How to setup a Private Docker Registry on Ubuntu / Debian
Introduction
Docker Registry is a powerful tool that helps manage the storage and distribution of Docker container images. While Docker Hub provides a free public registry for hosting custom Docker images, there are scenarios where it is necessary to have a private registry to keep sensitive or proprietary images secure. By setting up a private Docker Registry, developers can have full control over their container images and restrict access to authorized users.
In this tutorial, we will walk you through the process of setting up and securing your own private Docker Registry on an Ubuntu 22.04 / 20.04 / 18.04 server. You will learn how to configure Docker Compose to define the registry’s settings and use Nginx to forward traffic from the internet to the running Docker container. By the end of this tutorial, you will be able to push and pull Docker images securely from your private registry. Setting up How to setup a Private Docker Registry on Ubuntu / Debian provides enhanced control and security over your container images.
Prerequisites
To follow along with this tutorial, you will need the following:
- An Ubuntu 22.04 / 20.04 / 18.04 server
- A registered domain name (optional, but recommended for HTTPS access)
- Docker installed on your server
- Docker Compose installed on your server
Step 1: Installing and Configuring the Docker Registry
To start, we need to set up the Docker Registry using Docker Compose. Docker Compose allows you to define and manage the configuration of your Docker containers easily.
$ mkdir ~/docker-registrycd ~/docker-registry$ mkdir data$ nano docker-compose.ymlversion: '3'
services:
registry:
image: registry:latest
ports:
- "5000:5000"
environment:
REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
volumes:
- ./data:/dataThis configuration sets up a Docker Registry service called registry, using the registry:latest image. It maps port 5000 on the host to port 5000 in the container. The REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY environment variable specifies the directory where the images will be stored within the container. Finally, it mounts the ./data directory on the host to the /data directory in the container to persist the image data.
$ docker-compose up -dThe -d flag runs the containers in the background.
At this point, your private Docker Registry is up and running on your host server. The registry is accessible via the domain name or IP address of your server on port 5000.
Step 2: Configuring Nginx as a Reverse Proxy
To securely access the Docker Registry over HTTPS and route traffic from the internet to the registry container, we’ll use Nginx as a reverse proxy. The reverse proxy will handle SSL termination and forward requests to the Docker Registry service.
$ sudo nano /etc/nginx/sites-available/your_domainserver {
listen 80;
listen [::]:80;
server_name your_domain;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name your_domain;
ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;
location / {
proxy_pass http://localhost:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}Replace your_domain with your registered domain name. This configuration sets up Nginx to redirect HTTP requests to HTTPS and listens for incoming HTTPS requests. It specifies the SSL certificate and key locations provided by Let’s Encrypt. The location / block proxies requests to http://localhost:5000, which corresponds to the Docker Registry service running on the host.
$ sudo ln -s /etc/nginx/sites-available/your_domain /etc/nginx/sites-enabled/$ sudo nginx -tIf the configuration file has no syntax errors, you will see syntax is ok and test is successful messages.
$ sudo systemctl restart nginxNginx is now configured as a reverse proxy for your Docker Registry, handling SSL termination and forwarding requests to the registry service.
Step 3: Pushing and Pulling Images from the Private Docker Registry
Now that your private Docker Registry is set up and accessible via your domain name over HTTPS, you can push and pull Docker images to and from the registry.
To push an image to the registry, use the following command:
$ docker push your_domain/image_name:tagReplace your_domain with your registered domain name, image_name with the name of your image, and tag with a specific version or tag for the image.
To pull an image from the registry, use the following command:
$ docker pull your_domain/image_name:tagAgain, replace your_domain, image_name, and tag with the appropriate values.
Step 4: Enable Authentication
By default, the Docker Registry we set up does not require authentication for pushing and pulling images. However, enabling authentication adds an extra layer of security to your private Docker Registry. With authentication enabled, only authorized users will be able to access and interact with the registry.
