Set Up a Private Docker Registry (Secure) on Ubuntu 18.04 — Part 2

Rakesh Jain
3 min read · Jun 12, 2020


Create a self-signed certificate using openssl:

root@kmaster-rj:~# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
Can't load /root/.rnd into RNG
139995833266624:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
Generating a RSA private key
.........................................++++
......................++++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:repo.docker.local
Email Address []:
root@kmaster-rj:~# cd certs/
root@kmaster-rj:~/certs# ls -la
total 16
drwxr-xr-x  2 root root 4096 Jun 12 07:28 .
drwx------ 10 root root 4096 Jun 11 18:01 ..
-rw-r--r--  1 root root 2017 Jun 12 07:28 domain.crt
-rw-------  1 root root 3272 Jun 12 07:28 domain.key
root@kmaster-rj:~/certs# cd /etc/docker/
root@kmaster-rj:/etc/docker# ls
key.json
root@kmaster-rj:/etc/docker# mkdir certs.d
root@kmaster-rj:/etc/docker# cd certs.d/
root@kmaster-rj:/etc/docker/certs.d# mkdir repo.docker.local:5000
root@kmaster-rj:/etc/docker/certs.d# ls
repo.docker.local:5000
root@kmaster-rj:/etc/docker/certs.d# cp ~/certs/domain.crt /etc/docker/certs.d/repo.docker.local\:5000/ca.crt
root@kmaster-rj:~# systemctl restart docker

Now create the registry container with TLS enabled:

root@kmaster-rj:~# docker container run -d -p 5000:5000 --name simple_registry -v $(pwd)/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry
95aa352e774a4a59af23b454c5f99eb47d17d1eedf5dd81b8a01516fb4952ecf
root@kmaster-rj:~# docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
95aa352e774a registry "/entrypoint.sh /etc…" 4 seconds ago Up 3 seconds 0.0.0.0:5000->5000/tcp simple_registry
root@kmaster-rj:~# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
127.0.0.1:5000/redis latest 235592615444 46 hours ago 104MB
127.0.0.1:5000/nginx latest 2622e6cca7eb 2 days ago 132MB
mysql latest be0dbf01a0f3 3 days ago 541MB
172.42.42.200:5000/rabbitmq latest 8323c1c9f182 2 weeks ago 156MB
rabbitmq latest 8323c1c9f182 2 weeks ago 156MB
ubuntu latest 1d622ef86b13 7 weeks ago 73.9MB
registry latest 708bc6af7e5e 4 months ago 25.8MB

Let's try to push an existing image to the repository now.

root@kmaster-rj:~# docker push 172.42.42.200:5000/rabbitmq
The push refers to repository [172.42.42.200:5000/rabbitmq]

Get https://172.42.42.200:5000/v2/: x509: cannot validate certificate for 172.42.42.200 because it doesn't contain any IP SANs

The image tag should point to our local repository by the name in the certificate (repo.docker.local), not by its IP address:

root@kmaster-rj:~# docker image tag mysql:latest repo.docker.local:5000/mysql:latest
root@kmaster-rj:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kmaster-rj.example.com kmaster-rj repo.docker.local
root@kmaster-rj:~# docker image push repo.docker.local:5000/mysql
The push refers to repository [repo.docker.local:5000/mysql]
fd6eae62c2af: Pushed
815032910417: Pushed
d9f2d665b85e: Pushed
5fe2aef9ecd8: Pushed
2de987586bdb: Pushed
latest: digest: sha256:0ba38ea9c478d1e98b2f0bc0cee5a62345c9f06f78c4b48123bdc70d8d224686 size: 2828

Enabling user authentication for the Docker registry:

root@kmaster-rj:~# mkdir auth
root@kmaster-rj:~# docker container run --entrypoint htpasswd registry -bnB test password > auth/htpasswd
root@kmaster-rj:~# cat auth/htpasswd
test:$2y$05$GJ/Gy3U1/1gzmPr5FojD..AryKIo8mrRJMiE44ISIl35PKR7k6sC6

Create the container with both TLS and htpasswd authentication enabled:

root@kmaster-rj:~# docker run -d \
> -p 5000:5000 \
> --restart=always \
> --name registry \
> -v "$(pwd)"/auth:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> -v “$(pwd)”/certs:/certs \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> registry
98ce2fbb88360f930e757beb0aba90b8b5f6750abc49918404916a5e262703ca
root@kmaster-rj:~# docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
98ce2fbb8836 registry "/entrypoint.sh /etc…" 50 seconds ago Up 48 seconds 0.0.0.0:5000->5000/tcp registry

Now try to push an image to the registry without logging in first:

root@kmaster-rj:~# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
repo.docker.local:5000/mysql latest be0dbf01a0f3 3 days ago 541MB
rabbitmq latest 8323c1c9f182 2 weeks ago 156MB
ubuntu latest 1d622ef86b13 7 weeks ago 73.9MB
registry latest 708bc6af7e5e 4 months ago 25.8MB
root@kmaster-rj:~# docker push repo.docker.local:5000/mysql
The push refers to repository [repo.docker.local:5000/mysql]
fd6eae62c2af: Preparing
815032910417: Preparing
d9f2d665b85e: Preparing
5fe2aef9ecd8: Preparing
2de987586bdb: Preparing
no basic auth credentials
root@kmaster-rj:~# docker login repo.docker.local:5000
Username: test
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded

Now try the push again:

root@kmaster-rj:~# docker push repo.docker.local:5000/mysql
The push refers to repository [repo.docker.local:5000/mysql]
fd6eae62c2af: Pushed
815032910417: Pushed
d9f2d665b85e: Pushed
5fe2aef9ecd8: Pushed
2de987586bdb: Pushed
latest: digest: sha256:0ba38ea9c478d1e98b2f0bc0cee5a62345c9f06f78c4b48123bdc70d8d224686 size: 2828

That’s All!

Hope you like the tutorial. Please let me know your feedback in the response section.

Happy learning!

Written by Rakesh Jain

DevOps Professional | Technical writer