deploy docker registry under private network

Tags: docker, registry, ssl, nginx


2021-02-15 15:30:35


A Docker registry is an essential piece of infrastructure for the Docker daemon and for Kubernetes. We package project artifacts as Docker images, and a registry service stores and distributes them. Today we show how we set up a small, straightforward registry using Docker's official registry implementation. It gives a CI/CD workflow a convenient place to dock.

Deploy structure:

[image: deployment structure diagram]

Deploy services

Container

docker run -d -p 5000:5000 --restart=always --name registry -v /data/registry:/var/lib/registry registry:2
docker run -d -p 5001:80 --name registry-ui -e DELETE_IMAGES=true joxit/docker-registry-ui:static
  1. Replace the path /data/registry with your own storage path.
  2. -e DELETE_IMAGES=true allows Docker images to be deleted through the UI.
    1. Reference document: https://hub.docker.com/r/joxit/docker-registry-ui
    2. See the paragraph "Run the static interface".
  3. Reviewing the Dockerfile of the joxit/docker-registry-ui:static image shows that:
    1. The HTTP service is just an nginx process serving a bunch of static files.
    2. The cross-origin (CORS), registry_url and SSL configuration can be moved into our own nginx deployment for more flexible and cleaner config management.

Host nginx deploy

Generally, we install nginx through the Linux package manager, such as apt.

On Ubuntu, nginx can be installed with the command sudo apt-get update && sudo apt-get install -y nginx

Then we place the following config file in the nginx config directory. The default path is /etc/nginx/sites-enabled/

Here we store the config file as /etc/nginx/sites-enabled/registry

server {
    listen 443 ssl;
    server_name [[REPLACE: YOUR OWN DOMAIN NAME]];
    ssl_certificate     /etc/ssl/[[REPLACE: YOUR DOMAIN SSL CRT FILE]];
    ssl_certificate_key /etc/ssl/[[REPLACE: YOUR DOMAIN SSL KEY FILE]];
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    client_max_body_size 2048M;
    location / {
        proxy_pass http://127.0.0.1:5001;
    }
    location /v2 {
        proxy_pass http://127.0.0.1:5000;
    }
}

server {
    listen 80;
    server_name [[REPLACE: YOUR OWN DOMAIN NAME]];
    return 301 https://$host$request_uri;
}

ATTENTION: replace the values in this config to match your environment.

  1. The parameter server_name must be replaced with your own domain name.
  2. We recommend using the Let's Encrypt DNS-01 challenge to verify your domain and obtain an SSL certificate.
  3. The parameter ssl_certificate must point to your domain's certificate (crt) file.
  4. The parameter ssl_certificate_key must point to your domain's private key file.
  5. The parameter client_max_body_size is set to 2GB because in practice we often push large Docker image layers.
  6. location / routes to the registry UI container.
  7. location /v2 routes to the registry service.
  8. Don't forget to set an A record for your domain.
  9. We highly recommend serving the registry over HTTPS via nginx, since otherwise the Docker daemon or kubelet needs extra configuration to trust your registry.
  10. The second server block in the config forces a redirect from HTTP to HTTPS.
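The server block above accepts TLSv1 and TLSv1.1, which current clients and scanners reject as deprecated, and it proxies to the registry without forwarding the original Host, which the registry uses to build the Location URLs it returns during blob uploads. The following is an added example, not the original post's config, of the same UI/API split with those two points tightened, using the proxy headers the Docker registry's own nginx recipe recommends. The domain name and certificate paths are assumed placeholders; the upstream ports match the containers started above.

```nginx
# Added example (not the post's own config): registry + UI behind nginx with
# TLS restricted to 1.2/1.3 and the proxy headers the registry needs.

upstream docker-registry { server 127.0.0.1:5000; }   # registry container
upstream registry-ui     { server 127.0.0.1:5001; }   # joxit UI container

server {
    listen 443 ssl;
    server_name registry.example.internal;             # assumed placeholder

    ssl_certificate     /etc/ssl/registry.crt;         # assumed placeholder
    ssl_certificate_key /etc/ssl/registry.key;         # assumed placeholder

    # TLSv1 / TLSv1.1 dropped: only TLS 1.2 and 1.3 with AEAD, forward-secret suites.
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache   shared:registry:10m;
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Large image layers, as in the post.
    client_max_body_size 2048M;

    location / {
        proxy_pass http://registry-ui;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /v2/ {
        # Tell clients this is a v2 registry even on error responses.
        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
        proxy_pass http://docker-registry;
        # The registry derives upload Location URLs from Host / X-Forwarded-*;
        # without these, pushes can be redirected to 127.0.0.1:5000.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;                        # long blob uploads
    }
}

server {
    listen 80;
    server_name registry.example.internal;             # assumed placeholder
    return 301 https://$host$request_uri;
}
```

Validate with `nginx -t` before reloading; the `always` flag on `add_header` matters because the registry answers unauthenticated or malformed requests with 4xx codes, and nginx omits non-`always` headers on those.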

SAFETY WARNING:

  1. Do not deploy this solution on the public internet.
  2. Use it for a small team inside a private network.
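The registry container as started above has no authentication of its own, so the private-network rule is the only thing standing between anyone who can reach port 443 and an anonymous push/pull endpoint. As an added example, not part of the original post, the fragment below enforces that rule inside nginx as well, so that a misconfigured firewall or an unexpectedly routed interface does not silently widen the audience. The CIDR ranges and the htpasswd path are assumed placeholders; the directives go inside the `listen 443 ssl` server block from the post.

```nginx
# Added example (not the post's own config): restrict the registry to private
# ranges and require credentials for the API. Insert inside the existing
# "server { listen 443 ssl; ... }" block.

    # Only these source ranges may reach the UI or the API (assumed placeholders).
    # Directives in server context are inherited by every location below.
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    allow 127.0.0.1/32;
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:5001;
        proxy_set_header Host $http_host;
    }

    location /v2/ {
        # "docker login <domain>" sends HTTP Basic credentials once nginx
        # answers 401 with this realm. Create the file with, for example:
        #   htpasswd -Bc /etc/nginx/registry.htpasswd <user>
        auth_basic           "Docker registry";
        auth_basic_user_file /etc/nginx/registry.htpasswd;   # assumed path
        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
```

Because the UI calls the /v2 API from the browser, the browser will prompt for the same credentials when the UI is opened; with DELETE_IMAGES=true that means deletions are also gated by the htpasswd file rather than open to anyone on the network.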

Articles on this blog are published under the CC Attribution-NonCommercial license: the original author's attribution must be kept and commercial use is not permitted; everything else is allowed.