Configure Secure Registry with Docker-Distribution on CentOS 7

Docker Registry is a content storage and delivery system that stores different tagged versions of Docker images. Users interact with a registry through push and pull operations. Docker Hub is the public Docker registry and serves millions of images to a very large user base. There are scenarios, however, where a private, secure, on-premises Docker registry is required, for example to keep internal images off a public service and to control who may push to them.

In our previous article we configured a Private Docker Registry on CentOS 7 using Docker itself: the registry ran as a container on Docker Engine CE.

Now we use an alternative method that creates a secure Docker registry without container technology. In this article, we configure a secure registry with the docker-distribution package on CentOS 7 and then test it from a Docker host.

It is highly recommended that you read Docker Deep Dive for a basic to advanced understanding of Docker technology; it will also help you follow this article.

 


    System Specification:

    We have configured a CentOS 7 virtual machine with following specification.

    • Hostname - docker-distribution-01.example.com
    • IP Address - 192.168.116.153/24
    • Operating System - CentOS 7.6
    • CPU - 3.4 Ghz (1 Core)
    • Memory - 1 GB
    • Storage - 40 GB

    We are also using a Docker Host with following specification to test our Secure Docker Registry.

    • Hostname - docker-manager-01.example.com
    • IP Address - 192.168.116.150/24
    • Operating System - CentOS 7.6
    • Docker Version - Docker Engine CE 18.09

     

    Installing Docker-Distribution on CentOS 7:

    Connect with docker-distribution-01.example.com using ssh as root user.

    The docker-distribution package is available in the extras yum repository.

    Check the available version of the docker-distribution package (the output below was captured after installation, which is why it appears under Installed Packages).

    [root@docker-distribution-01 ~]# yum info docker-distribution
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    * base: mirrors.ges.net.pk
    * extras: mirrors.ges.net.pk
    * updates: mirror1.ku.ac.th
    Installed Packages
    Name : docker-distribution
    Arch : x86_64
    Version : 2.6.2
    Release : 2.git48294d9.el7
    Size : 12 M
    Repo : installed
    From repo : extras
    Summary : Docker toolset to pack, ship, store, and deliver content
    URL : https://github.com/docker/distribution
    License : ASL 2.0
    Description : Docker toolset to pack, ship, store, and deliver content

    Install Docker-Distribution package as follows.

    [root@docker-distribution-01 ~]# yum install -y docker-distribution
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    * base: ftp.iitm.ac.in
    * extras: mirrors.ges.net.pk
    * updates: mirror2.totbb.net
    Resolving Dependencies
    --> Running transaction check
    ---> Package docker-distribution.x86_64 0:2.6.2-2.git48294d9.el7 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
    Package Arch Version Repository Size
    ================================================================================
    Installing:
    docker-distribution x86_64 2.6.2-2.git48294d9.el7 extras 3.5 M

    Transaction Summary
    ================================================================================
    Install 1 Package

    Total download size: 3.5 M
    Installed size: 12 M
    Downloading packages:
    docker-distribution-2.6.2-2.git48294d9.el7.x86_64.rpm | 3.5 MB 00:08
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
    Installing : docker-distribution-2.6.2-2.git48294d9.el7.x86_64 1/1
    Verifying : docker-distribution-2.6.2-2.git48294d9.el7.x86_64 1/1

    Installed:
    docker-distribution.x86_64 0:2.6.2-2.git48294d9.el7

    Complete!

    Docker-Distribution package has been installed on CentOS 7.

     

    Configuring Secure Registry with Docker-Distribution:

    Because we are configuring a secure (TLS-only) registry, we first need a TLS certificate and private key for the registry service. Here we create a self-signed certificate with OpenSSL; in production, use a certificate issued by your organization's CA instead. Restrict the permissions on the private key so that only the account running the registry service can read it. Note also that this certificate only carries a Common Name: Docker 18.09 accepts that, but Docker releases built with Go 1.15 or later reject server certificates that lack a Subject Alternative Name.

    [root@docker-distribution-01 ~]# openssl req \
    > -newkey rsa:2048 \
    > -nodes -sha256 \
    > -x509 -days 365 \
    > -keyout /etc/pki/tls/private/registry.key \
    > -out /etc/pki/tls/registry.crt
    Generating a 2048 bit RSA private key
    ..............+++
    .............................................................+++
    writing new private key to '/etc/pki/tls/private/registry.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:PK
    State or Province Name (full name) []:Sindh
    Locality Name (eg, city) [Default City]:Karachi
    Organization Name (eg, company) [Default Company Ltd]:Ahmer's SysAdmin Recipes
    Organizational Unit Name (eg, section) []:ITLAB
    Common Name (eg, your name or your server's hostname) []:docker-distribution-01.example.com
    Email Address []:root@docker-distribution-01.example.com

    To restrict anonymous access, we set up HTTP basic authentication for the registry service. Docker's documentation notes that basic authentication must be combined with TLS, since it sends credentials in clear text, which is why the certificate came first. For this purpose we need the htpasswd utility from the httpd-tools package to create an HTTP password file.

    [root@docker-distribution-01 ~]# yum install -y httpd-tools
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    * base: ftp.iitm.ac.in
    * extras: mirror.nbrc.ac.in
    * updates: mirror.nbrc.ac.in
    Resolving Dependencies
    --> Running transaction check
    ---> Package httpd-tools.x86_64 0:2.4.6-88.el7.centos will be installed
    --> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-tools-2.4.6-88.el7.centos.x86_64
    --> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-tools-2.4.6-88.el7.centos.x86_64
    --> Running transaction check
    ---> Package apr.x86_64 0:1.4.8-3.el7_4.1 will be installed
    ---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
    Package Arch Version Repository Size
    ================================================================================
    Installing:
    httpd-tools x86_64 2.4.6-88.el7.centos base 90 k
    Installing for dependencies:
    apr x86_64 1.4.8-3.el7_4.1 base 103 k
    apr-util x86_64 1.5.2-6.el7 base 92 k

    Transaction Summary
    ================================================================================
    Install 1 Package (+2 Dependent packages)

    Total download size: 286 k
    Installed size: 584 k
    Downloading packages:
    (1/3): apr-1.4.8-3.el7_4.1.x86_64.rpm | 103 kB 00:03
    (2/3): httpd-tools-2.4.6-88.el7.centos.x86_64.rpm | 90 kB 00:03
    (3/3): apr-util-1.5.2-6.el7.x86_64.rpm | 92 kB 00:04
    --------------------------------------------------------------------------------
    Total 69 kB/s | 286 kB 00:04
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
    Installing : apr-1.4.8-3.el7_4.1.x86_64 1/3
    Installing : apr-util-1.5.2-6.el7.x86_64 2/3
    Installing : httpd-tools-2.4.6-88.el7.centos.x86_64 3/3
    Verifying : httpd-tools-2.4.6-88.el7.centos.x86_64 1/3
    Verifying : apr-util-1.5.2-6.el7.x86_64 2/3
    Verifying : apr-1.4.8-3.el7_4.1.x86_64 3/3

    Installed:
    httpd-tools.x86_64 0:2.4.6-88.el7.centos

    Dependency Installed:
    apr.x86_64 0:1.4.8-3.el7_4.1 apr-util.x86_64 0:1.5.2-6.el7

    Complete!

    Now create the HTTP password file with a first user (ahmer) as follows:

    [root@docker-distribution-01 ~]# htpasswd -c -B /etc/docker-distribution/dockerpasswd ahmer
    New password:
    Re-type new password:
    Adding password for user ahmer

    We used the -B switch above to hash the password with bcrypt, because bcrypt is the only hash the registry's htpasswd backend supports; entries with other hash types (MD5, SHA1, crypt) are ignored. The -c switch creates the file; omit it when adding further users, or the existing file will be overwritten.

    Edit Docker Registry configuration file.

    [root@docker-distribution-01 ~]# vi /etc/docker-distribution/registry/config.yml

    and update it as follows:

    version: 0.1
    log:
      fields:
        service: registry
    storage:
      cache:
        layerinfo: inmemory
      filesystem:
        rootdirectory: /var/lib/registry
    http:
      addr: 192.168.116.153:5000
      tls:
        certificate: /etc/pki/tls/registry.crt
        key: /etc/pki/tls/private/registry.key
    auth:
      htpasswd:
        realm: example.com
        path: /etc/docker-distribution/dockerpasswd

    Warning: Use spaces, not the TAB key, to indent lines in config.yml. YAML does not allow tabs for indentation, and the docker-distribution service will fail at startup with an error like the following:

    configuration error: error parsing /etc/docker-distribution/registry/config.yml: yaml: line 12: found character that cannot start any token

    Please refer to the Docker Registry configuration reference for the other options available in config.yml.

    Start and enable the docker-distribution service.

    [root@docker-distribution-01 ~]# systemctl start docker-distribution
    [root@docker-distribution-01 ~]# systemctl enable docker-distribution
    Created symlink from /etc/systemd/system/multi-user.target.wants/docker-distribution.service to /usr/lib/systemd/system/docker-distribution.service.

    Allow the registry port, 5000/tcp, through the Linux firewall.

    [root@docker-distribution-01 ~]# firewall-cmd --permanent --add-port=5000/tcp
    success
    [root@docker-distribution-01 ~]# firewall-cmd --reload
    success

    Our secure Docker registry has been configured. If the service does not come up, check journalctl -u docker-distribution for configuration errors.
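    The server-side steps above (certificate, password file, config.yml, service, firewall) collected into one script, as an added example that is not code from the original article or from the docker-distribution project. It differs from the interactive steps in two ways a practitioner would want: the self-signed certificate carries Subject Alternative Name entries for both the hostname and the IP (generated through a temporary OpenSSL config file, because the OpenSSL 1.0.2 shipped with CentOS 7 has no -addext option), and it finishes by probing /v2/ over TLS to confirm that anonymous requests are rejected. The hostname, IP, port, user and file paths are the article's; the function names, the REG_* variables and the --install flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): server-side setup of a
# docker-distribution registry with a SAN-bearing self-signed certificate,
# a bcrypt htpasswd file and a matching config.yml.
# Hostname, IP, port, user and paths are taken from the article; the function
# names, REG_* variables and the --install flag are this example's own.
set -eu

REG_HOST="${REG_HOST:-docker-distribution-01.example.com}"
REG_IP="${REG_IP:-192.168.116.153}"
REG_PORT="${REG_PORT:-5000}"
REG_USER="${REG_USER:-ahmer}"
CRT=/etc/pki/tls/registry.crt
KEY=/etc/pki/tls/private/registry.key
HTPASSWD_FILE=/etc/docker-distribution/dockerpasswd
CONFIG=/etc/docker-distribution/registry/config.yml

# gen_registry_cert DIR NAME IP
# Self-signed certificate with SAN entries for the DNS name and the IP.
# The extension is supplied via a temporary config file (no -addext on
# OpenSSL 1.0.2). umask 077 makes the private key mode 0600.
gen_registry_cert() {
  dir="$1"; name="$2"; ip="$3"
  cfg="$(mktemp)"
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $name
[v3_req]
subjectAltName = DNS:$name, IP:$ip
extendedKeyUsage = serverAuth
EOF
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -config "$cfg" -keyout "$dir/registry.key" -out "$dir/registry.crt" 2>/dev/null )
  rm -f "$cfg"
}

# cert_has_san CRT -> prints "yes" or "no". Docker releases built with Go 1.15
# or later reject server certificates that only carry a Common Name.
cert_has_san() {
  if openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'; then
    echo yes
  else
    echo no
  fi
}

# render_registry_config ADDR CRT KEY HTPASSWD -> config.yml on stdout.
# Indented with spaces only: a tab anywhere makes the YAML parser fail.
# "blobdescriptor" is the current name of the cache key the article calls
# "layerinfo"; both are accepted.
render_registry_config() {
  cat <<EOF
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: $1
  tls:
    certificate: $2
    key: $3
auth:
  htpasswd:
    realm: example.com
    path: $4
EOF
}

# install_registry: run as root on the registry host.
install_registry() {
  tmp="$(mktemp -d)"
  gen_registry_cert "$tmp" "$REG_HOST" "$REG_IP"
  install -m 0644 "$tmp/registry.crt" "$CRT"
  install -m 0600 "$tmp/registry.key" "$KEY"      # key readable by root only
  rm -rf "$tmp"
  htpasswd -cB "$HTPASSWD_FILE" "$REG_USER"       # bcrypt: the only hash the registry accepts
  render_registry_config "$REG_IP:$REG_PORT" "$CRT" "$KEY" "$HTPASSWD_FILE" > "$CONFIG"
  systemctl start docker-distribution
  systemctl enable docker-distribution
  firewall-cmd --permanent --add-port="$REG_PORT/tcp" && firewall-cmd --reload
  # An anonymous GET /v2/ must be answered 401: TLS is up and auth is enforced.
  code="$(curl -s -o /dev/null -w '%{http_code}' --cacert "$CRT" "https://$REG_IP:$REG_PORT/v2/")"
  [ "$code" = 401 ] || { echo "unexpected status $code; see: journalctl -u docker-distribution" >&2; exit 1; }
}

if [ "${1:-}" = "--install" ]; then install_registry; fi
```

    Run it as root with --install on the registry host. The curl probe uses the IP rather than the hostname so it does not depend on name resolution on the server itself; the IP entry in the certificate's SAN is what makes that verification succeed.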

     

    Use Secured Docker Registry on Docker Hosts:

    Connect with Docker Host docker-manager-01.example.com using ssh as root user.

    Add an entry to /etc/hosts so the Docker host can resolve the registry's hostname. The name must match the certificate's Common Name, docker-distribution-01.example.com, or TLS verification will fail.

    [root@docker-manager-01 ~]# cat >> /etc/hosts << EOF
    > 192.168.116.153 docker-distribution-01.example.com docker-distribution-01
    > EOF

    Install the registry's TLS certificate on the Docker host so the Docker daemon trusts it. Docker treats every *.crt file under /etc/docker/certs.d/<hostname>:<port>/ as a CA root for that registry only, and the directory name must match the registry address used in image tags.

    [root@docker-manager-01 ~]# mkdir -p /etc/docker/certs.d/docker-distribution-01.example.com:5000
    [root@docker-manager-01 ~]# scp root@docker-distribution-01:/etc/pki/tls/registry.crt /etc/docker/certs.d/docker-distribution-01.example.com\:5000/
    root@docker-distribution-01's password:
    registry.crt

    Pull an image from Docker Hub. We will later push this image to our Secured Docker Registry.

    [root@docker-manager-01 ~]# docker pull alpine
    Using default tag: latest
    latest: Pulling from library/alpine
    8e402f1a9c57: Pull complete
    Digest: sha256:644fcb1a676b5165371437feaa922943aaf7afcfa8bfee4472f6860aad1ef2a0
    Status: Downloaded newer image for alpine:latest

    Tag the alpine image with the registry address before pushing it to the secure registry.

    [root@docker-manager-01 ~]# docker tag alpine docker-distribution-01.example.com:5000/alpine

    Log in to the secure Docker registry. Note the warning in the output: by default the credentials are stored base64-encoded, not encrypted, in /root/.docker/config.json, so configure a credential helper on shared hosts.

    [root@docker-manager-01 ~]# docker login docker-distribution-01.example.com:5000
    Username: ahmer
    Password:
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store

    Login Succeeded

    Push the alpine image to our secure Docker registry.

    [root@docker-manager-01 ~]# docker push docker-distribution-01.example.com:5000/alpine
    The push refers to repository [docker-distribution-01.example.com:5000/alpine]
    bcf2f368fe23: Pushed
    latest: digest: sha256:d05ecd4520cab5d9e5d877595fb0532aadcd6c90f4bbc837bc11679f704c4c82 size: 528
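    The client-side steps above, as an added example that is not code from the original article: it places the certificate in Docker's per-registry trust directory, then, before docker login, checks with curl that the registry answers an anonymous GET /v2/ with 401 and a credentialed one with 200, and after the push lists the repositories through the /v2/_catalog API endpoint. The registry address, user and image are the article's; the function names and the DOCKER_CERTS_ROOT override (which exists only so the trust directory can be pointed somewhere other than /etc/docker/certs.d) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): trust the registry's
# certificate on a Docker host and verify that the registry enforces
# authentication before logging in and pushing. Registry address, user and
# image are the article's; the function names and DOCKER_CERTS_ROOT are ours.
set -eu

REG="${REG:-docker-distribution-01.example.com:5000}"
REG_USER="${REG_USER:-ahmer}"
DOCKER_CERTS_ROOT="${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}"

# certs_dir HOST:PORT -> per-registry trust directory. Every *.crt file in it is
# used by the Docker daemon as a CA root for that registry only, not system-wide.
certs_dir() { printf '%s/%s\n' "$DOCKER_CERTS_ROOT" "$1"; }

# install_registry_ca HOST:PORT CERT_FILE -> copies the certificate in as ca.crt.
install_registry_ca() {
  dir="$(certs_dir "$1")"
  mkdir -p "$dir"
  cp "$2" "$dir/ca.crt"
  chmod 0644 "$dir/ca.crt"
}

# registry_status HOST:PORT CACERT [USER:PASS] -> HTTP status of GET /v2/.
# A correctly secured registry answers 401 anonymously and 200 with valid
# credentials; if TLS verification fails curl exits non-zero and we print 000.
registry_status() {
  if [ "${3:-}" != "" ]; then
    curl -s -o /dev/null -w '%{http_code}' --cacert "$2" -u "$3" "https://$1/v2/" || echo 000
  else
    curl -s -o /dev/null -w '%{http_code}' --cacert "$2" "https://$1/v2/" || echo 000
  fi
}

# registry_catalog HOST:PORT CACERT USER:PASS -> JSON list of repositories.
registry_catalog() {
  curl -s --cacert "$2" -u "$3" "https://$1/v2/_catalog"
}

# main: run as root on the Docker host after fetching registry.crt with scp.
main() {
  install_registry_ca "$REG" /root/registry.crt
  ca="$(certs_dir "$REG")/ca.crt"
  [ "$(registry_status "$REG" "$ca")" = 401 ] \
    || { echo "registry did not demand credentials" >&2; exit 1; }
  printf 'Password for %s: ' "$REG_USER"; stty -echo; read -r pw; stty echo; echo
  [ "$(registry_status "$REG" "$ca" "$REG_USER:$pw")" = 200 ] \
    || { echo "credentials rejected" >&2; exit 1; }
  printf '%s' "$pw" | docker login "$REG" -u "$REG_USER" --password-stdin
  docker pull alpine
  docker tag alpine "$REG/alpine"
  docker push "$REG/alpine"
  registry_catalog "$REG" "$ca" "$REG_USER:$pw"   # {"repositories":["alpine"]}
}

if [ "${1:-}" = "--run" ]; then main; fi
```

    Run it with --run on the Docker host. Reading the password with stty -echo and passing it to docker login through --password-stdin keeps it out of the shell history and the process list, which docker login -p does not.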

    We have successfully configured a secure registry with docker-distribution on CentOS 7: the registry accepts connections only over TLS and only from authenticated users.
