
Self-host a private Docker registry

You can create a private Docker registry to serve as your own “Docker Hub” for internal use, which can be cost-effective and give you full control over your images. Setting up a self-hosted Docker registry is straightforward and can be hosted on your own infrastructure, on-premises servers, or even your private cloud. Here’s how you can do it:


1. Use Docker’s Official Registry Image

Docker provides an official image to set up your private registry.

Steps:
  1. Run the Registry Container:

    docker run -d -p 5000:5000 --name registry --restart=always registry:2
    

    This starts a registry listening on port 5000 over plain HTTP. Docker clients only accept an unencrypted registry on localhost by default, so keep this form for local testing.

  2. Test the Registry:

    • Tag a local image:
      docker tag your-image localhost:5000/your-image
      
    • Push the image:
      docker push localhost:5000/your-image
      
    • Pull the image:
      docker pull localhost:5000/your-image
      
  3. Persist Data:
    By default the image data lives in an anonymous volume that is easily lost when the container is removed. Bind-mount a host directory so images persist:

    docker run -d -p 5000:5000 --name registry --restart=always -v /path/to/registry/data:/var/lib/registry registry:2
    

2. Secure the Registry with HTTPS

To use the registry in a production environment, secure it with HTTPS.

Steps:
  1. Generate SSL Certificates:
    Use a certificate from a trusted CA, or generate a self-signed certificate. Docker clients are written in Go and reject certificates whose hostname appears only in the Common Name, so put the registry hostname in a subjectAltName:

    openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 \
      -subj "/CN=your-domain.com" -addext "subjectAltName=DNS:your-domain.com" -out domain.crt
    
  2. Configure Docker Registry with HTTPS:
    Mount the certificate and key to the container:

    docker run -d -p 443:5000 --name registry \
      --restart=always \
      -v /path/to/registry/data:/var/lib/registry \
      -v /path/to/domain.crt:/certs/domain.crt \
      -v /path/to/domain.key:/certs/domain.key \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
      registry:2
    
  3. Access Your Secure Registry:
    Use the registry with HTTPS:

    docker tag your-image your-domain.com/your-image
    docker push your-domain.com/your-image
    
  4. Handle Self-Signed Certificates:
    If using self-signed certificates, configure every Docker client that pushes or pulls to trust them:

    • Copy the .crt file to /etc/docker/certs.d/your-domain.com/ca.crt. If the registry is published on a port other than 443, the directory name must include it, for example /etc/docker/certs.d/your-domain.com:5000/ca.crt.

3. Use Authentication for Access Control

Add authentication to secure the registry further.

Steps:
  1. Create a Password File:
    Use htpasswd to create a password file. The registry verifies bcrypt hashes only, which is what -B produces. Recent registry:2 images no longer ship the htpasswd binary, so run it from the httpd:2 image:

    docker run --rm --entrypoint htpasswd httpd:2 -Bbn username password > /path/to/auth/htpasswd
    
  2. Run the Registry with Authentication:
    Mount the password file and configure the registry:

    docker run -d -p 443:5000 --name registry \
      --restart=always \
      -v /path/to/registry/data:/var/lib/registry \
      -v /path/to/domain.crt:/certs/domain.crt \
      -v /path/to/domain.key:/certs/domain.key \
      -v /path/to/auth:/auth \
      -e REGISTRY_AUTH=htpasswd \
      -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
      registry:2
    
  3. Access the Registry with Authentication:
    Log in to the registry before pushing/pulling images:

    docker login your-domain.com
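
As an added example that is not part of the original post: host-side checks to run before the TLS and htpasswd launch command above, plus the rule Docker uses to pick the registry host from an image reference, which is also the directory name under /etc/docker/certs.d/ in section 2, step 4. All file paths are parameters; the sample files are constructed by the caller.

```shell
#!/bin/sh
# Added example (not from the original post): host-side checks before running
# the TLS + htpasswd registry launch above.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# registry_preflight CERT KEY HTPASSWD
# Returns 0 when the files are safe to mount; otherwise prints each problem and returns 1.
registry_preflight() {
  pf_cert=$1; pf_key=$2; pf_htpasswd=$3; pf_rc=0
  for f in "$pf_cert" "$pf_key" "$pf_htpasswd"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f"; pf_rc=1; }
  done
  [ "$pf_rc" -eq 0 ] || return 1
  # The private key is bind-mounted as-is, so it must not be readable by
  # other users on the host (mode 0600 or 0400).
  case "$(file_mode "$pf_key")" in
    600|400) ;;
    *) echo "private key $pf_key is readable by other users"; pf_rc=1 ;;
  esac
  # The registry verifies bcrypt hashes only (what `htpasswd -B` writes).
  # Users with MD5 ($apr1$), SHA ({SHA}), crypt or plaintext entries cannot log in.
  [ -s "$pf_htpasswd" ] || { echo "htpasswd file is empty"; pf_rc=1; }
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    case "$line" in
      *':$2y$'*|*':$2a$'*|*':$2b$'*) ;;
      *) echo "non-bcrypt htpasswd entry for user '${line%%:*}'"; pf_rc=1 ;;
    esac
  done < "$pf_htpasswd"
  return "$pf_rc"
}

# registry_host_from_ref IMAGE_REF
# Docker treats the first path component as a registry host only when it contains
# a dot or a colon or is "localhost"; anything else resolves to Docker Hub.
registry_host_from_ref() {
  case "$1" in
    */*) rh_first=${1%%/*} ;;
    *) echo docker.io; return 0 ;;
  esac
  case "$rh_first" in
    *.*|*:*|localhost) echo "$rh_first" ;;
    *) echo docker.io ;;
  esac
}
```

The value printed by registry_host_from_ref is the directory name to use under /etc/docker/certs.d/ when installing a self-signed ca.crt on a client.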
    

4. Add a Frontend (Optional)

For large enterprises, providing a user-friendly interface can be beneficial. Consider using a registry frontend like:

  • Portus: An open-source Docker registry UI with user management.
    • GitHub: https://github.com/SUSE/Portus
  • Harbor: A cloud-native container registry with advanced features.
    • Official Site: https://goharbor.io/

5. Scale and High Availability (Optional)

For large enterprises, ensure the registry is scalable and resilient.

Options:
  1. Cluster Setup:
    Use tools like Kubernetes or Docker Swarm to manage multiple registry instances.

  2. Object Storage Backend:
    Configure the registry to use object storage (e.g., MinIO, AWS S3, Alibaba OSS) for scalability. Prefer passing the credentials through environment variables (REGISTRY_STORAGE_S3_ACCESSKEY and REGISTRY_STORAGE_S3_SECRETKEY) or an instance role rather than writing them into the file:

    • Update config.yml for the registry and mount it over /etc/docker/registry/config.yml in the container:
      storage:
        s3:
          accesskey: <your-access-key>
          secretkey: <your-secret-key>
          region: <region>
          bucket: <bucket-name>
          # S3-compatible stores such as MinIO or OSS also need their endpoint:
          regionendpoint: <https://your-object-store-endpoint>
      

By self-hosting a private Docker registry, you gain full control over your images, avoid cloud service fees, and comply with organizational policies. This approach is scalable and cost-effective for enterprises.


http://www.kler.cn/a/402254.html
