Introduction
Most IT companies do not provide Internet access to production systems, while Docker Hub requires it and is less secure (it is available to everyone). To keep our Docker images under our own control, we store them locally in a private Docker registry.
When we have a large number of Docker hosts in our environment, running our own private Docker registry inside the internal network lets us manage images from a private server without giving the Docker clients Internet access.
Required
- Docker Registry Host: k8s-master.com
- Client: k8s-client.com
- Operating system: CentOS
- Docker Version: 18.06
- Internet: required on the registry server to pull images from Docker Hub
Note: Docker must be installed on both the registry host and the client machines before setting up the private registry.
Private Docker Registry Setup
- Create a directory and place your TLS certificate and private key in it:
mkdir -p /data/certs
cp domain.crt domain.key /data/certs/
- If you do not have a TLS certificate, generate a self-signed one to secure the private registry. The subject CN must match the hostname clients will use (k8s-master.com), otherwise the Docker client rejects the connection; newer Docker versions also require a matching subjectAltName:
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout /data/certs/domain.key \
-subj "/CN=k8s-master.com" \
-x509 -days 365 -out /data/certs/domain.crt
- Create a directory to store Docker images:
mkdir -p /data/images
- Run Docker registry container in docker host machine:
docker run -d -p 6000:5000 \
-v /data/images:/var/lib/registry \
-v /data/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
--restart on-failure \
--name registry \
docker.io/registry:2
- Check the Docker registry container status on the host machine and the listening port in Linux:
docker ps
netstat -tulpn | grep 6000
- Pull images from Docker Hub, tag them for the private registry and push them:
docker pull nginx
docker tag nginx localhost:6000/nginx
docker push localhost:6000/nginx
- Verify the Docker images pushed to the private registry (the registry stores them under the directory mounted at /var/lib/registry):
ls -l /data/images/docker/registry/v2/repositories/
- Copy the TLS certificate to the client machines (only the public domain.crt; the private key stays on the registry host):
scp /data/certs/domain.crt <IP-Addr-Client>:/root/
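The verification step above only lists the repository directories. As an added example that is not part of the original guide, the following Python script walks the same registry:2 on-disk layout (tag link files under repositories/ and content-addressed blobs under blobs/sha256/) and reports, per tag, whether the manifest blob the tag points to exists and still hashes to its own digest, which catches a blob edited on the storage volume. Run it against /data/images; the demo() function builds a constructed sample store in a temporary directory instead.

```python
import hashlib
import tempfile
from pathlib import Path

V2 = Path("docker") / "registry" / "v2"  # registry:2 filesystem driver layout under /var/lib/registry

def write_manifest(root, repo, tag, manifest: bytes, stored: bytes = None):
    """Constructed sample data: write a tag link and the manifest blob it points to ('stored' = tampered bytes)."""
    root = Path(root)
    hexd = hashlib.sha256(manifest).hexdigest()
    link = root / V2 / "repositories" / repo / "_manifests" / "tags" / tag / "current" / "link"
    link.parent.mkdir(parents=True, exist_ok=True)
    link.write_text("sha256:" + hexd)
    blob = root / V2 / "blobs" / "sha256" / hexd[:2] / hexd / "data"
    blob.parent.mkdir(parents=True, exist_ok=True)
    blob.write_bytes(manifest if stored is None else stored)
    return blob

def verify_registry_store(root) -> dict:
    """Map 'repo:tag' -> ok | bad-link | missing-blob | digest-mismatch for every tag in the store."""
    root = Path(root)
    repos, blobs = root / V2 / "repositories", root / V2 / "blobs" / "sha256"
    results = {}
    for link in repos.glob("**/_manifests/tags/*/current/link"):
        tag = link.parents[1].name
        repo = link.relative_to(repos).parents[4].as_posix()  # repository path before _manifests
        name = f"{repo}:{tag}"
        digest = link.read_text().strip()
        if not digest.startswith("sha256:") or len(digest) != 71:
            results[name] = "bad-link"
            continue
        hexd = digest[7:]
        data = blobs / hexd[:2] / hexd / "data"
        if not data.is_file():
            results[name] = "missing-blob"
        elif hashlib.sha256(data.read_bytes()).hexdigest() != hexd:  # content-addressed: hash must match path
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results

def demo() -> dict:
    """Constructed store in a temp dir: one healthy tag, one tampered blob, one dangling link."""
    with tempfile.TemporaryDirectory() as tmp:
        write_manifest(tmp, "nginx", "latest", b'{"schemaVersion": 2, "layers": []}')
        write_manifest(tmp, "library/busybox", "1.0", b'{"schemaVersion": 2}', stored=b'{"evil": 1}')
        write_manifest(tmp, "alpine", "3.9", b'{"schemaVersion": 2, "config": {}}').unlink()
        return verify_registry_store(tmp)
```

The check covers each tag's manifest blob; layer blobs referenced inside the manifest are stored under the same blobs/sha256 tree and can be verified the same way.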
Operations Required on Client Machine
- Configure the Docker client to trust our TLS certificate (Docker reads CA certificates from a directory named after the registry host and port):
mkdir -p /etc/docker/certs.d/k8s-master.com:6000/
cp /root/domain.crt /etc/docker/certs.d/k8s-master.com:6000/ca.crt
- Pull the image from the private Docker registry and use it (pushing to the registry works the same way):
docker pull k8s-master.com:6000/nginx
docker push k8s-master.com:6000/nginx