Docker: What is the simplest way to secure a private registry?

Question

Our Docker images ship closed sources, we need to store them somewhere safe, using own private docker registry. We search the simplest way to deploy a private docker registry with a simple authentication layer.

I found :

• this manual way http://www.activestate.com/blog/2014/01/deploying-your-own-private-docker-registry
• and the shipyard/docker-private-registry docker image based on stackbrew/registry and adding basic auth via Nginx - https://github.com/shipyard/docker-private-registry

I think use shipyard/docker-private-registry, but is there one another best way?

Answer 1

I'm still learning how to run and use Docker, consider this an idea:

# Run the registry on the server, allow only localhost connection docker run -p 127.0.0.1:5000:5000 registry  # On the client, setup ssh tunneling ssh -N -L 5000:localhost:5000 user@server 

The registry is then accessible at localhost:5000, authentication is done through ssh that you probably already know and use.

Sources:

• https://blog.codecentric.de/en/2014/02/docker-registry-run-private-docker-image-repository/
• https://docs.docker.com/userguide/dockerlinks/

Answer 2

You can also use an Nginx front-end with a Basic Auth and an SSL certificate.

Regarding the SSL certificate I have tried couple of hours to have a working self-signed certificate but Docker wasn't able to work with the registry. To solve this I have a free signed certificate which work perfectly. (I have used StartSSL but there are others). Also be careful when generating the certificate. If you want to have the registry running at the URL registry.damienroch.com, you must give this URL with the sub-domain otherwise it's not going to work.

You can perform all this setup using Docker and my nginx-proxy image (See the README on Github: https://github.com/zedtux/nginx-proxy). This means that in the case you have installed nginx using the distribution package manager, you will replace it by a containerised nginx.

1. Place your certificate (.crt and .key files) on your server in a folder (I'm using /etc/docker/nginx/ssl/ and the certificate names are private-registry.crt and private-registry.key)
2. Generate a .htpasswd file and upload it on your server (I'm using /etc/docker/nginx/htpasswd/ and the filename is accounts.htpasswd)
3. Create a folder where the images will be stored (I'm using /etc/docker/registry/)
4. Using docker run my nginx-proxy image
5. Run the docker registry with some environment variable that nginx-proxy will use to configure itself.

Here is an example of the commands to run for the previous steps:

sudo docker run -d --name nginx -p 80:80 -p 443:443 -v /etc/docker/nginx/ssl/:/etc/nginx/ssl/ -v /var/run/docker.sock:/tmp/docker.sock -v /etc/docker/nginx/htpasswd/:/etc/nginx/htpasswd/ zedtux/nginx-proxy:latest sudo docker run -d --name registry -e VIRTUAL_HOST=registry.damienroch.com -e MAX_UPLOAD_SIZE=0 -e SSL_FILENAME=private-registry -e HTPASSWD_FILENAME=accounts -e DOCKER_REGISTRY=true -v /etc/docker/registry/data/:/tmp/registry registry 

The first line starts nginx and the second one the registry. It's important to do it in this order.

When both are up and running you should be able to login with:

docker login https://registry.damienroch.com