To enable authentication, you can choose from several authentication methods depending on your requirements. One common method is to use a username and password-based authentication system. Docker Registry supports a basic authentication mechanism using an htpasswd file. Here’s how you can enable authentication:
Create an htpasswd file:
$ sudo apt-get install apache2-utils$ sudo htpasswd -Bc /path/to/htpasswd <username>Configure Docker Registry to use authentication:
environment:
- REGISTRY_AUTH=htpasswd
- REGISTRY_AUTH_HTPASSWD_PATH=/path/to/htpasswd
- REGISTRY_AUTH_HTPASSWD_REALM=Registry RealmSave the changes and restart the Docker Registry:
$ docker-compose down
$ docker-compose up -dOnce authentication is enabled, users will need to provide valid credentials (username and password) to push and pull images from the registry.
Remember to manage user accounts and passwords securely. Regularly review and update user access as necessary. You can also explore other authentication methods such as token-based authentication or integrating with external authentication providers like LDAP or OAuth.
That’s it! You now have your own private Docker Registry set up with SSL encryption and accessible via a domain name. You can use this registry to securely store and manage your Docker images.
Conclusion:
In this article, we discussed the process of setting up a private Docker Registry. We covered the installation of Docker, creating a Docker Compose file, enabling SSL/TLS encryption, and enabling authentication for authorized access. By following these steps, you can establish a secure Docker Registry to manage and distribute your containerized applications within your organization. Remember to stay updated on security best practices and regularly review your registry’s configuration. Enjoy the benefits of a well-secured Docker Registry for streamlined application deployment. This guide provides a fundamental understanding of How to setup a Private Docker Registry on Ubuntu / Debian.
Alternative Solutions for Setting Up a Private Docker Registry
While the Docker Compose method with Nginx is a solid approach, here are two alternative solutions for setting up a private Docker Registry on Ubuntu/Debian, offering different trade-offs in complexity, features, and management:
1. Using the Docker Registry Operator in Kubernetes
If you are already using Kubernetes for container orchestration, leveraging the Docker Registry Operator provides a more integrated and scalable solution. The operator automates the deployment, configuration, and management of the Docker Registry within your Kubernetes cluster. This approach eliminates the need for separate Docker Compose configurations and Nginx reverse proxy setups. The operator also often integrates with Kubernetes’ security features, such as RBAC (Role-Based Access Control), for fine-grained access control.
Explanation:
The Docker Registry Operator simplifies the deployment and maintenance of a private registry within a Kubernetes environment. It manages the registry as a Kubernetes resource, allowing you to define its configuration declaratively through YAML manifests. The operator then ensures that the registry is deployed and remains in the desired state. This simplifies upgrades, scaling, and monitoring compared to the Docker Compose method. Security is also enhanced by leveraging Kubernetes’ built-in authentication and authorization mechanisms.
Implementation Example (Conceptual):
This example assumes you have a Kubernetes cluster running and kubectl configured. It demonstrates a simplified example of how you might define a Docker Registry using a hypothetical Custom Resource Definition (CRD) provided by a Docker Registry Operator. Specific CRDs and configurations will vary based on the chosen operator.
apiVersion: registry.example.com/v1alpha1 # Replace with your operator's API version
kind: DockerRegistry
metadata:
name: my-private-registry
spec:
storage:
type: filesystem
path: /data/registry
volumeClaimTemplate: # Uses persistent volume claim
accessModes: [ "ReadWriteOnce" ]
resources:
requests:
storage: 100Gi
service:
type: LoadBalancer # Expose via a LoadBalancer
auth:
type: htpasswd
htpasswdSecret: registry-htpasswd # Points to the Kubernetes Secret containing htpasswd fileSteps:
- Install a Docker Registry Operator: (e.g., using Helm). Research and choose an appropriate operator for your needs.
- Create a PersistentVolumeClaim: This will provision storage for your registry images.
