Setting up a Docker container registry with Podman and Let's Encrypt SSL

A private container image registry lets you keep images under your own control: build an image on any machine and push it to your own registry with the Docker or Podman CLI. This guide shows how to run a local Docker-compatible (OCI) container image registry with Podman, first as a plain HTTP registry for testing and then secured with a Let's Encrypt TLS certificate.

Podman is a daemonless container engine for developing, managing, and running OCI containers on Linux systems. We have installation guides for several distributions:

Install Podman on CentOS 8

Install Podman on CentOS 7 / Fedora

Install Podman on Ubuntu

Install Podman on Debian

Once Podman is installed, continue below to build the local registry.

Step 1: Create a domain for the Docker registry

I will create a subdomain for the container registry, registry.computingforgeeks.com, and add a DNS A record for it pointing at the registry host.

Once the record is added, confirm that it resolves:

$ dig A registry.computingforgeeks.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> A registry.computingforgeeks.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23567
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;registry.computingforgeeks.com.	IN	A

;; ANSWER SECTION:
registry.computingforgeeks.com.	300 IN	A	159.69.179.51

;; Query time: 14 msec
;; SERVER: 213.133.98.98#53(213.133.98.98)
;; WHEN: Thu Jan 16 11:25:14 CET 2020
;; MSG SIZE  rcvd: 75

Step 2: Create an insecure registry

If your domain is only resolvable on the local network, or you want to try the registry without a TLS certificate, you can run it over plain HTTP. This is not recommended outside a lab: image pushes and pulls cross the network in cleartext and can be read or tampered with in transit.

Confirm that podman is installed:

$ podman version
Version:            1.4.2-stable2
RemoteAPI Version:  1
Go Version:         go1.12.8
OS/Arch:            linux/amd64

Create a container data directory.

sudo mkdir -p /var/lib/registry

Create the insecure private registry as follows. The registry does not need --privileged, so run it as an ordinary container:

podman run -d \
  --name registry \
  -p 5000:5000 \
  -v /var/lib/registry:/var/lib/registry \
  --restart=always \
  registry:2

  • Registry contents will be stored in /var/lib/registry on the host system.

This is my execution output:

Trying to pull docker.io/library/registry:2...
Getting image source signatures
Copying blob c87736221ed0 done
Copying blob e8afc091c171 done
Copying blob 54d33bcb37f5 done
Copying blob b4541f6d3db6 done
Copying blob 1cc8e0bb44df done
Copying config f32a97de94 done
Writing manifest to image destination
Storing signatures
c99542d2802a85825cf75ecfa9ee34b5d4184b70f36acf110f75beaa4120b2aa

Check if the registry container is running.

$ podman ps
CONTAINER ID  IMAGE                         COMMAND               CREATED        STATUS            PORTS                   NAMES
c99542d2802a  docker.io/library/registry:2  /entrypoint.sh /e...  3 minutes ago  Up 3 minutes ago  0.0.0.0:5000->5000/tcp  registry

Using an insecure registry

By default, the Docker and Podman clients speak HTTPS to a registry. Since this registry is plain HTTP, each client must be told explicitly to treat it as insecure.

For Podman, edit /etc/containers/registries.conf and add the registry to the list under the [registries.insecure] section. (Newer Podman releases use [[registry]] tables in this file instead; there, set insecure = true on the entry for registry.computingforgeeks.com:5000.)

$ sudo vi /etc/containers/registries.conf
registries = ['myregistry.local','registry.computingforgeeks.com:5000']

For Docker, edit /etc/sysconfig/docker and add the --insecure-registry option (alternatively, add the host to "insecure-registries" in /etc/docker/daemon.json):

OPTIONS='--insecure-registry registry.computingforgeeks.com:5000 --selinux-enabled .....' 

After making changes, you need to restart the docker service.

sudo systemctl restart docker

Test the registry:

$ podman pull hello-world
$ podman  images
REPOSITORY                      TAG      IMAGE ID       CREATED         SIZE
docker.io/library/hello-world   latest   fce289e99eb9   12 months ago   6.14 kB
$ podman tag docker.io/library/hello-world registry.computingforgeeks.com:5000/hello-world
$ podman images
REPOSITORY                                        TAG      IMAGE ID       CREATED         SIZE
docker.io/library/hello-world                     latest   fce289e99eb9   12 months ago   6.14 kB
registry.computingforgeeks.com:5000/hello-world   latest   fce289e99eb9   12 months ago   6.14 kB

$ podman push registry.computingforgeeks.com:5000/hello-world
Getting image source signatures
Copying blob af0b15c8625b done
Copying config fce289e99e done
Writing manifest to image destination
Storing signatures

Check the contents of the registry on the registry server host.

$ ls /var/lib/registry/docker/registry/v2/repositories/
hello-world

To pull the image on another host, configure the same insecure-registry setting there and run:

podman pull registry.computingforgeeks.com:5000/hello-world

Step 3: Create a secure registry with a Let's Encrypt certificate

Create the container data directory if you have not already.

sudo mkdir -p /var/lib/registry

Install the certbot-auto tool, which we will use to obtain a Let's Encrypt certificate for the registry. (certbot-auto has since been deprecated by the EFF; on current systems install certbot from your distribution or snap and replace certbot-auto with certbot in the commands below.) The standalone http-01 challenge needs port 80 reachable from the internet, so open HTTP as well as HTTPS in the firewall:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo firewall-cmd --add-service http --add-service https --permanent
sudo firewall-cmd --reload

Obtain the Let's Encrypt certificate:

export DOMAIN="registry.computingforgeeks.com"
export EMAIL="[email protected]"
sudo /usr/local/bin/certbot-auto --standalone certonly -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring

  • Set your own email address and domain name before running the command.

The output shows where the certificate and private key were saved:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for registry.computingforgeeks.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/registry.computingforgeeks.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/registry.computingforgeeks.com/privkey.pem
   Your cert will expire on 2020-04-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Set a cron job to renew automatically. The registry reads the certificate and key once at startup, so use a deploy hook to restart the container whenever a certificate is actually renewed:

# crontab -e
00 3 * * * /usr/local/bin/certbot-auto renew --quiet --deploy-hook "podman restart registry"

Now create the secure container registry. As before, --privileged is not needed; the certificate and key are mounted read-only:

export REG_DOMAIN="registry.computingforgeeks.com"
podman run -d \
  --name registry \
  -p 5000:5000 \
  --restart=always \
  -v /var/lib/registry:/var/lib/registry \
  -v /etc/letsencrypt/live/${REG_DOMAIN}/fullchain.pem:/certs/fullchain.pem:ro \
  -v /etc/letsencrypt/live/${REG_DOMAIN}/privkey.pem:/certs/privkey.pem:ro \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.pem \
  -e REGISTRY_HTTP_TLS_KEY=/certs/privkey.pem \
  registry:2

Note that TLS only protects the transport: anyone who can reach port 5000 can still push and pull anonymously. Put authentication in front of the registry (it supports htpasswd basic auth) or restrict who can reach the port at the network level.

Check if the container started successfully.

$ podman ps 
CONTAINER ID  IMAGE                         COMMAND               CREATED        STATUS            PORTS                   NAMES
d5ee3ead9d77  docker.io/library/registry:2  /entrypoint.sh /e...  7 seconds ago  Up 7 seconds ago  0.0.0.0:5000->5000/tcp  registry

Confirm it works. Because the certificate chains to a public CA, no insecure-registry setting is needed on the clients; if you added one in Step 2, remove it:

$ podman pull nginx
$ podman images
REPOSITORY                TAG      IMAGE ID       CREATED      SIZE
docker.io/library/nginx   latest   c7460dfcab50   6 days ago   130 MB

$ podman tag docker.io/library/nginx registry.computingforgeeks.com:5000/nginx
$ podman images
REPOSITORY                                  TAG      IMAGE ID       CREATED      SIZE
docker.io/library/nginx                     latest   c7460dfcab50   6 days ago   130 MB
registry.computingforgeeks.com:5000/nginx   latest   c7460dfcab50   6 days ago   130 MB

$ podman push registry.computingforgeeks.com:5000/nginx
Getting image source signatures
Copying blob 17fde96446df done
Copying blob c26e88311e71 done
Copying blob 556c5fb0d91b done
Copying config c7460dfcab done
Writing manifest to image destination
Storing signatures
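The registry above accepts anonymous pushes from anyone who can reach port 5000; TLS only protects the transport. The script below is an added example, not part of the original article, that deploys the same Let's Encrypt registry from a config file with htpasswd basic auth in front of it, refuses to start if the certificate material is missing or the private key is readable by other users, and verifies that anonymous access is rejected. It assumes a registry user named pusher, the host directories /etc/registry and /var/lib/registry-auth, the docker.io/library/httpd:2 image for generating the bcrypt password entry, and that certbot has already written the certificate under /etc/letsencrypt/live/$REG_DOMAIN; none of these are from the article.

```shell
#!/bin/sh
# Added example, not from the original article: TLS registry with htpasswd
# basic auth, driven by a config file instead of REGISTRY_* env flags.
# Assumptions (not in the article): registry user "pusher", host directories
# /etc/registry and /var/lib/registry-auth, httpd:2 image for htpasswd, and
# certbot output under /etc/letsencrypt/live/$REG_DOMAIN/.
set -u

REG_DOMAIN="${REG_DOMAIN:-registry.computingforgeeks.com}"
REG_PORT="${REG_PORT:-5000}"
LE_DIR="/etc/letsencrypt/live/${REG_DOMAIN}"

# Registry config: TLS on :5000, bcrypt htpasswd auth, storage under the
# bind-mounted /var/lib/registry. Paths match the mounts in deploy().
write_registry_config() {
  cat > "$1" <<'EOF'
version: 0.1
log:
  fields:
    service: registry
storage:
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  tls:
    certificate: /certs/fullchain.pem
    key: /certs/privkey.pem
  headers:
    X-Content-Type-Options: [nosniff]
auth:
  htpasswd:
    realm: registry
    path: /auth/htpasswd
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
EOF
}

# Return 0 only if cert and key exist and the key is not group/other readable.
check_tls_material() {
  cert="$1"; key="$2"
  [ -r "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
  [ -r "$key" ]  || { echo "missing key: $key" >&2; return 1; }
  if [ -n "$(find "$key" -maxdepth 0 -perm /077)" ]; then
    echo "private key $key is readable by group/other" >&2
    return 1
  fi
  return 0
}

# Start the registry: no --privileged, cert/key/config mounted read-only,
# htpasswd entry generated with the httpd image (registry:2 no longer ships it).
deploy() {
  check_tls_material "$LE_DIR/fullchain.pem" "$LE_DIR/privkey.pem" || exit 1
  sudo mkdir -p /var/lib/registry /var/lib/registry-auth /etc/registry
  write_registry_config /tmp/registry-config.yml
  sudo mv /tmp/registry-config.yml /etc/registry/config.yml
  printf 'Password for registry user pusher: '
  stty -echo; read -r pass; stty echo; echo
  podman run --rm --entrypoint htpasswd docker.io/library/httpd:2 -Bbn pusher "$pass" \
    | sudo tee /var/lib/registry-auth/htpasswd >/dev/null
  sudo podman run -d --name registry --restart=always \
    -p "${REG_PORT}:5000" \
    -v /var/lib/registry:/var/lib/registry \
    -v /var/lib/registry-auth:/auth:ro \
    -v "$LE_DIR/fullchain.pem":/certs/fullchain.pem:ro \
    -v "$LE_DIR/privkey.pem":/certs/privkey.pem:ro \
    -v /etc/registry/config.yml:/etc/docker/registry/config.yml:ro \
    docker.io/library/registry:2
}

# Anonymous /v2/ must answer 401; the configured user (curl prompts) must get 200.
verify() {
  url="https://${REG_DOMAIN}:${REG_PORT}/v2/"
  anon=$(curl -sS -o /dev/null -w '%{http_code}' "$url")
  auth=$(curl -sS -o /dev/null -w '%{http_code}' -u pusher "$url")
  echo "anonymous: $anon (want 401), authenticated: $auth (want 200)"
  [ "$anon" = 401 ] && [ "$auth" = 200 ]
}

case "${1:-}" in
  deploy) deploy ;;
  verify) verify ;;
esac
```

Run `sh registry-deploy.sh deploy` on the registry host, then `sh registry-deploy.sh verify` from a client; clients log in with `podman login registry.computingforgeeks.com:5000` before pushing. The htpasswd file lives outside the image store so the registry's own data volume never contains credentials, and the config file is mounted at the path the registry:2 image reads by default.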

You can now use the registry throughout your infrastructure. If you need a more advanced registry, check:

Install Harbor Docker Image Registry on CentOS / Debian / Ubuntu

How to set up Red Hat Quay registry on CentOS / RHEL / Ubuntu

More information about Podman:

How to publish a Docker image to Docker Hub using Podman

How to run Docker containers with Podman and Libpod
