The Wooden Stake

Setting up a docker registry

Viktor Hedefalk -

As part of my new "infrastructure setup" I need my own private docker registry. This is of course run as a docker container.

Prerequisites:

  • docker
  • docker-compose

Create and mount data storage on host machine

  • I create an NFS share on my NAS and mount it in fstab:
10.0.1.30:/raiden/docker   /var/lib/docker-registry   nfs    auto  0  0

Setup htpasswd:

I create a user woodenstake and a password in a subfolder of my mount-point:

htpasswd -Bbn woodenstake ************** > /var/lib/docker-registry/auth/htpasswd

Docker image:

I modify the docker-compose.yml example from https://docs.docker.com/registry/deploying/ to fit setup:

docker-compose.yml:

registry:
  restart: always
  image: registry:2
  name: registry
  ports:
    - 5000:5000
  environment:
    REGISTRY_AUTH: htpasswd
    REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
  volumes:
    - /var/lib/docker-registry:/var/lib/registry
    - /var/lib/docker-registry/auth:/auth

as you can see, the volumes are from my mount.

Now I can simply run:

  • docker-compose up -d
  • Try it with sudo docker login localhost:5000

Setup haproxy with SSL termination

As you can see, I have no SSL termination here. I do this separately with haproxy:

/etc/haproxy/haproxy.cfg:

frontend https

# SAN certificate from letsencrypt hat contains all my subdomains including docker.woodenstake.se
bind *:443 ssl crt /etc/letsencrypt/live/repo.woodenstake.se/haproxy.pem
 …
 acl host_docker hdr(host) -i docker.woodenstake.se
 use_backend docker if host_docker
 …

backend docker
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server docker_registry 127.0.0.1:5000

Now I can:

sudo docker login https://docker.woodenstake.se

from outside

Make this repository mirror main docker repo:

Add
--registry-mirror=http://localhost:5000

to /etc/default/docker

Then restart the deamon.

Push yourself to yourself (to see everything works)

viktor@i7:~$ sudo docker images
REPOSITORY                        TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry                          2                   5dfdbfb4ed57        3 weeks ago         224.5 MB
viktor@i7:~$ sudo docker tag 5dfdbfb4ed57 localhost:5000/woodenstake/docker-registry
viktor@i7:~$ sudo docker push localhost:5000/woodenstake/docker-registry

Yey!