Docker tutorials sinhala
DevOps Red hat linux

Deploy a Docker registry server with Authentication

Before you can deploy a registry, you need to install Docker on the host. A registry is an instance of the registry image, and runs within Docker.

Install docker service with bellow commands.

dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
dnf install -y docker-ce --nobest
systemctl enable --now docker
dockerstatus=`systemctl status docker | grep "active (running)"`
echo "Docker Service Status = $dockerstatus"

Run a local registry

docker pull registry
docker run -d -p 5000:5000 --restart=always --name registry registry:2

Secure Docker Private Registry

By default, Docker node uses a secure connection over TLS to upload or download images to or from the private registry. You can use TLS certificates signed by CA or self-signed on Registry server.

Here, I will use a self-signed certificate for securing Docker Registry. Let’s create a self-signed certificate using the following command.

[root@registry ~]# mkdir -p /certs

[root@registry ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /certs/ca.key -x509 -days 365 -out /certs/ca.crt

Generating a 4096 bit RSA private key
............................................++
.....................................................................................................++
writing new private key to '/certs/ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:LK
State or Province Name (full name) []:Western Province
Locality Name (eg, city) [Default City]:Colombo
Organization Name (eg, company) [Default Company Ltd]:Sysadmin.lk
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:dockerhub.linuxfever.com
Email Address []:[email protected]

Start Docker registry container with certificate information.

docker run -d -p 443:5000 --restart=always --name dockerhub -v docker-registry:/var/lib/registry -v /certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ca.crt -e REGISTRY_HTTP_TLS_KEY=/certs/ca.key registry:latest

Allow ports on Firewall service
If your Docker Registry is on CentOS 7,8 or 9

[root@registry ~]# firewall-cmd --permanent --add-port=80/tcp
[root@registry ~]# firewall-cmd --permanent --add-port=443/tcp
[root@registry ~]# firewall-cmd --reload 

Set up Authentication for a Private Registry
Docker allows us to store the images locally on a centralized server, but sometimes, it’s necessary to protect the images from external abuse. In that case, we’ll need to authenticate the registry with the basic htpasswd authentication.

Let’s first create a separate directory to store the Docker registry credentials and let’s run an httpd container to create a htpasswd protected user with a password:

docker run --entrypoint htpasswd httpd:2 -Bbn Prabath Password@123 > /usr/certs/users

Now, let’s run the same Docker registry container using the auth/htpasswd authentication file:

docker run -d -p 443:5000 --restart=always --name dockerhub -v docker-registry:/var/lib/registry -v /usr/certs:/usr/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/usr/certs/ca.crt -e REGISTRY_HTTP_TLS_KEY=/usr/certs/ca.key  -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/usr/certs/users registry: latest

Since the Docker registry is running with the basic authentication, we can now test the login using:

$ docker login  localhost-u Prabath -p Password@123
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded

Create and upload a Docker Image to a Private Registry server

NOTE: If the image name does not match with given format then docker push or pull command will try to upload or download the image from the public registry, not from the private registry.

To rename the docker image use docker tag command.

root@build:~# docker tag nginx:v1 dockerhub.linuxfever.com/nginx:v1

Upload a Docker Image
Depends on the communication mode (Secure or Non-Secure) of Docker Registry, follow any one of the below methods.

Non-Secure (Plain Http Registry)
Edit/Create the file “daemon.json” in “/etc/docker/” directory.

root@build:~# vi /etc/docker/daemon.json

{
  "insecure-registries" : ["dockerhub.linuxfever.com"]
}

If you are using Secure (Self-signed) certificate, you have to follow below steps.

mkdir /etc/docker/certs.d/dockerhub.linuxfever.com/ && cd /etc/docker/certs.d/dockerhub.linuxfever.com/
scp [email protected]:/usr/certs/ca.crt .

In both cases, you would need to restart the Docker engine service.

systemctl restart docker

now you can upload a Docker Images as below.

root@build:~# docker push dockerhub.linuxfever.com/nginx:v1

Download the docker image to private registry server using the following command.

[root@deploy ~]# docker pull dockerhub.linuxfever.com/nginx:v1

 18,121 total views,  9 views today

Leave a Reply

Your email address will not be published. Required fields are marked *