On your machines inside a , there are use-cases where a private docker registry is handy especially if you want to have a customized image built for your stack. VPN The caveat is that automatically assumes that all your connections are encrypted via https . And that means you need to have domain to encrypt your traffic on https protocol. This guide will help you setup a registry without having a DNS and a valid SSL/TLS Certificate: docker Question: Ahm.. Ken there is already a Tutorial on docker official docs about creating a private registry _You need to install Docker version 1.6.0 or newer. Running on localhost Start your registry: docker run -d -p 5000:5000…_docs.docker.com Deploying a registry server Answer: The docker official docs are a good enough starting point when you want to learn the basics and the theory. However you will need to dig around if you want to make it registry work without a proper SSL Certificate and DNS. Also my stuff are easy to follow and copy paste-able Approach: Self Signed Certificate Since our machines are already inside VPN using a self signed certificate is good enough method for securing your Docker Registry. 1. On your Host Machine and Client Machine install Docker Engine sudo apt-get install \ apt-transport-https \ ca-certificates \ curl \ software-properties-common curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - sudo apt-key fingerprint 0EBFCD88 sudo apt-get update sudo apt-get install docker-ce 2. Get a self signed certificate for your docker registry # Important# Add your IP in subjectAltName in the openssl.cnf before generating # certs sudo vi /etc/ssl/openssl.cnf # Add this line #subjectAltName=IP:192.168.0.2 mkdir -p /certs openssl req \ -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \ -x509 -days 365 -out certs/domain.crt # Press enter to everything except CN add your ip address thereGenerating a 4096 bit RSA private key ...............................................................................................................................................................................................................................++ ............................................................++ writing new private key to 'certs/domain.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:192.168.0.2 Email Address []: What it did is it created two files and in directory. and /certs domains.crt domains.key 3. Create your docker registry sudo docker run -d -p 5000:5000 --restart=always --name registry \ -v /certs:/certs \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ registry:2 What this does is it. First downloads the image. Second it mounts the directory that we just created in host machine to a directory on the docker machine. Also this command adds 2 environment variables to the docker machine to use the newly created certificates. Finally it binds the application running on in docker machine and exposes it to in host machine. means that this docker machine too will restart if the docker daemon restarts registry:2 /certs /certs REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY 5000 5000 --restart=always To check if it is running properly: sudo docker ps# Should display CONTAINER ID IMAGE COMMAND ... 4b6bcbadf307 registry:2 entrypoint... # now get the container id sudo docker logs <container-id> # if you didn't see any obvious error messages then you are good to go 4. Test the docker registry Get a sample image, tag then push to the registry. # get busybox image from public dockerhub sudo docker pull busybox # check the busybox image id sudo docker images # tag the image for pushing sudo docker tag <image-id> 192.168.0.2:5000/busybox # test pushing the image sudo docker push 192.168.0.2:5000/busybox #! ERRORThe push refers to a repository [192.168.0.2:5000/busybox]Get https://192.168.0.2:5000/v1/_ping: x509: certificate signed by unknown authority What happened? Since our certificate is self signed the connection encryption is not trusted by docker. How do we make docker engine trust our x509 certicate? Go back to and copy it to docker’s trusted certificate /certs/domain.crt mkdir -p /etc/docker/certs.d/192.168.0.2:5000cd /certscp /certs/domain /etc/docker/certs.d/192.168.0.2:5000/cd /etc/docker/certs.d/192.168.0.2:5000/mv domains.crt ca.crt #reload docker daemon to use the certificatesudo service docker reload Essentially this forces docker to verify our self signed certificate even though it is not signed by a known authority. It doesn’t work However if you saw error message about IP Sans. unable to ping registry endpoint…x509: cannot validate certificate for … because it doesn’t contain any IP SANs . It means you skipped adding subjectAltName on openssl.cnf on Step two. So you have to follow back step 2 again Working now! If it worked you should be able to see message similar to below 4ac76077f2c7: Pushed latest: digest: sha256:c79345819a6882c31b41bc771d9a94fc52872fa651b36771fbe0c8461d7ee558 size: 527 Congrats! You now have a private docker repository :) Please feel free to leave comments and feedback below
