Master Builder

Your Registry

By the way, GitLab offers features that are very similar to GitHub. If you don't want to spend money on GitHub to create your own private repositories, you can switch to a local GitLab instance instead. Also, if you do not want to make your images available to the public, you will need a private registry for your container images.

That said, running the repository is not as easy as you might think at first. Useful software for this task was not available under a free license for a long time. Fortunately, several providers now have suitable offerings on the market, and one of them is Docker itself. The command in Listing 5 launches a local Docker registry. The command details are important.

docker service create --name registry --secret domain.crt --secret domain.key --constraint 'node.labels.registry==true' --mount type=bind,src=/mnt/registry,dst=/var/lib/registry -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/run/secrets/domain.crt -e REGISTRY_HTTP_TLS_KEY=/run/secrets/domain.key --publish published=443,target=443 --replicas 1 registry:2

The example assumes that the /mnt/registry/ folder exists on the host, because it will be mounted to /var/lib/registry/ later in the running container. You also need to create the domain.crt and domain.key secrets on the host through Docker. You can do so with the first two commands,

$ docker secret create domain.crt certs/domain.crt$ docker secret create domain.key certs/domain.key$ docker node update --label-add registry=true <hostname>

which also add the contents of the two files as passwords to Docker's metadata. Before adding the Docker service, the last line creates a label for the node running the registry.

Again, this example is very simple. For example, the option to secure access to images with a username and password combination is missing. Technically, this would not be a problem; the Docker documentation contains more information on the subject.

Running a registry with Quay (Figure 4) offers significantly more scope than the standard Docker approach. The service, which was developed by Red Hat to a large extent, not only delivers images to clients but also has comprehensive CI/CD functions on board in the background (Figure 5). The project [3] is available under a free license, but the setup is not very intuitive. The simplest option is to roll out Quay in the form of a prebuilt container in Kubernetes.

Figure 4: Quay, a registry for container images, provides statistical data on individual images in addition to the upload and download functionality. © Quay [4]

Figure 5: Besides the registry functionality, Quay has a lot of additional tech on board that includes an extensive CI/CD toolchain that supports developers wanting to build images. © Quay [4]

Conclusions: Not Too Tricky

As the examples show, building Docker containers is not particularly complicated. Even running a separate registry for containers is quite easy, all told. If you are planning larger workloads that are based on containers, you will inevitably have to square up to the task of building images. The best idea is to use only official Docker Hub images as the basis for your own work. All other approaches involve a huge risk of working blindfolded and can quickly turn into a nightmare. When it comes to the practical process of building containers, CI/CD tools will help make the whole experience more convenient.

Want to learn about Docker’s toolset for container development? Download our new focus guide and go inside the world of Docker. Available free for a limited time.

The Author

Freelance journalist Martin Gerhard Loschwitz focuses primarily on topics such as OpenStack, Kubernetes, and Chef.