How to deploy a self-hosted Docker registry with self-signed certificates – TechRepublic

Jack Wallen walks you through the process of deploying a self-hosted Docker registry and how to access it from a remote machine.
When you need a Docker registry hosted on your LAN and you don’t want to go through the trouble of purchasing certificates from a Certificate Authority, what do you do? You deploy a registry using self-signed certificates.
Although that process is a bit more complicated, it’s not so challenging that any IT admin can’t pull it off.
And I’m going to show you just how to do it.
To make this work, you’ll need at least two machines, both of which have Docker installed. I’m going to demonstrate on Ubuntu Server 20.04 and Pop!_OS desktop. If you’re using a different operating system, you’ll need to alter the process accordingly.
The first thing we’re going to do is create some directories to house the repository and the necessary certificates. I’m going to demonstrate this in my user’s home directory, but you can place them in any directory to which your user has access.
Create the base directory with:
mkdir ~/registry
Create the two subdirectories with:
mkdir ~/registry/certs
mkdir ~/registry/auth
Change into the certs directory with:
cd ~/registry/certs
Generate a private key with:
openssl genrsa 2048 > domain.key
Change the permissions for the new key with:
chmod 400 domain.key
Next, we need to generate our certificate. However, because of the way the authorization process now works, we must first create a san.cnf file with:
nano san.cnf
In that file, paste the following contents (making sure to edit accordingly):
[req]
default_bits  = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = XX
stateOrProvinceName = N/A
localityName = N/A
organizationName = Self-signed certificate
commonName = 120.0.0.1: Self-signed certificate
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]

IP.1 = 192.168.1.191
Make sure to change (at least) IP.1 = to match the IP address of your hosting server.
Save and close the file.
Generate the certificate with:
openssl req -new -x509 -nodes -sha256 -days 365 -key domain.key -out domain.crt -config san.cnf
Change into the auth directory with:
cd ../auth
We now must pull down the registry container and have it generate an htpasswd file. This is done with the command:
docker run --rm --entrypoint htpasswd registry:2.7.0 -Bbn USERNAME PASSWORD > htpasswd
Where USERNAME is a unique username and PASSWORD is a unique/strong password.
It’s now time to deploy the registry server. Change back to the base registry directory with:
cd ~/registry
Deploy the registry container with the command:
docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/auth:/auth \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_AUTH=htpasswd \
  -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry:2.7.0
Your registry should now be running and accessible from the local machine. If, however, you want to access it from a remote system, we need to add a ca.crt file. You need to copy the contents of the ~/registry/certs/domain.crt file.
Log into your second machine and create a new directory with:
sudo mkdir -p /etc/docker/certs.d/SERVER:443
Where SERVER is the IP address of the machine hosting the registry.
Create the new file with:
sudo nano /etc/docker/certs.d/SERVER:443/ca.crt
Where SERVER is the IP address of the machine hosting the registry.
Paste the contents from the domain.crt file (from the hosting server) into this new file. Save and close the file.
From the second machine, open a terminal window and log into your new Docker registry with the command:
docker login -u USER https://SERVER:443
Where USER is the user you added when you generated the htpasswd file above and SERVER is the IP address of the machine hosting the registry.
You should be prompted for a password. Upon successful authentication, you’ll see Login Succeeded.
Congratulations, you’re now able to use that self-hosted Docker registry for your container images.
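An added check, not part of the original article: before copying domain.crt to clients as ca.crt, audit its text dump for an RSA key under 2048 bits, an MD5 or SHA-1 signature, and a missing IP entry in the subject alternative name. The function name audit_cert_text, the finding labels and the embedded sample dump are constructed for illustration.

```shell
#!/bin/sh
# audit_cert_text EXPECTED_IP  (hypothetical helper, not from the article)
# Reads `openssl x509 -noout -text` output on stdin, prints the findings on
# one line, and returns 0 only when there are none.
audit_cert_text() {
    expected_ip=$1
    dump=$(cat)
    findings=""
    # Key size: "RSA Public-Key: (1024 bit)" or "Public-Key: (2048 bit)"
    bits=$(printf '%s\n' "$dump" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ]; then findings="${findings}no-key-size "
    elif [ "$bits" -lt 2048 ]; then findings="${findings}weak-key:${bits} "
    fi
    # Digest used to sign the certificate (first occurrence in the dump)
    sig=$(printf '%s\n' "$dump" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$sig" in
        "") findings="${findings}no-signature-algorithm " ;;
        md5*|sha1*|*SHA1) findings="${findings}weak-signature:${sig} " ;;
    esac
    # Clients connect by IP, so that exact IP must be listed in the SAN
    if ! printf '%s\n' "$dump" | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
            | grep -qxF "IP Address:${expected_ip}"; then
        findings="${findings}san-missing-ip:${expected_ip} "
    fi
    printf '%s\n' "${findings% }"
    [ -z "$findings" ]
}

# Constructed sample: abridged dump of a 1024-bit, SHA-1 signed certificate
sample_weak() {
cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: C = XX, O = Self-signed certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:192.168.1.191
EOF
}

# Demo on the constructed sample. Against the real certificate, run:
#   openssl x509 -in domain.crt -noout -text | audit_cert_text 192.168.1.191
sample_weak | audit_cert_text 192.168.1.191 || echo "certificate needs regenerating"
```
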