Linux, Windows, Virtualization, OpenSource & Blogging

How to Setup Docker Private Registry on CentOS 7 / Ubuntu 16.04 / Fedora 25

7

Docker registry is a piece of application that lets you store and distribute the Docker images internally (within your organization). Docker even has a public registry, known as Docker Hub, free to store Docker images.

But, the problem with Docker public registry is that the images you upload on it becomes public. This is not what you or your organization expect when you worked for long hours to build an image and that goes public.

To overcome this hurdle, you can set up a Docker registry for your project privately so that only you or your organization can store the Docker images on it and distribute among your co-worker.

Here, in this tech guide, we will discuss on how to setup Docker Private Registry on CentOS 7/ Ubuntu 16.04 / Fedora 25.

Infrastructure:

Setup Docker Private Registry on CentOS 7
Setup Docker Private Registry on CentOS 7
HostName IP Address Operating System Purpose
registry.itzgeek.local 192.168.12.10 CentOS 7 Acts as Docker private registry server
build.itzgeek.local 192.168.12.20 Ubuntu 16.04 Acts as Docker engine node where the developers will build the Docker images either with dockerfile or docker compose, and then upload those images to above docker private registry server.
deploy.itzgeek.local 192.168.12.30 Fedora 25 Acts as Docker engine node where we deploy containers downloaded (pull) from private registry server.
Here, I’m using mixed (OS) environment to demonstrate. I recommend you to use only homogeneous environment which is easy for troubleshooting issues that arise.

Prerequisites:

Install Docker engine on all of your nodes and make sure Docker service is up and running.

READ: How to install Docker CE on CentOS 7
READ: How to install Docker CE on Ubuntu 16.04
READ: How to install Docker CE on Fedora 25

Setup Docker Private Registry:

Login to registry node and pull the registry image from Docker Hub.

[root@registry ~]# docker pull registry

Choose whether you want to go with plain or secured Docker registry.

Plain Docker Registry:

[root@registry ~]# docker run -dit -p 5000:5000 --name registry registry

Secure Docker Private Registry:

By default, Docker node uses a secure connection over TLS to upload or download images to or from the private registry. You can use TLS certificates signed by CA or self-signed on Registry server.

Here, I will use a self-signed certificate for securing Docker Registry. Let’s create a self-singed certificate using the following command.

[root@registry ~]# mkdir -p /certs

[root@registry ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /certs/ca.key -x509 -days 365 -out /certs/ca.crt

Generating a 4096 bit RSA private key
............................................++
.....................................................................................................++
writing new private key to '/certs/ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:TN
Locality Name (eg, city) [Default City]:CHN
Organization Name (eg, company) [Default Company Ltd]:ITzGeek
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:registry.itzgeek.local
Email Address []:itzgeek.web@gmail.com

Replace “registry.itzgeek.local” with the FQDN of your registry server.

Generated certificate “ca.crt” need to be placed on all of your build/deploy nodes for trusting this certificate.

Start Docker registry container with certificate information.

[root@registry ~]# docker run -d -p 5000:5000 --restart=always --name registry -v /certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ca.crt -e REGISTRY_HTTP_TLS_KEY=/certs/ca.key registry

Now, you have a registry server container named “registry” running on “registry.itzgeek.local“.

[root@registry ~]# docker ps

Output:

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
8641fbc895f5        registry            "/entrypoint.sh /e..."   44 seconds ago      Up 41 seconds       0.0.0.0:5000->5000/tcp   registry

Firewall:

You would need to open following ports on firewall for Docker registry to be available outside network (to build.itzgeek.local/deploy.itzgeek.local)

You need to run the following command on Docker Registry server (registry.itzgeek.local), depends on your operating system.

If your Docker Registry is on CentOS 7,

[root@registry ~]# firewall-cmd --permanent --add-port=5000/tcp
[root@registry ~]# firewall-cmd --reload

If your Docker Registry is on Ubuntu 16.04,

root@registry:~# ufw status
root@registry:~# ufw allow 5000/tcp
root@registry:~# ufw reload ufw enable

Now the Docker Registry is ready for distributing Docker images.

Create and upload a Docker Image to a Private Registry server:

Login into your build Docker engine node, Ex. “build.itzgeek.local

Build a Docker Image:

Let’s create a docker image (for customized docker container) for uploading it into the private registry server. In three ways you can build/create a container images.

1. Commit
2. Dockerfile
3. Docker Compose.

Build and keep your docker image ready for upload by following any one of the methods listed above.

