And that’s it! It is as simple as that!
This setup is too simplistic, though, and there are other considerations. You will also have to mount volumes; otherwise, you will lose all the images when you restart the registry container. There is also no authentication in place, so anyone who can access this server can push or pull images, which we don’t want. Finally, communication is insecure, and we want to encrypt the images in transit.
First, let’s create the local directories that we will mount to the containers:
$ sudo mkdir -p /mnt/registry/certs
$ sudo mkdir -p /mnt/registry/auth
$ sudo chmod -R 777 /mnt/registry
Now, let’s generate an htpasswd file for adding authentication to the registry. For this, we will run the htpasswd command from within a new Docker registry container to create a file on our local directory:
$ docker run --entrypoint htpasswd registry:2.7.0 \
-Bbn user pass > /mnt/registry/auth/htpasswd
The next step is to generate some self-signed certificates for enabling TLS on the repository. Add your server name or IP when asked for a Fully Qualified Domain Name (FQDN). You can leave the other fields blank or add appropriate values for them:
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout \
/mnt/registry/certs/domain.key -x509 -days 365 -out /mnt/registry/certs/domain.crt
Before we proceed further, let’s remove the existing registry:
$ docker rm -f registry
registry
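Before launching, the files that will be mounted into the container can be audited. The following POSIX shell check is an added example, not part of the original text: it lists htpasswd entries that are not bcrypt (the registry's htpasswd backend ignores them, which is why -B is passed above), paths left world-writable by the chmod -R 777 step, and a private key readable by group or others. The function names and the sample tree are assumptions of this example; the auth/htpasswd and certs/domain.key layout is the one used above.

```sh
# Added example: audit the directories mounted into the registry container.
# Layout follows the text: <base>/auth/htpasswd and <base>/certs/domain.key.

# Users whose hash is not bcrypt ($2a$/$2b$/$2y$). The registry's htpasswd
# backend only accepts bcrypt; entries with other hash types are ignored.
non_bcrypt_users() {
    awk -F: 'NF >= 2 && $2 !~ /^\$2[aby]\$/ { print $1 }' "$1"
}

# Paths under the base directory that any local user can write to.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# True when the TLS private key is readable by group or others.
key_exposed() {
    [ -n "$(find "$1" -prune \( -perm -0040 -o -perm -0004 \) -print)" ]
}

# Print one finding per line; return 1 if there were any.
audit_registry_dir() {
    base=$1
    out=$(
        non_bcrypt_users "$base/auth/htpasswd" |
            sed 's/^/htpasswd: not bcrypt, registry ignores user: /'
        world_writable "$base" | sed 's/^/perm: world-writable: /'
        if key_exposed "$base/certs/domain.key"; then
            echo "perm: private key readable by group/others: $base/certs/domain.key"
        fi
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample tree (hash strings are placeholders, not real hashes).
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/auth" "$d/certs" || return 1
    printf '%s\n' 'user:$2y$05$CONSTRUCTEDbcryptPLACEHOLDER' \
        'legacy:$apr1$CONSTRUCTED$md5PLACEHOLDER' > "$d/auth/htpasswd"
    : > "$d/certs/domain.key"
    chmod 755 "$d" "$d/auth" "$d/certs"; chmod 644 "$d/auth/htpasswd"
    chmod 600 "$d/certs/domain.key"
    echo "$d"
}

sample=$(make_sample)
audit_registry_dir "$sample" || echo "findings above need fixing before launch"
rm -rf "$sample"
```

Against the real layout, call audit_registry_dir /mnt/registry; with the sample tree only the constructed legacy entry is reported.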
Now, we are ready to launch our container with the required configuration:
$ docker run -d -p 443:443 --restart=always \
--name registry \
-v /mnt/registry/certs:/certs \
-v /mnt/registry/auth:/auth \
-v /mnt/registry/registry:/var/lib/registry \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-e REGISTRY_AUTH=htpasswd \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
registry:2
02bf92c9c4a6d1d9c9f4b75ba80e82834621b1570f5f7c4a74b215960
The container is now up and running. Let’s use HTTPS this time, but before that, we need to log in to the registry with docker login. Enter the username and password you set while creating the htpasswd file (in this case, user and pass):
$ docker login https://localhost
Username: user
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login#credentials-store
Login Succeeded
Since the login succeeded, we can go ahead and push our image to the registry:
$ docker push localhost/<your_dockerhub_user>/nginx-hello-world
The push refers to repository [localhost/<your_dockerhub_user>/nginx-hello-world]
2b7de406bdcd: Pushed
5f70bf18a086: Pushed
845348333310: Pushed
96a9e6a097c6: Pushed
548a79621a42: Pushed
latest: digest: sha256:6ad07e7425331456a3b8ea118bce36c82af242ec14072d483b5dcaa3bd607e65 size: 1366
This time, it works the way we want it to.