Docker internal registries Part 1

Registry on internal network Part 1

Why do you care? Because if you are not considering Docker or some other related container or cloud-native system, you will be wasting too much time on code-related deployment garbage instead of the meaty stuff in your database. For many perfectly good reasons you may not want to use the Docker Hub for all of your images.

https://docs.docker.com/registry/deploying/ has tons of info on how to make registries that are publicly available. However, for many tasks only an internal registry is really needed, especially when you do continuous integration and automated testing (you are testing your database layer, right?).

Simple localhost example

docker run -d -p 5000:5000 --restart=always --name registry registry:2

This works.

docker pull centos:7
docker tag centos:7 localhost:5000/centos7
docker push localhost:5000/centos7
...

localhost works! But if you have more than one docker host, how do you get it to use your registry?

Your first inclination might be to create either a DNS CNAME or an /etc/hosts entry pointing to your new registry (e.g. myregistry -> docker host). However, this does not work:

# docker tag centos:7 myregistry:5000/centos7
# docker push myregistry:5000/centos7
The push refers to a repository [myregistry:5000/centos7]
Get https://myregistry:5000/v1/_ping: http: server gave HTTP response to HTTPS client

This is because the Docker daemon only allows plain HTTP for a registry on localhost; every other registry is treated as secure and must be reached over a TLS connection.

Allow insecure connections

One solution is to allow insecure connections. Since you are inside a network this is certainly an option. Update the systemd service that runs Docker with the correct insecure registry option by adding a drop-in file:

/etc/systemd/system/docker.service.d/insecure_registry.conf

[Service]
# The empty ExecStart= clears the command inherited from the main unit;
# without it systemd would see two ExecStart lines and refuse to start.
ExecStart=
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.0.1:5000

Restart the Docker daemon:

systemctl daemon-reload
systemctl restart docker

Verify that this worked:

docker push myregistry:5000/centos7
The push refers to a repository [myregistry:5000/centos7]
5bef08742407: Pushed
latest: digest: sha256:0930dd4cc97ed5771ebe9be9caf3e8dc5341e0b5e32e8fb143394d7dfdfa100e size: 528

If you did not set up your CNAME or /etc/hosts entry correctly you may see:

docker push myregistry:5000/centos7
The push refers to a repository [myregistry:5000/centos7]
Get http://myregistry:5000/v2/: dial tcp: lookup myregistry on 10.0.0.1:53: no such host
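As an added example (not code from the original post), a small POSIX shell helper that writes the drop-in described above and audits it afterwards. The function names, the optional directory argument (so it can be exercised in a scratch directory instead of /etc/systemd/system/docker.service.d) and the validation rules are this example's own choices, not Docker's: it requires an explicit port and rejects catch-all specs such as 0.0.0.0/0, since every entry turns off TLS verification for whatever it matches.

```shell
#!/bin/sh
# Hypothetical helpers for managing dockerd's --insecure-registry drop-in.

# Accept host:port or IPv4 CIDR; refuse a /0 network, which would disable
# TLS verification for every registry the host ever talks to.
valid_registry() {
  case "$1" in
    */0) return 1 ;;
    [A-Za-z0-9]*:[0-9]*) return 0 ;;
    [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write insecure_registry.conf for one registry spec into $2 (default: the
# real systemd drop-in directory). Caller still runs daemon-reload/restart.
write_insecure_registry_dropin() {
  registry="$1"
  dir="${2:-/etc/systemd/system/docker.service.d}"
  valid_registry "$registry" || { echo "rejected registry spec: $registry" >&2; return 1; }
  mkdir -p "$dir"
  # [Service] is mandatory in a drop-in; the empty ExecStart= resets the
  # command from the main unit so dockerd is not listed twice.
  cat > "$dir/insecure_registry.conf" <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --insecure-registry $registry
EOF
}

# Print every insecure registry the drop-in grants, one per line, so a fleet
# of Docker hosts can be audited for stray entries without talking to dockerd.
list_insecure_registries() {
  dir="${1:-/etc/systemd/system/docker.service.d}"
  f="$dir/insecure_registry.conf"
  [ -f "$f" ] || return 0
  prev=
  for word in $(grep '^ExecStart=/usr/bin/dockerd' "$f"); do
    case "$word" in
      --insecure-registry=*) echo "${word#--insecure-registry=}" ;;
      *) if [ "$prev" = "--insecure-registry" ]; then echo "$word"; fi ;;
    esac
    prev="$word"
  done
}
```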

Is this the best way?

While you can certainly change each Docker host on your internal network to allow insecure connections to your new registry, this quickly becomes unmaintainable, and you lose the protection that TLS connections would have given you.

In my next post I talk about your options for getting TLS connections set up.
