Docker: What is the simplest way to secure a private registry

authenticationdocker

Our Docker images ship closed sources, we need to store them somewhere safe, using own private docker registry.
We search the simplest way to deploy a private docker registry with a simple authentication layer.

I found :

this manual way http://www.activestate.com/blog/2014/01/deploying-your-own-private-docker-registry
and the shipyard/docker-private-registry docker image based on stackbrew/registry and adding basic auth via Nginx – https://github.com/shipyard/docker-private-registry

I think use shipyard/docker-private-registry, but is there one another best way?

Best Solution

I'm still learning how to run and use Docker, consider this an idea:

# Run the registry on the server, allow only localhost connection
docker run -p 127.0.0.1:5000:5000 registry

# On the client, setup ssh tunneling
ssh -N -L 5000:localhost:5000 user@server

The registry is then accessible at localhost:5000, authentication is done through ssh that you probably already know and use.

Sources:

Related Solutions

Docker – How to get a Docker container’s IP address from the host

The --format option of inspect comes to the rescue.

Modern Docker client syntax is:

docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' container_name_or_id

Old Docker client syntax is:

docker inspect --format '{{ .NetworkSettings.IPAddress }}' container_name_or_id

These commands will return the Docker container's IP address.

As mentioned in the comments: if you are on Windows, use double quotes " instead of single quotes ' around the curly braces.

Docker – Docker images stored on the host machine

The contents of the /var/lib/docker directory vary depending on the driver Docker is using for storage.

By default this will be aufs but can fall back to overlay, overlay2, btrfs, devicemapper or zfs depending on your kernel support. In most places this will be aufs but the RedHats went with devicemapper.

You can manually set the storage driver with the -s or --storage-driver= option to the Docker daemon.

/var/lib/docker/{driver-name} will contain the driver specific storage for contents of the images.
/var/lib/docker/graph/<id> now only contains metadata about the image, in the json and layersize files.

In the case of aufs:

/var/lib/docker/aufs/diff/<id> has the file contents of the images.
/var/lib/docker/repositories-aufs is a JSON file containing local image information. This can be viewed with the command docker images.

In the case of devicemapper:

/var/lib/docker/devicemapper/devicemapper/data stores the images
/var/lib/docker/devicemapper/devicemapper/metadata the metadata
Note these files are thin provisioned "sparse" files so aren't as big as they seem.

Best Solution

Related Solutions

Docker – How to get a Docker container’s IP address from the host

Docker – Docker images stored on the host machine

Related Question