Docker registry does not have authentication nor certificate mechanism so in case you have docker registry on the internet, you need something that support those in front of the registry. You can find examples using Nginx for it on the web and this is yet another one.
Client talks to Nginx. Nginx proxies the request to the docker registry. The nginx is on the host OS - not as a container.
+-----------+ +--------------------------------------------------------+
| | | Server Docker container |
| | | +---------------------+ +------------+ |
| | | | Nginx on hostOS | | Docker | |
| Client | HTTPS | * Basic Auth | Proxy to | Registry | |
| +--------> * SSL certificate +----------------> | |
| | | | | localhost:5000 | | |
| | | +---------------------+ +------------+ |
+-----------+ +--------------------------------------------------------+
docker run -d -p 5000:5000 -v /images/docker-registry:/tmp/registry -e STORAGE_PATH=/tmp/registry registry
Let’s test if working on localhost.
curl localhost:5000
"\"docker-registry server\"
Good.
This git repo has preset files for this configurations let’s use it.
sudo apt-get install nginx
git clone https://github.com/docker/docker-registry
sudo cp docker-registry/contrib/nginx/nginx_1-3-9.conf /etc/nginx/conf.d/.
sudo cp docker-registry/contrib/nginx/docker-registry.conf /etc/nginx/.
sudo apt-get install apache2-utils
sudo htpasswd -bc /etc/nginx/docker-registry.htpasswd <username> <password>
Adding password for user <username>
Modify the nginx_1-3-9.conf matching with your environment such as server_name. Place certificate and key file to the right place with right name. The place is defined in the nginx_1-3-9.conf
sudo cp your.crt /etc/ssl/certs/docker-registry
sudo cp your.key /etc/ssl/private/docker-registry
Restart nginx
service nginx restart
Let’s test
$ curl -k --user <username>:<password> https://<domain_name> | python -m json.tool
"\"docker-registry server\""
Good. Basic authentication, certificate and http proxy are working. Now let’s login with docker client.
$ docker login <domain_name>
Username:
Password:
Email:
WARNING: login credentials saved in /home/ubuntu/.dockercfg.
Login Succeeded
If you success, the credential will be stored in .dockercfg file.
Done. now you can pull, push, whatever.
docker push <domain_name>/ubuntu
Check inside of the registry
REST API
curl --user <user_name>:<password> https://<domain_name>/v1/search | python -m json.tool
https://<domain_name>/v1/repositories/<name_space>/<image_name>/tags
CLI
ubuntu@sensor-docker-registry:~$ sudo docker search localhost:5000/sensor
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
sensors/kippo 0
sensors/dionaea 0
sensors/zabbix_agentd 0
sensors/suricata 0
sensors/p0f 0
sensors/datastore 0
When you commit an image:
[user@analyze-001 ~]$ docker commit 8a5ee6989c37 <domain_name>/<image_name>
ce63a9ab63a6a7fdd6564ebb68e991d67029e37f6daf83cd988f2eb3b5e6f82d
[user@analyze-001 ~]$ docker push <domain_name>/<image_name>
The push refers to a repository [<domain_name>/<image_name>] (len: 1)
Sending image list
Please login prior to push:
Username: <user_name>
Password:
Email: <email>
WARNING: login credentials saved in /home/<name>/.dockercfg.
Login Succeeded
The push refers to a repository [<domain_name>/<image_name>] (len: 1)
Sending image list
Pushing repository <domain_name>/<image_name> (1 tags)
e9e06b06e14c: Pushing [============================================> ] 174.8 MB/197.2 MB