How to set up a secure Docker registry on Linux using a TLS/SSL certificate

If you are building custom Docker images for your enterprise, you have two choices about where to host them:

  1. Docker Hub – This registry hosting service is free and provided by Docker Inc. It also offers several enterprise-level features, such as multiple accounts for an organization and automated builds.
  2. Self-hosted Docker registry – You can set up a Docker registry inside your organization that hosts your own images.

This guide explains how to set up a secure self-hosted Docker registry.

1. Setting up a TLS certificate and key

Copy your existing certificate and key files into the ~/docker-certs directory (/root/docker-certs here).

# mkdir /root/docker-certs

# cd /root/docker-certs

# ls -1
andreyex.crt
andreyex.key
intermediateCA.pem

In this example, I am using the certificate file andreyex.crt and the key file andreyex.key that were generated for my Apache web server.

For more information on how to create your own certificate and key file, refer to the following guide: How to Install SSL and SPDY Certificate on Ubuntu Using Let’s Encrypt.

2. Management of the intermediate certificate file

In this example, I also have an intermediate certificate (intermediateCA.pem) from my CA, Let’s Encrypt.

For the Docker registry, you have to combine your server certificate and the intermediate certificate into a single certificate file, with the server certificate first and the intermediate certificate after it.

That is, append the content of your intermediate certificate to the certificate file as shown below.

cd /root/docker-certs

cat intermediateCA.pem >> andreyex.crt

3. Run your secure Docker registry

Now start the secure Docker registry as shown below.

docker run -d -p 5000:5000 --restart=always --name registry \
  -v /root/docker-certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/andreyex.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/andreyex.key \
  registry:2

In the above command:

  • The Docker registry listens on port 5000
  • The container is named “registry”
  • The local directory /root/docker-certs, which holds the certificate and key, is mounted as /certs inside the registry container
  • The REGISTRY_HTTP_TLS_CERTIFICATE variable points to the certificate file by its full path as seen inside the container
  • The REGISTRY_HTTP_TLS_KEY variable points to the key file by its full path as seen inside the container

After starting the Docker registry, you will see the running registry container as shown below:

# docker ps
CONTAINER ID  IMAGE       COMMAND                  CREATED         STATUS         PORTS                    NAMES
v347s8c5dest  registry:2  "/entrypoint.sh /etc/"   25 seconds ago  Up 1 seconds   0.0.0.0:5000->5000/tcp   registry

4. Accessing the secure Docker registry

Once the secure Docker registry is set up, you can access it from other servers on your network (or from the outside) and use all the standard Docker commands on it.

For example, you can pull images from and push images to this secure Docker registry as shown below.

docker pull andreyex.com:5000/mongodb

docker push andreyex.com:5000/mongodb

5. Setting up an insecure Docker registry

Note: If you have any problems with the secure Docker registry, you can, for debugging purposes, start the registry without a certificate and see how it behaves, as shown below:

docker run -d -p 5000:5000 --restart=always --name registry registry:2

When you then try to pull an image from (or perform any other operation against) this Docker registry, you may receive the error message “oversized record received with length”.

For example, when we run the following command on a remote server (not on the server where the Docker registry is installed), we receive the following error message:

# docker pull 192.168.51.1:5000/mongodb
Using default tag: latest
Error response from daemon: Get https://192.168.51.1:5000/v1/_ping: tls: oversized record received with length 20527

In this case, 192.168.51.1 is the server running the Docker registry, which is now running without a TLS certificate, while the Docker client still expects TLS on port 5000.

To talk to this registry anyway, the remote server’s Docker daemon must be told to treat it as insecure. To do this, pass the “--insecure-registry” option through the DOCKER_OPTS environment variable.
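As an added illustration (not part of the original guide), the following Python snippet shows where the number 20527 in the error above comes from: the client expected a 5-byte TLS record header but read the plaintext bytes “HTTP/” from the registry, and the letters “P/” (0x50 0x2F) decode as a record length of 20527, which exceeds the maximum TLS record size. The HTTP reply used as input is a constructed sample.

```python
import struct

# Upper bound on a TLS record body: 16384 bytes of plaintext plus 2048 bytes of
# overhead (the maxCiphertext limit in Go's crypto/tls, which the Docker client uses).
MAX_TLS_RECORD_LEN = 16384 + 2048

# Constructed sample: the first bytes a plaintext HTTP server (a registry started
# without a certificate) sends back when a client opens the connection with TLS.
PLAINTEXT_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"

# Constructed sample: a genuine TLS 1.2 handshake record header (ServerHello) for contrast.
TLS_HANDSHAKE_REPLY = b"\x16\x03\x03\x00\x31"


def parse_tls_record_header(data):
    """Interpret the first five bytes of a server reply as a TLS record header.

    Layout: content type (1 byte), protocol version (2 bytes), body length (2 bytes),
    all big-endian. Returns (content_type, version, length).
    """
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    return content_type, version, length


def diagnose(data):
    """Describe what a TLS client sees when it reads `data` as a TLS record.

    Reproduces the registry failure from the guide: the client speaks TLS, the
    server answers in plaintext HTTP, and 'P/' is read as an absurd record length.
    """
    content_type, version, length = parse_tls_record_header(data)
    if length > MAX_TLS_RECORD_LEN:
        verdict = "oversized record received with length %d" % length
    else:
        verdict = "record length %d is within bounds" % length
    if data[:5] == b"HTTP/":
        # The "header" is really the start of an HTTP status line: TLS is not
        # enabled on that port, so enable TLS there rather than weakening the client.
        verdict += " (server answered in plaintext HTTP; TLS is not enabled on that port)"
    return {"content_type": content_type, "version": version,
            "length": length, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(PLAINTEXT_HTTP_REPLY)["verdict"])
    print(diagnose(TLS_HANDSHAKE_REPLY)["verdict"])
```

Newer TLS clients phrase this mismatch differently, but the underlying cause is the same: a TLS client talking to a plaintext listener.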

On the remote server, edit this file and add the following line (on systemd-based hosts, /etc/default/docker is only honored if the docker.service unit references it; the equivalent setting is the "insecure-registries" key in /etc/docker/daemon.json):

vi /etc/default/docker
DOCKER_OPTS="--insecure-registry 192.168.101.1:5000"

Now restart Docker on the remote server.

systemctl daemon-reload
systemctl stop docker
systemctl start docker

Now docker pull (or any other Docker command against this registry) will work, because the daemon has been told to treat this registry as insecure, that is, to use plain HTTP without certificate validation. Keep this setting for debugging only.

docker pull 192.168.101.1:5000/mongodb
