Once you start maintaining your own Docker image, you might need to have some private Docker registry to put some sensitive information into an image or your organization policy.
Docker Hub offers the private repository, which only the authenticated user can push and pull images, and is not visible to other users. However, there is only one quota for a free Docker Hub account. You may pay to increase the private repositories quota, but if you adopt the microservices architecture, you will need a large number of private repositories:
There are some ways to set up your own private Docker registry that unlimited Docker image quota locates inside of your network.
The easiest way to set up your Docker registry is use an official Docker registry image (https://docs.docker.com/registry/). Run the docker pull
command to download the Docker registry image as follows:
$ docker pull registry:2 2: Pulling from library/registry f32095d4ba8a: Pull complete 9b607719a62a: Pull complete 973de4038269: Pull complete 2867140211c1: Pull complete 8da16446f5ca: Pull complete fd8c38b8b68d: Pull complete 136640b01f02: Pull complete e039ba1c0008: Pull complete c457c689c328: Pull complete Digest: sha256:339d702cf9a4b0aa665269cc36255ee7ce424412d56bee9ad8a247afe8c49ef1 Status: Downloaded newer image for registry:2 //create Docker image datastore under /mnt/docker/images $ sudo mkdir /mnt/docker/images //launch registry that expose the 5000/tcp to 8888/tcp on host $ sudo docker run -p 8888:5000 -v /mnt/docker/images:/var/lib/registry registry:2
Let's create your simple Docker image based on nginx
:
index.html
as follows:$ cat index.html <html> <head><title>My Image</title></head> <body> <h1>Hello Docker !</h1> </body> </html>
Dockerfile
as follows to build your Docker image:$ cat Dockerfile FROM nginx COPY index.html /usr/share/nginx/html
<your name>/mynginx
as follows:$ ls Dockerfile index.html $ docker build -t hidetosaito/mynginx . Sending build context to Docker daemon 3.072 kB Step 1 : FROM nginx ---> 9737f81306ee Step 2 : COPY index.html /usr/share/nginx/html ---> 74dd7902a931 Removing intermediate container eefc2bb17e24 Successfully built 74dd7902a931
At this moment, the mynginx
image is stored on this host only.
<private_registry:port number>/<your name>/mynginx
as follows:$ docker tag hidetosaito/mynginx ip-10-96-219-25:8888/hidetosaito/mynginx $ docker images REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE ip-10-96-219-25:8888/hidetosaito/mynginx latest b69b2ab1f31b 7 minutes ago 134.6 MB hidetosaito/mynginx latest b69b2ab1f31b 7 minutes ago 134.6 MB
docker push
command as follows:$ docker push ip-10-96-219-25:8888/hidetosaito/mynginx The push refers to a repository [ip-10-96-219-25:8888/hidetosaito/mynginx] (len: 1) b69b2ab1f31b: Pushed ae8e1e9c54b3: Pushed 18de280c0e54: Pushed cd0794b5fd94: Pushed f32095d4ba8a: Pushed latest: digest: sha256:7ac04fdaedad1cbcc8c92fb2ff099a6509f4f29b0f694ae044a0cffc8ffe58b4 size: 15087
Now, your mynginx
image has been stored in your private registry. Let's deploy this image using Kubernetes.
nginx
from the private registry and use the Kubernetes service to expose to TCP port 30080
:# cat my-nginx-with-service.yaml apiVersion: v1 kind: ReplicationController metadata: name: mynginx spec: replicas: 2 selector: app: mynginx template: metadata: labels: app: mynginx spec: containers: - name: mynginx image: ip-10-96-219-25:8888/hidetosaito/mynginx --- apiVersion: v1 kind: Service metadata: name: mynginx-service spec: ports: - protocol: TCP port: 80 nodePort: 30080 type: NodePort selector: app: mynginx
kubectl create
command to load this YAML file:# kubectl create -f my-nginx-with-service.yaml replicationcontroller "mynginx" created
You have exposed your service to an external port on all the nodes in your cluster. If you want to expose this service to the external Internet, you may need to set up firewall rules for the service port(s) (TCP port 30080
) to serve traffic. Refer to http://releases.k8s.io/release-1.1/docs/user-guide/services-firewalls.md for more details:
service "mynginx-service" created
Then, access any Kubernetes node on TCP port 30080
; you may see index.html
as follows:
On running the docker push
command, it uploads your Docker image to the private registry. Then, when the kubectl create
command is run, the Kubernetes node performs docker pull
from the private registry.
Using the private registry is the easiest way to propagate your Docker image to all the Kubernetes nodes:
The official Docker registry image is the standard way to set up your private registry. However, from the management and maintenance points of view, you might need to make more effort. There is an alternative way to construct your own Docker private registry.
Docker Trusted Registry is an enterprise version of Docker registry. It comes with Web Console, LDAP integration, and so on. To know more about Docker Trusted Registry, please refer to the following link:
Nexus Repository Manager is one of the popular repository managers; it supports Java Maven, Linux apt/yum, Docker, and more. You can integrate all the software repository into the Nexus Repository Manager. Read more about Nexus Repository here:
http://www.sonatype.com/nexus/solution-overview/nexus-repository
This recipe described how to set up your own Docker registry. The private registry brings you more flexibility and security for your own images. The following recipes help to understand the need for private registry: