Setup private docker registry

I am switching more and more to Docker with all my projects. Because of that I set up a private Docker registry. I am using Puppet to configure the Docker registry on my Ubuntu server. Basically it looks like this:

class docker::registry {
  # Build dependencies needed to install docker-registry via pip
  package {['build-essential', 'python-dev', 'libevent-dev', 'python-pip', 'liblzma-dev']:
    ensure => present
  }

  package {'docker-registry':
    ensure   => present,
    provider => pip,
    require  => [Package['python-pip'], Package['build-essential'], Package['python-dev'], Package['libevent-dev'], Package['liblzma-dev']]
  }

  # Registry configuration, readable by root only
  file {'/usr/local/lib/python2.7/dist-packages/config/config.yml':
    ensure  => file,
    mode    => '0640',
    owner   => 'root',
    group   => 'root',
    source  => 'puppet:///modules/docker/config.yml',
    require => Package['docker-registry']
  }

  file {'/var/log/docker-registry':
    ensure => directory,
    mode   => '755',
    owner  => root,
    group  => root
  }

  # Upstart job for the registry
  file {'/etc/init/docker-registry.conf':
    ensure => file,
    mode   => '0755',
    owner  => 'root',
    group  => 'root',
    source => 'puppet:///modules/docker/docker-registry.conf',
  }

  service {'docker-registry':
    ensure  => running,
    require => [File['/etc/init/docker-registry.conf'], File['/var/log/docker-registry'], File['/usr/local/lib/python2.7/dist-packages/config/config.yml'], Package['docker-registry']]
  }
}

The docker-registry.conf is a simple upstart script:

description "Docker Registry"

start on runlevel [2345]
stop on runlevel [016]

respawn limit 10 5

script
exec gunicorn --access-logfile /var/log/docker-registry/access.log --error-logfile /var/log/docker-registry/server.log -k gevent --max-requests 100 --graceful-timeout 3600 -t 3600 -b -w 8 docker_registry.wsgi:application
end script

I did not change anything in the configuration. You can get the sample config.yml here:

Afterwards the Docker registry should be running on port 5000 and only be reachable via I use nginx to proxy the requests and only allow HTTPS connections to the registry. The nginx vhost config looks like this:

# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream docker-registry {
}

server {
  listen 443 ssl;

  # ssl on;
  ssl_certificate YOUR_SSL_CRT;
  ssl_certificate_key YOUR_SSL_KEY;

  proxy_set_header Host       $http_host;   # required for Docker client sake
  proxy_set_header X-Real-IP  $remote_addr; # pass on real client IP

  client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

  # required to avoid HTTP 411: see Issue #1486
  chunked_transfer_encoding on;

  location / {
    # let Nginx know about our auth file
    auth_basic              "Restricted";
    auth_basic_user_file    docker-registry.htpasswd;

    proxy_pass http://docker-registry;
  }

  location /_ping {
    auth_basic off;
    proxy_pass http://docker-registry;
  }

  location /v1/_ping {
    auth_basic off;
    proxy_pass http://docker-registry;
  }
}

It is also secured with basic auth. Create an appropriate htpasswd file and put it at /etc/nginx/docker-registry.htpasswd.
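
A small check for the proxy rules above, as an added example that is not part of the original post: it parses a vhost and reports any listener without ssl and any proxied location where basic auth is switched off, other than the ping endpoints. The sample config, including its /v1/search location, is constructed for illustration.

```python
import re

# Constructed vhost modelled on the config above; /v1/search is an assumed misconfiguration.
SAMPLE = """
server {
  listen 443 ssl;
  location / { auth_basic "Restricted"; proxy_pass http://docker-registry; }
  location /_ping { auth_basic off; proxy_pass http://docker-registry; }
  location /v1/search { auth_basic off; proxy_pass http://docker-registry; }
}
"""

def parse(tokens):
    """Turn a token list into nested (words, children-or-None) directives."""
    items, words = [], []
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break
        if tok in (";", "{"):
            items.append((words, parse(tokens) if tok == "{" else None))
            words = []
        else:
            words.append(tok)
    return items

def first_arg(block, name, default):
    """First argument of directive `name` in a block, else `default`."""
    return next((w[1] for w, _ in block if w[:1] == [name] and len(w) > 1), default)

def audit(text):
    """Report plain-HTTP listeners and proxied locations without basic auth."""
    findings = []
    text = re.sub(r"#[^\n]*", "", text)  # strip comments before tokenizing
    for words, server in parse(re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)):
        if words != ["server"] or server is None:
            continue
        listens = [w for w, _ in server if w[:1] == ["listen"]]
        if not listens or any("ssl" not in w for w in listens):
            findings.append("listen without ssl")
        inherited = first_arg(server, "auth_basic", "off")  # server-level default
        for w, body in server:
            if w[:1] != ["location"] or body is None:
                continue
            proxied = any(d[:1] == ["proxy_pass"] for d, _ in body)
            auth = first_arg(body, "auth_basic", inherited)
            if proxied and auth == "off" and not w[-1].endswith("/_ping"):
                findings.append("unauthenticated proxy location: " + w[-1])
    return findings
```

Run `audit()` on the contents of the deployed vhost file; an empty list means every proxied path except the ping endpoints sits behind basic auth on an ssl listener.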

Now you can log in to your private Docker registry with:


Afterwards enter the credentials from your htpasswd file.
