
Configure Docker Registry on Dev Server

Docker Registry
Docker Trusted Registry (DTR) is a commercial product that enables complete image
management workflow, featuring LDAP integration, image signing, security scanning, and
integration with Universal Control Plane. DTR is offered as an add-on to Docker Enterprise
subscriptions of Standard or higher.

What it is
The Registry is a stateless, highly scalable server side application that stores and lets you
distribute Docker images. The Registry is open-source, under the permissive Apache license.

Why use it
You should use the Registry if you want to:
1. tightly control where your images are being stored
2. fully own your images distribution pipeline
3. integrate image storage and distribution tightly into your in-house development
workflow

Alternatives
Users looking for a zero maintenance, ready-to-go solution are encouraged to head-over to the
Docker Hub, which provides a free-to-use, hosted Registry, plus additional features
(organization accounts, automated builds, and more).
Users looking for a commercially supported version of the Registry should look into Docker
Trusted Registry.

Requirements
The Registry is compatible with Docker engine version 1.6.0 or higher.

Basic commands
Start your registry:
$ docker run -d -p 5000:5000 --restart=always -v /reg:/var/lib/registry --name registry registry:2
-d = runs the container in the background
-p = maps port 5000 of the container to port 5000 on the host (localhost:5000)
Images pushed into the registry are saved in '/var/lib/registry' inside the
container, so use -v /reg:/var/lib/registry to mount a local storage directory
and persist the images permanently.
Infrastructure

IP Address    OS       Purpose
10.54.41.67   Redhat   Docker private registry server
10.54.41.68   Redhat   Docker engine node where the developers build the Docker images (with a
                       Dockerfile or docker compose) and then push those images to the private
                       registry server above
10.54.41.69   Redhat   Docker engine node where we deploy containers from images pulled from the
                       private registry server

Setup SSL
Edit the OpenSSL configuration file /etc/pki/tls/openssl.cnf on the 10.54.41.67 host and add
subjectAltName = IP:10.54.41.67 to the [v3_ca] section, like the following:

[ v3_ca ]

subjectAltName = IP:10.54.41.67

...
Setup Docker Private Registry
Edit '/lib/systemd/system/docker.service':

# vi /lib/systemd/system/docker.service

Append '--insecure-registry ip_address:5000' at the end of the ExecStart line:

'ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry ip_address:5000'
ip_address is the IP of the machine running the service; in my case it is localhost.
Now let's restart the Docker service by running this command:
# service docker restart

Confirm the Docker registry is up and running:

# curl -v ip_address:5000/v2/
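The --insecure-registry flag makes the engine accept plain HTTP, or HTTPS with an unverified certificate, for that one registry, so it is only a stop-gap until the TLS-enabled registry described below is working. The following POSIX shell audit is an added example, not part of the original notes: it lists every registry named by --insecure-registry on the ExecStart line of a docker.service unit file and fails when any is present. The unit file it reads is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a systemd unit file for --insecure-registry flags.
# Not part of the original notes; the sample unit below is constructed.

# Print every registry passed via --insecure-registry, in either the
# "--insecure-registry host:port" or the "--insecure-registry=host:port"
# spelling, found on the ExecStart= line of the given unit file.
list_insecure_registries() {
    unit=$1
    grep '^ExecStart=' "$unit" | tr ' ' '\n' | awk '
        /^--?insecure-registry=/ { sub(/^--?insecure-registry=/, ""); print; next }
        /^--?insecure-registry$/  { want = 1; next }
        want                      { print; want = 0 }
    '
}

# Return 0 when the daemon only talks to TLS-verified registries,
# 1 when at least one insecure registry is configured (and report it).
audit_dockerd_unit() {
    unit=$1
    found=$(list_insecure_registries "$unit")
    if [ -n "$found" ]; then
        echo "WARNING: $unit disables TLS verification for:"
        echo "$found" | sed 's/^/  /'
        echo "Remove the flag once the registry serves a trusted certificate."
        return 1
    fi
    echo "OK: no --insecure-registry flags in $unit"
    return 0
}

# Constructed sample unit: the flag from the notes plus a second registry
# in the '=' form, so both spellings are exercised.
make_sample_unit() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 10.54.41.67:5000 --insecure-registry=10.54.41.99:5000
EOF
    echo "$f"
}

# Usage: sh audit_dockerd.sh /lib/systemd/system/docker.service
if [ -n "${1:-}" ]; then
    audit_dockerd_unit "$1"
fi
```

Run it against the real unit file after the TLS registry is up; an empty result is what you want. The same setting can also live in /etc/docker/daemon.json under "insecure-registries", so check that file too when the unit file is clean.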

Secure Docker Private Registry

By default, a Docker node uses a secure connection over TLS to upload images to or download
images from the private registry. You can use TLS certificates signed by a CA, or self-signed
certificates, on the registry server.
Here I will use a self-signed certificate to secure the Docker Registry. Create the self-signed
certificate with the following commands:

# mkdir -p /docker_data/certs
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /docker_data/certs/domain.key \
    -x509 -days 365 -out /docker_data/certs/domain.crt

When prompted for the Common Name, enter the FQDN of your registry server in place of
“registry.itzgeek.local”. The generated certificate “domain.crt” needs to be placed on all of
your build/deploy nodes so that they trust this certificate.
Start the Docker registry container with the certificate information:

# docker run -d -p 5000:5000 --restart=always --name registry \
    -v /docker_data/certs:/certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    registry:2

Now you have a registry server container named “registry” running on “10.54.41.67“.

# docker ps
Distributing X.509 Certificates

If the registry host uses a self-signed X.509 certificate, you must distribute the certificate to all
hosts in your deployment that you intend to use the local Docker registry. Perform the following
steps on each host that needs to access the local registry. Substitute registry_hostname with the
name of the registry host, and port with the port number you selected for your Docker registry
server (5000 by default).
To distribute a self-signed X.509 certificate:
1. Create the /etc/docker/certs.d/registry_hostname:port directory.
# mkdir -p /etc/docker/certs.d/registry_hostname:port

2. Copy the X.509 certificate from the registry host using:
# scp root@registry_hostname:/var/lib/registry/conf.d/domain.crt \
    /etc/docker/certs.d/registry_hostname:port/ca.crt

3. Restart the docker service.
# systemctl restart docker.service
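A quick way to confirm that step 2 landed in the right place on each client, as an added example that is not part of the original notes: a POSIX shell audit of the /etc/docker/certs.d/<host:port>/ca.crt path the engine consults. DOCKER_CERTS_ROOT is a hypothetical override that only exists so the check can be exercised against a scratch directory of constructed files; the subjectAltName check uses openssl only when it is installed.

```shell
#!/bin/sh
# Added example: audit the per-registry trust directory on a Docker client.
# Not part of the original notes. DOCKER_CERTS_ROOT is a hypothetical override
# so the functions can be tested against a scratch directory.

# Directory Docker consults for a registry reached as host:port.
registry_certs_dir() {
    printf '%s/%s' "${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}" "$1"
}

# Audit the CA file for one registry. Exit codes:
#   0 ca.crt present and is a PEM certificate
#   1 ca.crt missing (the engine will reject a self-signed registry)
#   2 file present but not a PEM certificate (e.g. DER or the wrong file)
#   3 file contains a private key (domain.key copied instead of domain.crt)
audit_registry_ca() {
    registry=$1
    ca="$(registry_certs_dir "$registry")/ca.crt"
    if [ ! -f "$ca" ]; then
        echo "MISSING  $ca"
        return 1
    fi
    if grep -q 'PRIVATE KEY' "$ca"; then
        echo "LEAKED   $ca holds a private key; remove it and copy only the certificate"
        return 3
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$ca"; then
        echo "INVALID  $ca is not a PEM certificate"
        return 2
    fi
    echo "OK       $ca"
    return 0
}

# Optional deeper check when openssl is installed: confirm the certificate's
# subjectAltName covers the host part of host:port (IP address or DNS name),
# which is what the [v3_ca] edit earlier in these notes is for.
ca_covers_host() {
    registry=$1
    host=${registry%:*}
    ca="$(registry_certs_dir "$registry")/ca.crt"
    command -v openssl >/dev/null || { echo "openssl not available, SAN check skipped"; return 0; }
    esc=$(printf '%s' "$host" | sed 's/\./\\./g')
    openssl x509 -in "$ca" -noout -text 2>/dev/null \
        | grep -Eq '(IP Address|DNS):'"$esc"'(,|$)'
}

# Scratch tree with constructed files: a valid-looking PEM for the registry
# from the notes, a private key wrongly copied for a second registry, and
# nothing at all for a third.
make_scratch_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/10.54.41.67:5000" "$root/10.54.41.70:5000"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIB(constructed placeholder, not a real certificate)' \
        '-----END CERTIFICATE-----' > "$root/10.54.41.67:5000/ca.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
        '(constructed placeholder)' \
        '-----END PRIVATE KEY-----' > "$root/10.54.41.70:5000/ca.crt"
    echo "$root"
}

# Usage: sh audit_certs_d.sh 10.54.41.67:5000
if [ -n "${1:-}" ]; then
    audit_registry_ca "$1" && ca_covers_host "$1"
fi
```

On a real client run it with the registry's host:port and no DOCKER_CERTS_ROOT set. The private-key check matters because the scp step copies a file named domain.crt from a directory that also holds domain.key; a key copied to every client is a credential leak, not a trust anchor.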

Create and upload a Docker Image to a Private Registry server


Importing Images into a Registry
When you have set up a Docker registry server, you can import images into the registry so that
they can be used to deploy containers. You may either pull images from a registry, such as the
Oracle Container Registry, and then commit them to your local registry, or you may wish to
create your own images based on upstream images.
To import images into a local Docker registry:
1. Pull an image from a registry. For example, you can pull an image from the Oracle Container
Registry:
# docker pull container-registry.oracle.com/os/oraclelinux:latest

2. Tag the image so that it points to the local registry. For example:
# docker tag container-registry.oracle.com/os/oraclelinux:latest \
    localhost:5000/ol7image:v1

In this example, localhost is the hostname where the local registry is located and 5000 is the
port number that the registry listens on. If you are working on a Docker Engine located on a
different host from the registry, you must change the hostname to point to the correct host. Note
that the repository and tag name, ol7image:v1 in the example, must be all lower case to be a valid
tag.
3. Push the image to the local registry. For example:
# docker push localhost:5000/ol7image:v1
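The tag step above is where pushes to a private registry usually go wrong: a reference without a recognisable registry host silently targets Docker Hub, and an upper-case repository name is rejected. The following POSIX shell helper is an added example, not part of the original notes, that validates a host[:port]/repository[:tag] reference before it is used and builds a correctly lower-cased local reference from an upstream image name. The repository rule it enforces is a slightly stricter form of Docker's (single . _ - separators).

```shell
#!/bin/sh
# Added example: validate an image reference before "docker tag"/"docker push".
# Not part of the original notes.

# Accept host[:port]/repository[:tag]; return 0 if valid, otherwise print the
# reason and return 1. Digest (@sha256:...) references are out of scope here.
valid_image_ref() {
    ref=$1
    case $ref in
        */*) ;;
        *) echo "no registry host in '$ref' (it would go to Docker Hub)"; return 1 ;;
    esac
    registry=${ref%%/*}
    path=${ref#*/}
    # Docker treats the first component as a registry only if it contains
    # '.' or ':' or is exactly 'localhost'; anything else is a Hub namespace.
    case $registry in
        localhost|*.*|*:*) ;;
        *) echo "'$registry' is not a registry host; use an FQDN or host:port"; return 1 ;;
    esac
    case $path in
        *:*) repo=${path%:*}; tag=${path##*:} ;;
        *)   repo=$path; tag=latest ;;
    esac
    # Repository: lowercase path components separated by single . _ or -
    # (stricter than Docker, which also allows __ and runs of -).
    if ! printf '%s\n' "$repo" | grep -Eq '^[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*$'; then
        echo "repository '$repo' must be lowercase [a-z0-9] with single . _ - separators"
        return 1
    fi
    # Tag: up to 128 chars of [A-Za-z0-9_.-], not starting with . or -
    if ! printf '%s\n' "$tag" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'; then
        echo "tag '$tag' must start with [A-Za-z0-9_] and use only [A-Za-z0-9_.-] (max 128)"
        return 1
    fi
    return 0
}

# Build the local-registry reference for an upstream image, lower-casing the
# repository name as the notes require (e.g. OL7image -> ol7image).
local_ref() {
    registry=$1; name=$2; tag=$3
    printf '%s/%s:%s' "$registry" "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" "$tag"
}

# Usage: sh check_ref.sh 10.54.41.67:5000/ol7image:v1
if [ -n "${1:-}" ]; then
    valid_image_ref "$1" && echo "OK: $1"
fi
```

Wire valid_image_ref into the build script just before the tag and push commands so a typo fails fast on the build node instead of producing a confusing registry error, or worse, an unintended push to a public registry.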

Copy the certificate (“domain.crt”, stored as “ca.crt” on the clients) from registry server
“10.54.41.67” to “/etc/docker/certs.d/10.54.41.67:5000/ca.crt” on the Docker engine hosts
“10.54.41.68” and “10.54.41.69” (“docker-host.tamburin.net“ in the original example), creating
the directory first:
# mkdir -p /etc/docker/certs.d/10.54.41.67:5000/

Then restart the Docker engine service:
# systemctl restart docker

Download the docker image to private registry server using the following command.
