Docker is a popular platform for developing, packaging, and deploying applications using containers. Docker Registry is a service that allows you to store and distribute Docker images. However, by default, Docker Registry is public and lacks authentication, which can be a security concern in some cases. In this blog post, I will show how to set up a private Docker registry with authentication.
Why Set up a Private Docker Registry?
A private Docker registry provides many benefits. Here are a few reasons why you might want to set up a private Docker registry:
- Control over the images: A private registry gives you control over your Docker images, and you can restrict who can access them.
- Security: A private Docker registry with authentication provides an extra layer of security to your images.
- Compliance: If your organization needs to comply with specific regulations, a private registry helps you meet compliance requirements.
Setting up a Private Docker Registry
To set up a private Docker registry, you can use the Docker registry image, which is an open-source project that provides a secure and scalable registry for storing Docker images. The following steps will guide you through setting up a private Docker registry with authentication.
Step 1: Install Docker on the host machine.
To set up a Docker registry, you will need to have Docker installed on the host machine. You can follow the installation instructions on the Docker website to install Docker on your machine.
Step 2: Generate a TLS certificate.
To secure the communication between the Docker client and the registry, you will need to generate a TLS certificate. In my case I am using a Let's Encrypt certificate which is managed by the host machine. I will devote a dedicated blog post to how to set up a private nginx proxy with Let's Encrypt (you can check this site's certificate and notice registry.services.org.pl as one of the alternative DNS names). Please note that if you go through nginx, client_max_body_size is required to be set; in my case I put client_max_body_size 200M; so that image layers can go through the proxy, otherwise nginx will reject the upload because the request body size limit has been exceeded.
Step 3: Create a Docker Compose file.
Next, you will need to create a Docker Compose file that defines the configuration for the Docker registry. Here is an example Docker Compose file:
registry:
  restart: always
  image: registry:2
  ports:
    # publish on the loopback interface only; nginx in front of it is what gets exposed
    - "127.0.0.1:5000:5000"
  environment:
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
    REGISTRY_HTTP_TLS_KEY: /certs/domain.key
    # htpasswd basic auth; the file must contain bcrypt entries
    REGISTRY_AUTH: htpasswd
    REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
  volumes:
    - /pathA/fullchain.pem:/certs/domain.crt
    - /pathA/services.org.pl/privkey.pem:/certs/domain.key
    - /pathB:/var/lib/registry
    - /pathB/auth/htpasswd:/auth/htpasswd
This Docker Compose file defines a service called "registry" that uses the "registry:2" image. It exposes port 5000 on the host machine on the localhost interface only (nginx will take care of exposing it) and uses TLS encryption to secure the connection. It also sets up authentication using htpasswd and specifies the path to the authentication file.
Step 4: Generate an htpasswd file.
To set up authentication, you will need to generate an htpasswd file that contains the username and password for the registry. You can use the htpasswd tool to generate the file, or run it from the httpd Docker image as shown below. Once you have generated the file, you will need to mount it into the container as a volume.
# Generate the password file with the htpasswd tool shipped in the httpd:2 image.
# -B selects bcrypt (the only hash the registry's htpasswd backend accepts),
# -b takes the password from the command line instead of prompting,
# -n prints the entry to stdout instead of updating a file.
# Note: with -b the password appears in your shell history and in the process list while the command runs.
sudo docker run --entrypoint htpasswd httpd:2 -Bbn your_user your_password > auth/htpasswd
Step 5: Start the Docker registry.
To start the Docker registry, you can run the following command:
sudo docker-compose -f docker-registry.yml up -d
The "-f" option specifies the location of the Compose file, which is in the current directory. The "up" command creates and starts the containers defined in the Compose file in detached mode ("-d"), which means the containers will run in the background.
Step 6: Verify the registry.
I pushed an example helloservice image to the registry beforehand so that it returns a non-empty array.
curl --user "your_user:your_password" -s https://registry.services.org.pl/v2/_catalog | jq
{
  "repositories": [
    "helloservice"
  ]
}
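To check that a registry brought up with the steps above is actually protected the way they intend, here is a small verification script. It is an added example, not code from the original post: it assumes the htpasswd file path, the Compose file path, the registry URL and the credentials given through the REGISTRY_URL, HTPASSWD_FILE, COMPOSE_FILE, REGISTRY_USER and REGISTRY_PASS variables (all placeholders), and it relies only on curl, grep, ls and cut. It checks that every htpasswd entry is bcrypt (the only format the registry's htpasswd backend verifies), that the file is not world-readable, that the Compose file publishes port 5000 on 127.0.0.1 only, and that an anonymous catalog request gets 401 while an authenticated one gets 200.

```shell
#!/bin/sh
# Added verification script (not from the original post). The values below are
# assumed placeholders and can be overridden through the environment.
REGISTRY_URL="${REGISTRY_URL:-https://registry.example.invalid}"
HTPASSWD_FILE="${HTPASSWD_FILE:-./auth/htpasswd}"
COMPOSE_FILE="${COMPOSE_FILE:-./docker-registry.yml}"

# check_htpasswd FILE: every non-empty line must be "user:<bcrypt hash>".
# The registry only verifies bcrypt ($2a$/$2b$/$2y$); an MD5 or SHA entry
# silently locks that user out, so report it here.
check_htpasswd() {
    _file="$1"; _rc=0
    [ -f "$_file" ] || { echo "missing htpasswd file: $_file"; return 1; }
    while IFS= read -r _line || [ -n "$_line" ]; do
        [ -z "$_line" ] && continue
        case "$_line" in
            *':$2'[aby]'$'[0-9][0-9]'$'*) ;;
            *) echo "not a bcrypt entry: ${_line%%:*}"; _rc=1 ;;
        esac
    done < "$_file"
    return "$_rc"
}

# check_htpasswd_mode FILE: the file holds password hashes, so the "other"
# permission bits (columns 8-10 of ls -l) must all be off.
check_htpasswd_mode() {
    case "$(ls -ld "$1" | cut -c8-10)" in
        "---") return 0 ;;
        *) echo "htpasswd file is readable by other users: $1"; return 1 ;;
    esac
}

# check_port_binding FILE: the Compose file must publish port 5000 on
# 127.0.0.1 only. "- 5000:5000" or "- 0.0.0.0:5000:5000" would expose the
# registry on every interface and let clients bypass the nginx proxy.
check_port_binding() {
    if grep -Eq '^[[:space:]]*-[[:space:]]*"?(0\.0\.0\.0:)?5000:5000"?' "$1"; then
        echo "registry port published on all interfaces in $1"; return 1
    fi
    grep -Eq '127\.0\.0\.1:5000:5000' "$1" \
        || { echo "no loopback-only port mapping found in $1"; return 1; }
}

# classify_probe ANON_CODE AUTH_CODE: the registry is correctly protected when
# an anonymous catalog request gets 401 and the same request with credentials
# gets 200. 000 means no connection, 200 anonymous means auth is not enabled,
# 401 with credentials means the htpasswd file or realm is wrong.
classify_probe() {
    case "$1/$2" in
        401/200) echo "ok: anonymous=401 authenticated=200"; return 0 ;;
        200/*)   echo "FAIL: catalog readable without credentials"; return 1 ;;
        */401)   echo "FAIL: credentials rejected (check htpasswd and realm)"; return 1 ;;
        *)       echo "FAIL: unexpected codes anonymous=$1 authenticated=$2"; return 1 ;;
    esac
}

# probe_registry URL USER PASS: two requests against /v2/_catalog, one
# anonymous and one with HTTP basic auth, then classify the status codes.
probe_registry() {
    _anon=$(curl -s --max-time 10 -o /dev/null -w '%{http_code}' "$1/v2/_catalog") || _anon=000
    _auth=$(curl -s --max-time 10 -o /dev/null -w '%{http_code}' --user "$2:$3" "$1/v2/_catalog") || _auth=000
    classify_probe "$_anon" "$_auth"
}

# Run every check and return non-zero if any of them failed.
main() {
    _status=0
    check_htpasswd "$HTPASSWD_FILE" || _status=1
    check_htpasswd_mode "$HTPASSWD_FILE" || _status=1
    check_port_binding "$COMPOSE_FILE" || _status=1
    probe_registry "$REGISTRY_URL" "${REGISTRY_USER:-your_user}" "${REGISTRY_PASS:-your_password}" || _status=1
    return "$_status"
}

# Only run when invoked as: sh verify-registry.sh --run
if [ "${1-}" = "--run" ]; then main; exit $?; fi
```

Run it with `REGISTRY_URL=https://registry.services.org.pl HTPASSWD_FILE=/pathB/auth/htpasswd COMPOSE_FILE=./docker-registry.yml sh verify-registry.sh --run`. The probe goes through the same nginx proxy the Docker client uses, so a 401/200 pair confirms both that TLS terminates correctly end to end and that the htpasswd realm is enforced; a 000 usually means the proxy or the registry container is not up.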
Now that you have set up a private Docker registry with authentication, you can push and pull Docker images to and from the registry.