A Docker Adventure: Setting Up Your Own Private Docker Registry Inside A Docker Container

Photo by Ian Taylor on Unsplash

A Docker Adventure: Setting Up Your Own Private Docker Registry Inside A Docker Container

Have you ever wanted to have your own private Docker registry to store your Docker images? Well, look no further! This guide will show you how to set up a self-signed certificate for your Docker registry and make sure it's secure and authenticated.

Prerequisites

Before we start, make sure you have the following:

  • A Linux machine with Docker and Docker Compose installed

  • A text editor to modify files (e.g., nano or vim)

Installing Docker and Docker Compose

Let's start by checking if Docker and Docker Compose are already installed on your machine.

# Check if Docker is installed
if ! [ -x "$(command -v docker)" ]; then
  echo 'Docker is not installed. Installing...'

  # Update the apt package index and install Docker
  sudo apt-get update
  sudo apt-get install -y docker.io

  # Start the Docker service
  sudo systemctl start docker
  sudo systemctl enable docker
else
  echo 'Docker is already installed.'
fi

# Check if Docker Compose is installed
if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Docker Compose is not installed. Installing...'

  # Download the Docker Compose binary
  sudo curl -L "https://github.com/docker/compose/releases/download/1.28.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

  # Set the permissions for the Docker Compose binary
  sudo chmod +x /usr/local/bin/docker-compose
else
  echo 'Docker Compose is already installed.'
fi

If Docker or Docker Compose is not installed, this script will install them for you. If they're already installed, you'll see a message saying so.

Setting Up Permissions

Next, let's make sure the current user has the correct permissions to run Docker and Docker Compose.

# Add the current user to the Docker group
sudo usermod -aG docker $USER

# Create the Docker Compose group if it doesn't exist
if ! grep -q "^docker-compose:" /etc/group; then
  sudo groupadd docker-compose
fi

# Add the current user to the Docker Compose group
sudo usermod -aG docker-compose $USER

This will add the current user to the Docker and Docker Compose groups so that you can run Docker and Docker Compose commands without having to use sudo.

Generating a Self-Signed Certificate

Now let's generate a self-signed certificate for our Docker registry. This certificate will be used to authenticate the connection between the Docker registry and the Docker client.

#check if any env available then load it
if [ -f .env ]; then
  export $(echo $(cat .env | sed 's/#.*//g'| xargs) | envsubst)
fi
# Generate self-signed certificate
ip=$(curl ifconfig.me)
sudo openssl req -newkey rsa:4096 -nodes -sha256 -keyout registry.key -x509 -days 365 -out registry.crt -subj "/CN=docker-registry" -addext "subjectAltName = IP:$ip"

Starting the docker registry

Now that we have all of the prerequisites and permissions set up, we can start our Docker registry. To do this, we will use a Docker Compose file to create and start the registry service.

Here's an example Docker Compose file that starts a Docker registry using the self-signed certificate we generated earlier:

version: '3'
services:
  registry:
    image: registry:2
    ports:
      - "${REGISTRY_PORT}:5000"
    volumes:
      - ./:/certs/
    environment:
      REGISTRY_HTTP_ADDR: 0.0.0.0:5000
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/registry.crt
      REGISTRY_HTTP_TLS_KEY: /certs/registry.key

As we are taking REGISTRY_PORT from an external environment now we have to set up a .env file defining the port. Here is the .env file:

REGISTRY_PORT=6050

To start the Docker registry, save this file as docker-compose.yml and run the following command:

docker-compose up -d

This will start the Docker registry in the background using the self-signed certificate we generated earlier. You can check the status of the registry by running the following command:

docker-compose ps

Create a firewall rule to allow incoming traffic on the desired port

# Create firewall rule to allow incoming traffic to the Docker registry
sudo ufw allow from any to any port ${REGISTRY_PORT} proto tcp

This will create a firewall rule to allow incoming traffic on the port in the .env file which is 6050 in our case, which is the port the Docker registry is listening on.

Using the Self-Signed Certificate in the Docker Client

To use the self-signed certificate in the Docker client, you'll need to copy the "registry.crt" file to your machine and add it to the list of trusted certificates.

On Windows:

Open Windows Explorer, right-click the certificate registry.crt and choose Install certificate.

Then, select the following options:

  • Store location: local machine

  • Check place all certificates in the following store

  • Click Browser, and select Trusted Root Certificate Authorities

  • Click Finish

  • make folder C:/Users/Your_User/.docker/certs.d/<the_remote_machine_ip><port>/

  • Copy registry.crt and registry.key file from the remote server and paste it here

  • restart docker

On Linux:

sudo cp registry.crt /usr/local/share/ca-certificates/ 
sudo update-ca-certificates
sudo cp registry.crt /etc/docker/certs.d/remotemachineip:port/

restart the docker:

sudo systemctl restart docker

You may find this official documentation related to docker certificate setup useful in case anything changes in the future:

Once the certificate is installed, you can test the connection to the Docker registry by running the following command:

docker login https://<ip-of-your-registry>:port

Final Scripts:

You can either copy all code snippets or clone this repo in the remote machine and can execute all processes related to the remote machine by running the following commands:

git clone https://github.com/syedfahimabrar/privatedockerregistry.git
cd privatedockerregistry
cd project
sudo chmod +x run-registry.sh
./run-registry.sh

Conclusion

In this article, we have shown you how to set up your own private Docker registry using a self-signed certificate. This registry can be used to store your Docker images securely and make them available to your team or projects. You can copy the whole code snippets from this github repo I hope this article has been helpful to you, and that you enjoy your Docker adventure!

Did you find this article valuable?

Support Fahim's SketchBoard by becoming a sponsor. Any amount is appreciated!