Docker Private Registry + Let’s Encrypt on Ubuntu 18.04

Introduction

In this post I describe how to create a Docker private registry secured with Let’s Encrypt. As the environment we will use Vagrant and Ubuntu 18.04.

Environment

Installation

We will need Docker and certbot installed.

  • Docker installation
$ sudo apt-get remove docker docker-engine docker.io containerd runc
$ sudo apt-get update
$ sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
$ sudo add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
    $(lsb_release -cs) \
    stable"
$ sudo apt-get update
$ sudo apt-get install docker-ce docker-ce-cli containerd.io
  • certbot installation
$ sudo add-apt-repository ppa:certbot/certbot -y
$ sudo apt update
$ sudo apt install certbot -y

Creating a Docker registry

Now that we have all the necessary components installed, we can start creating our private registry

# Switch to root
$ sudo su
# Obtain the certificate with certbot (standalone mode needs port 80 free for the HTTP challenge)
$ certbot certonly --standalone --preferred-challenges http --non-interactive --staple-ocsp --agree-tos -m admin@testdomain.com -d registry.testdomain.com
# Set up automatic Let's Encrypt renewal: after renewing, rebuild the registry's
# key/bundle files from the registry lineage and restart the container so it
# serves the new certificate.
$ cat <<EOF > /etc/cron.d/letsencrypt
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
30 2 * * 1 root /usr/bin/certbot renew >> /var/log/letsencrypt-renew.log && cd /etc/letsencrypt/live/registry.testdomain.com && cp privkey.pem domain.key && cat cert.pem chain.pem > domain.crt && chmod 600 domain.* && docker restart registry
EOF
# TLS certificate and key for the registry (the registry image runs as root, so
# owner-only permissions are enough; the private key must not be world-readable)
$ cd /etc/letsencrypt/live/registry.testdomain.com && \
    cp privkey.pem domain.key && \
    cat cert.pem chain.pem > domain.crt && \
    chmod 600 domain.*
# Create the htpasswd file. The username is testuser and the password is Password123.
# Use the same registry:2.7.1 image as below: later registry images no longer ship htpasswd.
$ mkdir -p /mnt/docker-registry
$ docker run --entrypoint htpasswd registry:2.7.1 -Bbn testuser Password123 > /mnt/docker-registry/passfile
# Start the registry with TLS and basic authentication
$ docker run -d -p 443:5000 --restart=always --name registry \
    -v /etc/letsencrypt/live/registry.testdomain.com:/certs \
    -v /mnt/docker-registry:/var/lib/registry \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    -e REGISTRY_AUTH=htpasswd \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/var/lib/registry/passfile \
    registry:2.7.1
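A more robust alternative to the cron command chain above is a certbot deploy hook, which certbot runs only after a successful renewal (it exports the renewed lineage directory as RENEWED_LINEAGE). The script below is an added example, not part of the original post; it assumes the container name "registry" used above and is meant to live in /etc/letsencrypt/renewal-hooks/deploy/.

```shell
#!/bin/sh
# certbot deploy hook: install renewed Let's Encrypt files for the registry
# container and restart it so it serves the new certificate.
# Added example; assumes the container is named "registry" as in the post.
set -eu

# Build domain.crt (cert + chain) and domain.key inside a lineage directory.
# $1: lineage directory, e.g. /etc/letsencrypt/live/registry.testdomain.com
# $2: "yes" to restart the registry container afterwards (default yes)
install_registry_certs() {
    live_dir=$1
    restart=${2:-yes}

    # Write to temporary files first so the registry never reads a half-written key.
    cat "$live_dir/cert.pem" "$live_dir/chain.pem" > "$live_dir/domain.crt.tmp"
    cp "$live_dir/privkey.pem" "$live_dir/domain.key.tmp"
    # Owner-only permissions on the private key; the registry image runs as root
    # inside the container, so it can still read it.
    chmod 600 "$live_dir/domain.key.tmp"
    mv "$live_dir/domain.crt.tmp" "$live_dir/domain.crt"
    mv "$live_dir/domain.key.tmp" "$live_dir/domain.key"

    if [ "$restart" = yes ]; then
        docker restart registry >/dev/null
    fi
}

# Return 0 when the bundle exists and the key exists with mode 600, else 1.
check_registry_certs() {
    live_dir=$1
    [ -f "$live_dir/domain.crt" ] || return 1
    [ -f "$live_dir/domain.key" ] || return 1
    mode=$(stat -c %a "$live_dir/domain.key")
    [ "$mode" = 600 ] || return 1
}

# When certbot invokes the hook, RENEWED_LINEAGE points at the renewed lineage.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_registry_certs "$RENEWED_LINEAGE" yes
    check_registry_certs "$RENEWED_LINEAGE"
fi
```

Make the script executable; `certbot renew` then runs it for each renewed certificate, so the cron entry only needs to call `certbot renew`.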

Now we need to open port 80 (for the Let’s Encrypt HTTP challenge) and port 443 (for the registry), and then we can check that everything works properly.

$ sudo ufw allow 80
$ sudo ufw allow 443
$ curl https://testuser:Password123@registry.testdomain.com/v2/_catalog

As a result we should see something like this: {"repositories":[]}

Push into registry

You need to log in to the registry with Docker first.

$ docker login -u testuser -p Password123 registry.testdomain.com:443
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded

Now we can push Docker images into our private registry.

$ docker pull alpine:latest
$ docker tag alpine:latest registry.testdomain.com:443/alpineimage:latest
$ docker push registry.testdomain.com:443/alpineimage:latest
The push refers to repository [registry.testdomain.com:443/alpineimage:latest]
2831c86be5c6: Pushed

Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.