Registry for Docker images
Repository D
Registry Operation as Proxy Cache
One approach that could be interesting for many admins is running their own registry as a proxy for an upstream registry. The Docker documentation refers to this as a "pull through cache." You just need to add the proxy keyword to the configuration file and enter the URL of the upstream registry below it:

    proxy:
      remoteurl: https://registry-1.docker.io

Two points matter in practice. A registry running as a pull-through cache cannot be pushed to, so it should be a separate instance from the registry that holds your own images. And if the upstream requires a login, the username and password keys go into the same proxy section. Docker clients are then pointed at the cache through the registry-mirrors setting of the daemon configuration rather than by prefixing image names with the cache's host name.
Another option is to run both the registry and the auth server behind a reverse proxy such as Apache, Nginx, or HAProxy. The port number then disappears from the registry URLs, and only one port needs to be open on the server. Typically you also terminate TLS at the proxy, so the back ends themselves can speak plain HTTP; this is only acceptable if they listen on the loopback interface, as in the listing below, and are not reachable from anywhere else. The proxy tells the back ends apart by the URL path being requested. You can see a configuration of this type for HAProxy in Listing 7. When TLS ends at the proxy, the registry still needs to know that clients arrived over HTTPS, because it builds absolute Location URLs for blob uploads from the scheme it sees; the proxy should therefore set the X-Forwarded-Proto: https header on forwarded requests (in HAProxy, http-request set-header X-Forwarded-Proto https in the frontend section).
Listing 7
HAProxy Configuration
    use_backend registry if { hdr_end(host) -i remote.repository.com } { path_beg /v2 }
    use_backend registry_auth if { hdr_end(host) -i remote.repository.com } { path_beg /auth }
    ...
    backend registry
        server registry 127.0.0.1:5000
    backend registry_auth
        server registry_auth 127.0.0.1:5001
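One detail that silently breaks a setup like Listing 7 is the realm URL the registry hands to clients. On an unauthenticated GET /v2/ the registry answers 401 with a WWW-Authenticate: Bearer challenge whose realm is taken from its auth.token.realm setting; the client then calls that realm to fetch a token. Behind the proxy, the realm must be the public HTTPS URL of the proxy with the /auth path and no port, because nothing outside the host can reach 127.0.0.1:5001. The following script, an added example written for this article and not code from the Docker registry, docker_auth or HAProxy projects, parses such a challenge, builds the token request URL a client would use, and flags realms that will not work through the proxy. The host name remote.repository.com follows Listing 7, and the sample challenge header is constructed, not captured from a real registry; with a registry URL as its argument it performs the live check instead.

```python
"""Check the token-auth challenge a Docker registry hands out from behind a
TLS-terminating proxy.

Added example for this article; not code from the Docker registry, docker_auth
or HAProxy projects. The host remote.repository.com follows Listing 7 and the
sample challenge below is constructed.
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample of the header a registry returns on GET /v2/ once token
# auth is configured; the realm is whatever auth.token.realm says.
SAMPLE_CHALLENGE = (
    'Bearer realm="https://remote.repository.com/auth",'
    'service="remote.repository.com",scope="repository:team/app:pull"'
)

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_www_authenticate(header):
    """Split a challenge into its scheme and its quoted key=value parameters."""
    scheme, _, params = header.strip().partition(" ")
    return scheme, dict(_PARAM.findall(params))


def token_request_url(challenge, scope=None):
    """Build the URL a client calls on the auth server to obtain a token.

    scope overrides the scope from the challenge, e.g. to ask for push rights.
    """
    _, params = parse_www_authenticate(challenge)
    query = {"service": params["service"]}
    wanted = scope or params.get("scope")
    if wanted:
        query["scope"] = wanted
    return params["realm"] + "?" + urllib.parse.urlencode(query)


def realm_problems(challenge, public_host):
    """Return the reasons the advertised realm cannot work through the proxy.

    An empty list means the realm is the public https URL, without a port,
    under the /auth path that the proxy routes to the auth back end.
    """
    scheme, params = parse_www_authenticate(challenge)
    if scheme.lower() != "bearer":
        return ["challenge is not a Bearer token challenge"]
    realm = urllib.parse.urlsplit(params.get("realm", ""))
    problems = []
    if realm.scheme != "https":
        problems.append("realm is not https; tokens would travel in the clear")
    if realm.hostname != public_host:
        problems.append("realm host %r is not the proxy host %r"
                        % (realm.hostname, public_host))
    if realm.port is not None:
        problems.append("realm carries port %d, which the proxy does not expose"
                        % realm.port)
    if not realm.path.startswith("/auth"):
        problems.append("realm path %r does not match the proxy's /auth rule"
                        % realm.path)
    return problems


def fetch_challenge(base_url):
    """Live check: GET /v2/ and return the WWW-Authenticate header of the 401."""
    req = urllib.request.Request(base_url.rstrip("/") + "/v2/")
    try:
        urllib.request.urlopen(req)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return err.headers.get("WWW-Authenticate", "")
        raise
    raise RuntimeError("registry answered /v2/ without demanding authentication")


if __name__ == "__main__":
    # Usage: python3 check_realm.py https://remote.repository.com
    # Without an argument the constructed sample challenge is checked.
    base = sys.argv[1] if len(sys.argv) > 1 else None
    challenge = fetch_challenge(base) if base else SAMPLE_CHALLENGE
    host = urllib.parse.urlsplit(base).hostname if base else "remote.repository.com"
    problems = realm_problems(challenge, host)
    for line in problems or ["realm OK, token URL: " + token_request_url(challenge)]:
        print(line)
```

The same check catches the reverse mistake as well: a realm of http://localhost:5001/auth, which is what you get when the registry's configuration still points at the auth server directly, is reported as non-HTTPS, wrong host and unexposed port at once.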
Other Docker Registries
One alternative to docker_auth as the authentication back end is Red Hat's Keycloak server [2]. Keycloak is free software, offers numerous additional single sign-on features, and has a web-based front end, but out of the box it has no way to manage authorization for individual repositories. The Pulp repository server [3], another Red Hat project, now also supports Docker, but again only rudimentarily.
If you want to replace the complete registry, including access control, two open source projects are worth a look: Portus [4] by SUSE and Harbor [5] by VMware. However, both are under active development and are not easy to install and configure. Commercial products such as JFrog's Artifactory [6] or Sonatype Nexus [7], which can host Docker images alongside numerous other "artifacts" (packages for Apache Maven, RubyGems, RPMs, etc.), are easier to use. The open source version of Sonatype Nexus offers almost the complete functionality of the enterprise version, apart from features such as high availability and vendor support.
Conclusions
Running your own registry for Docker images is not difficult. It becomes a little more complex if you want to supplement file-based authentication with authorization for individual resources or connect an LDAP back end, but both tasks can be handled with the free docker_auth software. As an alternative, several commercial Docker registries are available, some of them also as open source variants with a slightly reduced feature set.
Infos
- [1] docker_auth GitHub repository: https://github.com/cesanta/docker_auth
- [2] Keycloak: https://www.keycloak.org
- [3] Pulp: https://pulpproject.org
- [4] Portus: http://port.us.org
- [5] Harbor: https://goharbor.io
- [6] JFrog Artifactory: https://jfrog.com/artifactory/
- [7] Sonatype Nexus OSS: https://www.sonatype.com/nexus-repository-oss