Docker: What is the simplest way to secure a private registry?

I'm still learning how to run and use Docker, consider this an idea:

# Run the registry on the server, allow only localhost connectiondocker run -p 127.0.0.1:5000:5000 registry# On the client, setup ssh tunnelingssh -N -L 5000:localhost:5000 user@server

The registry is then accessible at localhost:5000, authentication is done through ssh that you probably already know and use.

Sources:

• https://blog.codecentric.de/en/2014/02/docker-registry-run-private-docker-image-repository/
• https://docs.docker.com/userguide/dockerlinks/

You can also use an Nginx front-end with a Basic Auth and an SSL certificate.

Regarding the SSL certificate I have tried couple of hours to have a working self-signed certificate but Docker wasn't able to work with the registry. To solve this I have a free signed certificate which work perfectly. (I have used StartSSL but there are others).Also be careful when generating the certificate. If you want to have the registry running at the URL registry.damienroch.com, you must give this URL with the sub-domain otherwise it's not going to work.

You can perform all this setup using Docker and my nginx-proxy image (See the README on Github: https://github.com/zedtux/nginx-proxy).This means that in the case you have installed nginx using the distribution package manager, you will replace it by a containerised nginx.

1. Place your certificate (.crt and .key files) on your server in a folder (I'm using /etc/docker/nginx/ssl/ and the certificate names are private-registry.crt and private-registry.key)
2. Generate a .htpasswd file and upload it on your server (I'm using /etc/docker/nginx/htpasswd/ and the filename is accounts.htpasswd)
3. Create a folder where the images will be stored (I'm using /etc/docker/registry/)
4. Using docker run my nginx-proxy image
5. Run the docker registry with some environment variable that nginx-proxy will use to configure itself.

Here is an example of the commands to run for the previous steps:

sudo docker run -d --name nginx -p 80:80 -p 443:443 -v /etc/docker/nginx/ssl/:/etc/nginx/ssl/ -v /var/run/docker.sock:/tmp/docker.sock -v /etc/docker/nginx/htpasswd/:/etc/nginx/htpasswd/ zedtux/nginx-proxy:latestsudo docker run -d --name registry -e VIRTUAL_HOST=registry.damienroch.com -e MAX_UPLOAD_SIZE=0 -e SSL_FILENAME=private-registry -e HTPASSWD_FILENAME=accounts -e DOCKER_REGISTRY=true -v /etc/docker/registry/data/:/tmp/registry registry

The first line starts nginx and the second one the registry. It's important to do it in this order.

When both are up and running you should be able to login with:

docker login https://registry.damienroch.com

I have create an almost ready to use but certainly ready to function setup for running a docker-registry: https://github.com/kwk/docker-registry-setup .

Maybe it helps.

Everything (Registry, Auth server, and LDAP server) is running in containers which makes parts replacable as soon as you're ready to. The setup is fully configured to make it easy to get started. There're even demo certificates for HTTPs but they should be replaced at some point.

If you don't want LDAP authentication but simple static authentication you can disable it in auth/config/config.yml and put in your own combination of usernames and hashed passwords.