
Self-host a private Docker registry

You can create a private Docker registry to serve as your own “Docker Hub” for internal use, which can be cost-effective and gives you full control over your images. Setting up a self-hosted Docker registry is straightforward, and it can run on your own infrastructure: on-premises servers or your private cloud. Here’s how you can do it:


1. Use Docker’s Official Registry Image

Docker provides an official image to set up your private registry.

Steps:
  1. Run the Registry Container:

    docker run -d -p 5000:5000 --name registry --restart=always registry:2
    

    This starts a registry on port 5000.

  2. Test the Registry:

    • Tag a local image:
      docker tag your-image localhost:5000/your-image
      
    • Push the image:
      docker push localhost:5000/your-image
      
    • Pull the image:
      docker pull localhost:5000/your-image
      
  3. Persist Data:
    By default, image data is not persisted outside the container and is lost when the container is removed. Mount a host directory as a volume to store images:

    docker run -d -p 5000:5000 --name registry --restart=always -v /path/to/registry/data:/var/lib/registry registry:2
    

2. Secure the Registry with HTTPS

To use the registry in a production environment, secure it with HTTPS.

Steps:
  1. Generate SSL Certificates:
    Use a certificate from a trusted CA, or generate a self-signed one. Include the registry host name as a subjectAltName: Docker clients reject certificates that carry the name only in the Common Name field (the -addext option requires OpenSSL 1.1.1 or newer):

    openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 \
      -subj "/CN=your-domain.com" -addext "subjectAltName=DNS:your-domain.com" -out domain.crt
    
  2. Configure Docker Registry with HTTPS:
    Mount the certificate and key to the container:

    docker run -d -p 443:5000 --name registry \
      --restart=always \
      -v /path/to/registry/data:/var/lib/registry \
      -v /path/to/domain.crt:/certs/domain.crt \
      -v /path/to/domain.key:/certs/domain.key \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
      registry:2
    
  3. Access Your Secure Registry:
    Use the registry with HTTPS:

    docker tag your-image your-domain.com/your-image
    docker push your-domain.com/your-image
    
  4. Handle Self-Signed Certificates:
    If using self-signed certificates, configure Docker clients to trust them:

    • Copy domain.crt to /etc/docker/certs.d/your-domain.com/ca.crt on every Docker host that will push to or pull from the registry (the directory name must match the host name used in image references).

3. Use Authentication for Access Control

Add authentication to secure the registry further.

Steps:
  1. Create a Password File:
    Use htpasswd to create a bcrypt-hashed password file. The registry accepts only bcrypt entries, so the -B flag is required; recent registry:2 images no longer ship the htpasswd binary, so run it from the httpd:2 image instead:

    docker run --rm --entrypoint htpasswd httpd:2 -Bbn username password > /path/to/auth/htpasswd
    
  2. Run the Registry with Authentication:
    Mount the password file and configure the registry:

    docker run -d -p 443:5000 --name registry \
      --restart=always \
      -v /path/to/registry/data:/var/lib/registry \
      -v /path/to/domain.crt:/certs/domain.crt \
      -v /path/to/domain.key:/certs/domain.key \
      -v /path/to/auth:/auth \
      -e REGISTRY_AUTH=htpasswd \
      -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
      registry:2
    
  3. Access the Registry with Authentication:
    Log in to the registry before pushing/pulling images:

    docker login your-domain.com
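
As an added check that is not part of the original post, the following Python script probes a registry configured as above: it verifies TLS against your domain.crt, confirms that anonymous requests to /v2/ and /v2/_catalog are rejected with a Basic challenge, and confirms that the htpasswd credentials are accepted. The registry URL, user name and password are placeholders you supply on the command line.

```python
"""Added preflight check: confirm a self-hosted registry enforces TLS and auth."""
import base64
import ssl
import sys
import urllib.error
import urllib.request


def make_fetch(ca_file):
    """Build fetch(url, headers) -> (status, headers) that trusts only ca_file.

    A TLS or host-name mismatch raises URLError; it is left to propagate,
    since a client that cannot verify the registry is itself a finding.
    """
    ctx = ssl.create_default_context(cafile=ca_file)

    def fetch(url, headers):
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                return resp.status, dict(resp.headers)
        except urllib.error.HTTPError as err:  # 401/403 are answers, not failures
            return err.code, dict(err.headers)

    return fetch


def basic_header(user, password):
    """Authorization header as `docker login` sends it for htpasswd auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def audit_registry(base_url, fetch, user, password):
    """Return {check_name: passed} for the registry's v2 API."""
    results = {}
    status, hdrs = fetch(base_url + "/v2/", {})
    challenge = {k.lower(): v for k, v in hdrs.items()}.get("www-authenticate", "")
    results["anonymous_rejected"] = status == 401
    results["basic_challenge"] = challenge.lower().startswith("basic ")
    status, _ = fetch(base_url + "/v2/_catalog", {})  # repository listing must not be open
    results["catalog_requires_auth"] = status == 401
    status, _ = fetch(base_url + "/v2/", basic_header(user, password))
    results["credentials_accepted"] = status == 200
    return results


if __name__ == "__main__":
    # Usage: python3 registry_audit.py https://your-domain.com /path/to/domain.crt username password
    url, ca, user, password = sys.argv[1:5]
    checks = audit_registry(url, make_fetch(ca), user, password)
    for name, ok in checks.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    sys.exit(0 if all(checks.values()) else 1)
```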
    

4. Add a Frontend (Optional)

For large enterprises, providing a user-friendly interface can be beneficial. Consider using a registry frontend like:


5. Scale and High Availability (Optional)

For large enterprises, ensure the registry is scalable and resilient.

Options:
  1. Cluster Setup:
    Use tools like Kubernetes or Docker Swarm to manage multiple registry instances.

  2. Object Storage Backend:
    Configure the registry to use object storage (e.g., MinIO, AWS S3, Alibaba OSS) for scalability:

    • Update config.yml for the registry (mounted into the container at /etc/docker/registry/config.yml); keep this file out of version control, since it carries the storage credentials:
      storage:
        s3:
          accesskey: <your-access-key>
          secretkey: <your-secret-key>
          region: <region>
          bucket: <bucket-name>
      

By self-hosting a private Docker registry, you gain full control over your images, avoid cloud service fees, and comply with organizational policies. This approach is scalable and cost-effective for enterprises.


Original article: https://blog.csdn.net/fareast_mzh/article/details/143844017