Launch Private Registry with SSL

Step 1 - Starting Registry

The Registry is deployed as a container and accessible via port 5000. Docker clients will use this domain to access the registry and push/pull images. By specifying a domain, a client can access multiple registries.

In this example our Docker registry is located at registry.test.training.katacoda.com.

docker run -d -p 5000:5000 \
    -v /root/certs:/certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.test.training.katacoda.com.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/registry.test.training.katacoda.com.key \
    -v /opt/registry/data:/var/lib/registry \
    --name registry registry:2

Mounting the volume /var/lib/registry is important. This is where the Registry will store all of the pushed images. Mounting the directory will allow you to restart and upgrade the container in future.

Step 2 - SSL

Securing access to the Registry via TLS is important. If the Registry is insecure, then you'll need to configure every Docker daemon accessing the Registry to allow access.

To secure the Registry, we'll use SSL certificates combined with NGINX to manage the SSL termination. We've added the certificate and key to the certs directory on the client.

ls /root/certs/

When creating the Registry container, the certs where mounted in with the correct environment variables set for the Registry to pickup the certificates.

-v /root/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.test.training.katacoda.com.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.test.training.katacoda.com.key \

Important

These certificates are only for test purposes and not production use. Visit letsencrypt.org to obtain a certificate for your domain.

Step 3 - Testing

We can test access to the registry using curl. The response should provide headers, for example Docker-Distribution-API-Version, indicating the request was processed by the Registry server.

curl -i https://registry.test.training.katacoda.com:5000/v2/

Step 4 - Pushing Images

The Registry is now running.

We now need to push images to our new Registry. To push/pull images from non-default Registries we need to include the URL in the image name. Generally, an image follows a <name>:<tag> format as Docker defaults to the public registry. The full format is <registry-url>:<name>:<tag>.

We can use the docker tag to add additional tags to existing images. In this case the Redis image.

docker pull redis:alpine; docker tag redis:alpine registry.test.training.katacoda.com:5000/redis:alpine

Once tagged we can push the image. The different layers of the image will be pushed.

docker push registry.test.training.katacoda.com:5000/redis:alpine

Step 5 - Pulling Images

First, remove images so they need to be pulled again

docker rmi redis:alpine && docker rmi registry.test.training.katacoda.com:5000/redis:alpine

As with push, pulling also includes the URL of our target Registry.

docker pull registry.test.training.katacoda.com:5000/redis:alpine

cd <directory>	Change directory
ls	List directory
echo 'contents' > <file>	Write contents to a file
cat <file>	Output contents of file

i	In Command Mode	Change into Insert Mode, you can now insert and edit text in the file
esc	In Insert Mode	Change into Command Mode, you can now execute commands
:wq	In Command Mode	Save and Exit

Welcome!

Congratulations!

You've completed the scenario!

Scenario Rating

Steps for production

Steps