Howto Setup Docker Private Registry with Basic HTTP Auth Support

In this post let's see how to set up a docker private registry (ver 2.x) with TLS and HTTP basic authentication on an OpenPower server running the RHEL 7.1 LE Linux distribution. Apart from the RHEL-specific registry package installation step, the instructions work for most other Linux distributions (Ubuntu, Fedora, etc.) running on either Intel or OpenPower servers.

Install Docker Private Registry Package on RHEL LE
Pre-compiled packages for docker and docker-registry (ver 2.1) for RHEL 7.1 LE are available from the Unicamp repository. Please note that these packages are provided on an as-is basis; with gpgcheck=0 in the repo definition below, yum will not verify package signatures, so only use this repository if you trust its source.

# cat > /etc/yum.repos.d/unicamp-docker.repo <<EOF
[unicamp-docker]
name=Unicamp Repo for Docker Packages
baseurl=http://ftp.unicamp.br/pub/ppc64el/rhel/7_1/docker-ppc64el/
enabled=1
gpgcheck=0
EOF
# yum install -y docker-distribution

Install Docker Private Registry on other Linux Distributions
On RHEL for Intel servers and on Fedora for Intel and OpenPower servers, the registry ver 2.x package is named docker-distribution.
On Ubuntu for Intel and OpenPower, the registry ver 2.x package is named docker-registry. Please install the respective package for your distribution.
The remaining instructions are the same across distributions and servers.

Configure Storage
First, create a directory to store the images. It can be created on any mount point on the designated server, backed by either local or external disk.
In this example, /data/ is a separate partition on the disk which will be used for storing docker images.

# mkdir /data/registry_data

Create an HTTP access control file using the 'htpasswd' command. The following commands install the httpd-tools package, which contains the htpasswd tool, and create the file registry_passwd with an entry for the user 'regimguser'. Replace the file name and user name as per your requirements. The option '-B' selects bcrypt hashing for the stored password (without it, htpasswd falls back to a weaker MD5-based scheme), and '-c' creates the file.

# yum install -y httpd-tools 
# mkdir -p /etc/registry/
# htpasswd -Bc /etc/registry/registry_passwd regimguser

Note that htpasswd is available as part of httpd-tools package on RHEL based systems and apache2-utils on Ubuntu based systems.

Create Registry Configuration File
The following is the config file used in this example setup on RHEL. The 'auth.htpasswd' section points the registry at the password file created above, so every request must present valid credentials.

# cat /etc/registry/config.yml
version: 0.1
storage:
  filesystem:
    rootdirectory: /data/registry_data
  delete:
    enabled: true
http:
  addr: registry.kube.com:5000
auth:
  htpasswd:
    realm: basic-realm
    path: /etc/registry/registry_passwd

Secure Registry using TLS

Create a self-signed certificate for securing the registry with TLS and copy it to all docker hosts. Use the registry FQDN (registry.kube.com in this example) as the CN when generating the certificate, because the docker client verifies the certificate against the host name it connects to.

# mkdir /certs/
# openssl req  -newkey rsa:4096 -nodes -sha256 -keyout /certs/domain.key  -x509 -days 365 -out /certs/domain.crt
Generating a 4096 bit RSA private key
..........................................................................................++
[snip]

Copy the certificate to all the docker hosts and place it under the path shown below. The directory name must match the host:port that docker will use to reach the registry.

# mkdir -p /etc/docker/certs.d/registry.kube.com:5000/
# cp domain.crt /etc/docker/certs.d/registry.kube.com:5000/ca.crt

Trust the certificate at the OS level and update the CA list. The instructions vary between Linux distributions.

On RHEL and Fedora perform the following steps:

# cp domain.crt /etc/pki/ca-trust/source/anchors/registry.kube.com.crt
# update-ca-trust

On Ubuntu perform the following steps:

# cp domain.crt /usr/local/share/ca-certificates/registry.kube.com.crt
# update-ca-certificates

Restart the docker daemon.

# service docker restart

Start the Registry Server

On RHEL, start the registry server using the following command line:

# REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt  REGISTRY_HTTP_TLS_KEY=/certs/domain.key screen -dmS registry registry /etc/registry/config.yml

The REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY values can also be specified in the registry configuration file under 'http.tls', which avoids having to set them on every start. Given below is a sample configuration:

# cat /etc/registry/config.yml
version: 0.1
storage:
  filesystem:
    rootdirectory: /data/registry_data
  delete:
    enabled: true
http:
  addr: registry.kube.com:5000
  host: https://registry.kube.com:5000
  tls:
      certificate: /certs/domain.crt
      key: /certs/domain.key
auth:
  htpasswd:
    realm: basic-realm
    path: /etc/registry/registry_passwd

Start the registry server using the following command line:

# screen -dmS registry registry /etc/registry/config.yml

On Ubuntu systems, the registry binary is named docker-registry. Further, Ubuntu also ships a service definition file, so you can make the configuration changes to the default registry configuration file found in /etc/docker/registry/config.yml and restart the docker-registry service.

# service docker-registry restart

Alternatively, you can run it in a screen session as shown above for RHEL, using docker-registry as the binary name instead of registry.

# screen -dmS registry docker-registry /etc/registry/config.yml

From any docker host, verify that you can log in. Use the user ID and password that were created with the htpasswd tool.

# docker login https://registry.kube.com:5000

You are now all set to use docker private registry in your environment.
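As an added example (not part of the original post, nor the registry project's own tooling), the script below bundles the checks a practitioner would run after this setup: that every htpasswd entry really uses bcrypt, that the certificate names the registry FQDN, that the config enables htpasswd auth with TLS (from the file or from the REGISTRY_HTTP_TLS_* variables), and a live check that /v2/ rejects anonymous requests and accepts the htpasswd user. It assumes the paths and FQDN used in this post; the sample htpasswd contents are constructed placeholders.

```shell
#!/bin/sh
# Added post-setup checks for the registry described in this post; not code from
# the post or from the registry project. Paths and FQDN are the ones used above.
set -eu

# 1. Every htpasswd entry must be bcrypt ($2y$..., what "htpasswd -B" writes).
#    Entries made without -B (apr1 MD5 or crypt) are weaker and get flagged.
check_htpasswd_bcrypt() {  # $1 = htpasswd file
    awk -F: 'NF != 2 || $2 !~ /^\$2[aby]\$[0-9][0-9]\$/ { bad = 1 }
             END { if (NR == 0) bad = 1; exit bad }' "$1"
}

# 2. The certificate must name the registry FQDN as CN or SAN: docker compares
#    the name it dials (registry.kube.com) against the certificate it receives.
check_cert_name() {  # $1 = cert file, $2 = expected FQDN
    openssl x509 -in "$1" -noout -text | grep -Eq "(CN *= *|DNS:)$2( *,|\$)"
}

# 3. The config must enable htpasswd auth. TLS may come from the config's
#    http.tls block or from the REGISTRY_HTTP_TLS_* variables, so accept either.
check_config() {  # $1 = config.yml
    grep -Eq '^auth:' "$1" && grep -Eq '^  htpasswd:' "$1" || return 1
    grep -Eq '^  tls:' "$1" || [ -n "${REGISTRY_HTTP_TLS_CERTIFICATE:-}" ]
}

# 4. Live check from a docker host: /v2/ must answer 401 anonymously and 200
#    with the htpasswd user, over the CA copied into /etc/docker/certs.d.
check_registry_auth() {  # $1 = host:port, $2 = user, $3 = password
    ca="/etc/docker/certs.d/$1/ca.crt"
    anon=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ca" "https://$1/v2/")
    user=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ca" -u "$2:$3" "https://$1/v2/")
    [ "$anon" = 401 ] && [ "$user" = 200 ]
}

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

# Constructed sample htpasswd files (placeholder hashes, not real credentials):
# one written with -B, one with the default apr1 MD5 scheme.
GOOD=$(mktemp); printf 'regimguser:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234\n' > "$GOOD"
WEAK=$(mktemp); printf 'regimguser:$apr1$saltsalt$abcdefghijklmnopqrstuv\n' > "$WEAK"
report check_htpasswd_bcrypt "$GOOD"   # PASS
report check_htpasswd_bcrypt "$WEAK"   # FAIL: regenerate the entry with htpasswd -B
rm -f "$GOOD" "$WEAK"

# Checks against the real files; run on the registry host and on a docker host.
[ -f /etc/registry/config.yml ] && report check_config /etc/registry/config.yml
[ -f /certs/domain.crt ] && report check_cert_name /certs/domain.crt registry.kube.com
```

Run check_registry_auth registry.kube.com:5000 regimguser '<password>' from a docker host after the registry is up; a 200 for the anonymous request means auth is not being enforced.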

Pradipta Kumar Banerjee

I'm a Cloud and Linux/ OpenSource enthusiast, with 16 years of industry experience at IBM. You can find more details about me here - Linkedin
