Building a Docker private registry is an important practice: it lets you store and manage Docker images securely without publishing them to the public Docker Hub. With a private registry you can:
- Improve security: images are stored in an environment you control.
- Improve efficiency: images are transferred over the company's internal network, which is faster.
- Automate: integrate with the CI/CD system to automate image management.
This article explains in detail how to build a Docker private registry in different environments and offers configuration and optimization suggestions.
1. How a Docker private registry works
A Docker private registry (Docker Registry) is a software application that stores and distributes Docker images. Docker officially provides an open source Docker Registry image that can easily be run locally or on a server.
Registry and Repository
- Registry: a service that stores and manages Docker images.
- Repository: a named collection of images within a Registry, such as nginx.
Image tags
- Tag: a label that points to a specific image, such as nginx:latest.
2. Build a Docker private registry
Method 1: Use Docker's official Registry image
Docker officially provides an open source Docker Registry image that can be used directly.
1. Pull and run the official Registry image
First, pull the official Registry image:
docker pull registry:2
Run the private registry:
docker run -d -p 5000:5000 --name my-registry registry:2
- -d: run the container in the background.
- -p 5000:5000: map port 5000 of the host to port 5000 of the container.
- --name my-registry: name the container my-registry.
2. Push an image to the private registry
Push a local image to the private registry.
Tag the image:
docker tag <IMAGE_ID> localhost:5000/my-image:latest
For example:
docker tag ubuntu:latest localhost:5000/ubuntu:latest
Push the image to the private registry:
docker push localhost:5000/ubuntu:latest
3. Pull an image from the private registry
On other Docker hosts, pull the image from the private registry:
docker pull localhost:5000/ubuntu:latest
Note: when accessing the private registry from another machine, replace localhost with the IP address or domain name of the machine on which the private registry runs.
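To make the tagging rule above concrete, here is an added example (not part of the original article) that parses image references the way the Docker client does and rewrites them for a target registry host, which is exactly what the docker tag step does before a push. The names parse_ref, retag_for and ImageRef are my own, and the host 192.168.1.10:5000 in the comments is a made-up value.

```python
"""Parse and re-target Docker image references.

Added example, not code from the article.  Assumes the reference grammar used
by the Docker CLI: [registry-host[:port]/]repository[:tag][@sha256:digest]."""
import re
from dataclasses import dataclass
from typing import Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str          # host[:port]; "docker.io" when none was given
    repository: str        # e.g. "library/ubuntu" or "myproject/my-image"
    tag: Optional[str]     # None when only a digest was given
    digest: Optional[str]  # "sha256:<64 hex>" or None

    def __str__(self) -> str:
        s = f"{self.registry}/{self.repository}"
        if self.tag:
            s += f":{self.tag}"
        if self.digest:
            s += f"@{self.digest}"
        return s


def parse_ref(ref: str) -> ImageRef:
    """Split a reference the way the Docker client does.

    The first path component counts as a registry host only if it contains
    a '.' or ':' or is exactly 'localhost'; otherwise the whole name is a
    Docker Hub repository ('library/' is implied for one-component names)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest}")
    parts = ref.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
    tag = None
    # Only a ':' after the last '/' is a tag separator; earlier ones are a port.
    last = path.rsplit("/", 1)[-1]
    if ":" in last:
        head = path[: len(path) - len(last)]
        name, tag = last.split(":", 1)
        path = head + name
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    if tag is None and digest is None:
        tag = "latest"
    return ImageRef(registry, path, tag, digest)


def retag_for(ref: str, registry: str) -> str:
    """Name to give `docker tag <ref> <name>` before pushing to `registry`.

    Digest pins are dropped (you push by tag); a missing tag becomes "latest",
    matching the article's examples."""
    r = parse_ref(ref)
    repo = r.repository
    if r.registry == "docker.io" and repo.startswith("library/"):
        repo = repo[len("library/"):]  # "library/" is a Docker Hub convention only
    return str(ImageRef(registry, repo, r.tag or "latest", None))


if __name__ == "__main__":
    # e.g. retag for a private registry on a made-up LAN host
    print(retag_for("ubuntu:latest", "192.168.1.10:5000"))
    print(parse_ref("192.168.1.10:5000/myproject/my-image:latest"))
```

One caveat worth knowing before moving the registry off localhost: the Docker daemon on the other host will refuse to talk plain HTTP to any registry other than localhost unless that host is listed under insecure-registries in its daemon.json, which is why the HTTPS configuration later in the article matters for any multi-host setup.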
4. Verify the images in the registry
Use curl to list the images stored in the registry:
curl http://localhost:5000/v2/_catalog
Returned result:
{ "repositories": [ "ubuntu" ] }
5. Use docker-compose to start the private registry
You can use docker-compose to simplify startup. Write the following docker-compose file:
version: '3'
services:
  registry:
    image: registry:2
    ports:
      - "5000:5000"
    volumes:
      - ./data:/var/lib/registry
Run docker-compose:
docker-compose up -d
Method 2: Use Harbor to build an enterprise-level private registry
Harbor is an open source enterprise-level Docker Registry that offers richer functionality, such as user management, access control and image replication.
1. Install Docker and Docker Compose
Make sure Docker and Docker Compose are installed on your system.
2. Download the Harbor installation package
Visit the Harbor official download page and download the latest version.
wget /goharbor/harbor/releases/download/v2.9.0/harbor-online-installer-v2.9.
Unzip the installation package:
tar xzvf harbor-online-installer-v2.9.
cd harbor
3. Configure Harbor
The harbor directory contains a configuration file. Configure it as needed:
hostname:   # Change to your domain name or IP
https:
  port: 443
  certificate: /your/certificate/path
  private_key: /your/private/key/path
harbor_admin_password: Harbor12345   # Set the administrator password
Note: make sure the domain name and certificate path are correct. A free SSL certificate can be obtained through Let's Encrypt.
4. Install and start Harbor
Run the following command to install and start Harbor:
./
Start the Harbor service:
docker-compose up -d
5. Access the Harbor Web UI
Open the Harbor address in a browser and log in with the configured administrator account. The default user name is admin and the password is the harbor_admin_password set in the configuration file.
6. Push an image to Harbor
Log in to Harbor:
docker login
Tag the image:
docker tag <IMAGE_ID> /myproject/my-image:latest
Push the image to Harbor:
docker push /myproject/my-image:latest
7. Pull an image from Harbor
On other machines, log in to Harbor and pull the image:
docker login
docker pull /myproject/my-image:latest
Method 3: Use GitLab Container Registry
GitLab provides an integrated Container Registry that can be used as a private Docker registry.
1. Install GitLab
Refer to the GitLab official documentation to install GitLab.
2. Enable Container Registry
Edit the GitLab configuration file /etc/gitlab/ and enable the Registry:
registry_external_url ''
Reconfigure GitLab:
gitlab-ctl reconfigure
3. Log in to GitLab Container Registry
docker login
4. Push an image to GitLab Container Registry
Tag the image:
docker tag <IMAGE_ID> /mygroup/myproject/my-image:latest
Push the image:
docker push /mygroup/myproject/my-image:latest
5. Pull the image from GitLab Container Registry
docker pull /mygroup/myproject/my-image:latest
3. Configure the security of the private registry
1. Protect the transport with HTTPS
In production environments it is strongly recommended to configure HTTPS for the Docker private registry so that data in transit is protected.
Generate a self-signed certificate
Use openssl to generate a self-signed certificate:
mkdir -p certs
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/ -x509 -days 365 -out certs/
The generation process prompts for the following information:
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Guangdong
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:admin@
Mount the certificate into the container:
docker run -d -p 5000:5000 --name my-registry \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ \
  -e REGISTRY_HTTP_TLS_KEY=/certs/ \
  registry:2
2. Configure authenticated access
The Docker private registry supports protecting access with Basic Auth.
Create the user and password file
Use htpasswd to create the user and password file:
apt-get install apache2-utils -y
htpasswd -cB htpasswd myuser
- myuser: the user name.
- You will be prompted to enter the password and confirm it.
Start the Registry with authentication
Mount the authentication file into the container:
docker run -d -p 5000:5000 --name my-registry \
  -v `pwd`/certs:/certs \
  -v `pwd`/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/ \
  -e REGISTRY_HTTP_TLS_KEY=/certs/ \
  registry:2
3. Configure the firewall
To keep the private registry secure, configure firewall rules that allow only specific IPs or subnets to reach it.
# Allow access from the 192.168.1.0/24 subnet
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 5000 -j ACCEPT
# Deny access from all other IPs
iptables -A INPUT -p tcp --dport 5000 -j DROP
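The plain and hardened docker run commands in this section differ only in their flags, so the hardening state of a registry can be read off the command line that started it. The following is an added example, not code from the article or the Docker project: it parses the -e and -v flags of a docker run line and reports whether TLS and htpasswd authentication are configured, and whether the files they point to are actually inside a mounted volume. The two command strings are constructed from the article's commands; the file names domain.crt and domain.key are placeholders for the certificate and key names the article leaves out.

```python
"""Audit the flags of a `docker run ... registry:2` command for the hardening
controls described in this section: a TLS listener, htpasswd Basic Auth, and
-v mounts that actually deliver the referenced files into the container.

Added example, not code from the article or the Docker project."""
import shlex
from typing import Dict, List, Tuple

# Constructed from the article's first, unauthenticated plain-HTTP command.
WEAK_CMD = "docker run -d -p 5000:5000 --name my-registry registry:2"

# Constructed from the article's hardened command.  domain.crt / domain.key are
# placeholder file names; the article leaves the real names out.
HARDENED_CMD = (
    "docker run -d -p 5000:5000 --name my-registry "
    "-v ./certs:/certs -v ./auth:/auth "
    "-e REGISTRY_AUTH=htpasswd "
    "-e 'REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm' "
    "-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd "
    "-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt "
    "-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key "
    "registry:2"
)


def parse_run_flags(cmd: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (-e KEY=VALUE settings, container-side paths of -v mounts)."""
    env: Dict[str, str] = {}
    mounts: List[str] = []
    argv = shlex.split(cmd)
    i = 0
    while i < len(argv):
        flag = argv[i]
        if flag in ("-e", "--env") and i + 1 < len(argv):
            key, _, value = argv[i + 1].partition("=")
            env[key] = value
            i += 2
        elif flag in ("-v", "--volume") and i + 1 < len(argv):
            _host, _, container = argv[i + 1].partition(":")
            mounts.append(container.split(":")[0])  # drop options such as ":ro"
            i += 2
        else:
            i += 1
    return env, mounts


def _mounted(path: str, mounts: List[str]) -> bool:
    """Is `path` inside one of the container-side mount points?"""
    return any(path == m or path.startswith(m.rstrip("/") + "/") for m in mounts)


def audit(cmd: str) -> List[str]:
    """Findings for one docker run line; an empty list means all controls are present."""
    env, mounts = parse_run_flags(cmd)
    findings: List[str] = []
    cert = env.get("REGISTRY_HTTP_TLS_CERTIFICATE")
    key = env.get("REGISTRY_HTTP_TLS_KEY")
    if not (cert and key):
        findings.append("no TLS: credentials and image layers travel in clear text")
    htpasswd = env.get("REGISTRY_AUTH_HTPASSWD_PATH")
    if env.get("REGISTRY_AUTH") != "htpasswd" or not htpasswd:
        findings.append("no authentication: anyone who can reach port 5000 can push and pull")
    for label, path in (("TLS certificate", cert), ("TLS key", key), ("htpasswd file", htpasswd)):
        if path and not _mounted(path, mounts):
            findings.append(f"{label} {path} is not inside any -v mount, the container cannot read it")
    return findings


if __name__ == "__main__":
    for name, cmd in (("weak", WEAK_CMD), ("hardened", HARDENED_CMD)):
        print(name, audit(cmd) or ["ok"])
```

The mount check catches the most common way the hardened command fails in practice: the htpasswd file has to end up inside the host directory mounted to /auth (here `pwd`/auth), otherwise the registry starts but rejects every login. Firewall rules such as the iptables lines above live outside the container and still have to be verified on the host.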
4. Manage and monitor the private registry
1. List the images in the registry
Use curl to list the images in the registry:
curl -u myuser:mypassword https://localhost:5000/v2/_catalog
2. View image tags
View the tags of a given image:
curl -u myuser:mypassword https://localhost:5000/v2/<repository>/tags/list
For example:
curl -u myuser:mypassword https://localhost:5000/v2/ubuntu/tags/list
3. Delete an image
Delete the manifest of a given image by its digest:
curl -X DELETE -u myuser:mypassword https://localhost:5000/v2/<repository>/manifests/<digest>
Get the digest:
curl -u myuser:mypassword -I -H "Accept: application/.v2+json" \
  https://localhost:5000/v2/<repository>/manifests/<tag>
For example:
curl -u myuser:mypassword -I -H "Accept: application/.v2+json" \
  https://localhost:5000/v2/ubuntu/manifests/latest
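As an added example (not from the article), the following code shows how to process the responses of the curl commands in this section and in the earlier _catalog check offline: it parses the catalog and tag list, reads Docker-Content-Digest from a HEAD response, verifies that the digest really is the SHA-256 of the manifest bytes (the registry is content-addressed, so a mismatch means the manifest was altered in transit or on disk), and builds the DELETE URL. All responses are constructed samples, and the manifest media type is assumed to be the standard schema-2 one that the article's truncated Accept header refers to.

```python
"""Offline handling of Docker Registry v2 API responses.

Added example, not code from the article.  Every response below is a
constructed sample of what the article's curl commands would return."""
import hashlib
import json
from typing import List, Optional

REGISTRY = "https://localhost:5000"  # the address used throughout the article

# Constructed sample bodies for /v2/_catalog and /v2/<repository>/tags/list.
CATALOG_BODY = '{"repositories":["ubuntu","myproject/my-image"]}'
TAGS_BODY = '{"name":"ubuntu","tags":["latest","22.04"]}'

# A minimal constructed schema-2 manifest; its digest is the SHA-256 of these
# exact bytes, which is what the registry reports in Docker-Content-Digest.
MANIFEST_MEDIA_TYPE = "application/vnd.docker.distribution.manifest.v2+json"
MANIFEST_BODY = json.dumps(
    {
        "schemaVersion": 2,
        "mediaType": MANIFEST_MEDIA_TYPE,
        "config": {
            "mediaType": "application/vnd.docker.container.image.v1+json",
            "size": 1469,
            "digest": "sha256:" + "11" * 32,  # placeholder config digest
        },
        "layers": [],
    },
    separators=(",", ":"),
).encode()


def sha256_digest(body: bytes) -> str:
    """Digest in the registry's "sha256:<hex>" form."""
    return "sha256:" + hashlib.sha256(body).hexdigest()


# Constructed `curl -I` response for /v2/ubuntu/manifests/latest.
HEAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    f"Content-Type: {MANIFEST_MEDIA_TYPE}\r\n"
    f"Docker-Content-Digest: {sha256_digest(MANIFEST_BODY)}\r\n"
    f"Content-Length: {len(MANIFEST_BODY)}\r\n"
    "\r\n"
)


def parse_catalog(body: str) -> List[str]:
    """Repository names from a /v2/_catalog response."""
    return list(json.loads(body)["repositories"])


def parse_tags(body: str) -> List[str]:
    """Tags from a tags/list response; the registry sends null for a repository without tags."""
    return list(json.loads(body)["tags"] or [])


def header_value(raw: str, name: str) -> Optional[str]:
    """Case-insensitive lookup of one header in a raw HEAD response."""
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                    # blank line ends the headers
            break
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def verify_manifest(raw_head: str, body: bytes) -> bool:
    """True when the server-reported digest matches the manifest bytes we hold."""
    return header_value(raw_head, "Docker-Content-Digest") == sha256_digest(body)


def delete_url(repository: str, digest: str) -> str:
    """URL for the DELETE request; manifests are deleted by digest, never by tag."""
    if not digest.startswith("sha256:") or len(digest) != len("sha256:") + 64:
        raise ValueError(f"not a digest reference: {digest}")
    return f"{REGISTRY}/v2/{repository}/manifests/{digest}"


if __name__ == "__main__":
    print("repositories:", parse_catalog(CATALOG_BODY))
    print("ubuntu tags:", parse_tags(TAGS_BODY))
    digest = header_value(HEAD_RESPONSE, "Docker-Content-Digest")
    print("digest verified:", verify_manifest(HEAD_RESPONSE, MANIFEST_BODY))
    print("delete with:", delete_url("ubuntu", digest))
```

Deleting by digest only succeeds if deletion is enabled in the registry configuration (storage.delete.enabled: true, or the REGISTRY_STORAGE_DELETE_ENABLED=true environment variable); otherwise the registry answers 405. Removing the manifest also frees no disk space until the garbage collection described below has run.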
4. Configure an image cleanup policy
Regularly clean up images and tags that are no longer used to save storage space. The Registry garbage-collection (GC) tool can be used for this.
Stop the Registry:
docker stop my-registry
Run garbage collection:
docker run --rm -v /var/lib/registry:/var/lib/registry registry:2 garbage-collect /etc/docker/registry/
Restart the Registry:
docker start my-registry
5. Use monitoring tools
Prometheus and Grafana can be used to monitor the performance and usage of the Registry.
5. Frequently Asked Questions and Solutions
1. The Docker client cannot connect to the private registry
- Check the network configuration and firewall rules of the private registry.
- Make sure the correct domain name or IP address is used.
- If a self-signed certificate is used, make sure the client trusts the certificate.
2. Pushing an image fails
- Check user permissions and the authentication configuration.
- Check whether the registry's storage is full.
- Make sure the Docker client version is compatible with the Registry version.
3. Image pulls are slow
- Use a CDN or an image acceleration service.
- Configure a caching proxy to reduce repeated downloads.
Summary
After reading this article you should have mastered the basic steps and configuration methods for building a Docker private registry. Whether you use the official Docker Registry image or the more powerful Harbor or GitLab Container Registry, a private registry brings greater security and efficiency to your image management.