Deploying a private docker registry
source link: https://willschenk.com/labnotes/2023/private_docker_registry/
I wanted to see how hard it was to deploy my own docker registry. It's not that hard, and we get the benefit of living in our own little ecosystem. Here's the final script to deploy a private registry server on a stock Debian/Ubuntu instance. Let's walk through it.
Deploy the registry container
The idea is that you copy this script over to the remote machine and run it. We set up a couple of things:
- First, check to see if docker is installed, and install it if not.
#!/bin/bash
HOST=registry.willschenk.com
[email protected]
echo Checking to see if docker is installed
if ! docker -v ; then
curl -fsSL https://get.docker.com | sh
fi
Caddy
We are going to use caddy-docker-proxy as our main webserver. This will watch the host system for docker containers that carry the caddy label, and automatically configure Caddy to serve them up. We also get https out of this, so that's cool.
- Create the network caddy if it doesn't exist
- Create caddy_data and caddy_config so certs and other things survive containers
- Finally, start up the caddy container itself.
####
# Caddy
echo Checking for caddy network
if [[ -z $(docker network ls | grep caddy) ]]; then
echo -n Creating
docker network create caddy
fi
echo Checking for caddy_data volume
if [[ -z "$(docker volume ls | grep caddy_data)" ]]; then
echo -n Creating
docker volume create caddy_data
fi
echo Checking for caddy_config volume
if [[ -z "$(docker volume ls | grep caddy_config)" ]]; then
echo -n Creating
docker volume create caddy_config
fi
docker pull lucaslorentz/caddy-docker-proxy:ci-alpine
echo Stopping caddy if already started
docker stop caddy && docker rm caddy
echo Starting caddy
docker run \
--detach \
--name caddy \
--network caddy \
--publish 80:80 \
--publish 443:443 \
--publish 443:443/udp \
--label caddy.email=${EMAIL} \
--env CADDY_INGRESS_NETWORKS=caddy \
--volume /var/run/docker.sock:/var/run/docker.sock \
--volume caddy_data:/data \
--volume caddy_config:/config \
lucaslorentz/caddy-docker-proxy:ci-alpine
Registry container
Now on to the registry itself. registry_data is where the images get stored; registry_auth is where the usernames/passwords live.
##### Registry
# Create the data volume
# This is where the push images will live
echo Checking for registry_data volume
if [[ -z "$(docker volume ls | grep registry_data)" ]]; then
echo -n Creating
docker volume create registry_data
fi
echo Checking for registry_auth volume
if [[ -z "$(docker volume ls | grep registry_auth)" ]]; then
echo -n Creating
docker volume create registry_auth
fi
####
# Registry user file
# Create a htpasswd file in registry_auth container
# This will get mounted in the registry container later
# Needs to use -B for bcrypt
docker run \
--rm \
--volume registry_auth:/auth \
httpd:2 htpasswd -Bcb /auth/htpasswd registry-user password
docker pull registry:latest
echo Removing the old registry if started
docker stop registry && docker rm registry
echo Creating the registry container
docker run \
--detach \
--name registry \
--volume registry_data:/registry_data \
--volume registry_auth:/auth \
--network caddy \
--label caddy=${HOST} \
--label caddy.reverse_proxy='/v2/* {{upstreams 5000}}' \
--env REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry_data \
--env REGISTRY_AUTH=htpasswd \
--env "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
--env REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
--publish 5000:5000 \
registry
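The registry only understands bcrypt entries in that htpasswd file, which is why the command above passes -B; an entry written with -m or -s looks fine to Apache but locks everyone out of the registry. As an added example (not part of the original post), here is a small Python checker for the file the httpd container writes; the sample entries below are constructed, not real hashes:

```python
import re

# bcrypt digest: $2a$/$2b$/$2y$ prefix, two-digit cost, 22-char salt + 31-char hash
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def check_htpasswd(text: str) -> dict:
    """Parse htpasswd content and report which users the registry will accept.

    Returns {"ok": [user, ...], "bad": [(lineno, user, reason), ...]}.
    """
    ok, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored by the registry too
        if ":" not in line:
            bad.append((lineno, line, "missing ':' separator"))
            continue
        user, _, digest = line.partition(":")
        if not user:
            bad.append((lineno, user, "empty username"))
        elif digest.startswith("$apr1$"):
            bad.append((lineno, user, "MD5 (apr1) hash; registry needs bcrypt (-B)"))
        elif digest.startswith("{SHA}"):
            bad.append((lineno, user, "SHA1 hash; registry needs bcrypt (-B)"))
        elif not BCRYPT_RE.match(digest):
            bad.append((lineno, user, "not a well-formed bcrypt hash"))
        else:
            ok.append(user)
    return {"ok": ok, "bad": bad}


# Constructed sample file: one bcrypt entry (valid shape, made-up value),
# one md5 entry and one sha1 entry that the registry would reject.
SAMPLE = """\
registry-user:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
# comment line
md5-user:$apr1$Zt1Fs0xk$K5QjTeyJ1d4mMH1bZ4iYx/
sha-user:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""

if __name__ == "__main__":
    result = check_htpasswd(SAMPLE)
    for lineno, user, reason in result["bad"]:
        print(f"line {lineno}: {user}: {reason}")
    print("accepted users:", ", ".join(result["ok"]))
```

Run it against a copy of /auth/htpasswd pulled out of the registry_auth volume before restarting the registry container.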
Copy and run
scp registry.sh [email protected]:/root && \
ssh [email protected] bash /root/registry.sh
Basic test
curl https://registry.willschenk.com/v2/_catalog | jq
{
"errors": [
{
"code": "UNAUTHORIZED",
"message": "authentication required",
"detail": [
{
"Type": "registry",
"Class": "",
"Name": "catalog",
"Action": "*"
}
]
}
]
}
OK, so let's try to log in:
docker login registry.willschenk.com -u registry-user -p password
Login Succeeded
Then:
curl -u registry-user:password https://registry.willschenk.com/v2/_catalog | jq
{
"repositories": [
]
}
Tag and push
Let's first log into the server and see what's in the registry_data volume.
Server:
root@apple:~# docker volume inspect registry_data | awk '/Mountpoint/ {print $2}'
"/var/lib/docker/volumes/registry_data/_data",
root@apple:~# du -sh /var/lib/docker/volumes/registry_data/_data
4.0K /var/lib/docker/volumes/registry_data/_data
Now let's try to actually push something there. We'll pull down hello-world, tag it with the new name registry.willschenk.com/hello-world and then push it.
Client:
docker pull hello-world
docker tag hello-world:latest registry.willschenk.com/hello-world
docker push registry.willschenk.com/hello-world
Now back on the server:
root@apple:~# du -sh /var/lib/docker/volumes/registry_data/_data
148K /var/lib/docker/volumes/registry_data/_data
We've gone from 4.0K to 148K, so something happened!
And if we check over the api itself:
curl -u registry-user:password https://registry.willschenk.com/v2/_catalog | jq
{
"repositories": [
"hello-world"
]
}
Notes
- Right now registry.willschenk.com is hardcoded as the host at the top of the file
- Also you need to change the email address
- You probably want to update that user/password combo