How to set up a private docker registry

  devops

On the registry server, which sits on the internal network and is reached over plain HTTP on port 5000, start the registry with:

docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry \
  -v /srv/registry:/var/lib/registry \
  registry:2

or, to require authentication, do this instead:

cd ~
mkdir registry
cd registry/
mkdir auth
docker run --entrypoint htpasswd registry:2 -Bbn myusernamehere mysecretpasswordhere > auth/htpasswd
cat auth/htpasswd
docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry_private \
  -v "$(pwd)/auth:/auth" \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  -v /srv/registry:/var/lib/registry \
  registry:2

(change only myusernamehere and mysecretpasswordhere)
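As an added example (not part of the original post), the following POSIX shell function sanity-checks auth/htpasswd before it is mounted into the container. The registry's htpasswd backend accepts bcrypt hashes only, which is what the -B flag above produces; an entry in any other format (for example MD5 from htpasswd -m) is ignored by the registry, so that user can never log in and the client only ever sees a failed login. The function also reports malformed lines, duplicate users and a world-readable file. The file path is an assumption matching the layout above.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check auth/htpasswd before
# mounting it into the registry container.  The registry's htpasswd backend
# accepts bcrypt hashes only ($2a$/$2b$/$2y$, which is what htpasswd -B writes);
# an entry in any other format is ignored, so that user can never log in.
# Usage: check_htpasswd auth/htpasswd    (exit 0 = ok, 1 = problems reported)

check_htpasswd() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "$f: no such file" >&2
        return 1
    fi
    # A credential file readable by everyone on the host is a finding in itself.
    if find "$f" -perm -004 | grep -q .; then
        echo "$f: world-readable; chmod 600 it" >&2
        rc=1
    fi
    seen=" "
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;        # blank line or comment
        esac
        user=${line%%:*}
        hash=${line#*:}
        if [ "$user" = "$line" ] || [ -z "$user" ] || [ -z "$hash" ]; then
            echo "$f:$n: malformed entry, expected user:hash" >&2
            rc=1
            continue
        fi
        case "$hash" in
            '$2a$'*|'$2b$'*|'$2y$'*) ;;  # bcrypt, the only format the registry accepts
            *) echo "$f:$n: user '$user' is not bcrypt-hashed; regenerate with htpasswd -Bbn" >&2
               rc=1 ;;
        esac
        case "$seen" in
            *" $user "*) echo "$f:$n: duplicate user '$user'" >&2; rc=1 ;;
        esac
        seen="$seen$user "
    done < "$f"
    return $rc
}
```

Run it as check_htpasswd auth/htpasswd right after the htpasswd command; a non-zero exit with the reasons on stderr means the file should be regenerated before the registry container is started.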

Once you’ve created the registry, leave that server and go to another server and try to log in:

docker login registry.research.example.com
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /home/myusernamehere/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

On the gateway server, have TLS set up correctly. The nginx site file for the registry looks like this:

cat registry.research.example.com
server {
#       listen 80;
#       listen   [::]:80 ipv6only=on;
    listen 443 ssl;
    listen [::]:443;
    ssl_certificate /etc/letsencrypt/live/registry.research.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/registry.research.example.com/privkey.pem;
    include /etc/nginx/snippets/ssl.conf;
    client_max_body_size 999M;

    server_name registry.research.example.com;

    # docker registry on gamma: docker run -d -p 5000:5000 --restart=always --name registry registry:2
    location / {
        proxy_pass                         http://10.1.10.123:5000;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP         $remote_addr;
    }
}

# force 80 to go to 443 SSL
server {
    listen 80;
    server_name registry.research.example.com;
    return 301 https://$host$request_uri;
}

Having the proper proxy_set_header directives, either in the gateway server or, if you use GitLab’s registry, in the GitLab config files, is important; it eliminates the unknown blob error.

For example, a push through a gateway that lacks them fails like this:

docker push registry.research.example.com/helloworld
The push refers to repository [registry.research.example.com/helloworld]
a464c54f93a9: Pushing [==================================================>]  5.533MB/5.533MB
unknown blob
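As an added example (not part of the original post), here is a small POSIX shell lint that checks an nginx site file for the settings shown in the configuration above. It strips comments first, so a commented-out listen 80 or header line is not mistaken for an active one, and its exit status is the number of missing settings, which makes it usable from a deployment check. The path and the exact list of expected directives are assumptions based on the configuration above.

```shell
#!/bin/sh
# Added example, not from the original post: lint an nginx site file for the
# settings the registry proxy needs.  The registry derives the upload URLs it
# hands back to the client from the Host and X-Forwarded-Proto headers it
# receives, so a gateway that does not forward them is the usual cause of the
# "unknown blob" error on push; a small client_max_body_size rejects large
# layers with HTTP 413 instead.
# Usage: lint_registry_proxy /etc/nginx/sites-enabled/registry.research.example.com
#        exit status = number of missing settings (0 = all present)

# Print the file with comments removed, so a commented-out "listen 80" or
# header line is not mistaken for an active one.
_active_lines() {
    sed 's/#.*$//' "$1"
}

lint_registry_proxy() {
    conf=$1
    missing=0
    [ -f "$conf" ] || { echo "$conf: no such file" >&2; return 1; }
    body=$(_active_lines "$conf")
    # Each entry is "<extended regex>|<description shown when absent>".
    for want in \
        'listen[[:space:]]+443[[:space:]]+ssl|listen 443 ssl' \
        'ssl_certificate[[:space:]]|ssl_certificate' \
        'ssl_certificate_key[[:space:]]|ssl_certificate_key' \
        'proxy_pass[[:space:]]+http://|proxy_pass to the registry backend' \
        'proxy_set_header[[:space:]]+Host[[:space:]]+\$http_host|proxy_set_header Host $http_host' \
        'proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]+\$scheme|proxy_set_header X-Forwarded-Proto $scheme' \
        'proxy_set_header[[:space:]]+X-Forwarded-For[[:space:]]|proxy_set_header X-Forwarded-For' \
        'client_max_body_size[[:space:]]|client_max_body_size (large layers otherwise get HTTP 413)' \
        'return[[:space:]]+301[[:space:]]+https://|port 80 to HTTPS redirect'
    do
        re=${want%%|*}
        desc=${want#*|}
        if ! printf '%s\n' "$body" | grep -Eq "$re"; then
            echo "$conf: missing: $desc" >&2
            missing=$((missing + 1))
        fi
    done
    return $missing
}
```

Run it against the site file before reloading nginx; each missing directive is named on stderr, and a zero exit means the gateway forwards everything the registry needs to build correct upload URLs.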

You can also check that the registry is reachable over HTTPS through the gateway by requesting the catalogue URL: https://registry.research.example.com/v2/_catalog

To list the tags of an image, use this URL (replace imagenamehere with the repository name): https://registry.research.example.com/v2/imagenamehere/tags/list
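As an added example (not part of the original post), the script below exercises those two URLs from a client machine with curl. It first confirms that anonymous requests to /v2/ are refused with 401 and that the configured credentials get 200, which catches a gateway that is not forwarding the Authorization header or a registry started without REGISTRY_AUTH; it then walks the catalogue page by page, following the Link header the registry returns when there are more repositories than the page size, and prints the tags of each repository. The hostname and credentials are the placeholders used earlier on the page, and the minimal JSON extraction relies on the fact that repository names and tags contain no quotes, commas or brackets.

```shell
#!/bin/sh
# Added example, not from the original post: exercise the registry's HTTP API
# from a client machine to confirm that anonymous requests are refused, that
# the configured credentials are accepted, and to list repositories and tags.
# Assumes curl and a registry reachable over HTTPS via the gateway; the
# hostname and credentials are the placeholders used earlier on the page.
# Run as:  sh registry_check.sh run

REGISTRY=${REGISTRY:-https://registry.research.example.com}
CREDS=${CREDS:-myusernamehere:mysecretpasswordhere}
PAGE=100   # catalogue page size; the registry paginates with a Link header

# HTTP status code for GET <path>, optionally with basic-auth user:pass.
_status() {
    if [ -n "${2:-}" ]; then
        curl -sS -o /dev/null -w '%{http_code}' -u "$2" "$REGISTRY$1"
    else
        curl -sS -o /dev/null -w '%{http_code}' "$REGISTRY$1"
    fi
}

# Pull the strings out of the JSON array under <key>, one per line.
# Deliberately tiny: registry names and tags contain no quotes, commas or
# brackets, so this covers the two responses used here without needing jq.
_json_strings() {   # _json_strings <key> <json>
    printf '%s\n' "$2" \
      | sed -e "s/.*\"$1\":\[//" -e 's/\].*//' \
      | tr ',' '\n' | sed -e 's/"//g' -e '/^$/d'
}

# Next-page path from a Link header line, e.g.
#   Link: </v2/_catalog?last=helloworld&n=100>; rel="next"
# Prints nothing when the header is absent or is not a "next" link.
next_link() {
    printf '%s\n' "$1" \
      | sed -n 's/^[Ll]ink:[[:space:]]*<\([^>]*\)>;[[:space:]]*rel="next".*/\1/p'
}

# Walk /v2/_catalog following Link headers until the last page.
list_repositories() {
    path="/v2/_catalog?n=$PAGE"
    while [ -n "$path" ]; do
        hdr=$(mktemp)
        body=$(curl -sS -u "$CREDS" -D "$hdr" "$REGISTRY$path")
        _json_strings repositories "$body"
        path=$(next_link "$(grep -i '^link:' "$hdr" | tr -d '\r')")
        rm -f "$hdr"
    done
}

list_tags() {   # list_tags <repository>
    _json_strings tags "$(curl -sS -u "$CREDS" "$REGISTRY/v2/$1/tags/list")"
}

# Anonymous /v2/ must be 401 (with a WWW-Authenticate: Basic challenge);
# with credentials it must be 200.  Anything else means auth is not enforced
# or the gateway is not passing the Authorization header through.
check_registry() {
    anon=$(_status /v2/)
    auth=$(_status /v2/ "$CREDS")
    echo "anonymous    GET /v2/ -> HTTP $anon (want 401)"
    echo "with creds   GET /v2/ -> HTTP $auth (want 200)"
    [ "$anon" = 401 ] && [ "$auth" = 200 ]
}

if [ "${1:-}" = run ]; then
    check_registry || exit 1
    list_repositories | while read -r repo; do
        printf '%s: %s\n' "$repo" "$(list_tags "$repo" | tr '\n' ' ')"
    done
fi
```

Override REGISTRY and CREDS in the environment to point at your own gateway; if the anonymous check returns 200 the registry is open to anyone who can reach the gateway, and if the authenticated check returns 401 the credentials or the htpasswd file are wrong.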