Self-hosted alternative to hub.docker.com?

I'd like to set up a private version of hub.docker.com that would let me create a webhook pushed by my private gitlab instance. In other words - when I push to Gitlab, this Docker registry would check out the repository and build it.

I need this to be resistant to malicious Dockerfiles so that the server cannot easily be compromised, revealing contents of all hosted containers. Is there a way I could easily achieve that?

d33tah asked Dec 09 '15 20:12


1 Answer

You need to set up the registry and the build server separately. This way when you make a push to GitLab, it notifies the build system (via a POST) and builds the image. After the build is complete, the final image gets pushed to the registry (either self-hosted or to hub.docker.com).

Setting up the Registry

  • First make sure that you have docker installed.
  • Then run the following command, which will start an instance of the registry.

    # Start the registry container; it restarts with the daemon and keeps
    # its image data on the host under /srv/registry. The GUNICORN_OPTS
    # value is quoted so the shell passes the brackets through literally.
    sudo docker run --restart='always' -d -p 5000:5000 --name=registry \
    -e 'GUNICORN_OPTS=["--preload"]' \
    -v /srv/registry:/tmp/registry \
    registry
    
  • To expose a Web UI for the above registry, run the following. (Replace with the IP of the registry)

    # Web front-end for the registry; -P publishes its port on a random host port
    sudo docker run -d -P --restart='always' \
    -e ENV_DOCKER_REGISTRY_HOST=<REGISTRY_IP> \
    -e ENV_DOCKER_REGISTRY_PORT=5000 \
    konradkleine/docker-registry-frontend
    

Setting up the Build Server

  • The ubiquitous Jenkins build server can fill in this gap.
  • You'll need to install the GitLab CI plugin (for Jenkins) which partially emulates the GitLab CI API. Note that you need to also configure the CI plugin after installation from "Manage Jenkins" -> "Configure System". Note that the private token functionality is not implemented. So enter something random in that field.

  • Now you can configure your GitLab repo to fire up a CI event after a PUSH to the repo using Services -> GitLab CI.
    Please Note: I have tried this out on GitLab v7.7.2. AFAIK the newer GitLab release has integrated the earlier separate GitLab CI.

  • On the Jenkins server, create a new freestyle project or edit an existing project. Then check Build on Push Events.

    (screenshot: Gitlab CI Push)
  • Now for the final step, execute the following code snippet as a shell script. Note that you will need to start your docker daemon with the insecure registry option. Refer to: https://docs.docker.com/registry/insecure/

    # Build and push image (replace <REGISTRY_IP> and <PROJECT_NAME>;
    # $WORKSPACE is the checkout directory Jenkins provides)
    cd "$WORKSPACE"
    docker build -t <REGISTRY_IP>:5000/<PROJECT_NAME>:latest .
    docker push <REGISTRY_IP>:5000/<PROJECT_NAME>:latest
    

Alternatively

Have a look at tarzan. It works quite similar to docker hub but it needs to be triggered from a GitHub event (not GitLab). Also because I haven't tried it out, I can't vouch for it.

I suspect that even though tarzan is said to work only with GitHub, it might also work with GitLab.

Aditya Basu answered Sep 28 '22 04:09