READ: How to Build Docker Images with Docker Commit
READ: How to Build Docker Images with DockerFile

I have built a docker image called “mycentos:httpdv1.0” on “build.itzgeek.local” and we will now upload it onto Private registry server.

root@build:~# docker images

Output:

Setup Docker Private Registry on CentOS 7 - List of Docker Images
Setup Docker Private Registry on CentOS 7 – List of Docker Images

Now, rename the docker image with the following format; “registryserver:portnumber/image name:tag“. If the image name does not match with given format then docker push or pull command will try to upload or download the image from the public registry, not from the private registry.

To rename the docker image use “docker tag” command.

root@build:~# docker tag mycentos:httpdv1.0 registry.itzgeek.local:5000/mycentos:httpdv1.0

Check again for the list of Docker images.

Setup Docker Private Registry on CentOS 7 - Updated list of Docker Images
Setup Docker Private Registry on CentOS 7 – Updated list of Docker Images

Upload a Docker Image:

Depends on the communication mode (Secure or Non-Secure) of Docker Registry, follow any one of the below methods.

Non-Secure (Plain Http Registry):

Edit/Create the file “daemon.json” in “/etc/docker/” directory.

root@build:~# vi /etc/docker/daemon.json

Add the following contents into it.

{
  "insecure-registries" : ["registry.itzgeek.local:5000"]
}

Secure (Self-signed):

Copy the certificate “ca.crt” from registry server “registry.itzgeek.local” to “/etc/docker/certs.d/registry.itzgeek.local:5000/ca.crt” on “build.itzgeek.local“.

root@build:~# mkdir -p /etc/docker/certs.d/registry.itzgeek.local:5000/

root@build:~# scp -pr root@registry.itzgeek.local:/certs/ca.crt /etc/docker/certs.d/registry.itzgeek.local:5000/

In both cases, you would need to restart the Docker engine service.

root@build:~# systemctl restart docker

Upload the docker image to private registry server using the following command.

root@build:~# docker push registry.itzgeek.local:5000/mycentos:httpdv1.0

Download and Deploy Docker Container image from Private Registry server:

Login into your deploy Docker engine node, Ex. “deploy.itzgeek.local“.

Depends on the communication mode (Secure or Non-Secure) of Docker Registry, follow any one of the below methods.

Non-Secure (Plain Http Registry):

Edit/Create the file “daemon.json” in “/etc/docker/” directory.

[root@deploy ~]# vi /etc/docker/daemon.json

Add the following contents into it.

{
  "insecure-registries" : ["registry.itzgeek.local:5000"]
}

Secure (Self-signed):

Copy the certificate “ca.crt” from registry server “registry.itzgeek.local” to “/etc/docker/certs.d/registry.itzgeek.local:5000/ca.crt” on “deploy.itzgeek.local“.

[root@deploy ~]# mkdir -p /etc/docker/certs.d/registry.itzgeek.local:5000/

[root@deploy ~]# scp -pr root@registry.itzgeek.local:/certs/ca.crt /etc/docker/certs.d/registry.itzgeek.local:5000/

In both cases, you would need to restart the Docker engine service.

[root@deploy ~]# systemctl restart docker

Download the docker image to private registry server using the following command.

[root@deploy ~]# docker pull registry.itzgeek.local:5000/mycentos:httpdv1.0

Now, check the list of available images using “docker images” command

[root@deploy ~]# docker images

Output:

Setup Docker Private Registry on CentOS 7 - Docker Images on Deploy Node
Setup Docker Private Registry on CentOS 7 – Docker Images on Deploy Node

Now the Docker image is ready for deployment.

READ: How to Deploy Docker Containers – Command Line Interface

That’s All.

You might also like
  • rahman sharif

    Very impressive document. i understood it very clear. i’m a start up level but your document explains me very clearly thanks you very much.

    • rahman sharif

      Iam haveing an error at the end:
      ssh:could not resolve hostname registry.rehan.local: name or service not know?????

      • Hello Rehman,

        Please put a host entry in /etc/hosts file so that it can resolve hostname

        • rahman sharif

          Thanks. yes i made an entry on host file
          even i change the name as:rehan.local before was registry.rehan,local
          know:
          it says:ssh:connect to host rehan.local port22: time out

          • When you are getting this error??

          • rahman sharif

            When i execute this commend i getting error: time out and even some time permission (Publickey, password):
            scp -pr root@registry.itzgeek.local:/certs/ca.crt /etc/docker/certs.d/registry.itzgeek.local:5000/

          • Hi, it may be due to firewall issue(may be iptables or corporate firewall)

            I request you to copy the content of certificate manually and paste it in your build or deployment node instead of using SCP.

Shares