Private (free of charge) image container registry #docker

Told you this post was coming. Storing your application images can get costly, especially when you pile up tons of versions over the course of development. Here is a simple way to create your own registry.

Assume that you own a domain (e.g. nuage.lab) and that its DNS record points to the host where you are running your registry (e.g. registry.nuage.lab). I am using a couple of docker servers, one for the registry and the other to push/pull images, both on an updated CentOS 7.

Deploy your own self-signed certificates

Create your own certificates on the docker node assigned as the registry. You also have the option of using certificates you already trust instead.

  1. Generate your certs into your registry server:
    mkdir -p /certs && openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout /certs/domain.key \
    -x509 -days 365 -out /certs/domain.crt
    
  2. Check your domain and make sure the certificate's CN is set to it.
    In my case that is registry.nuage.lab (test from every node that you can resolve the name).
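The two steps above, as an added example that is not part of the original post: it generates the same self-signed pair with the subject and, more importantly, a subjectAltName pinned to the registry hostname (Docker's Go TLS client matches the SAN, not the CN alone), then checks the SAN, the key/certificate pairing and the remaining validity before anything is deployed. It assumes OpenSSL 1.1.1 or newer for -addext; the directory, hostname and function names are this example's own.

```shell
#!/bin/sh
# Added example (not the post's own script): generate and sanity-check
# the registry's self-signed certificate. /certs and registry.nuage.lab
# are the values used in the post; everything else here is assumed.

# gen_registry_cert DIR HOST [BITS]: writes DIR/domain.key and
# DIR/domain.crt. -subj avoids the interactive prompts and -addext adds
# the SAN that docker clients require. Assumes OpenSSL 1.1.1+.
gen_registry_cert() {
    dir=$1
    host=$2
    bits=${3:-4096}
    mkdir -p "$dir"
    openssl req -newkey "rsa:$bits" -nodes -sha256 \
        -keyout "$dir/domain.key" -x509 -days 365 -out "$dir/domain.crt" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
    # The private key must never be world-readable.
    chmod 600 "$dir/domain.key"
}

# cert_has_san CRT HOST: exit 0 if the certificate carries DNS:HOST in
# its Subject Alternative Name extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# key_matches_cert KEY CRT: exit 0 if the public key inside the
# certificate is the one derived from the private key. A mismatched
# pair makes the registry container fail to start.
key_matches_cert() {
    pub_from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    pub_from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_crt" ]
}

# cert_valid_for_days CRT DAYS: exit 0 if the certificate will still be
# valid DAYS from now (the post's cert only lasts 365 days).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Stand-alone use on the registry node:
#   REGISTRY_HOST=registry.nuage.lab CERT_DIR=/certs sh gen-cert.sh
if [ -n "${REGISTRY_HOST-}" ]; then
    CERT_DIR=${CERT_DIR:-/certs}
    gen_registry_cert "$CERT_DIR" "$REGISTRY_HOST"
    cert_has_san "$CERT_DIR/domain.crt" "$REGISTRY_HOST" || { echo "SAN missing" >&2; exit 1; }
    key_matches_cert "$CERT_DIR/domain.key" "$CERT_DIR/domain.crt" || { echo "key/cert mismatch" >&2; exit 1; }
    cert_valid_for_days "$CERT_DIR/domain.crt" 30 || { echo "cert expires within 30 days" >&2; exit 1; }
    echo "certificate for $REGISTRY_HOST ready in $CERT_DIR"
fi
```

Run the checks again whenever you rotate the pair; a 365-day certificate expiring silently shows up on the client side as push/pull failures that look like the registry is down.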

Create your own registry

Check that TCP port 5000 is not already in use on the docker node that will be the registry:

netstat -anp | grep 5000

Using /certs/domain.crt and /certs/domain.key we create the registry:

docker run -d -p 5000:5000 --restart=always --name registry \
  -v /certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2

Check if your service started

[root@docker01 certs]# netstat -anp | grep 5000
tcp6       0      0 :::5000                 :::*                    LISTEN      29822/docker-proxy  

Check the logs to confirm the registry server started ok, as I did:

[root@docker01 ~]# docker logs 8ba39d5a20bd
time="2016-09-13T18:46:23Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.6.3 instance.id=51923803-75ee-406b-8b74-28b4fc060946 version=v2.5.1 
time="2016-09-13T18:46:23Z" level=info msg="redis not configured" go.version=go1.6.3 instance.id=51923803-75ee-406b-8b74-28b4fc060946 version=v2.5.1 
time="2016-09-13T18:46:23Z" level=info msg="Starting upload purge in 27m0s" go.version=go1.6.3 instance.id=51923803-75ee-406b-8b74-28b4fc060946 version=v2.5.1 
time="2016-09-13T18:46:23Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.6.3 instance.id=51923803-75ee-406b-8b74-28b4fc060946 version=v2.5.1 
time="2016-09-13T18:46:23Z" level=info msg="listening on [::]:5000, tls" go.version=go1.6.3 instance.id=51923803-75ee-406b-8b74-28b4fc060946 version=v2.5.1 

Alternatively, you can use “docker inspect” on the container.

Push images to your own registry

Important: add your insecure registry to every node in your cluster as follows:

  1. Open /etc/sysconfig/docker for editing.
  2. Edit (or add) the DOCKER_OPTS line (on CentOS 7 it is the OPTIONS line, as below) and add the --insecure-registry flag.
    This flag takes the host:port of your registry:

    [root@k8snode01 ~]# cat /etc/sysconfig/docker | grep OPTIONS
    #OPTIONS='--selinux-enabled --log-driver=journald'
    OPTIONS='--selinux-enabled --log-driver=journald --insecure-registry registry.nuage.lab:5000'
    [root@k8snode01 ~]# ps -ef | grep registry
    root     23169     1  5 13:38 ?        00:06:42 /usr/bin/docker-current daemon --exec-opt native.cgroupdriver=systemd --selinux-enabled --log-driver=journald --insecure-registry registry.nuage.lab:5000
    
  3. Instruct every docker daemon to trust that certificate.
    This is done by copying domain.crt to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt, replacing myregistrydomain.com:5000 with your registry's host and port (registry.nuage.lab:5000 here).
  4. Restart “docker”
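Steps 1 to 4 above, plus the check to run when a push later fails with "connection refused", as an added example that is not part of the original post. It installs the registry certificate where the docker daemon looks it up and then talks to the registry's v2 API with that CA; once the CA is trusted this way, the --insecure-registry flag is not needed, and since that flag makes the daemon accept an unverified certificate and fall back to plain HTTP for the host, leaving it out is the safer configuration. It assumes curl on the node and that domain.crt has been copied over; DOCKER_CERTS_ROOT and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the post's own script): make a docker node trust the
# registry's certificate and verify the registry over TLS.
# DOCKER_CERTS_ROOT exists so the functions can be exercised against a
# scratch directory instead of the real /etc/docker/certs.d.
DOCKER_CERTS_ROOT=${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}

# trusted_ca_path HOSTPORT: the file the docker daemon consults for HOSTPORT.
trusted_ca_path() {
    echo "$DOCKER_CERTS_ROOT/$1/ca.crt"
}

# trust_registry HOSTPORT CRT: install CRT as certs.d/HOSTPORT/ca.crt.
# Refuses anything that is not a PEM certificate so a private key is
# never dropped into the trust directory by mistake. Prints the path.
trust_registry() {
    hostport=$1
    crt=$2
    grep -q 'BEGIN CERTIFICATE' "$crt" || {
        echo "$crt is not a PEM certificate" >&2
        return 1
    }
    dest=$(trusted_ca_path "$hostport")
    mkdir -p "$(dirname "$dest")"
    cp "$crt" "$dest"
    chmod 644 "$dest"
    echo "$dest"
}

# check_registry HOSTPORT: request the v2 API root using the installed
# CA. HTTP 200 (open registry) or 401 (auth required) both mean TLS and
# the daemon are fine. A curl failure (e.g. connection refused, the
# error shown at the end of the post) means nothing is listening there.
check_registry() {
    ca=$(trusted_ca_path "$1")
    code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ca" "https://$1/v2/") || {
        echo "registry $1 unreachable: is the container running and listening on port ${1##*:}?" >&2
        return 1
    }
    case $code in
        200|401) return 0 ;;
        *) echo "unexpected HTTP $code from https://$1/v2/" >&2; return 1 ;;
    esac
}

# list_repositories HOSTPORT: catalog of pushed images, to confirm a push landed.
list_repositories() {
    curl -s --cacert "$(trusted_ca_path "$1")" "https://$1/v2/_catalog"
}

# Stand-alone use on a node (then restart docker as in step 4):
#   REGISTRY=registry.nuage.lab:5000 sh trust-registry.sh /root/domain.crt
if [ -n "${REGISTRY-}" ] && [ -n "${1-}" ]; then
    trust_registry "$REGISTRY" "$1" && check_registry "$REGISTRY" && list_repositories "$REGISTRY"
fi
```

After `docker push`, `list_repositories` should show the repository name (python in the post's run); if `check_registry` reports the registry unreachable instead, go back to the registry node and read the container logs as described earlier.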

Now, let's try to push an image from some node:

[root@k8snode01 ~]# docker pull python
Using default tag: latest
Trying to pull repository docker.io/library/python ... 
latest: Pulling from docker.io/library/python
357ea8c3d80b: Already exists 
52befadefd24: Pull complete 
3c0732d5313c: Pull complete 
ceb711c7e301: Pull complete 
4211bb537697: Pull complete 
1b2aa61e5968: Pull complete 
9a7217a507e4: Pull complete 
Digest: sha256:375c0b481e80219b311fdcf25d734fa1f8647eb31f2d6fc9f59c7117dd5c02fb
Status: Downloaded newer image for docker.io/python:latest
[root@k8snode01 ~]# docker tag python registry.nuage.lab:5000/python
[root@k8snode01 ~]# docker push registry.nuage.lab:5000/python
The push refers to a repository [registry.nuage.lab:5000/python]
c9b6a039cea4: Pushed 
8381abf68409: Pushed 
8b6193c4a133: Pushed 
04dc8c446a38: Pushed 
1050aff7cfff: Pushed 
66d8e5ee400c: Pushed 
2f71b45e4e25: Pushed 
latest: digest: sha256:375c0b481e80219b311fdcf25d734fa1f8647eb31f2d6fc9f59c7117dd5c02fb size: 1774

If you get the following message:

[root@k8snode01 ~]# docker push registry.nuage.lab:5000/python
The push refers to a repository [registry.nuage.lab:5000/python]
Put http://registry.nuage.lab:5000/v1/repositories/python/: dial tcp 10.10.10.16:5000: getsockopt: connection refused

That means your server didn't start correctly. Check the logs again, or check your /etc/sysconfig/docker.

see ya!
