12.03.2015 Author Mike

I am switching more and more to Docker with all my projects. Because of that I set up a private Docker registry. I use Puppet to configure the registry on my Ubuntu server. Basically it looks like this:

class docker::registry {
    # Build dependencies for the pip-installed registry (gevent and lzma bindings).
    package {['build-essential', 'python-dev', 'libevent-dev', 'python-pip', 'liblzma-dev']:
        ensure => present
    }

    package {'docker-registry':
        ensure   => present,
        provider => pip,
        require  => [
            Package['python-pip'],
            Package['build-essential'],
            Package['python-dev'],
            Package['libevent-dev'],
            Package['liblzma-dev']
        ]
    }

    # The registry reads config.yml from the config/ directory next to the
    # installed package. Restart the service whenever the file changes.
    file {'/usr/local/lib/python2.7/dist-packages/config/config.yml':
        ensure  => file,
        mode    => '0640',
        owner   => 'root',
        group   => 'root',
        source  => 'puppet:///modules/docker/config.yml',
        require => Package['docker-registry'],
        notify  => Service['docker-registry']
    }

    file {'/var/log/docker-registry':
        ensure => directory,
        mode   => '0755',
        owner  => 'root',
        group  => 'root'
    }

    # Upstart job definition: read by init, never executed, so 0644 is enough.
    file {'/etc/init/docker-registry.conf':
        ensure => file,
        mode   => '0644',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/docker/docker-registry.conf',
    }

    service {'docker-registry':
        ensure  => running,
        require => [
            File['/etc/init/docker-registry.conf'],
            File['/var/log/docker-registry'],
            File['/usr/local/lib/python2.7/dist-packages/config/config.yml'],
            Package['docker-registry']
        ]
    }
}

The docker-registry.conf is a simple upstart job. As written it runs gunicorn as root and binds only to 127.0.0.1:5000, so the registry itself is never reachable except through the proxy. If you want to drop privileges, upstart's setuid and setgid stanzas do that, but the chosen user then needs read access to config.yml and write access to /var/log/docker-registry.

description "Docker Registry"

start on runlevel [2345]
stop on runlevel [016]
respawn
respawn limit 10 5

script
exec gunicorn --access-logfile /var/log/docker-registry/access.log --error-logfile /var/log/docker-registry/server.log -k gevent --max-requests 100 --graceful-timeout 3600 -t 3600 -b 127.0.0.1:5000 -w 8 docker_registry.wsgi:application
end script

I did not change anything in the configuration. You can get the sample config.yml here: https://github.com/docker/docker-registry/blob/master/config/config_sample.yml

One caveat with the sample: the flavour it runs is chosen by the SETTINGS_FLAVOR environment variable and defaults to dev, whose storage_path points at a directory under /tmp unless STORAGE_PATH is set. The upstart job above sets neither variable, so check the storage_path of the flavour you end up running before pushing any image you want to keep.

Afterwards the Docker registry is running on port 5000 and reachable only via 127.0.0.1. I use nginx to proxy the requests and allow only HTTPS connections to the registry; the vhost listens on 443 alone, so there is no plaintext port a client could fall back to. The nginx vhost config looks like this:

# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream docker-registry {
    server 127.0.0.1:5000;
}

server {
    listen 443 ssl;
    server_name YOUR_DOCKER_SERVER_NAME;

    # ssl on;
    ssl_certificate YOUR_SSL_CRT;
    ssl_certificate_key YOUR_SSL_KEY;

    proxy_set_header Host       $http_host;   # required for Docker client sake
    proxy_set_header X-Real-IP  $remote_addr; # pass on real client IP

    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
    chunked_transfer_encoding on;

    location / {
            # let Nginx know about our auth file
            auth_basic              "Restricted";
            auth_basic_user_file    docker-registry.htpasswd;

            proxy_pass http://docker-registry;
    }

    location /_ping {
            auth_basic off;
            proxy_pass http://docker-registry;
    }

    location /v1/_ping {
            auth_basic off;
            proxy_pass http://docker-registry;
    }
}

The registry is also protected with HTTP basic auth. That is only acceptable because nginx terminates TLS in front of it: basic auth sends the credentials base64-encoded, not encrypted, with every request. Create an htpasswd file and put it at /etc/nginx/docker-registry.htpasswd (nginx resolves the relative auth_basic_user_file path against the directory of its main configuration file, /etc/nginx on Ubuntu; an absolute path in the vhost avoids the guesswork). Use a hash scheme nginx can verify: crypt(3)-style hashes such as apr1/MD5 from htpasswd or openssl passwd (and, on glibc, the $5$/$6$ SHA-crypt families) or the RFC 2307 {SHA}/{SSHA} forms. bcrypt hashes written by htpasswd -B are not understood, and a user with such an entry simply fails every login. Keep the file readable by root and the nginx worker group only, not world-readable.
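The following script is an added example, not code from the original post or from the docker-registry project. It builds the htpasswd file the vhost above reads, using apr1 hashes from openssl passwd (a scheme nginx verifies on every platform), checks a candidate password the way nginx does (re-hash with the stored salt and compare), and flags lines whose scheme nginx cannot verify. The user names, passwords and the temporary file path in the demo are constructed for the example; the www-data group is Ubuntu's nginx worker group.

```shell
#!/bin/sh
# Added example (not from the original post): create and check the nginx
# htpasswd file for the registry. Every name, password and path below is
# constructed for the example.
set -eu

# 8-character salt; hex output stays inside the crypt alphabet [a-zA-Z0-9./].
gen_salt() {
    openssl rand -hex 4
}

# htpasswd_line USER PASSWORD [SALT]  ->  "USER:$apr1$SALT$digest" on stdout.
# The password goes in on stdin (-stdin) so it never appears in `ps` output.
htpasswd_line() {
    user=$1; pass=$2; salt=${3:-$(gen_salt)}
    case $user in
        *:*) echo "htpasswd_line: user name must not contain ':'" >&2; return 1 ;;
    esac
    digest=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    printf '%s:%s\n' "$user" "$digest"
}

# nginx_supported_hash LINE -> 0 if nginx's auth_basic can verify the hash in
# LINE: apr1, the glibc crypt(3) families $1$/$5$/$6$, or RFC 2307 {SHA}/{SSHA}.
# bcrypt lines ($2a$/$2b$/$2y$, what "htpasswd -B" writes) return 1: nginx
# would reject every login for that user instead of failing loudly.
nginx_supported_hash() {
    case "${1#*:}" in
        '$apr1$'*|'$1$'*|'$5$'*|'$6$'*|'{SHA}'*|'{SSHA}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# htpasswd_check LINE PASSWORD -> 0 if PASSWORD matches the apr1 hash in LINE,
# 1 if it does not, 2 if LINE uses a scheme this helper cannot recompute.
htpasswd_check() {
    stored=${1#*:}
    case "$stored" in '$apr1$'*) ;; *) return 2 ;; esac
    salt=$(printf '%s\n' "$stored" | cut -d '$' -f3)
    candidate=$(printf '%s\n' "$2" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$candidate" = "$stored" ]
}

# write_htpasswd FILE USER PASSWORD [USER PASSWORD ...]
# Creates FILE with one line per user, readable by root and the nginx worker
# group only. The chown to www-data is attempted only when running as root.
write_htpasswd() {
    file=$1; shift
    ( umask 077; : > "$file" )
    while [ $# -ge 2 ]; do
        htpasswd_line "$1" "$2" >> "$file"
        shift 2
    done
    chmod 0640 "$file"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:www-data "$file" 2>/dev/null || true
    fi
}

# Demo: "sh htpasswd.sh demo" writes a two-user file to a temporary path and
# verifies one password against it.
case ${1:-} in
    demo)
        f=$(mktemp)
        write_htpasswd "$f" mike s3cret alice hunter2
        cat "$f"
        htpasswd_check "$(grep '^alice:' "$f")" hunter2 && echo "alice: password ok"
        rm -f "$f"
        ;;
esac
```

Once the file is in place and nginx has reloaded, a quick end-to-end check from another host is `curl -sS -o /dev/null -w '%{http_code}\n' https://YOUR_DOCKER_SERVER_NAME/v1/_ping`, which should print 200 without credentials because that location has auth_basic off, while the same request against / should print 401 without credentials and 200 with `-u user:password`.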

Now you can log in to your private Docker registry with:

docker login YOUR_DOCKER_SERVER_NAME

and enter the credentials from your htpasswd file when prompted. The Docker host has to trust the server certificate: with a certificate that is not signed by a CA the host trusts, the login fails with a certificate error before any credentials are sent.