Your own Docker Registry

Wed 30 May 2018

Docker is the virtualization technique to go for in this tech era. It is quick and amazing when using a Linux or Mac system. Windows is a little bit more tricky, but they have made big leaps to make it more user-friendly.

I've set up a registry and there are a few things I want to give you a head start in. These took me some good hours of research to find out, as I did not know them. Not all of these are Docker things per se.

I will be adding to this article as I headbutt my way through problems.

What is a registry?

Well, let's briefly start with that. A registry is a place where you can store your build images before deploying or rolling back. It's the perfect place to centralize your build for a team. Some tools, like GitLab, come standard with registries attached to the repositories. Self-hosting is a great way to go when your tools don't, or when you want to do it yourself to have control over your data.

I've done this and it has been great! There are a few general things to consider when creating a registry and I will try and sum my time-consuming issues up in this post.

When using a CI tool, check your consistency!

This one will be stupid. I catch myself being inconsistent all the time! It drives me nuts haha.

I've been in the situation where the port number was on/off throughout my CI configuration. Each occurrence of the repository either had the port number or not within the CI file. While it only occurs twice or three times max, check if you are being consistent in the way you use the registry. It had me butting my head against the wall!

Why? Let me explain. I host my registry on the HTTPS port, 443. I can configure this differently later, but for now, I do... Why is this an issue? The docker commands, rightfully so, respect a custom port when you define one. docker login will also save this port to the respective ~/.docker/config.json file. This results in issues further down the road when using any command that relies on this config, like pull, build, push...

It may sound like a goofy thing, yet I didn't know where to start sanity checking when I ran into this issue.
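A sanity check for this, as an added example that is not part of the original post: it compares the registry addresses in a CI file with the entries docker login wrote under "auths" in ~/.docker/config.json. The host registry.example.com, the CI fragment and the config contents are constructed placeholders.

```python
import json
import re

# Constructed sample: config.json after `docker login registry.example.com:443`
SAMPLE_CONFIG = '{"auths": {"registry.example.com:443": {"auth": "<redacted>"}}}'

# Constructed sample: CI fragment that mixes both forms of the registry address
SAMPLE_CI = """\
build:
  script:
    - echo "$REG_PASS" | docker login -u "$REG_USER" --password-stdin registry.example.com:443
    - docker build -t registry.example.com/team/app:latest .
    - docker push registry.example.com:443/team/app:latest
"""


def check_registry_refs(config_json, ci_text, host):
    """Report how `host` is written in the CI file and which forms have no login entry."""
    auths = json.loads(config_json).get("auths", {})
    # Older clients may store a scheme or path in the key; compare on host[:port] only.
    logged_in = {re.sub(r"^https?://", "", key).split("/")[0] for key in auths}
    # Match the host with an optional :port, but not as part of a longer hostname.
    ref = re.compile(r"(?<![\w.-])" + re.escape(host) + r"(?::\d+)?(?![\w.-])")
    forms, missing = set(), []
    for line_no, line in enumerate(ci_text.splitlines(), start=1):
        for match in ref.finditer(line):
            forms.add(match.group(0))
            if match.group(0) not in logged_in:
                missing.append((line_no, match.group(0)))
    return {"forms": forms, "missing": missing, "consistent": len(forms) <= 1}


if __name__ == "__main__":
    result = check_registry_refs(SAMPLE_CONFIG, SAMPLE_CI, "registry.example.com")
    print("forms used:", sorted(result["forms"]))
    for line_no, ref in result["missing"]:
        print(f"line {line_no}: {ref} has no matching entry under auths")
```

To run it against a real setup, pass the contents of your own config.json and CI file in place of the two samples.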

When protecting your registry, use SHA for Basic Auth

I'm using Nginx in my setup to proxy to the registry. I'm also assuming that most people will be rocking a Unix/BSD setup. In this setup adding Basic Auth is easy peasy. I guess I did not realize that SHA for Basic Auth is the way to go, due to me not having applied Basic Auth in a huge while.

The recommended way for protecting your registry is Basic Auth at the moment of writing. I've made peace with this, though to me this could've been different. However, I've found that SHA works best for me. It's widely available, and by that I mean implemented as standard in virtually any distro these days, because checksums are made with SHA.

As with any (password) protection, make it complex. I recommend making both username and password into a hash, as these will most of the time be used programmatically or shared electronically.