Crafting Your Own Docker Registry: A Step-by-Step Guide

Private system for storing container images

A private container registry gives you a place to store images that you control.

Images stay inside your own infrastructure, which gives you better control over, and visibility into, the code that runs in your applications.

Using a public registry such as Docker Hub is not always an option: even a private repository there leaves your images, their access control and their availability in a third party's hands, and an air-gapped environment cannot reach it at all.

In this article I will show you how to create a private registry with TLS-encrypted, password-protected access. It can store container images in general, and it can also serve as the mirror registry for disconnected Red Hat OpenShift installations.

Ready? Then let’s get started!


Requirements

The setup used in this article:

- FQDN: registry.rhbrlabs.com

- OS: RHEL 8.6+

- SELinux: Enforcing

- Firewalld: Enabled

- Container engine: Podman

- Apache tools (httpd-tools, for htpasswd)

- Volume: 100 GB mounted under /data


Installation

Create the necessary directories:

[root@registry ~]# mkdir -p /data/registry/{auth,certs,data}

Certificates

Generate a self-signed certificate for the private registry. In this example the certificate is valid for 10 years (3650 days); choose a shorter lifetime if your policy requires it. The subjectAltName extension is not optional: Go-based clients such as Podman and the OpenShift installer validate the host name against the SAN, not the CN. Because -nodes leaves the private key unencrypted on disk, keep the key file readable by root only (mode 0600).

[root@registry ~]# openssl req -newkey rsa:4096 -nodes -sha256 \
-keyout /data/registry/certs/registry.rhbrlabs.com.key -x509 -days 3650 -out /data/registry/certs/registry.rhbrlabs.com.crt \
-subj "/C=US/ST=NorthCarolina/L=Raleigh/O=Red Hat/OU=Engineering/CN=registry.rhbrlabs.com" \
-addext "subjectAltName = DNS:registry.rhbrlabs.com"

Copy the generated certificate to the trusted anchors directory and run update-ca-trust. This makes the registry host itself trust the certificate, which the curl test below relies on. Every client that will push to or pull from the registry needs the same certificate installed as well; for Podman, Skopeo and CRI-O the place is /etc/containers/certs.d/registry.rhbrlabs.com:5000/ca.crt (Docker uses /etc/docker/certs.d/ with the same layout).

[root@registry ~]# cp /data/registry/certs/registry.rhbrlabs.com.crt /etc/pki/ca-trust/source/anchors/
[root@registry ~]# update-ca-trust
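As an added example (this is not code from the original article), the certificate step as a script: it generates the key with mode 0600, checks that the certificate verifies and carries the DNS SAN, and installs the certificate where containers/image clients look for it. The function names and the certs.d root parameter are my own; the host name, subject and lifetime are the article's values.

```bash
#!/bin/bash
# Added example, not part of the original article: create the registry's
# self-signed certificate with a protected key, verify it, and install it for
# clients. Function names are illustrative; defaults match the article.
set -eu

gen_registry_cert() {
    # $1 = output dir, $2 = registry FQDN, $3 = validity in days
    local dir=$1 fqdn=$2 days=$3
    mkdir -p "$dir"
    # Generate the key under umask 077 so the file is created 0600: -nodes
    # leaves it unencrypted, so file permissions are its only protection.
    ( umask 077 && openssl genrsa -out "$dir/$fqdn.key" 4096 2>/dev/null )
    # The SAN is mandatory: Go-based clients (podman, the OpenShift installer)
    # ignore the CN when checking the host name.
    openssl req -new -x509 -sha256 -days "$days" \
        -key "$dir/$fqdn.key" -out "$dir/$fqdn.crt" \
        -subj "/C=US/ST=NorthCarolina/L=Raleigh/O=Red Hat/OU=Engineering/CN=$fqdn" \
        -addext "subjectAltName = DNS:$fqdn"
}

verify_registry_cert() {
    # $1 = dir, $2 = FQDN. Non-zero if the certificate does not verify against
    # itself (1), lacks the DNS SAN (2), or the key is readable by others (3).
    local dir=$1 fqdn=$2
    openssl verify -CAfile "$dir/$fqdn.crt" "$dir/$fqdn.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$fqdn.crt" -noout -ext subjectAltName \
        | grep -q "DNS:$fqdn" || return 2
    [ "$(stat -c '%a' "$dir/$fqdn.key")" = 600 ] || return 3
}

install_client_trust() {
    # $1 = certificate file, $2 = host:port exactly as clients address the
    # registry, $3 = certs.d root. The default is where containers/image
    # (podman, skopeo, CRI-O) looks; Docker reads /etc/docker/certs.d instead.
    local crt=$1 host_port=$2 root=${3:-/etc/containers/certs.d}
    install -D -m 0644 "$crt" "$root/$host_port/ca.crt"
}

# Usage on the registry host: ./registry-cert.sh run
if [ "${1:-}" = run ]; then
    gen_registry_cert /data/registry/certs registry.rhbrlabs.com 3650
    verify_registry_cert /data/registry/certs registry.rhbrlabs.com
    # The registry host trusts its own certificate (needed for the curl test).
    cp /data/registry/certs/registry.rhbrlabs.com.crt /etc/pki/ca-trust/source/anchors/
    update-ca-trust
    # On every client host, copy registry.rhbrlabs.com.crt over and run
    # install_client_trust <crt> registry.rhbrlabs.com:5000 there.
fi
```

The verification function is the part worth keeping around: a certificate that passes `openssl verify` but lacks the SAN will still be rejected by Podman with an "x509: certificate relies on legacy Common Name field" error, which is easier to catch here than during a mirror run.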

Authentication

Generate the authentication file for the registry. The -B flag stores the password with bcrypt, the only hash the registry's htpasswd backend accepts, and -c creates the file (omit -c when adding further users). "registry" and "redhat12345678" are example values; use your own user name and a strong password. Note that -b puts the password on the command line, where it lands in your shell history; leave it out to be prompted interactively instead.

[root@registry ~]# dnf -y install httpd-tools
[root@registry ~]# htpasswd -bBc /data/registry/auth/htpasswd registry redhat12345678

Also generate a random value for the registry's HTTP secret (REGISTRY_HTTP_SECRET in the next step). Do not derive it from something predictable such as the current date; draw it from OpenSSL's CSPRNG:

[root@registry ~]# openssl rand -hex 16

10f207a4cbba51bf00755b5a50718966

Registry

Create the registry container from the docker.io/library/registry:2 image (for production, pin the image to a digest rather than the floating :2 tag). With --net host the container listens directly on the host's TCP port 5000, the registry's default, so no -p port mapping is needed; Podman ignores one in host network mode, and the Firewalld rule below is what exposes the port. The :z suffix on each volume relabels the directory so the container can access it with SELinux in Enforcing mode. Paste the HTTP secret generated above into REGISTRY_HTTP_SECRET:

[root@registry ~]# dnf -y install podman
[root@registry ~]# podman create --name ocp-registry --net host \
-v /data/registry/data:/var/lib/registry:z \
-v /data/registry/auth:/auth:z \
-v /data/registry/certs:/certs:z \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
-e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
-e "REGISTRY_HTTP_SECRET=10f207a4cbba51bf00755b5a50718966" \
-e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.rhbrlabs.com.crt" \
-e "REGISTRY_HTTP_TLS_KEY=/certs/registry.rhbrlabs.com.key" \
docker.io/library/registry:2

The command pulls the image and prints the ID of the created (not yet started) container:

Trying to pull docker.io/library/registry:2...
Getting image source signatures
Copying blob fd4a5435f342 done
Copying blob 213ec9aee27d done
Copying blob 4583459ba037 done
Copying blob b136d5c19b1d done
Copying blob 6f6a6c5733af done
Copying config dcb3d42c17 done
Writing manifest to image destination
Storing signatures
22633f37262a4ab2d64fc8beb44bb80618b11802974fb2f45d31d98db3cf14e8

Unit File

Create a systemd unit so that the registry container starts automatically when the operating system boots. The unit waits for the network to be online before starting the container, and it is wanted by multi-user.target so that enabling it actually pulls it into the boot sequence:

[root@registry ~]# cat /etc/systemd/system/ocp-registry.service

[Unit]
Description=OCP Registry
Wants=network-online.target
After=network-online.target

[Service]
Restart=always
ExecStart=/usr/bin/podman start -a ocp-registry
ExecStop=/usr/bin/podman stop -t 10 ocp-registry

[Install]
WantedBy=multi-user.target

Service

Start the private registry container:

[root@registry ~]# systemctl daemon-reload
[root@registry ~]# systemctl enable --now ocp-registry.service


Firewall

Allow TCP port 5000 in Firewalld:

[root@registry ~]# firewall-cmd --permanent --add-port=5000/tcp
[root@registry ~]# firewall-cmd --reload

Testing

Check that TLS and authentication are working. curl can validate the certificate because it was added to the system trust store earlier; the empty catalog below is the expected answer for a fresh registry. Repeat the request without -u, or with a wrong password, and the registry must answer 401 Unauthorized instead of the catalog:

[root@registry ~]# curl -u 'registry:redhat12345678' https://registry.rhbrlabs.com:5000/v2/_catalog
{"repositories":[]}

Generate a file with the credentials for disconnected OpenShift installations. This is the fragment that the OpenShift mirroring procedure has you add under the "auths" section of your pull secret; on its own it is not a complete JSON document:

[root@registry ~]# cat <<EOF > ~/registry-secret.json
"registry.rhbrlabs.com:5000": {
"email": "[email protected]",
"auth": "$(echo -n 'registry:redhat12345678' | base64 -w0)"
}
EOF
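As an added example (not code from the original article), a small script that builds the complete pull-secret document around that fragment, decodes the "auth" value back to user:password as a sanity check, and merges it into an existing pull secret. The function names, the admin@example.com placeholder and the jq-based merge are my own assumptions; the registry host, user and password are the article's example values.

```bash
#!/bin/bash
# Added example, not part of the original article: build a complete, valid
# OpenShift pull secret for the private registry and check that it decodes.
# Function names are illustrative; host, user and password are the article's.
set -eu

auth_b64() {
    # $1 = user, $2 = password. The "auth" field is base64(user:password),
    # exactly what HTTP Basic sends. printf avoids the trailing newline that a
    # plain echo would smuggle into the encoded value.
    printf '%s:%s' "$1" "$2" | base64 -w0
}

pull_secret_json() {
    # $1 = host:port, $2 = user, $3 = password, $4 = e-mail.
    # Emits the full document the installer expects: an "auths" map keyed by
    # registry host. The heredoc in the article produces only the inner
    # object, which has to be merged into such a map.
    printf '{"auths":{"%s":{"auth":"%s","email":"%s"}}}\n' \
        "$1" "$(auth_b64 "$2" "$3")" "$4"
}

check_pull_secret() {
    # $1 = pull-secret file written by pull_secret_json, $2 = host:port.
    # Extracts the auth value for that host and decodes it back to
    # user:password, so a typo or stray newline is caught here rather than as
    # an unhelpful 401 from the mirror registry later.
    local auth
    auth=$(sed -n "s/.*\"$2\":{\"auth\":\"\([^\"]*\)\".*/\1/p" "$1")
    [ -n "$auth" ] || return 1
    printf '%s' "$auth" | base64 -d
}

merge_into_pull_secret() {
    # $1 = pull secret downloaded from Red Hat, $2 = the file from
    # pull_secret_json, $3 = output. Requires jq; the recursive merge keeps
    # every existing registry entry and adds (or overrides) ours.
    jq -s '.[0] * .[1]' "$1" "$2" > "$3"
}

# Usage: ./pull-secret.sh run   (admin@example.com is a placeholder e-mail)
if [ "${1:-}" = run ]; then
    pull_secret_json registry.rhbrlabs.com:5000 registry redhat12345678 \
        admin@example.com > ~/registry-pull-secret.json
    check_pull_secret ~/registry-pull-secret.json registry.rhbrlabs.com:5000
    echo
fi
```

Once you have the merged file, point the OpenShift installer at it (for example through pullSecret in install-config.yaml) and the same credentials are used for mirroring the release payload and for pulling from the mirror at install time.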

By the way, if you want to run this registry on Ubuntu 22.04, the steps are the same: install podman and apache2-utils with apt instead of dnf, drop the :z volume suffixes (there is no SELinux relabelling to do), and open the port with ufw in place of firewalld.


End of story

That’s it. Now your new private Docker Registry is up and running. Enjoy!

