Docker tutorials sinhala
DevOps Red hat linux

Deploy a Docker registry server with Authentication

Prabath ThalangamaComment(0)

Before you can deploy a registry, you need to install Docker on the host. A registry is an instance of the registry image, and runs within Docker.

Install docker service with bellow commands.

dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
dnf install -y docker-ce --nobest
systemctl enable --now docker
dockerstatus=`systemctl status docker | grep "active (running)"`
echo "Docker Service Status = $dockerstatus"

Run a local registry

docker pull registry
docker run -d -p 5000:5000 --restart=always --name registry registry:2

Secure Docker Private Registry

By default, Docker node uses a secure connection over TLS to upload or download images to or from the private registry. You can use TLS certificates signed by CA or self-signed on Registry server.

Here, I will use a self-signed certificate for securing Docker Registry. Let’s create a self-signed certificate using the following command.

[root@registry ~]# mkdir -p /certs

[root@registry ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /certs/ca.key -x509 -days 365 -out /certs/ca.crt

Generating a 4096 bit RSA private key
............................................++
.....................................................................................................++
writing new private key to '/certs/ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:LK
State or Province Name (full name) []:Western Province
Locality Name (eg, city) [Default City]:Colombo
Organization Name (eg, company) [Default Company Ltd]:Sysadmin.lk
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:dockerhub.sysadmin.lk
Email Address []:inbox@sysadmin.lk

Start Docker registry container with certificate information.

docker run -d -p 443:5000 --restart=always --name dockerhub -v docker-registry:/var/lib/registry -v /certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ca.crt -e REGISTRY_HTTP_TLS_KEY=/certs/ca.key registry:latest

Allow ports on Firewall service
If your Docker Registry is on CentOS 7,8 or 9

[root@registry ~]# firewall-cmd --permanent --add-port=80/tcp
[root@registry ~]# firewall-cmd --permanent --add-port=443/tcp
[root@registry ~]# firewall-cmd --reload

Set up Authentication for a Private Registry
Docker allows us to store the images locally on a centralized server, but sometimes, it’s necessary to protect the images from external abuse. In that case, we’ll need to authenticate the registry with the basic htpasswd authentication.

Let’s first create a separate directory to store the Docker registry credentials and let’s run an httpd container to create a htpasswd protected user with a password:

docker run --entrypoint htpasswd httpd:2 -Bbn Prabath Password@123 > /usr/certs/users

Now, let’s run the same Docker registry container using the auth/htpasswd authentication file:

docker run -d -p 443:5000 --restart=always --name dockerhub -v docker-registry:/var/lib/registry -v /usr/certs:/usr/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/usr/certs/ca.crt -e REGISTRY_HTTP_TLS_KEY=/usr/certs/ca.key  -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/usr/certs/users registry: latest

Since the Docker registry is running with the basic authentication, we can now test the login using:

$ docker login  localhost-u Prabath -p Password@123
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded

Create and upload a Docker Image to a Private Registry server

NOTE: If the image name does not match with given format then docker push or pull command will try to upload or download the image from the public registry, not from the private registry.

To rename the docker image use docker tag command.

root@build:~# docker tag nginx:v1 dockerhub.sysadmin.lk/nginx:v1

Upload a Docker Image
Depends on the communication mode (Secure or Non-Secure) of Docker Registry, follow any one of the below methods.

Non-Secure (Plain Http Registry)
Edit/Create the file “daemon.json” in “/etc/docker/” directory.

root@build:~# vi /etc/docker/daemon.json

{
  "insecure-registries" : ["dockerhub.sysadmin.lk"]
}

If you are using Secure (Self-signed) certificate, you have to follow below steps.

mkdir /etc/docker/certs.d/dockerhub.sysadmin.lk/ && cd /etc/docker/certs.d/dockerhub.sysadmin.lk/
scp root@dockerhub.sysadmin.lk:/usr/certs/ca.crt .

In both cases, you would need to restart the Docker engine service.

systemctl restart docker

now you can upload a Docker Images as below.

root@build:~# docker push dockerhub.sysadmin.lk/nginx:v1

Download the docker image to private registry server using the following command.

[root@deploy ~]# docker pull dockerhub.sysadmin.lk/nginx:v1

Docker Registry API – Listing
At the time of writing, V2 is the current version of the Registry API. Let’s explore how to use it to list images and tags from a remote registry.

Let’s assume we have a registry deployed at the URL https://my-registry.io. We’ll use curl to execute the HTTP requests.

$ curl -X GET my-registry.io/v2/_catalog
{"repositories":["centos","ubuntu"]}

We should note that authentication may be required to access certain repositories if it has been enabled. In such cases, we can pass in the username and password as parameters to the curl command using the -u option.

$ curl -u user:password -X GET my-registry.io/v2/_catalog 
{"repositories":["centos","ubuntu"]}

Listing Tags

The method to list tags is similar to the v2 API. However, the output is different in this case:

$ curl -X GET https://registry.hub.docker.com/v1/repositories/baeldung/mesos-marathon-demo/tags
[{"layer": "", "name": "32"}, {"layer": "", "name": "33"}, {"layer": "", "name": "34"}]

As we can see, instead of a single array of tags, we have an array of objects. Each object includes the name of the tag and the layer ID of the image.

If needed, we can convert the response to an array. To do so, let’s pipe the output into the jq command and parse the JSON:

$ curl -s GET https://registry.hub.docker.com/v1/repositories/baeldung/mesos-marathon-demo/tags | jq -r '[.[].name]'
[
  "32",
  "33",
  "34"
]

Let’s understand the jq command and expressions used here:

  • The -r flag returns the output as raw text.
  • The expression .[].name returns the name property from each object from the curl output.
  • The square brackets [] around the expression indicate that we want to collect the output in an array.

Finally, the -s flag used with the curl command is required to suppress the progress bar output.

Loading

Prabath Thalangama
Web: sysadmin.lk
Email: inbox [at] sysadmin.lk
LinkedIn: https://www.linkedin.com/in/prabatht
Facebook: https://www.facebook.com/prabath.hinoize

Related Articles

Sysadmin profile picture
Kubernetes Red hat linux

Deploy NGINX Ingress Controller on AKS Kubernetes using Helm

Prabath Thalangama

Step 1 – Allocate Public IP for Ingress The following command will allocate Public IP : az network public-ip create –resource-group [resource-group] –name [name for public IP] –sku Standard –allocation-method static –query publicIp.ipAddress -o tsv Step 2 – Install NGINX Ingress Controller using Helm An ingress controller, because it is a core component of Kubernetes, […]

Loading
Red hat linux

Docker Cheat Sheet

Prabath Thalangama

Docker Terms This section defines some of the most useful Docker terms. Docker Image: A set of read-only files. These files are a part of an operating system that is required to run a Docker container. Dockerfile: A simple text file that contains all the commands a user could call in the command line to […]

Loading

Securing Asterisk IP-PBX with Fail2Ban
Asterisk Red hat linux

Securing Asterisk IP-PBX with Fail2Ban

Prabath Thalangama

What is Fail2Ban? Any service that is exposed to the internet is susceptible to attacks from malicious parties. If your service requires authentication, illegitimate users and bots will attempt to break into your system by repeatedly trying to authenticate using different credentials. A common example of this is with SSH, which will be the subject […]

Loading

Leave a Reply

Your email address will not be published. Required fields are marked *