- Create an
htpasswdfile and store it as a Kubernetes Secret: This is for authentication, as shown in the original article. - Define a
DockerRegistryresource using the Operator’s CRD (example above): Adjust thespecto match your requirements. - Apply the YAML manifest:
kubectl apply -f registry.yaml - Access the Registry: The Operator will create a Kubernetes Service (e.g., LoadBalancer or NodePort) to expose the registry.
Benefits:
- Simplified Management: The operator handles deployment, scaling, and updates.
- Integration with Kubernetes: Leverages existing Kubernetes infrastructure and security features.
- Scalability: Easily scale the registry as needed by adjusting the resource definitions.
Drawbacks:
- Requires Kubernetes Expertise: This approach is only suitable if you are already familiar with Kubernetes.
- Operator Dependency: You are dependent on the specific features and support provided by the chosen operator.
2. Using a Cloud-Based Container Registry (e.g., AWS ECR, Google Container Registry, Azure Container Registry)
Another alternative is to utilize a managed container registry service provided by cloud providers like AWS, Google Cloud, or Azure. These services offer fully managed, scalable, and secure container registries, eliminating the need for you to manage the underlying infrastructure. They typically provide features such as:
- High Availability: Guaranteed uptime and reliability.
- Scalability: Automatically scales to handle increasing storage and bandwidth demands.
- Security: Integration with cloud provider’s IAM (Identity and Access Management) systems for fine-grained access control, vulnerability scanning, and image signing.
- Integration with other Cloud Services: Seamless integration with other cloud services like CI/CD pipelines, container orchestration platforms (e.g., AWS ECS, Google Kubernetes Engine, Azure Kubernetes Service), and serverless functions.
Explanation:
Cloud-based container registries offload the operational overhead of managing a private registry. You benefit from the cloud provider’s expertise in security, scalability, and reliability. Integration with other cloud services simplifies your overall application development and deployment workflow.
Implementation Example (AWS ECR):
This example shows how to create and use a private repository in AWS ECR using the AWS CLI.
# 1. Create a private repository
aws ecr create-repository --repository-name my-private-repo --image-scanning-configuration scanOnPush=true
# 2. Authenticate Docker with ECR
aws ecr get-login-password --region <your-region> | docker login --username AWS --password-stdin <your-account-id>.dkr.ecr.<your-region>.amazonaws.com
# 3. Tag your image
docker tag my-image:latest <your-account-id>.dkr.ecr.<your-region>.amazonaws.com/my-private-repo:latest
# 4. Push the image
docker push <your-account-id>.dkr.ecr.<your-region>.amazonaws.com/my-private-repo:latest
# 5. Pull the image (on another machine or after removing the local image)
docker pull <your-account-id>.dkr.ecr.<your-region>.amazonaws.com/my-private-repo:latestSteps:
- Create an Account with the Cloud Provider: If you don’t already have one.
- Create a Private Repository: Use the cloud provider’s console or CLI to create a private container registry repository.
- Authenticate Docker: Use the cloud provider’s CLI to obtain authentication credentials and log in to the registry.
- Tag and Push Images: Tag your Docker images with the registry URL and push them to the repository.
- Configure Access Control: Use IAM roles and policies to control who can push, pull, and manage images in the repository.
Benefits:
- Fully Managed: No need to manage infrastructure, security, or scaling.
- High Availability and Reliability: Backed by the cloud provider’s infrastructure.
- Security: Integration with cloud provider’s IAM and security services.
- Scalability: Automatically scales to meet demand.
- Integration: Seamless integration with other cloud services.
Drawbacks:
- Vendor Lock-in: You are tied to the specific cloud provider’s service.
- Cost: Cloud-based registries can be more expensive than self-managed solutions, especially for large amounts of storage or bandwidth.
- Internet Dependency: Requires a reliable internet connection to push and pull images.
These alternative solutions offer different advantages and disadvantages compared to the Docker Compose method. The best choice depends on your specific requirements, existing infrastructure, and expertise. Consider factors such as ease of management, scalability needs, security requirements, and budget when making your decision. Properly setting up How to setup a Private Docker Registry on Ubuntu / Debian can significantly improve your Docker workflow.