Photo by Ian Taylor on Unsplash
A Docker Adventure: Setting Up Your Own Private Docker Registry Inside A Docker Container
Have you ever wanted to have your own private Docker registry to store your Docker images? Well, look no further! This guide will show you how to set up a self-signed certificate for your Docker registry and make sure it's secure and authenticated.
Prerequisites
Before we start, make sure you have the following:
A Linux machine with Docker and Docker Compose installed
A text editor to modify files (e.g., nano or vim)
Installing Docker and Docker Compose
Let's start by checking if Docker and Docker Compose are already installed on your machine.
# Check if Docker is installed
if ! [ -x "$(command -v docker)" ]; then
echo 'Docker is not installed. Installing...'
# Update the apt package index and install Docker
sudo apt-get update
sudo apt-get install -y docker.io
# Start the Docker service
sudo systemctl start docker
sudo systemctl enable docker
else
echo 'Docker is already installed.'
fi
# Check if Docker Compose is installed
if ! [ -x "$(command -v docker-compose)" ]; then
echo 'Docker Compose is not installed. Installing...'
# Download the Docker Compose binary
sudo curl -L "https://github.com/docker/compose/releases/download/1.28.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# Set the permissions for the Docker Compose binary
sudo chmod +x /usr/local/bin/docker-compose
else
echo 'Docker Compose is already installed.'
fi
If Docker or Docker Compose is not installed, this script will install them for you. If they're already installed, you'll see a message saying so.
Setting Up Permissions
Next, let's make sure the current user has the correct permissions to run Docker and Docker Compose.
# Add the current user to the Docker group
sudo usermod -aG docker $USER
# Create the Docker Compose group if it doesn't exist
if ! grep -q "^docker-compose:" /etc/group; then
sudo groupadd docker-compose
fi
# Add the current user to the Docker Compose group
sudo usermod -aG docker-compose $USER
This will add the current user to the Docker and Docker Compose groups so that you can run Docker and Docker Compose commands without having to use sudo.
Generating a Self-Signed Certificate
Now let's generate a self-signed certificate for our Docker registry. This certificate will be used to authenticate the connection between the Docker registry and the Docker client.
#check if any env available then load it
if [ -f .env ]; then
export $(echo $(cat .env | sed 's/#.*//g'| xargs) | envsubst)
fi
# Generate self-signed certificate
ip=$(curl ifconfig.me)
sudo openssl req -newkey rsa:4096 -nodes -sha256 -keyout registry.key -x509 -days 365 -out registry.crt -subj "/CN=docker-registry" -addext "subjectAltName = IP:$ip"
Starting the docker registry
Now that we have all of the prerequisites and permissions set up, we can start our Docker registry. To do this, we will use a Docker Compose file to create and start the registry service.
Here's an example Docker Compose file that starts a Docker registry using the self-signed certificate we generated earlier:
version: '3'
services:
registry:
image: registry:2
ports:
- "${REGISTRY_PORT}:5000"
volumes:
- ./:/certs/
environment:
REGISTRY_HTTP_ADDR: 0.0.0.0:5000
REGISTRY_HTTP_TLS_CERTIFICATE: /certs/registry.crt
REGISTRY_HTTP_TLS_KEY: /certs/registry.key
As we are taking REGISTRY_PORT from an external environment now we have to set up a .env file defining the port. Here is the .env file:
REGISTRY_PORT=6050
To start the Docker registry, save this file as docker-compose.yml and run the following command:
docker-compose up -d
This will start the Docker registry in the background using the self-signed certificate we generated earlier. You can check the status of the registry by running the following command:
docker-compose ps
Create a firewall rule to allow incoming traffic on the desired port
# Create firewall rule to allow incoming traffic to the Docker registry
sudo ufw allow from any to any port ${REGISTRY_PORT} proto tcp
This will create a firewall rule to allow incoming traffic on the port in the .env file which is 6050 in our case, which is the port the Docker registry is listening on.
Using the Self-Signed Certificate in the Docker Client
To use the self-signed certificate in the Docker client, you'll need to copy the "registry.crt" file to your machine and add it to the list of trusted certificates.
On Windows:
Open Windows Explorer, right-click the certificate registry.crt and choose Install certificate.
Then, select the following options:
Store location: local machine
Check place all certificates in the following store
Click Browser, and select Trusted Root Certificate Authorities
Click Finish
make folder
C:/Users/Your_User/.docker/certs.d/<the_remote_machine_ip><port>/Copy
registry.crtandregistry.keyfile from the remote server and paste it hererestart docker
On Linux:
sudo cp registry.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
sudo cp registry.crt /etc/docker/certs.d/remotemachineip:port/
restart the docker:
sudo systemctl restart docker
You may find this official documentation related to docker certificate setup useful in case anything changes in the future:
Once the certificate is installed, you can test the connection to the Docker registry by running the following command:
docker login https://<ip-of-your-registry>:port
Final Scripts:
You can either copy all code snippets or clone this repo in the remote machine and can execute all processes related to the remote machine by running the following commands:
git clone https://github.com/syedfahimabrar/privatedockerregistry.git
cd privatedockerregistry
cd project
sudo chmod +x run-registry.sh
./run-registry.sh
Conclusion
In this article, we have shown you how to set up your own private Docker registry using a self-signed certificate. This registry can be used to store your Docker images securely and make them available to your team or projects. You can copy the whole code snippets from this github repo I hope this article has been helpful to you, and that you enjoy your Docker adventure!