Install Private Docker Registry on Centos 7

A Docker Registry is a service that you push Docker images to for storage and sharing. We can deploy our own private Docker Registry behind our firewall with SSL encryption and HTTP authentication. Here we use CentOS 7 to install the Docker registry, and Apache in front of it to provide an SSL connection with htpasswd authentication.


Update all packages and install docker registry

#yum update
#yum install docker-registry
#systemctl enable docker-registry.service
#service docker-registry start

Change the registry storage path if you need a custom location.

vi /etc/docker-registry.yml

Search for the local storage section and change its storage_path (the file is YAML, so the key is followed by a colon; replace <your directory> with the path you want):

local:
    storage_path: <your directory>

Once the changes are completed restart docker registry.

To verify that the registry is running, query it with curl:

#curl 192.168.1.88:5000
"\"docker-registry server\""

That's it! Your insecure registry is working now.

Browse your insecure Docker registry:

http://192.168.1.88:5000/

Tag the image you want to push to the registry.

Example

#docker tag <imageID> 192.168.1.88:5000/centos

Run your insecure docker registry with docker

#service docker stop
#docker -d --insecure-registry 192.168.1.88:5000 &

or

change the Docker startup script to include the insecure registry:

#vi /usr/lib/systemd/system/docker.service

Add the insecure-registry option to ExecStart:

--insecure-registry 192.168.1.88:5000

Example entry

ExecStart=/usr/bin/docker -d $OPTIONS \
 $DOCKER_STORAGE_OPTIONS \
 $DOCKER_NETWORK_OPTIONS \
 $ADD_REGISTRY \
 $BLOCK_REGISTRY \
 --insecure-registry 192.168.1.88:5000

Push your images

#docker push 192.168.1.88:5000/centos

Your images will be pushed to the insecure registry.

Pull your images

Change the Docker startup script to include the insecure registry, as in the previous step, then pull:

#docker pull 192.168.1.88:5000/centos

You are done with the insecure registry.

Secure Docker Private Registry

To reach the Docker registry over a secure URL, install Apache in front of it and configure SSL.

Install Apache with mod_ssl:

#yum install httpd mod_ssl

Create the user credentials for the registry with htpasswd:

# htpasswd -c /etc/httpd/.htpasswd USERNAME

Create your SSL certificate (self-signed or issued by a CA), then open ssl.conf and add the following proxy and authentication settings before </VirtualHost>:

#vi /etc/httpd/conf.d/ssl.conf

ProxyRequests off
ProxyPreserveHost on
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/

# Everything under / requires a valid htpasswd user.
# Order/Allow/Satisfy are Apache 2.2-style directives; the httpd 2.4 shipped with
# CentOS 7 still accepts them through mod_access_compat, which is loaded by default.
<Location />
    Order deny,allow
    Allow from all
    AuthName "Registry Authentication"
    AuthType basic
    # must be the same file you created with htpasswd -c above
    AuthUserFile "/etc/httpd/.htpasswd"
    Require valid-user
</Location>

# Allow ping and users to run unauthenticated.
<Location /v1/_ping>
    Satisfy any
    Allow from all
</Location>

# Allow ping and users to run unauthenticated.
<Location /_ping>
    Satisfy any
    Allow from all
</Location>

Point the SSL certificate directives at your certificate and key:

SSLCertificateFile
SSLCertificateKeyFile

Now restart the httpd service:

# service httpd restart
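As an added check that is not part of the original tutorial, the following Python script parses the httpd fragment above and flags the mistakes that silently break the authentication in front of the registry: an AuthUserFile that does not match the file htpasswd created, a missing Require valid-user on /, and ProxyRequests left on. The sample configuration and the HTPASSWD_PATH constant are constructed for this example.

```python
import re

# Constructed sample: this tutorial's ssl.conf fragment, including its
# AuthUserFile path that does not match the file created with htpasswd -c.
SAMPLE_CONF = """
ProxyRequests off
ProxyPass / http://127.0.0.1:5000/
<Location />
  AuthType basic
  AuthUserFile "/etc/httpd/.htpassword"
  Require valid-user
</Location>
<Location /v1/_ping>
  Satisfy any
  Allow from all
</Location>
"""
HTPASSWD_PATH = "/etc/httpd/.htpasswd"  # the file created with htpasswd -c above

def parse_conf(text):
    """Map each <Location> path to its directives; top-level lines are keyed ''."""
    blocks, cur = {"": []}, ""
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)\s*>", line)
        if m:
            cur = m.group(1)
            blocks.setdefault(cur, [])
        elif line == "</Location>":
            cur = ""
        else:
            blocks[cur].append(line)
    return blocks

def audit(text):
    """Return findings for the registry vhost; an empty list means it passes."""
    b, out = parse_conf(text), []
    if "ProxyRequests off" not in b[""]:
        out.append("ProxyRequests must be off, or httpd becomes an open proxy")
    root = b.get("/", [])
    if "Require valid-user" not in root:
        out.append("<Location /> does not require a valid user")
    for d in root:
        # AuthUserFile "/x" -> /x ; a typo here makes every login fail
        if d.startswith("AuthUserFile") and d.split(None, 1)[1].strip('"') != HTPASSWD_PATH:
            out.append("AuthUserFile does not match the htpasswd file: " + d)
    return out
```

Note that the registry itself still listens on port 5000 directly (the curl check earlier reached 192.168.1.88:5000), so firewall that port or bind the registry to 127.0.0.1, otherwise clients can bypass the httpd authentication entirely.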

Browse your registry with SSL and make sure it works.

https://192.168.1.88/
Now you can log in to the private registry server:

docker login https://192.168.1.88/

Provide the username and password you set when creating the htpasswd file.

Push your images to the Docker registry:

#docker push 192.168.1.88/centos

 

  • Khoi Thinh

    This is the content of my docker.service file.

    [Unit]
    Description=Docker Application Container Engine
    Documentation=https://docs.docker.com
    After=network.target docker.socket
    Requires=docker.socket

    [Service]
    Type=notify
    ExecStart=/usr/bin/docker daemon -H fd://
    MountFlags=slave
    LimitNOFILE=1048576
    LimitNPROC=1048576
    LimitCORE=infinity
    --insecure-registry 192.168.1.88:5000

    [Install]
    WantedBy=multi-user.target

    But it didn’t work. When running the command to push images, it said:

    The push refers to a repository [52.69.22.183:5000/centos] (len: 0)

    Repository does not exist: 52.69.22.183:5000/centos

    What should I do now?

    • Please remove your unnecessary settings.

      • Khoi Thinh

        This step: create your SSL certificate whether Self Signed or valid SSL cert.
        So I used the following commands:

        # Generate private key
        openssl genrsa -out ca.key 2048

        # Generate CSR
        openssl req -new -key ca.key -out ca.csr

        # Generate self-signed certificate
        openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

        The point is, when I opened the ssl.conf I didn’t see any line which has Proxy. What should I do?

      • Khoi Thinh

        Can you tell me in more detail about this step, “create your SSL certificate whether Self Signed or valid SSL cert”, editing the ssl.conf and changing the SSL certificate, please? I was kind of confused when I saw a lot of [location].

        • in httpd

          copy your SSL certificates into /etc/httpd and go to your ssl.conf,
          add this configuration to it and update the SSL cert paths SSLCertificateFile
          and SSLCertificateKeyFile

          ProxyRequests off
          ProxyPreserveHost on
          ProxyPass / http://127.0.0.1:5000/
          ProxyPassReverse / http://127.0.0.1:5000/

          # Allow ping and users to run unauthenticated.
          <Location /v1/_ping>
            Satisfy any
            Allow from all
          </Location>

          # Allow ping and users to run unauthenticated.
          <Location /_ping>
            Satisfy any
            Allow from all
          </Location>

          • Khoi Thinh

            So here’s what happened after I put in username, password and email in order to log in to the private docker registry.

            Error response from daemon: invalid registry endpoint https://52.68.193.13/v0/: unable to ping registry endpoint https://52.68.193.13/v0/
            v2 ping attempt failed with error: Get https://52.68.193.13/v2/: dial tcp 52.68.193.13:443: i/o timeout
            Can you tell me what happened?

          • Dirk

            Like Khoi I can follow along the exact steps you wrote down all the way to “Change the valid SSL certificate paths” where there is a lack of detail. Now as a programmer I in theory know what you are saying, but as a total noob in linuxland you in no way cleared anything up in your reply. Worse, on Centos the security OS, this smells of bad security.

            Here is a nice link instead: https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-apache-for-centos-7

            Next, were we supposed to replace USERNAME with root, myUserName, something else?

            The reason we are using Centos is to be secure, so using the default MD5 hash is unacceptable. Would “htpasswd -c -B /etc/httpd/.htpasswd USERNAME” not be better (use bcrypt)?

  • Dirk

    So after hacking through this I backspaced it all and used the Docker store to download the registry as a container. Seems like the best way to do this?

  • Binh Thanh Nguyen

    Thanks, nice tips