Docker is a nice low-cost virtualization solution that is more and more popular.
A very nice use case is to use it to create images of enterprise systems, images that can be used for testing without having to bother to delete databases and reinitialize the testing environment. You simply have to fire up another set of containers and your test environment starts again in a predefined state.
The problem with using the default infrastructure is security: I do not want to upload company-sensitive data to the public docker.io repository.
In the next steps I am going to show how to install and use a simple local docker registry.
STEP 1: Get the registry docker image
A docker registry can be very easily deployed from a readily available docker image. Search the docker.io global repository for the image “registry:2”.
Fetch the image on the local system.
STEP 2: Add a new local private registry
Start a new docker registry container. This will start a simple registry with no security enabled: it is served over plain http and asks for no credentials.
$ docker run -d -p 5000:5000 -v $HOME/registry:/var/lib/registry registry:2
STEP 3: Allow the local docker daemon to access insecure registries
On the client, edit the docker config file. On Fedora/RedHat/CentOS edit /etc/sysconfig/docker and add at the end of the file:
INSECURE_REGISTRY='--insecure-registry 10.0.0.245:5000'
In newer versions of docker (> 1.12), create or modify /etc/docker/daemon.json:
{ "insecure-registries":["10.0.0.245:5000"] }
where 10.0.0.245 is my local IP under which the custom registry will be accessible.
Restart the docker daemon to activate the above configuration change.
service docker restart
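An added example (not part of the original post): a small Python audit for the daemon.json edited in this step. Each insecure-registries entry exempts a registry, or a whole CIDR range of them, from certificate verification and allows plain http, so the script labels every entry by scope; the label names and all sample entries other than 10.0.0.245:5000 are assumptions made for illustration.

```python
import ipaddress
import json

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Labels a single-host lab setup like the page's would produce; anything else gets flagged.
EXPECTED = {"loopback", "rfc1918-host"}


def classify(entry: str) -> str:
    """Label one insecure-registries entry by how much it exempts from TLS checks."""
    target = entry
    if "/" not in entry:                      # host[:port] form
        if entry.startswith("["):             # [IPv6]:port
            target = entry[1:].split("]")[0]
        elif entry.count(":") == 1:           # name:port or IPv4:port
            target = entry.split(":")[0]
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        # Not an IP literal: a DNS name, so trust depends on name resolution.
        return "invalid" if "/" in entry else "hostname"
    scope = "host" if net.num_addresses == 1 else "range"
    if net.is_loopback:
        return "loopback"
    if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918-" + scope
    return "other-" + scope


def audit(daemon_json: str) -> list:
    """Return (entry, label, needs_review) for every insecure registry configured."""
    entries = json.loads(daemon_json).get("insecure-registries", [])
    return [(e, classify(e), classify(e) not in EXPECTED) for e in entries]


# Constructed sample: the page's entry plus three hypothetical ones.
SAMPLE = """{ "insecure-registries": [
  "10.0.0.245:5000", "10.0.0.0/8", "registry.lab.example:5000", "203.0.113.7:5000"
] }"""

if __name__ == "__main__":
    for entry, label, review in audit(SAMPLE):
        print(f"{entry:28} {label:14} {'REVIEW' if review else 'ok'}")
```

To check a real host, pass the contents of /etc/docker/daemon.json to audit() instead of SAMPLE.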
STEP 4: Tag and push local images to the new registry
List the existing images:
# docker images
REPOSITORY                   TAG      IMAGE ID       CREATED        SIZE
docker.io/postgres           latest   f91e27f33f26   9 days ago     263.8 MB
docker.io/registry           2        541a6732eadb   9 days ago     33.27 MB
docker.io/mtuanp/glassfish   latest   46d7536ed8af   7 months ago   700 MB
Tag the local images for the new registry. Note that the name used must be the fully qualified name of the image in the registry, including the registry address and port.
# docker tag postgres 10.0.0.245:5000/postgres
# docker tag demo 10.0.0.245:5000/demo
List the existing images after tagging. Note that the tagged images now have two aliases:
# docker images
REPOSITORY                   TAG      IMAGE ID       CREATED        SIZE
10.0.0.245:5000/postgres     latest   f91e27f33f26   4 days ago     263.8 MB
docker.io/postgres           latest   f91e27f33f26   9 days ago     263.8 MB
docker.io/registry           2        541a6732eadb   9 days ago     33.27 MB
10.0.0.245:5000/demo         latest   46d7536ed8af   7 months ago   700 MB
docker.io/mtuanp/glassfish   latest   46d7536ed8af   7 months ago   700 MB
Push the docker images to the new registry.
# docker push 10.0.0.245:5000/postgres
The push refers to a repository [10.0.0.245:5000/postgres]
13309175bebc: Pushed
f5a1e6b07efe: Mounted from postgres
43988ba6118f: Mounted from postgres
9e5b8222d901: Mounted from postgres
51bd5a3a4e97: Mounted from postgres
2d3580ed25cf: Mounted from postgres
57655c1c901b: Mounted from postgres
0df5ee6f45b1: Mounted from postgres
70df7c5241b7: Mounted from postgres
dd30fd70f347: Mounted from postgres
73c4fa66091a: Mounted from postgres
142a601d9793: Mounted from postgres
latest: digest: sha256:673ce41a6d5aabc3b4e66471db6382adf7399a9b384bf33372db74c439943d08 size: 2801
# docker push 10.0.0.245:5000/demo
The push refers to a repository [10.0.0.245:5000/demo]
a92c06ee234f: Pushed
b0aba84ddb59: Mounted from demo
20f085509075: Mounted from demo
3d57c68de034: Mounted from demo
5f70bf18a086: Mounted from demo
1ebdc7db829d: Mounted from demo
30e8d17937e7: Mounted from demo
867d7eaf330f: Mounted from demo
0a533a9b15d6: Mounted from demo
1976b08e9302: Mounted from demo
f34d5ba459d6: Mounted from demo
b22f38604eb8: Mounted from demo
162da15b5454: Mounted from demo
4badccf8a533: Mounted from demo
ddef881aeaff: Mounted from demo
latest: digest: sha256:fe8810fc932edc5718c841b915a8fec6554b5702fdc9565256077bdceb9646dc size: 5931
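An added example, not from the original post: because this registry takes pushes without credentials, a tag such as latest can be repointed by any client that can reach it, while the digest printed by docker push identifies one exact image. The Python below turns push output into repo@sha256 references usable with docker pull and reports tags whose digest changed between two pushes; the function names are assumptions and the sample log is abridged from the output above.

```python
import re

REPO_RE = re.compile(r"^The push refers to (?:a )?repository \[([^\]]+)\]$")
DIGEST_RE = re.compile(r"^(\S+): digest: (sha256:[0-9a-f]{64}) size: \d+$")


def pinned_references(push_output: str) -> dict:
    """Map each pushed 'repo:tag' to its content-addressed 'repo@sha256:...' form."""
    refs, repo = {}, None
    for raw in push_output.splitlines():
        line = raw.strip()
        header = REPO_RE.match(line)
        if header:
            repo = header.group(1)          # remember which repository follows
            continue
        result = DIGEST_RE.match(line)
        if result and repo:                 # ignore digest lines with no header
            tag, digest = result.groups()
            refs[f"{repo}:{tag}"] = f"{repo}@{digest}"
    return refs


def drifted_tags(recorded: dict, current: dict) -> list:
    """Tags whose digest differs from the one recorded at an earlier push."""
    return sorted(t for t in recorded if t in current and recorded[t] != current[t])


# Abridged from the push output on this page (layer lines trimmed).
PUSH_LOG = """\
# docker push 10.0.0.245:5000/postgres
The push refers to a repository [10.0.0.245:5000/postgres]
13309175bebc: Pushed
latest: digest: sha256:673ce41a6d5aabc3b4e66471db6382adf7399a9b384bf33372db74c439943d08 size: 2801
# docker push 10.0.0.245:5000/demo
The push refers to a repository [10.0.0.245:5000/demo]
a92c06ee234f: Pushed
latest: digest: sha256:fe8810fc932edc5718c841b915a8fec6554b5702fdc9565256077bdceb9646dc size: 5931
"""

if __name__ == "__main__":
    for tag, pinned in pinned_references(PUSH_LOG).items():
        print(f"{tag} -> docker pull {pinned}")
```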
To connect to the new registry, just log in from any local client. No user/password is required; just enter some info.
docker login http://10.0.0.245:5000
You should encourage SSL. We have letsencrypt now; it’s easy to get a free certificate.
Yes, you are right, but if this is a private repository inside your DMZ, for ease of use http is OK. I recommend reading this if https is necessary: https://books.sonatype.com/nexus-book/reference/ssl-sect-ssl-direct.html (they describe two ways of securing the repository).
Following your advice, and having issues with the free CA I was using, the blog is now using letsencrypt for the certificates. See my take on it in: Apache: Use letsencrypt.org certificates with an apache server behind a secure reverse proxy
I will give it a try. I use the described registry only for a small test setup. I plan to have a server deploy soon using some proper “enterprise” repository setup. Thank you for the suggestion.
Another option you might consider is using an open source application like Nexus Repository. Nexus is purpose-built to manage artifacts required for builds and deployments, and can also act as a proxy to Docker Hub and other private warehouses. In addition to serving as a private Docker registry, you can use it to store other artifacts needed by Dev and Ops teams. You can read more about this at http://www.sonatype.com/docker
Thank you for the suggestion. I started to use it actively; see here: https://blog.voina.org/docker-install-a-nexus-repository/