on the host
Images pushed into the registry are saved in the ‘/var/lib/registry’
directory inside the container, so use -v /reg:/var/lib/registry to mount a
local storage directory and persist the images permanently.
Infrastructure
IP Address     OS      Purpose
10.54.41.67    Redhat  Acts as the Docker private registry server.
10.54.41.68    Redhat  Acts as the Docker engine node where developers build Docker images, either with a Dockerfile or Docker Compose, and then upload those images to the private registry server above.
10.54.41.69    Redhat  Acts as the Docker engine node where we deploy containers downloaded (pulled) from the private registry server.
Setup SSL
Edit the OpenSSL configuration file /etc/pki/tls/openssl.cnf on the 10.54.41.67 host and add
subjectAltName = IP:10.54.41.67 to the [v3_ca] section, as follows:
…
[ v3_ca ]
subjectAltName = IP:10.54.41.67
...
Setup Docker Private Registry
Edit ‘/lib/systemd/system/docker.service’.
# vi /lib/systemd/system/docker.service
# mkdir -p /docker_data/certs
# openssl req -newkey rsa:4096 -nodes -sha256 \
    -keyout /docker_data/certs/domain.key -x509 -days 365 \
    -out /docker_data/certs/domain.crt
The -nodes option leaves domain.key unencrypted on disk, so keep /docker_data/certs readable by root only.
Replace “registry.itzgeek.local” with the FQDN of your registry server. The generated certificate
“domain.crt” needs to be placed on all of your build/deploy nodes so that they trust this certificate.
Start the Docker registry container with the certificate information.
# docker ps
Distributing X.509 Certificates
If the registry host uses a self-signed X.509 certificate, you must distribute the certificate to all
hosts in your deployment on which you intend to use the local Docker registry. Perform the following
steps on each host that needs to access the local registry. Substitute registry_hostname with the
name of the registry host, and port with the port number you selected for your Docker registry
server (5000 by default).
To distribute a self-signed X.509 certificate:
1. Create the /etc/docker/certs.d/registry_hostname:port directory.
# mkdir -p /etc/docker/certs.d/registry_hostname:port
2. Tag the image so that it points to the local registry. For example:
# docker tag container-registry.oracle.com/os/oraclelinux:latest \
localhost:5000/ol7image:v1
In this example, localhost is the hostname where the local registry is located and 5000 is the
port number that the registry listens on. If you are working on a Docker Engine located on a different
host to the registry, you must change the hostname to point to the correct host. Note that the
repository and tag name, ol7image:v1 in the example, must all be in lower case to be a valid tag.
3. Push the image to the local registry. For example:
# docker push localhost:5000/ol7image:v1
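An added example (not part of the original page): a check to run on each build/deploy node before trusting domain.crt, confirming that the certificate carries the subjectAltName configured in [v3_ca] and has not expired, then placing it in the certs.d directory from step 1. The function names and the CERTS_ROOT variable are hypothetical; ca.crt is the file name Docker Engine reads from /etc/docker/certs.d/registry_hostname:port.

```shell
#!/bin/sh
# Added example, not from the original page. CERTS_ROOT and the function
# names are hypothetical; override CERTS_ROOT to try this outside /etc.
CERTS_ROOT="${CERTS_ROOT:-/etc/docker/certs.d}"

# Constructed sample input: a throwaway self-signed certificate whose [v3_ca]
# section carries the subjectAltName, mirroring the page's openssl.cnf edit.
make_sample_cert() {  # usage: make_sample_cert <dir> <ip>
    cat > "$1/sample.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = sample-registry
[v3_ca]
subjectAltName = IP:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$1/sample.cnf" -keyout "$1/domain.key" \
        -out "$1/domain.crt" 2>/dev/null
}

# Succeeds only if the certificate lists <ip> as an IP subjectAltName.
cert_has_san_ip() {  # usage: cert_has_san_ip <cert> <ip>
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "IP Address:$2"
}

# Succeeds only if the certificate has not expired yet.
cert_is_current() {  # usage: cert_is_current <cert>
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Copies the cert to <CERTS_ROOT>/<host>:<port>/ca.crt once both checks pass.
install_registry_ca() {  # usage: install_registry_ca <cert> <host> <port>
    cert_has_san_ip "$1" "$2" || { echo "SAN does not cover $2" >&2; return 1; }
    cert_is_current "$1"      || { echo "certificate expired" >&2; return 2; }
    mkdir -p "$CERTS_ROOT/$2:$3" && cp "$1" "$CERTS_ROOT/$2:$3/ca.crt"
}
```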
Download the docker image to private registry server using the following command.