Docker Registry
A Docker registry is a service for storing and distributing Docker images (OCI images). Public registries like Docker Hub are common, but private registries offer more control and security. By using a registry, you can version images, enforce access policies, and simplify deployment, making it a key part of your infrastructure.
If you only have one Docker server, running your own registry may not be worth the effort. You may still want to run one for any of these reasons:
- You have multiple Docker servers and you want an image cache that they can all share.
- You have built your own custom images that you want to distribute.
- You want to run faasd and need a place to store your function container images.
- You want to store images for any reason.
Configure registry
pi make registry config
Configure the registry hostname:
REGISTRY_TRAEFIK_HOST: Enter the registry domain name (eg. registry.example.com) : registry.pi.example.com
It is highly recommended to turn on HTTP Basic Authentication or Mutual TLS, in order to protect the registry from unauthorized use. Anyone who can push to an unauthenticated registry can replace the images your servers pull, so leaving it open is a supply-chain risk, not just a storage one. The hashed password shown below is in the Apache htpasswd APR1 (MD5-based) format, which is fast to brute-force offline, so use a long or generated passphrase rather than a short one:
? Do you want to enable sentry authorization in front of this app (effectively making the entire site private)?
  No
> Yes, with HTTP Basic Authentication
  Yes, with Oauth2
  Yes, with Mutual TLS (mTLS)
Enter the username for HTTP Basic Authentication : ryan
Enter the passphrase for ryan (leave blank to generate a random passphrase) : hunter2
Hashed password: ryan:$apr1$Rav9J1xZ$oKMnqMzcEequ6H2VBha6N0
Url encoded: https://ryan:hunter2@example.com/...
> Would you like to create additional usernames (for the same access privilege)? No
> Would you like to export the usernames and cleartext passwords to the file passwords.json? No
Install registry
pi make registry install
Add a new route on the sentry
sentry route set pi registry.pi.example.com
You may also create the route interactively through the Traefik config menu.
Configure Docker client
To use the registry, configure the docker client on the pi:
docker login registry.pi.example.com
Username: ryan
Password:
WARNING! Your password will be stored unencrypted in /home/ryan/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores

Login Succeeded
The warning is worth heeding: without a credential helper, docker stores the username and password base64-encoded (not encrypted) in config.json, where any process running as your user can read them. A credential helper such as docker-credential-pass or docker-credential-secretservice keeps the secret in the system keyring instead.
Test pushing an image:
Pull an image from the normal Docker registry for testing purposes:
docker pull docker.io/traefik/whoami:latest
Retag the image so that it belongs to your registry now:
docker tag docker.io/traefik/whoami:latest registry.pi.example.com/traefik/whoami:latest
docker push registry.pi.example.com/traefik/whoami:latest
The push refers to repository [registry.pi.example.com/traefik/whoami]
298b6a4a6489: Pushed
a1b937ed548c: Pushed
01d1702a867e: Pushed
latest: digest: sha256:c899811bc4a1f63a1273c612e15f1bea6514a19c7b08143dbbdef3e8f882c38d size: 948
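A successful push only proves that your own credentials work. The check a practitioner wants after this step is that the tag is really there and, just as important, that the sentry refuses anonymous requests. The script below is an added example, not code from the original page or from the project: it walks the Docker Registry HTTP API v2 endpoints (`/v2/`, `/v2/<name>/tags/list`, `/v2/<name>/manifests/<tag>`) with and without HTTP Basic credentials. The hostname, username, password and repository are assumptions taken from the walkthrough above; the `get` parameter is injectable so the logic can be exercised offline against a fake responder.

```python
"""Added example (not part of the original page or the project): confirm that a
pushed image is visible through the Registry HTTP API v2 and that anonymous
access to the registry is refused by the sentry in front of it.

Hostname, credentials and repository below are assumptions from the walkthrough.
"""
import base64
import json
import urllib.error
import urllib.request

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


def http_get(url, auth=None, timeout=10):
    """GET a URL and return (status, body_bytes).

    Error statuses (401, 404, ...) are returned like any other status instead of
    raising, so the caller can reason about them explicitly.
    """
    req = urllib.request.Request(url, headers={"Accept": MANIFEST_V2})
    if auth is not None:
        user, password = auth
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def audit_registry(host, repo, tag, auth, get=http_get):
    """Return a dict of findings about one repository on a registry.

    `get` is injectable (see the offline test); the default performs real HTTPS
    requests against the registry.
    """
    base = f"https://{host}/v2/"
    findings = {}

    # 1. The version-check endpoint must NOT be readable without credentials.
    status, _ = get(base)
    findings["anonymous_rejected"] = status in (401, 403)

    # 2. With credentials, list the tags of the repository we pushed.
    status, body = get(f"{base}{repo}/tags/list", auth)
    tags = []
    if status == 200:
        tags = json.loads(body).get("tags") or []
    findings["tags"] = tags
    findings["tag_present"] = tag in tags

    # 3. The manifest for that tag must be retrievable (the push completed).
    status, _ = get(f"{base}{repo}/manifests/{tag}", auth)
    findings["manifest_ok"] = status == 200

    findings["ok"] = all((findings["anonymous_rejected"],
                          findings["tag_present"],
                          findings["manifest_ok"]))
    return findings


if __name__ == "__main__":
    # Assumed values from the walkthrough; replace with your own.
    result = audit_registry("registry.pi.example.com", "traefik/whoami", "latest",
                            ("ryan", "hunter2"))
    for key, value in result.items():
        print(f"{key}: {value}")
```

If `anonymous_rejected` comes back False, the sentry is not in front of the registry route (or the route was not applied), and you should fix that before pushing anything you care about. Traefik's basic-auth middleware answers unauthenticated requests with 401; a registry exposed without it answers `/v2/` with 200.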
Configure Docker client for Mutual TLS
If you choose the mTLS sentry authorization with step-ca, you can configure your docker client to use your client certificate and key:
On the client computer:
- Create a directory under /etc/docker/certs.d matching the registry hostname (e.g., /etc/docker/certs.d/registry.pi.example.com/). The directory name must match the host exactly as you use it in docker login and in your image tags, including a :port suffix if the registry is not served on port 443.
- Copy three files into the new directory:
  - ca.crt - the Step-CA public CA cert.
  - client.cert - the client's public cert.
  - client.key - the client's private key.
Restrict access by IP address
In addition to (or in lieu of) sentry authorization, you can restrict access by source IP address. By default the access is allowed to 0.0.0.0/0 which allows all traffic. Note that the check applies to the source address as seen by Traefik: if clients reach it through another proxy or a NAT hop, Traefik sees that hop's address, not the original client's. For example, you may restrict access to only a specific list of subnets:
pi make registry reconfigure var=REGISTRY_IP_SOURCERANGE=192.168.1.10/24,10.13.13.10/32
Make sure to re-install after any config change:
pi make registry install
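Before reconfiguring, it helps to dry-run the source range against the addresses you expect to see. The script below is an added example, not code from the original page or the project: it evaluates a comma-separated sourcerange list exactly as written in the command above, using CIDR containment. It assumes (as the page implies) that REGISTRY_IP_SOURCERANGE feeds a Traefik IP allow-list, whose Go `net.ParseCIDR` accepts a host address with a mask such as 192.168.1.10/24 and treats it as 192.168.1.0/24; the `strict=False` parse below mirrors that. The client addresses are constructed for illustration.

```python
"""Added example (not part of the original page or project): evaluate a
REGISTRY_IP_SOURCERANGE list against client addresses before applying it.

Assumption: the list is applied as CIDR containment by a Traefik IP allow-list.
"""
import ipaddress


def parse_sourcerange(value):
    """Parse "a/8,b/32,c" into network objects.

    strict=False tolerates set host bits (192.168.1.10/24 -> 192.168.1.0/24), the
    same normalisation Go's net.ParseCIDR applies; a bare address becomes a /32
    (or /128 for IPv6). Empty items from a trailing comma are ignored.
    """
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_allowed(client_ip, sourcerange):
    """True if client_ip lies inside any network of the sourcerange list.

    Containment never crosses address families: an IPv6 client is not covered
    by 0.0.0.0/0, so a dual-stack deployment needs ::/0 (or specific v6 ranges)
    in the list as well.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_sourcerange(sourcerange))


def dry_run(sourcerange, clients):
    """Return {client: allowed} for a batch of addresses."""
    return {client: is_allowed(client, sourcerange) for client in clients}


if __name__ == "__main__":
    allow = "192.168.1.10/24,10.13.13.10/32"   # the value from the page
    # Constructed sample clients: one per subnet, one just outside, one Internet host.
    sample = ["192.168.1.77", "10.13.13.10", "10.13.13.11", "203.0.113.9"]
    for client, ok in dry_run(allow, sample).items():
        print(f"{client:>15} -> {'allowed' if ok else 'denied'}")
```

The IPv6 case is the one that bites in practice: if the Pi is reachable over IPv6, a list that only contains 0.0.0.0/0 or IPv4 subnets denies every IPv6 client, so add the matching v6 ranges or confirm with your Traefik version how it treats them.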