This gist describes how to set up a private Docker Registry on an AWS EC2 instance and how to secure it with TLS using a certificate from Let's Encrypt.

A Docker registry is a server-side application that stores Docker images and lets you distribute them. It runs in its own Docker container, and the image is freely available. Let's Encrypt is a Certificate Authority that issues TLS certificates for free.
We require the following three items to be set up correctly before we start.

- An EC2 instance with Docker installed (`sudo apt-get install docker.io`)
- A domain name associated with the EC2 instance (`docker.biodock.io`)
- The EC2 instance's VPC and Security Group have been set up to expose the ssh, http, https, and Docker Registry ports (22/TCP, 80/TCP, 443/TCP, 5000/TCP) publicly.
- Edit the `/etc/nginx/sites-available/default` configuration file, changing the `server_name` from `_` to the docker.biodock.io domain name.
- Edit the `/etc/nginx/sites-available/default` configuration file, adding another server entry that listens on the 443/TCP port (certbot's nginx plugin later adds the TLS directives to this block):

```nginx
server {
    listen 443;
    listen [::]:443;
    server_name docker.biodock.io;
    root /var/www/html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
```
- Restart `nginx`.
- On the EC2 instance, install Certbot, the client that obtains the certificate from Let's Encrypt:

```shell
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
```
- Run certbot for nginx. You must enter an administrative email address and your domain.

```shell
sudo certbot --nginx
```

This generates the following four files in `/etc/letsencrypt/live/YOUR_DOMAIN`:

```
cert.pem chain.pem fullchain.pem privkey.pem
```

Copy the files into a local `certs` directory. Change their ownership to your local user and change permissions as appropriate.
- Still on the EC2 instance, we will need `fullchain.pem` and `privkey.pem` in our registry. Therefore, we create a directory `/certs/` to be mounted as a volume in the next step. For consistency with the Docker Registry documentation we rename the files to `domain.crt` and `domain.key`, respectively.
- Run the registry as follows.
```shell
# Host port 443 is already held by nginx and the registry listens on 5000
# inside the container, so only 5000 is published. The certificate and key
# use the names they were given in the previous step.
docker run -d -p 5000:5000 \
  --restart=always \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
```
- Download and tag an image so that it points to the new registry. The registry is published on port 5000, so the tag must include it:

```shell
docker pull hello-world && docker tag hello-world docker.biodock.io:5000/hello-world
```

- Push the image to the new registry:

```shell
docker push docker.biodock.io:5000/hello-world
```

If the upload succeeds, all is fine.
- Verify by viewing your registry's catalog in a web browser or Postman: https://docker.biodock.io:5000/v2/_catalog.
- If something goes wrong, stop the registry container with `docker stop registry`.
- Remove the registry container with `docker rm -v registry`.
- Re-run the start command without the `-d` flag and review the output while testing.
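The verification step above only tells you that the catalog loads. An added check (not part of the gist) that a practitioner would run from a workstation after the push step: it validates the served chain the same way `docker push` does (no insecure override), confirms `/v2/` answers as a Docker registry, and reports how many days the leaf certificate has left, which matters because Let's Encrypt certificates are valid for 90 days. The `Docker-Distribution-Api-Version` header and the 30-day renewal threshold are the registry's and certbot's documented behaviour; the registry URL is an assumption.

```go
// Added example, not the gist's code: client-side probe of a TLS-secured
// registry. Usage: go run . https://docker.biodock.io:5000 (assumed URL).
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"os"
	"time"
)

// Report is what Check learned about one registry endpoint.
type Report struct {
	IsRegistry bool // /v2/ answered 200 or 401 with the registry API version header
	DaysLeft   int  // whole days until the leaf certificate's NotAfter
}

// Check GETs baseURL+"/v2/", validating the chain against roots (nil means the
// system roots, which is what a real Let's Encrypt chain needs). A chain that
// does not verify comes back as an error rather than a Report.
func Check(baseURL string, roots *x509.CertPool, now time.Time) (Report, error) {
	client := &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
	resp, err := client.Get(baseURL + "/v2/")
	if err != nil {
		return Report{}, err
	}
	defer resp.Body.Close()
	var r Report
	r.IsRegistry = (resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusUnauthorized) &&
		resp.Header.Get("Docker-Distribution-Api-Version") == "registry/2.0"
	if resp.TLS != nil && len(resp.TLS.PeerCertificates) > 0 {
		r.DaysLeft = int(resp.TLS.PeerCertificates[0].NotAfter.Sub(now).Hours() / 24)
	}
	return r, nil
}

func main() {
	rep, err := Check(os.Args[1], nil, time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, "TLS or HTTP failure:", err)
		os.Exit(1)
	}
	fmt.Printf("registry API: %v, certificate days left: %d\n", rep.IsRegistry, rep.DaysLeft)
	if !rep.IsRegistry || rep.DaysLeft < 30 { // certbot renews at 30 days; less means renewal is broken
		os.Exit(1)
	}
}
```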