Registry on internal network Part 1
Why do you care? Because if you are not considering Docker or some other related container or cloud-native system, you will be wasting too much time on code-related deployment garbage instead of the meaty stuff in your database. For many perfectly good reasons you may not want to use the Docker Hub for all of your images.
https://docs.docker.com/registry/deploying/ has tons of info on how to make registries that are publicly available. However, for many tasks only an internal registry is really needed, especially when you do continuous integration and automated testing (you are testing your database layer, right?).
Simple localhost example
docker run -d -p 5000:5000 --restart=always --name registry registry:2
docker pull centos:7
docker tag centos:7 localhost:5000/centos7
docker push localhost:5000/centos7
...
localhost works! But if you have more than one docker host, how do you get it to use your registry?
Your first inclination might be to create either a DNS CNAME or an /etc/hosts entry pointing to your new registry (e.g. myregistry -> docker host). However, this does not work.
# docker tag centos:7 myregistry:5000/centos7
# docker push myregistry:5000/centos7
The push refers to a repository [myregistry:5000/centos7]
Get https://myregistry:5000/v1/_ping: http: server gave HTTP response to HTTPS client
This is because docker push only uses plain HTTP for localhost; every other registry host requires a TLS connection.
Allow insecure connections
One solution is to allow insecure connections. Since you are inside a network this is certainly an option. Update the systemd service that runs docker with the correct insecure-registry option. The empty ExecStart= line is needed because systemd only lets you override a service's ExecStart after clearing the original one.
ExecStart=
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.0.1:5000
Restart the docker daemon
systemctl daemon-reload
systemctl restart docker
Verify that this worked
docker push myregistry:5000/centos7
The push refers to a repository [myregistry:5000/centos7]
5bef08742407: Pushed
latest: digest: sha256:0930dd4cc97ed5771ebe9be9caf3e8dc5341e0b5e32e8fb143394d7dfdfa100e size: 528
If you did not set up your CNAME or /etc/hosts entry correctly you may get
docker push myregistry:5000/centos7
The push refers to a repository [myregistry:5000/centos7]
Get http://myregistry:5000/v2/: dial tcp: lookup myregistry on 10.0.0.1:53: no such host
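The configure, restart and verify steps above as one script, added here as an example and not code from the original post: it renders the systemd drop-in, says whether a registry address would already be reached over plain HTTP, and reads docker info output to confirm the daemon actually picked up the flag. The drop-in directory /etc/systemd/system/docker.service.d/ and the docker info sample used in testing are assumptions, not from the post.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed: the drop-in directory
# /etc/systemd/system/docker.service.d/ and dockerd at /usr/bin/dockerd.

# Print the systemd drop-in that adds --insecure-registry for one registry.
# The empty ExecStart= line is required: it clears the unit's original
# ExecStart before the replacement command line is set.
render_dropin() {
    printf '[Service]\nExecStart=\nExecStart=/usr/bin/dockerd --insecure-registry %s\n' "$1"
}

# Without daemon configuration Docker falls back to plain HTTP only for
# localhost / 127.x; any other registry needs TLS or an --insecure-registry entry.
classify_registry() {
    case "${1%%:*}" in
        localhost|127.*) echo plain ;;
        *)               echo tls-or-insecure ;;
    esac
}

# Read "docker info" text on stdin; succeed only if the registry is listed
# under "Insecure Registries:", i.e. the daemon really picked up the flag.
# Entries are indented deeper than the section header, so track indentation.
insecure_listed() {
    awk -v want="$1" '
        /^ *Insecure Registries:/ { match($0, /^ */); hdr = RLENGTH; in_sec = 1; next }
        in_sec { match($0, /^ */); if (RLENGTH <= hdr) in_sec = 0 }
        in_sec && $1 == want { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Write the drop-in, reload, restart and verify. Needs root and a live daemon.
install_dropin() {
    dir=/etc/systemd/system/docker.service.d
    mkdir -p "$dir"
    render_dropin "$1" > "$dir/insecure-registry.conf"
    systemctl daemon-reload
    systemctl restart docker
    if docker info | insecure_listed "$1"; then
        echo "dockerd now allows plain HTTP to $1"
    else
        echo "registry $1 not listed in docker info; check the drop-in" >&2
        return 1
    fi
}

# Only act when a registry (e.g. 192.168.0.1:5000) is given on the command line.
if [ "$#" -gt 0 ]; then
    install_dropin "$1"
fi
```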
Is this the best way?
While you can certainly change each docker host on your internal network to manually allow insecure connections to your new registry, it will quickly become unmaintainable, and you lose the value you would derive from having TLS connections.
In my next post I talk about your options for getting TLS connections set up.