Store Docker Images into Docker Registry (insecurely)
Consideration for this example
IP address of Registry server is 172.16.16.100
Step 1: Tag an image with 172.16.16.100:5000. Run the commands below on the Registry server.
Pull the Docker image nginx (you can use any image)
docker pull nginx
Tag the image with the private IP address of the Registry server
docker image tag nginx 172.16.16.100:5000/nginx
Verify that the image was created
docker images
Create Docker registry container
docker container run -d -p 5000:5000 --name local_registry registry
The command below will fail because the registry is not secure: it answers over plain HTTP, while the Docker client expects HTTPS
docker push 172.16.16.100:5000/nginx
Error:-> Get https://172.16.16.100:5000/v2/: http: server gave HTTP response to HTTPS client
If you want to push to the insecure registry, create the file /etc/docker/daemon.json, enter the lines below and save the file (change the IP to match your Docker host's IP)
{
"insecure-registries": ["172.16.16.100:5000"]
}
Restart Docker daemon
systemctl restart docker
Start docker registry container
docker start local_registry
Push the nginx repository; it should now be pushed to the Docker registry without any error
docker push 172.16.16.100:5000/nginx
How to pull from the insecure registry on a remote system
Take another virtual machine that is on the same network and install Docker on that remote machine
Install docker
apt update && apt install docker.io -y
To use the insecure registry from this system, create the file /etc/docker/daemon.json, enter the lines below and save the file (change the IP to match your Docker host's IP)
{
"insecure-registries": ["172.16.16.100:5000"]
}
Restart Docker daemon
systemctl restart docker
Pull the image from the Docker registry
docker pull 172.16.16.100:5000/nginx
Verify image is available on this system
docker images
How to create a secure Registry
First remove the daemon.json file on both the Docker Registry server and the remote system
rm /etc/docker/daemon.json
Restart docker service
systemctl restart docker
On the Docker Registry server, remove the local_registry container (if it is still running)
docker rm -f local_registry
Create a directory to keep the certificates on Docker Registry Server
mkdir /certs
Create a directory certs.d in the /etc/docker directory
mkdir /etc/docker/certs.d
Create a directory for images
mkdir /my_repo
Create a self signed certificate with openssl utility.
openssl req -newkey rsa:4096 -nodes -sha256 -keyout /certs/domain.key -addext "subjectAltName = DNS:repo.docker.kmit" -x509 -days 365 -out /certs/domain.crt
It asks some optional questions, but the mandatory step is to provide the Common Name
Common Name: repo.docker.kmit (you can give any name)
Create a directory with repo.docker.kmit:5000 under /etc/docker/certs.d directory
mkdir -p /etc/docker/certs.d/repo.docker.kmit:5000
Go to the /certs directory
cd /certs
Copy /certs/domain.crt file to /etc/docker/certs.d/repo.docker.kmit:5000 with name ca.crt
cp domain.crt /etc/docker/certs.d/repo.docker.kmit\:5000/ca.crt
When using authentication, some versions of Docker also require you to trust the certificate at the OS level.
cp /certs/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
update-ca-certificates
Run a secure registry
docker run -d -p 5000:5000 -v /my_repo:/var/lib/registry -v /certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key --restart on-failure --name myregistry registry
Resolve repo.docker.kmit name by adding entry in /etc/hosts file (172.16.16.100 is docker host ip)
172.16.16.100 repo.docker.kmit
Download any image and tag it as repo.docker.kmit:5000
docker pull mysql
docker image tag mysql repo.docker.kmit:5000/mysql
Push it to docker registry
docker push repo.docker.kmit:5000/mysql
How to pull Images securely on Client or Remote System
Log in to the remote system, which is on the same network and has Docker installed.
Resolve repo.docker.kmit name by adding entry in /etc/hosts file (172.16.16.100 is docker registry ip)
172.16.16.100 repo.docker.kmit
Create a directory /etc/docker/certs.d/repo.docker.kmit:5000
mkdir -p /etc/docker/certs.d/repo.docker.kmit:5000
Copy the domain.crt certificate file from the Docker Registry server and place it in /etc/docker/certs.d/repo.docker.kmit\:5000/
Pull the Docker image from the registry; it will now succeed
docker pull repo.docker.kmit:5000/mysql
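To check which of the two setups above a Docker host is actually in, the following added example (not part of the original post) reads daemon.json and the certs.d layout and reports how the daemon will treat a given registry. The function names, result labels and the temporary sample directory are constructed for illustration; hostnames are not resolved, so CIDR entries are matched against literal IP registries only.

```python
import ipaddress
import json
import tempfile
from pathlib import Path


def insecure_entries(daemon_json: Path) -> list[str]:
    """Return the insecure-registries list, or [] if the file is absent."""
    if not daemon_json.exists():
        return []
    return json.loads(daemon_json.read_text() or "{}").get("insecure-registries", [])


def is_insecure(registry: str, entries: list[str]) -> bool:
    """True if registry (host:port) matches an entry exactly or by CIDR range."""
    host = registry.rsplit(":", 1)[0]
    for entry in entries:
        if entry == registry:
            return True
        if "/" in entry:  # Docker also accepts CIDR ranges such as 172.16.16.0/24
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                continue  # host is a name, or the entry is not a valid range
    return False


def audit(registry: str, docker_dir: Path) -> str:
    """Classify how this Docker host will talk to the registry."""
    if is_insecure(registry, insecure_entries(docker_dir / "daemon.json")):
        return "INSECURE"  # plain HTTP or unverified TLS is accepted
    ca_dir = docker_dir / "certs.d" / registry
    if ca_dir.is_dir() and any(ca_dir.glob("*.crt")):
        return "TLS_CUSTOM_CA"  # verified against the certificate copied to certs.d
    return "TLS_SYSTEM_CA"  # verified against the OS trust store only


if __name__ == "__main__":
    # Constructed sample layout standing in for /etc/docker
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "daemon.json").write_text('{"insecure-registries": ["172.16.16.100:5000"]}')
        ca = root / "certs.d" / "repo.docker.kmit:5000"
        ca.mkdir(parents=True)
        (ca / "ca.crt").write_text("constructed placeholder, not a real certificate\n")
        for reg in ("172.16.16.100:5000", "repo.docker.kmit:5000", "example.test:5000"):
            print(reg, audit(reg, root))
```

On a real host, call audit() with Path("/etc/docker"); any INSECURE result after the secure registry is in place means a leftover daemon.json entry still needs removing.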