Private Registry
Intro
A Docker registry is a crucial component of the Docker ecosystem: it is the storage and distribution service for container images, letting developers and organizations store, share, and manage images securely and efficiently.
When you create a Docker image, it consists of layers that make up the file system for your container. These images can be quite large, and sharing them directly between developers or deploying them on various machines can be cumbersome. Docker registry provides a centralized and scalable solution for storing and sharing these images.
The Docker registry can be either a public registry, such as Docker Hub, which allows users to share images publicly, or it can be a private registry set up by organizations for internal use or to secure their proprietary images.
Private Docker registries offer several compelling reasons for organizations to use them instead of relying solely on public registries like Docker Hub. Some of the key reasons include:
- Security and Control: Private registries allow organizations to have full control over their container images and who can access them. This is particularly important for sensitive or proprietary applications where the code and configurations need to be tightly controlled.
- Intellectual Property Protection: Companies often have valuable intellectual property contained within their Docker images. A private registry ensures that these images are only accessible to authorized users, minimizing the risk of data leaks or unauthorized usage.
- Compliance and Data Privacy: In regulated industries or regions with strict data privacy laws, hosting sensitive data in public registries might not be compliant. Private registries enable organizations to adhere to regulatory requirements and keep their data within specific jurisdictions.
- Performance and Bandwidth: Hosting large-scale Docker deployments might require significant bandwidth for image pulls. Private registries hosted within an organization's infrastructure can offer faster image retrieval and reduce reliance on external networks.
- Offline Access: Private registries allow developers and systems to work with Docker images even when not connected to the internet, making it more convenient for internal development and testing.
- Customization and Custom Plugins: Organizations can customize and extend private registries to meet their specific needs. They can integrate with existing authentication systems, implement custom security measures, and develop plugins to enhance functionality.
- Dependency Management: Public registries might experience changes or removal of images, leading to unexpected issues for applications reliant on those images. A private registry can help manage dependencies more effectively by hosting specific versions of required images.
- Quality Control: In a private registry, an organization can perform thorough testing and validation before making an image available for deployment. This ensures that only stable and tested images are used in production environments.
- Reduced Vulnerabilities: Using public images from unknown sources can pose security risks. With a private registry, organizations can curate a set of trusted images, reducing the chance of deploying vulnerable or malicious containers.
- Network Isolation: In certain scenarios, network isolation might be necessary. Private registries can be deployed within specific network boundaries, making it easier to control access and maintain security.
Installing and configuring
This procedure provides basic installation and configuration instructions for learning purposes and should not be used for production.
Below is a step-by-step procedure to install and configure a private Docker registry using the official open-source registry image (the CNCF Distribution project) running on Docker CE (Community Edition). We'll assume you are setting up the registry on a Linux-based system.
Make sure you have Docker installed on your system. If you don't have Docker already installed, you can follow the official Docker installation instructions for your Linux distribution: https://docs.docker.com/engine/install/.
First, create a directory to hold the file containing the registry username and password:
mkdir auth
On Debian/Ubuntu you can obtain the htpasswd utility by installing the apache2-utils package. Do so by running:
sudo apt install apache2-utils -y
Create a user, replacing <username> with the username you want to use. The -B flag selects the bcrypt algorithm, the only password hash the registry's htpasswd backend accepts, and -c creates the file (omit -c when adding further users, or the existing file is overwritten). Write the file into the auth directory, because that is the directory the registry container will mount:
htpasswd -Bc auth/registry.password <username>
Now run the registry container, mounting the auth directory read-only and pointing the htpasswd backend at the password file (the image tag is pinned to the 2.x line rather than floating on latest):
docker run -d \
-p 5000:5000 \
--name registry \
-v "$(pwd)"/auth:/auth:ro \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/registry.password \
registry:2
To verify the registry, open http://localhost:5000/v2/ in a browser or with curl. Because the htpasswd backend is enabled, an unauthenticated request is answered with 401 Unauthorized and a WWW-Authenticate: Basic realm="Registry Realm" header; supplying the username and password returns 200 with an empty JSON object ({}), which confirms that the registry is up and actually checking credentials.
Pushing to private registry
Now that your Docker registry is running, you can try pushing an image to it. Docker picks the registry from the host prefix of the image name (a name without a prefix goes to Docker Hub), and this registry requires authentication, so log in to it first:
docker login localhost:5000
Against localhost:5000 this login normally succeeds even without TLS, because the Docker daemon treats loopback addresses (127.0.0.0/8) as insecure registries by default and falls back to plain HTTP for them. Against any other hostname or IP address it fails with an error such as "http: server gave HTTP response to HTTPS client", because we did not set up TLS for the registry and Docker speaks HTTPS to every other registry. The proper fix is to give the registry a certificate (a self-signed one is enough for a lab, provided the Docker host is made to trust it). For the simplicity of this test, we instead configure the Docker engine to accept a plain HTTP registry.
This procedure configures Docker to entirely disregard security for your registry. This is very insecure and is not recommended. It exposes your registry to trivial man-in-the-middle (MITM) attacks. Only use this solution for isolated testing or in a tightly controlled, air-gapped environment.
Edit the daemon.json file, whose default location is /etc/docker/daemon.json. If the daemon.json file does not exist, create it. Assuming there are no other settings in the file, it should have the following contents:
{
"insecure-registries" : ["localhost:5000"]
}
Replace localhost:5000 with the hostname or IP address and port that clients will use to reach the registry; the entry must match that name exactly. Then restart the Docker daemon (for example with sudo systemctl restart docker) so the new setting takes effect.
Now try to login again:
docker login localhost:5000
An image is pushed to the registry named in its tag, so first tag your image with the registry prefix (docker tag my_image localhost:5000/my_image) and then push it:
docker push localhost:5000/my_image
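The whole procedure above, rerun as one script that gives the registry a self-signed TLS certificate instead of an insecure-registries entry, and that checks the two things a practitioner wants checked before trusting the setup: that every htpasswd entry is bcrypt (the only hash the registry accepts) and that GET /v2/ is challenged anonymously but succeeds with credentials. This is an added example, not code from the original page or from the registry project. It assumes the hostname registry.example.internal, port 5000, the user deploy, the directories ./auth and ./certs, and that docker, htpasswd, openssl (1.1.1 or newer, for -addext) and curl are installed; adjust the values at the top for your environment. Run it with the argument run to execute the setup; without it the file only defines the functions.

```shell
#!/usr/bin/env bash
# Added example: htpasswd-protected registry behind self-signed TLS.
# Hostname, port, user name and directories below are assumptions, not page values.
set -e

REGISTRY_HOST="${REGISTRY_HOST:-registry.example.internal}"   # assumed hostname
REGISTRY_PORT="${REGISTRY_PORT:-5000}"
REG_USER="${REG_USER:-deploy}"                                  # assumed user name
REGISTRY="$REGISTRY_HOST:$REGISTRY_PORT"

# The registry's htpasswd backend verifies bcrypt only. htpasswd -B writes
# hashes prefixed "$2y$"; "$2a$" and "$2b$" are the other bcrypt prefixes.
htpasswd_is_bcrypt() {
  case "$1" in
    *':$2y$'*|*':$2a$'*|*':$2b$'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Fail early if any entry was created without -B (e.g. an MD5 "$apr1$" hash):
# such a user can never log in, and the failure would only show up later.
check_htpasswd_file() {
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    if ! htpasswd_is_bcrypt "$line"; then
      echo "non-bcrypt entry for user ${line%%:*}" >&2
      return 1
    fi
  done < "$1"
}

# Docker checks the certificate's SAN, so it must carry the exact name or IP
# that clients dial; a bare CN is not enough. Dotted-digit hosts become IP SANs.
san_for_host() {
  case "$1" in
    *[!0-9.]*) echo "DNS:$1" ;;
    *)         echo "IP:$1" ;;
  esac
}

make_cert() {
  mkdir -p certs
  openssl req -x509 -newkey rsa:4096 -nodes -days 365 \
    -subj "/CN=$REGISTRY_HOST" \
    -addext "subjectAltName=$(san_for_host "$REGISTRY_HOST")" \
    -keyout certs/registry.key -out certs/registry.crt
  chmod 600 certs/registry.key
}

# Same container as on the page plus the two TLS settings; auth and certs are
# mounted read-only and the image tag is pinned.
run_registry() {
  docker run -d --name registry -p "$REGISTRY_PORT:5000" \
    -v "$(pwd)/auth:/auth:ro" \
    -v "$(pwd)/certs:/certs:ro" \
    -e REGISTRY_AUTH=htpasswd \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/registry.password \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
    registry:2
}

# Trust the self-signed cert for this one registry only: the Docker daemon
# looks for /etc/docker/certs.d/<host>:<port>/ca.crt when it connects.
trust_cert() {
  sudo mkdir -p "/etc/docker/certs.d/$REGISTRY"
  sudo cp certs/registry.crt "/etc/docker/certs.d/$REGISTRY/ca.crt"
}

# Anonymous GET /v2/ must be challenged (401 with WWW-Authenticate: Basic) and
# the same request with credentials must succeed (200). curl prompts for the
# password, so it never lands in the shell history or the process list.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' --cacert certs/registry.crt "$@"
}
check_registry() {
  anon=$(http_status "https://$REGISTRY/v2/")
  auth=$(http_status -u "$REG_USER" "https://$REGISTRY/v2/")
  [ "$anon" = 401 ] && [ "$auth" = 200 ]
}

main() {
  mkdir -p auth
  htpasswd -Bc auth/registry.password "$REG_USER"   # prompts for the password
  check_htpasswd_file auth/registry.password
  make_cert
  run_registry
  trust_cert
  sleep 2                                           # let the container start listening
  check_registry
  docker login "$REGISTRY"
  # An image goes to the registry named in its tag, so tag before pushing.
  docker tag my_image "$REGISTRY/my_image"
  docker push "$REGISTRY/my_image"
}

if [ "${1:-}" = "run" ]; then main; fi
```

The daemon.json insecure-registries entry is not needed with this setup, and the certs.d directory scopes the trust to this registry only, rather than disabling TLS verification for it. If clients reach the registry under more than one name, list each as a separate SAN entry; a name that is not in the certificate produces a verification error at docker login, which is the behaviour you want.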