Registry for Docker images

Registry Operation as Proxy Cache

One approach that could be interesting for many admins would be running their own registries as proxies. The Docker documentation refers to this as "pull through cache." You just need to add the proxy keyword to the configuration file and enter the URL of the upstream registry below it:

proxy:
  remoteurl: https://registry-1.docker.io

Another option is to run both the registry and the auth server behind a reverse proxy such as Apache, Nginx, or HAProxy. In this case, the port number is omitted from the registry URLs, and you avoid having two additional ports open on the server. Typically, you also terminate TLS at the proxy, so the back ends themselves can do without encryption. You then simply distinguish between the back ends in the proxy configuration by the URL path requested. Listing 7 shows a configuration of this type for HAProxy.

Listing 7

HAProxy Configuration

use_backend registry if { hdr_end(host) -i remote.repository.com } { path_beg /v2 }
use_backend registry_auth if { hdr_end(host) -i remote.repository.com } { path_beg /auth }
...
backend registry
    server registry 127.0.0.1:5000

backend registry_auth
    server registry_auth 127.0.0.1:5001
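As an added example (not part of the article's Listing 7), here is a fuller HAProxy configuration that puts the two back ends above behind a single TLS-terminating front end, as the text describes. The certificate path, the timeouts, and the plain-HTTP redirect are assumptions for illustration.

```haproxy
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    # Large image layers take a while to upload; assumed generous values
    timeout client  300s
    timeout server  300s

# Plain HTTP: only send clients to the HTTPS front end (assumed)
frontend registry_http
    bind *:80
    http-request redirect scheme https unless { ssl_fc }

# TLS ends here; the back ends on 127.0.0.1 speak plain HTTP
frontend registry_https
    bind *:443 ssl crt /etc/haproxy/certs/remote.repository.com.pem
    # Tell the registry the original scheme so the URLs it returns
    # (e.g. upload locations) are https, not http
    http-request set-header X-Forwarded-Proto https
    acl host_registry hdr_end(host) -i remote.repository.com
    acl path_v2       path_beg /v2
    acl path_auth     path_beg /auth
    use_backend registry      if host_registry path_v2
    use_backend registry_auth if host_registry path_auth
    default_backend registry

# Same back ends as Listing 7: bound to localhost, reachable only via the proxy
backend registry
    server registry 127.0.0.1:5000

backend registry_auth
    server registry_auth 127.0.0.1:5001
```

Because the registry only ever sees plain HTTP from the proxy, the token realm configured on the registry side must still point at the public https://remote.repository.com/auth URL, or clients will be sent to an unencrypted endpoint.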

Other Docker Registries

One alternative to using docker_auth as the authentication back end is Red Hat's Keycloak server [2]. Keycloak is available as free software, offers numerous additional features for single sign-on, and has a web-based front end; however, it provides no way to manage authorization out of the box. The Pulp Repository Server [3] is another Red Hat project that now also supports Docker, but again only in a rudimentary form.

If you want to replace the complete registry, including access control, you can look at two open source projects: Portus [4] by SUSE and Harbor [5] by VMware. However, both are under active development and are not easy to install and configure. Commercial products such as JFrog's Artifactory [6] or Sonatype Nexus, which can host Docker images and numerous other "artifacts" (e.g., packages for Apache Maven, RubyGems, RPMs, etc.), are easier to use. The open source version of Sonatype Nexus [7] offers almost the complete functionality of the enterprise version, apart from features such as high availability and vendor support.

Conclusions

Running your own registry for Docker images is not difficult. It becomes a little more complex if you want to supplement file-based authentication with authorization for individual resources or with a connection to an LDAP back end, but both tasks can be handled with the free docker_auth software. As an alternative, several commercial Docker registries are available, some of which also come in open source variants with a slightly reduced feature set.
