A private container image registry keeps image distribution inside infrastructure you control: you build container images on any machine, push them to your own registry with the Docker or Podman CLI, and other hosts pull from it. This guide shows how to run a Docker-compatible container image registry (the registry:2 image) with Podman, first as a plain HTTP registry for local use and then with a Let's Encrypt TLS certificate.
Podman is a daemonless container engine for developing, managing, and running OCI containers on your Linux system.
Step 1: Create domain for Docker registry
I’ll create a subdomain for the registry, registry.it.techlabzone.com, and add a DNS A record for it pointing at the host that will run the registry.
Confirm the record resolves after you create it:
$ dig A registry.it.techlabzone.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> A registry.it.techlabzone.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23567
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;registry.it.techlabzone.com. IN A
;; ANSWER SECTION:
registry.it.techlabzone.com. 300 IN A 159.69.179.51
;; Query time: 14 msec
;; SERVER: 213.133.98.98#53(213.133.98.98)
;; WHEN: Thu Jan 16 11:25:14 CET 2020
;; MSG SIZE rcvd: 75
Step 2: Create Insecure Registry
If you host your domain locally or want a registry without TLS certificates, you can run the registry over plain HTTP. This is not recommended for production: everything between client and registry, image layers included, travels unencrypted and unauthenticated, so anyone on the network path can read or modify what you pull.
Confirm that podman is installed:
$ podman version
Version: 1.4.2-stable2
RemoteAPI Version: 1
Go Version: go1.12.8
OS/Arch: linux/amd64
Create the container data directory:
sudo mkdir -p /var/lib/registry
Create your insecure private registry as follows. The registry process needs no special privileges, so --privileged is not used; the :Z suffix on the volume gives the data directory the SELinux label the container needs on SELinux-enforcing hosts.
podman run -d \
--name registry \
-p 5000:5000 \
-v /var/lib/registry:/var/lib/registry:Z \
--restart=always \
registry:2
- The registry contents are stored in /var/lib/registry on the host system, the directory mounted into the container above.
Here is my execution output:
Trying to pull docker.io/library/registry:2...Getting image source signatures
Copying blob c87736221ed0 done
Copying blob e8afc091c171 done
Copying blob 54d33bcb37f5 done
Copying blob b4541f6d3db6 done
Copying blob 1cc8e0bb44df done
Copying config f32a97de94 done
Writing manifest to image destination
Storing signatures
c99542d2802a85825cf75ecfa9ee34b5d4184b70f36acf110f75beaa4120b2aa
Check that the registry container is running:
$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c99542d2802a docker.io/library/registry:2 /entrypoint.sh /e... 3 minutes ago Up 3 minutes ago 0.0.0.0:5000->5000/tcp registry
Using Insecure Registry
By default, the Docker and Podman clients access a registry over HTTPS. Since this registry speaks plain HTTP, the client must be told to treat it as insecure.
For Podman, edit /etc/containers/registries.conf and list the registry under the [registries.insecure] block (the v1 format used by Podman 1.x):
$ sudo vi /etc/containers/registries.conf
[registries.insecure]
registries = ['myregistry.local','registry.it.techlabzone.com:5000']
Current Podman versions use the v2 registries.conf format, where the same setting is:
[[registry]]
location = "registry.it.techlabzone.com:5000"
insecure = true
For Docker, add the registry to insecure-registries in /etc/docker/daemon.json:
{ "insecure-registries": ["registry.it.techlabzone.com:5000"] }
On older RHEL/CentOS docker packages that read /etc/sysconfig/docker, the equivalent is the --insecure-registry option:
OPTIONS='--insecure-registry registry.it.techlabzone.com:5000 --selinux-enabled .....'
You need to restart the docker service after making the change:
sudo systemctl restart docker
Note that an insecure entry does more than allow HTTP: the client will also accept that host over HTTPS with an untrusted certificate. Remove the entry once you move to the TLS setup below.
Test the registry:
$ podman pull hello-world
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/hello-world latest fce289e99eb9 12 months ago 6.14 kB
$ podman tag docker.io/library/hello-world registry.it.techlabzone.com:5000/hello-world
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/hello-world latest fce289e99eb9 12 months ago 6.14 kB
registry.it.techlabzone.com:5000/hello-world latest fce289e99eb9 12 months ago 6.14 kB
$ podman push registry.it.techlabzone.com:5000/hello-world
Getting image source signatures
Copying blob af0b15c8625b done
Copying config fce289e99e done
Writing manifest to image destination
Storing signatures
Check the registry contents on Registry server host.
$ ls /var/lib/registry/docker/registry/v2/repositories/
hello-world
You can then pull the image on other hosts (after adding the same insecure-registry setting there) by running:
podman pull registry.it.techlabzone.com:5000/hello-world
Step 3: Create secure Registry with Let’s Encrypt certificate
Create the container data directory (skip if you already did so in Step 2):
sudo mkdir -p /var/lib/registry
Install the certbot-auto tool, which we’ll use to get a Let’s Encrypt certificate for the registry. (certbot-auto has since been deprecated by the EFF; on a current system, install certbot from your distribution’s packages or as a snap and use certbot wherever certbot-auto appears below.)
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
Open the firewall. The standalone http-01 challenge used below needs port 80 reachable from the internet, and registry clients need port 5000:
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-port=5000/tcp --permanent
sudo firewall-cmd --reload
Get a Let’s Encrypt SSL certificate:
export DOMAIN="registry.it.techlabzone.com"
export EMAIL="alerts@it.techlabzone.com"
sudo /usr/local/bin/certbot-auto --standalone certonly -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring
- Replace the domain name and e-mail address with your own.
You’ll be shown the paths where the certificate and private key are saved.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for registry.it.techlabzone.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/registry.it.techlabzone.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/registry.it.techlabzone.com/privkey.pem
Your cert will expire on 2020-04-15. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew"
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Set a cron job to renew automatically. Renewal with the standalone authenticator needs port 80 free at that time. The registry does not reload its certificate files on its own, so restart the container whenever a certificate is actually renewed; certbot’s --deploy-hook runs only in that case:
# crontab -e
00 3 * * * /usr/local/bin/certbot-auto renew --quiet --deploy-hook "podman restart registry"
Now create the secure container registry. The whole /etc/letsencrypt directory is mounted read-only rather than the two files under live/: live/ contains symlinks into archive/, and a bind mount of a single file resolves the symlink once at container start, so after a renewal the container would keep serving the old certificate. As in Step 2, --privileged is not needed, :Z handles SELinux labelling, and --restart=always keeps the registry up across reboots.
export REG_DOMAIN="registry.it.techlabzone.com"
podman run -d \
--name registry \
-p 5000:5000 \
--restart=always \
-v /var/lib/registry:/var/lib/registry:Z \
-v /etc/letsencrypt:/etc/letsencrypt:ro,Z \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/letsencrypt/live/${REG_DOMAIN}/fullchain.pem \
-e REGISTRY_HTTP_TLS_KEY=/etc/letsencrypt/live/${REG_DOMAIN}/privkey.pem \
registry:2
Check that the container started successfully:
$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d5ee3ead9d77 docker.io/library/registry:2 /entrypoint.sh /e... 7 seconds ago Up 7 seconds ago 0.0.0.0:5000->5000/tcp registry
Confirm it works:
$ podman pull nginx
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest c7460dfcab50 6 days ago 130 MB
$ podman tag docker.io/library/nginx registry.it.techlabzone.com:5000/nginx
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/library/nginx latest c7460dfcab50 6 days ago 130 MB
registry.it.techlabzone.com:5000/nginx latest c7460dfcab50 6 days ago 130 MB
$ podman push registry.it.techlabzone.com:5000/nginx
Getting image source signatures
Copying blob 17fde96446df done
Copying blob c26e88311e71 done
Copying blob 556c5fb0d91b done
Copying config c7460dfcab done
Writing manifest to image destination
Storing signatures
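A successful push only proves the client accepted the certificate at that moment. The script below, an added example that is not part of the original article, checks what the registry actually serves: it fetches the leaf certificate with openssl s_client (SNI set like a real client), reports how many days remain before expiry, and compares the served certificate’s SHA-256 fingerprint with the current fullchain.pem on the host, which catches the case where certbot has renewed but the running container still serves the old certificate. REG_HOST, REG_PORT, LIVE_CERT and WARN_DAYS are assumed defaults taken from this guide’s setup.

```shell
#!/bin/sh
# Check the certificate the registry serves, its expiry, and whether it matches
# the current Let's Encrypt file on the host. Added example, not from the
# original article; the defaults below assume this guide's domain and port.
REG_HOST="${REG_HOST:-registry.it.techlabzone.com}"
REG_PORT="${REG_PORT:-5000}"
LIVE_CERT="${LIVE_CERT:-/etc/letsencrypt/live/$REG_HOST/fullchain.pem}"
WARN_DAYS="${WARN_DAYS:-14}"

# Leaf certificate (PEM) presented by the listener; -servername sends SNI the
# way Docker and Podman do. openssl x509 keeps only the first certificate.
served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# SHA-256 fingerprint of the first PEM certificate on stdin (AB:CD:... form).
fingerprint() { openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# notAfter of the PEM certificate on stdin, e.g. "Apr 15 10:00:00 2020 GMT".
not_after() { openssl x509 -noout -enddate | sed 's/^notAfter=//'; }

# Whole days from now until an openssl-style timestamp; negative once expired.
# Uses GNU date's -d parsing.
days_left() {
  exp=$(date -u -d "$1" +%s)
  now=$(date -u +%s)
  echo $(( (exp - now) / 86400 ))
}

main() {
  served=$(served_cert "$REG_HOST" "$REG_PORT")
  if [ -z "$served" ]; then
    echo "no certificate from $REG_HOST:$REG_PORT (is TLS enabled on the registry?)"
    exit 1
  fi
  srv_fp=$(printf '%s\n' "$served" | fingerprint)
  left=$(days_left "$(printf '%s\n' "$served" | not_after)")
  echo "served certificate $srv_fp expires in $left day(s)"
  if [ "$left" -lt "$WARN_DAYS" ]; then
    echo "WARNING: fewer than $WARN_DAYS days left; check the certbot renewal job"
  fi
  # Run on the registry host itself: a mismatch means certbot renewed but the
  # container was not restarted (or still bind-mounts the old archive file).
  if [ -r "$LIVE_CERT" ]; then
    live_fp=$(fingerprint <"$LIVE_CERT")
    if [ "$srv_fp" != "$live_fp" ]; then
      echo "WARNING: served certificate differs from $LIVE_CERT ($live_fp); restart the registry container"
    fi
  fi
}

# Only contact the registry when explicitly asked; sourcing the file just
# defines the functions. Usage (hypothetical file name): sh registry-tls.sh check
if [ "${1:-}" = "check" ]; then main; fi
```

Run it on the registry host after each renewal (for example from the same cron job) and from a client host, where the fingerprint comparison is skipped and the expiry check alone is still useful.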
You can now use the registry across your infrastructure. Note that neither variant authenticates clients: TLS protects the connection, but anyone who can reach port 5000 can pull and push images. Restrict access at the network level (firewall or VPN) or enable the registry’s built-in htpasswd authentication (REGISTRY_AUTH=htpasswd). If you want a more advanced registry, check: