05.03.2017, by Mike

I am switching more and more to Docker with all my projects. Because of that I set up a private Docker registry. I use Puppet to configure the Docker registry on my Ubuntu server. The manifest basically looks like this:

class docker::registry {
  # Build dependencies needed to install docker-registry via pip
  package { ['build-essential', 'python-dev', 'libevent-dev', 'python-pip', 'liblzma-dev']:
    ensure => present,
  }

  package { 'docker-registry':
    ensure   => present,
    provider => pip,
    require  => [Package['python-pip'], Package['build-essential'], Package['python-dev'], Package['libevent-dev'], Package['liblzma-dev']],
  }

  # Registry configuration, readable by root only
  file { '/usr/local/lib/python2.7/dist-packages/config/config.yml':
    ensure  => file,
    mode    => '0640',
    owner   => 'root',
    group   => 'root',
    source  => 'puppet:///modules/docker/config.yml',
    require => Package['docker-registry'],
  }

  # Log directory used by gunicorn (see the Upstart job below)
  file { '/var/log/docker-registry':
    ensure => directory,
    mode   => '0755',
    owner  => 'root',
    group  => 'root',
  }

  # Upstart job that starts gunicorn bound to 127.0.0.1:5000
  file { '/etc/init/docker-registry.conf':
    ensure => file,
    mode   => '0755',
    owner  => 'root',
    group  => 'root',
    source => 'puppet:///modules/docker/docker-registry.conf',
  }

  service { 'docker-registry':
    ensure  => running,
    require => [File['/etc/init/docker-registry.conf'], File['/var/log/docker-registry'], File['/usr/local/lib/python2.7/dist-packages/config/config.yml'], Package['docker-registry']],
  }
}


The docker-registry.conf is a simple Upstart job:

description "Docker Registry"

start on runlevel [2345]
stop on runlevel [016]

respawn
respawn limit 10 5

script
  # Bind to loopback only; nginx terminates TLS and proxies to this port
  exec gunicorn --access-logfile /var/log/docker-registry/access.log --error-logfile /var/log/docker-registry/server.log -k gevent --max-requests 100 --graceful-timeout 3600 -t 3600 -b 127.0.0.1:5000 -w 8 docker_registry.wsgi:application
end script


I did not change anything in the configuration. You can get the sample config.yml here: https://github.com/docker/docker-registry/blob/master/config/config_sample.yml

Afterwards the Docker registry should be running on port 5000 and be reachable only via 127.0.0.1. I use nginx to proxy the requests and allow only HTTPS connections to the registry. The nginx vhost config looks like this:

# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream docker-registry {
  server 127.0.0.1:5000;
}

server {
  listen 443 ssl;
  server_name YOUR_DOCKER_SERVER_NAME;

  # ssl on;
  ssl_certificate     YOUR_SSL_CRT;
  ssl_certificate_key YOUR_SSL_KEY;

  proxy_set_header Host       $http_host;   # required for Docker client sake
  proxy_set_header X-Real-IP  $remote_addr; # pass on real client IP

  client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
  chunked_transfer_encoding on;

  location / {
    # let Nginx know about our auth file
    auth_basic              "Restricted";
    auth_basic_user_file    docker-registry.htpasswd;

    proxy_pass http://docker-registry;
  }

  location /_ping {
    auth_basic off;
    proxy_pass http://docker-registry;
  }

  location /v1/_ping {
    auth_basic off;
    proxy_pass http://docker-registry;
  }
}


The registry is also protected with HTTP basic auth. Create an appropriate htpasswd file and put it at /etc/nginx/docker-registry.htpasswd.

Now you can log in to your private Docker registry with:

docker login YOUR_DOCKER_SERVER_NAME

Afterwards, enter the credentials from your htpasswd file.
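As an added helper (not part of the original post), the following POSIX shell functions create the htpasswd entry the nginx vhost expects and check that a deployed registry behaves as described above: gunicorn bound to loopback only, the ping endpoints open, everything else behind basic auth over HTTPS. It assumes openssl, curl and ss (iproute2) are installed; the host name and credentials are placeholders.

```shell
#!/bin/sh
# Added helper, not from the original post. Assumes openssl, curl and ss are
# installed; YOUR_DOCKER_SERVER_NAME and alice:s3cret are placeholders.

# One htpasswd line. nginx accepts apr1 (Apache MD5) hashes, which openssl
# produces, so apache2-utils is not required. The password goes in via stdin
# so it does not appear in the process list.
htpasswd_line() {   # user password
  printf '%s:%s\n' "$1" "$(printf '%s\n' "$2" | openssl passwd -apr1 -stdin)"
}

# Hash scheme used in an htpasswd line ("apr1" for lines made above).
hash_scheme() {
  printf '%s\n' "$1" | cut -d: -f2 | cut -d'$' -f2
}

# Read "ss -ltn" output on stdin; succeed only if every listener on port 5000
# is bound to a loopback address (127.0.0.1 or [::1]).
loopback_only() {
  awk 'BEGIN { bad = 0 }
       $4 ~ /:5000$/ && $4 !~ /^(127\.0\.0\.1|\[::1\]):/ { bad = 1 }
       END { exit bad }'
}

# HTTP status nginx returns for a URL, optionally with basic-auth credentials.
# No -k: the certificate must validate, just as the docker client requires.
http_status() {   # url [user:pass]
  if [ -n "${2:-}" ]; then
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' -u "$2" "$1"
  else
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1"
  fi
}

# Check the behaviour the post describes; returns non-zero if anything is off.
check_registry() {   # host user:pass
  host=$1; cred=$2; rc=0
  ss -ltn | loopback_only || { echo "FAIL: port 5000 listens beyond loopback"; rc=1; }
  [ "$(http_status "https://$host/v1/_ping")" = 200 ] || { echo "FAIL: /v1/_ping not open"; rc=1; }
  [ "$(http_status "https://$host/v1/")" = 401 ] || { echo "FAIL: /v1/ served without auth"; rc=1; }
  [ "$(http_status "https://$host/v1/" "$cred")" != 401 ] || { echo "FAIL: credentials rejected"; rc=1; }
  [ "$(http_status "http://$host/v1/_ping")" != 200 ] || { echo "FAIL: plain HTTP answers"; rc=1; }
  return $rc
}

# Usage (placeholders): htpasswd_line alice 's3cret' >> /etc/nginx/docker-registry.htpasswd
#                       check_registry YOUR_DOCKER_SERVER_NAME alice:s3cret
```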