
Create private Docker Registry (TLS + authentication)


All commands below are run as the root user.


Prepare folder structure

mkdir -p /root/{auth,certs,storage}


Generate self-signed SSL certificate

Create a san.cnf file with the following content.

[req]
default_bits = 4096
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn

[dn]
C = IE
ST = Leinster
L = Dublin
O = Docker Labs
OU = DevOPS
CN = docker-registry.internal.lab

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = docker-registry.internal.lab


Use the openssl command to generate a private key and a self-signed certificate (valid for 10 years) from that configuration.

openssl req -new -x509 -nodes -sha256 -days 3650 \
    -config san.cnf \
    -keyout /root/certs/domain.key -out /root/certs/domain.crt
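Before mounting the files into the registry container it is worth confirming two things about what openssl just produced: that the certificate really carries the hostname in its subjectAltName (Docker's Go TLS stack ignores the CN and matches only SAN entries, so a certificate without it fails at login with a hostname mismatch), and that domain.key is the key belonging to domain.crt. The following check is an added example, not part of the original guide; it assumes openssl is installed, and the function names and the paths passed to them are mine.

```shell
#!/bin/sh
# Added sanity check for the certificate generated above (not part of the
# original guide). Assumes openssl is installed; paths are parameters.

# Return 0 if the certificate at $1 carries $2 in its subjectAltName DNS list.
# Docker (Go 1.15+) ignores the CN and trusts only SAN entries, so a
# certificate without this entry fails with a hostname mismatch at login.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:$2(,|[[:space:]]|\$)"
}

# Return 0 if the private key at $2 belongs to the certificate at $1,
# compared through their PEM public-key encodings.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Combined check: registry_cert_check <cert> <key> <registry hostname>
registry_cert_check() {
    cert="$1"; key="$2"; host="$3"
    rc=0
    cert_has_san "$cert" "$host" || { echo "missing SAN DNS:$host in $cert" >&2; rc=1; }
    cert_matches_key "$cert" "$key" || { echo "$key does not match $cert" >&2; rc=1; }
    return $rc
}

# Usage with the paths from this guide (only runs if the files exist):
if [ -f /root/certs/domain.crt ] && [ -f /root/certs/domain.key ]; then
    registry_cert_check /root/certs/domain.crt /root/certs/domain.key \
        docker-registry.internal.lab && echo "certificate OK"
fi
```

A certificate that fails the SAN check should be regenerated from san.cnf rather than worked around with the insecure-registries setting described later.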


Create credentials

In the example below the username is myadmin and the password is redhat321.

htpasswd -Bbn myadmin redhat321 > /root/auth/htpasswd
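The -B flag above matters: registry:2 verifies only bcrypt password hashes, so an entry created with htpasswd's default MD5 format (the $apr1$ form) or copied from an older Apache htpasswd file will never authenticate, and the symptom is an unexplained "unauthorized" at docker login. The following check of the htpasswd file is an added example, not part of the original guide; the function name and the sample file are mine, and the hashes in the sample are constructed placeholders of the right shape, not real password hashes.

```shell
#!/bin/sh
# Added check for the htpasswd file (not from the original guide).
# registry:2 verifies only bcrypt password hashes, which is why htpasswd is
# called with -B above; an MD5 ($apr1$) or SHA ({SHA}) entry will never log in.

# Return 0 if every non-empty line in $1 is "user:<bcrypt hash>".
# A bcrypt hash is $2a$/$2b$/$2y$, a two-digit cost, and 53 base64 chars.
htpasswd_check() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        user=${line%%:*}
        if printf '%s\n' "$line" \
            | grep -Eq '^[^:]+:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
            echo "ok: $user (bcrypt)"
        else
            echo "rejected: $user (not a bcrypt entry)" >&2
            bad=1
        fi
    done < "$1"
    return $bad
}

# Demonstration on a constructed file (the hashes are placeholders of the
# right shape, not real password hashes).
demo_dir=$(mktemp -d)
cat > "$demo_dir/htpasswd" <<'EOF'
myadmin:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
legacy:$apr1$saltsalt$0123456789abcdefghijkl
EOF
htpasswd_check "$demo_dir/htpasswd" \
    || echo "fix the rejected entries before starting the registry"
rm -r "$demo_dir"
```

Run it against /root/auth/htpasswd after every edit of the file; the registry re-reads the file, so a bad entry added later silently locks that one user out.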


Create and start registry container


docker run -d -p 5000:5000 --restart=always --name registry \
   -v /root/certs:/certs \
   -v /root/auth:/auth \
   -v /root/storage:/var/lib/registry \
   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
   -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
   -e REGISTRY_AUTH=htpasswd \
   -e REGISTRY_AUTH_HTPASSWD_REALM='Registry Realm' \
   -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2

If you want the registry to listen on port 443/TCP instead, use:

... -p 443:443 -e REGISTRY_HTTP_ADDR=0.0.0.0:443 ...
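Once the container is up, a quick smoke test with curl shows whether TLS and authentication are actually enforced before any docker client is configured: an anonymous GET of /v2/ on an htpasswd-protected registry must come back as 401 with a "Www-Authenticate: Basic realm=..." header, while a 200 means authentication is off and a connection error usually means the certificate files were not mounted where the REGISTRY_HTTP_TLS_* variables point. The probe below is an added example, not part of the original guide; it assumes curl is installed and that the CA file passed to it is the domain.crt generated earlier, and the function names are mine.

```shell
#!/bin/sh
# Added smoke test for the running registry (not part of the original guide).
# Assumes curl is installed and that the CA file is the domain.crt from above.

# Return 0 if a captured HTTP response (headers on stdin) is the 401 Basic
# challenge the htpasswd-protected registry must send to anonymous clients.
# Anything else (200 = auth is off, 404/5xx = wrong path or broken container)
# is a misconfiguration worth fixing before pushing images.
auth_challenge_ok() {
    headers=$(cat)
    printf '%s\n' "$headers" | head -n 1 \
        | grep -Eq '^HTTP/[0-9.]+ 401([[:space:]]|$)' || return 1
    printf '%s\n' "$headers" \
        | grep -Eiq '^www-authenticate: *basic realm="[^"]+"' || return 1
}

# Probe the registry API root over TLS, trusting only the self-signed cert.
# Usage: probe_registry docker-registry.internal.lab 5000 /root/certs/domain.crt
probe_registry() {
    curl -sS -I --cacert "$3" "https://$1:$2/v2/" | auth_challenge_ok \
        && echo "registry at $1:$2 is up, TLS verified, anonymous access refused"
}

# Runs only when the certificate from this guide is present on the host.
if [ -f /root/certs/domain.crt ]; then
    probe_registry docker-registry.internal.lab 5000 /root/certs/domain.crt
fi
```

Repeating the same curl call with -u myadmin:redhat321 should return 200 and an empty JSON object, which confirms the htpasswd file is being read; if the 401 persists with correct credentials, check the htpasswd entry format.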


Docker Client and TLS Trust

Solution 1: Configure the docker client to trust this custom TLS certificate.


The URL to my registry is: docker-registry.internal.lab:5000

Create a folder whose name reflects this URL (host and port).

mkdir -p /etc/docker/certs.d/docker-registry.internal.lab:5000/


Create a ca.crt file inside the directory above. This ca.crt is the same file as the certs/domain.crt created in the earlier step.

Restart docker service.

systemctl restart docker


If you are using podman instead, the directory path is /etc/containers/certs.d/docker-registry.internal.lab:5000/.

mkdir -p /etc/containers/certs.d/docker-registry.internal.lab:5000

As with docker, create the ca.crt file inside the directory above.
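The directory name must match the registry reference exactly (host:port, including the port), and the copied ca.crt must be byte-identical to domain.crt, otherwise docker falls back to the system trust store and login fails with a certificate error. The helper below performs the docker and podman installs in one go and then uses openssl to confirm that the installed ca.crt validates the registry certificate (a self-signed certificate is its own CA, so this proves the right file landed in the right place). It is an added example, not part of the original guide; the base directories are parameters so the check can be exercised outside /etc, and the function name is mine.

```shell
#!/bin/sh
# Added helper for the client-side trust step (not part of the original guide).
# It installs the registry certificate under certs.d for docker and podman and
# confirms with openssl that the installed ca.crt validates the registry cert.
# Assumes openssl is installed. Base directories are parameters so the check
# can run outside /etc; the defaults are the paths from this guide.

# install_registry_ca <registry host:port> <domain.crt> [docker base] [podman base]
install_registry_ca() {
    registry="$1"; crt="$2"
    docker_base="${3:-/etc/docker/certs.d}"
    podman_base="${4:-/etc/containers/certs.d}"
    for base in "$docker_base" "$podman_base"; do
        mkdir -p "$base/$registry"
        cp "$crt" "$base/$registry/ca.crt"
        # The copy must be byte-identical, or the client trusts the wrong cert.
        cmp -s "$crt" "$base/$registry/ca.crt" || return 1
    done
    # A self-signed certificate is its own CA, so verifying domain.crt against
    # the copied ca.crt proves the file landed intact in the right place.
    openssl verify -CAfile "$docker_base/$registry/ca.crt" "$crt" >/dev/null
}

# Usage with the paths from this guide (runs only as root with the cert present):
if [ "$(id -u)" = 0 ] && [ -f /root/certs/domain.crt ]; then
    install_registry_ca docker-registry.internal.lab:5000 /root/certs/domain.crt \
        && echo "ca.crt installed for docker and podman"
fi
```

After the install, restart docker as described above; podman picks the directory up without a restart.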

Solution 2 (not recommended): Configure the docker client with insecure registries

Create the /etc/docker/daemon.json file with the following content:

{
    "insecure-registries": ["docker-registry.internal.lab:5000"]
}


Restart docker service.

systemctl restart docker.service


Verify connectivity from docker client

docker login docker-registry.internal.lab:5000